Merge branch '3672-remove-auto-dnssec' into 'main'

Remove auto-dnssec

Closes #3672

See merge request isc-projects/bind9!8085
Matthijs Mekking 2023-07-20 14:37:30 +00:00
commit b8e3c1bb52
135 changed files with 1286 additions and 5528 deletions


@ -1,3 +1,8 @@
6211. [func] Remove 'auto-dnssec'. This obsoletes the configuration
options 'dnskey-sig-validity', 'dnssec-dnskey-kskonly',
'dnssec-update-mode', 'sig-validity-interval', and
'update-check-ksk'. [GL #3672]
6210. [func] Don't add signing records for DNSKEY added with dynamic
update. The dynamic update DNSSEC management feature was
removed with GL #3686. [GL !8070]


@ -359,15 +359,12 @@ Options
.. option:: -x
This option indicates that BIND 9 should only sign the DNSKEY, CDNSKEY, and CDS RRsets with key-signing keys,
and should omit signatures from zone-signing keys. (This is similar to the
``dnssec-dnskey-kskonly yes;`` zone option in :iscman:`named`.)
and should omit signatures from zone-signing keys.
.. option:: -z
This option indicates that BIND 9 should ignore the KSK flag on keys when determining what to sign. This causes
KSK-flagged keys to sign all records, not just the DNSKEY RRset.
(This is similar to the ``update-check-ksk no;`` zone option in
:iscman:`named`.)
.. option:: -3 salt


@ -215,9 +215,7 @@ options {\n\
check-srv-cname warn;\n\
check-wildcard yes;\n\
dialup no;\n\
dnssec-dnskey-kskonly yes;\n\
dnssec-loadkeys-interval 60;\n\
dnssec-update-mode maintain;\n\
# forward <none>\n\
# forwarders <none>\n\
# inline-signing no;\n\
@ -240,12 +238,9 @@ options {\n\
sig-signing-nodes 100;\n\
sig-signing-signatures 10;\n\
sig-signing-type 65534;\n\
sig-validity-interval 30; /* days */\n\
dnskey-sig-validity 0; /* default: sig-validity-interval */\n\
transfer-source *;\n\
transfer-source-v6 *;\n\
try-tcp-refresh yes; /* BIND 8 compat */\n\
update-check-ksk yes;\n\
zero-no-soa-ttl yes;\n\
zone-statistics terse;\n\
};\n\


@ -12330,8 +12330,7 @@ named_server_rekey(named_server_t *server, isc_lex_t *lex,
keyopts = dns_zone_getkeyopts(zone);
/*
* "rndc loadkeys" requires "auto-dnssec maintain"
* or a "dnssec-policy".
* "rndc loadkeys" requires a "dnssec-policy".
*/
if ((keyopts & DNS_ZONEKEY_ALLOW) == 0) {
result = ISC_R_NOPERM;
@ -14455,6 +14454,7 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
unsigned char salt[255];
const char *ptr;
size_t n;
bool kasp = false;
REQUIRE(text != NULL);
@ -14562,17 +14562,14 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
}
if (dns_zone_getkasp(zone) != NULL) {
(void)putstr(text, "zone uses dnssec-policy, use rndc dnssec "
"command instead");
(void)putnull(text);
goto cleanup;
kasp = true;
}
if (clear) {
CHECK(dns_zone_keydone(zone, keystr));
(void)putstr(text, "request queued");
(void)putnull(text);
} else if (chain) {
} else if (chain && !kasp) {
CHECK(dns_zone_setnsec3param(
zone, (uint8_t)hash, (uint8_t)flags, iter,
(uint8_t)saltlen, salt, true, resalt));
@ -14629,6 +14626,10 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
if (result == ISC_R_NOMORE) {
result = ISC_R_SUCCESS;
}
} else if (kasp) {
(void)putstr(text, "zone uses dnssec-policy, use rndc dnssec "
"command instead");
(void)putnull(text);
}
cleanup:
@ -15126,10 +15127,8 @@ named_server_zonestatus(named_server_t *server, isc_lex_t *lex,
}
/* Next resign event */
if (secure &&
(zonetype == dns_zone_primary ||
(zonetype == dns_zone_secondary && hasraw)) &&
((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_NORESIGN) == 0))
if (secure && (zonetype == dns_zone_primary ||
(zonetype == dns_zone_secondary && hasraw)))
{
dns_name_t *name;
dns_fixedname_t fixed;
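Review bot: In named_server_signing the new `kasp` flag only guards the nsec3param branch (`} else if (chain && !kasp) {`), so `rndc signing -clear` on a dnssec-policy zone now reaches `CHECK(dns_zone_keydone(zone, keystr));` where the removed `goto cleanup` used to refuse it with the "use rndc dnssec" message. If that is intended, record it at the `if (dns_zone_getkasp(zone) != NULL)` check, e.g. `/* -clear is still allowed on dnssec-policy zones; other subcommands fall through to the kasp rejection below */`; otherwise the first branch should read `if (clear && !kasp) {`. The trailing `} else if (kasp) {` is now the only place the rejection is emitted, so any subcommand branch between it and the `clear` check that does not test `kasp` acts on a policy zone without a message; the branches elided between the hunks are worth checking for that. named_server_signing starts and ends outside the shown hunks.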


@ -905,7 +905,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_stats_t *rcvquerystats;
dns_stats_t *dnssecsignstats;
dns_zonestat_level_t statlevel = dns_zonestat_none;
int seconds;
dns_ttl_t maxttl = 0; /* unlimited */
dns_zone_t *mayberaw = (raw != NULL) ? raw : zone;
bool transferinsecs = ns_server_getoption(named_g_server->sctx,
@ -1547,11 +1546,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
* use inline-signing (raw != NULL).
*/
if (ztype == dns_zone_primary || raw != NULL) {
const cfg_obj_t *validity, *resign;
bool allow = false, maint = false;
bool sigvalinsecs;
if (use_kasp) {
int seconds;
if (dns_kasp_nsec3(kasp)) {
result = dns_zone_setnsec3param(
zone, 1, dns_kasp_nsec3flags(kasp),
@ -1563,53 +1560,15 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
zone, 0, 0, 0, 0, NULL, true, false);
}
INSIST(result == ISC_R_SUCCESS);
}
if (use_kasp) {
seconds = (uint32_t)dns_kasp_sigvalidity_dnskey(kasp);
} else {
obj = NULL;
result = named_config_get(maps, "dnskey-sig-validity",
&obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
seconds = cfg_obj_asuint32(obj) * 86400;
}
dns_zone_setkeyvalidityinterval(zone, seconds);
dns_zone_setkeyvalidityinterval(zone, seconds);
if (use_kasp) {
seconds = (uint32_t)dns_kasp_sigvalidity(kasp);
dns_zone_setsigvalidityinterval(zone, seconds);
seconds = (uint32_t)dns_kasp_sigrefresh(kasp);
dns_zone_setsigresigninginterval(zone, seconds);
} else {
obj = NULL;
result = named_config_get(maps, "sig-validity-interval",
&obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
sigvalinsecs = ns_server_getoption(
named_g_server->sctx, NS_SERVER_SIGVALINSECS);
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity);
if (!sigvalinsecs) {
seconds *= 86400;
}
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else if (!sigvalinsecs) {
uint32_t r = cfg_obj_asuint32(resign);
if (seconds > 7 * 86400) {
seconds = r * 86400;
} else {
seconds = r * 3600;
}
} else {
seconds = cfg_obj_asuint32(resign);
}
dns_zone_setsigresigninginterval(zone, seconds);
}
obj = NULL;
@ -1634,26 +1593,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj));
obj = NULL;
result = named_config_get(maps, "update-check-ksk", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
cfg_obj_asboolean(obj));
/*
* This setting will be ignored if dnssec-policy is used.
* named-checkconf will error if both are configured.
*/
obj = NULL;
result = named_config_get(maps, "dnssec-dnskey-kskonly", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
cfg_obj_asboolean(obj));
/*
* This setting will be ignored if dnssec-policy is used.
* named-checkconf will error if both are configured.
*/
obj = NULL;
result = named_config_get(maps, "dnssec-loadkeys-interval",
&obj);
@ -1661,28 +1600,12 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
CHECK(dns_zone_setrefreshkeyinterval(zone,
cfg_obj_asuint32(obj)));
obj = NULL;
result = cfg_map_get(zoptions, "auto-dnssec", &obj);
if (kasp != NULL) {
bool s2i = (strcmp(dns_kasp_getname(kasp),
"insecure") != 0);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, !s2i);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true);
} else if (result == ISC_R_SUCCESS) {
const char *arg = cfg_obj_asstring(obj);
if (strcasecmp(arg, "allow") == 0) {
allow = true;
} else if (strcasecmp(arg, "maintain") == 0) {
allow = maint = true;
} else if (strcasecmp(arg, "off") == 0) {
/* Default */
} else {
UNREACHABLE();
}
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
}
}
@ -1825,20 +1748,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNORESRVCNAME,
ignore);
obj = NULL;
result = cfg_map_get(zoptions, "dnssec-update-mode", &obj);
if (result == ISC_R_SUCCESS) {
const char *arg = cfg_obj_asstring(obj);
if (strcasecmp(arg, "no-resign") == 0) {
dns_zone_setkeyopt(zone, DNS_ZONEKEY_NORESIGN,
true);
} else if (strcasecmp(arg, "maintain") == 0) {
/* Default */
} else {
UNREACHABLE();
}
}
obj = NULL;
result = named_config_get(maps, "serial-update-method", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
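Review bot: The key-option block in named_zone_configure is now `if (kasp != NULL) { ... }` with no else, so when a zone's `dnssec-policy` is dropped on reconfig the DNS_ZONEKEY_ALLOW/CREATE/MAINTAIN bits keep their previous values if the dns_zone_t object is reused, whereas the removed branch reset them whenever `auto-dnssec off` was configured; an else branch that calls `dns_zone_setkeyopt()` with `false` for the three options, or a comment stating why no reset is needed, would make the intent explicit (I cannot see from here whether the zone object survives reconfig — verify). Separately, the `int seconds;` introduced inside `if (use_kasp)` is only ever assigned `(uint32_t)` casts of the kasp getters and passed straight to the interval setters, so `uint32_t seconds;` would remove the casts and the signed/unsigned round trip, assuming the setters take an unsigned interval. named_zone_configure continues outside the shown hunks.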


@ -265,10 +265,9 @@ Currently supported commands are:
immediately re-signed by the new keys, but is allowed to
incrementally re-sign over time.
This command requires that the zone be configured with a ``dnssec-policy``, or
that the ``auto-dnssec`` zone option be set to ``maintain``, and also requires the
zone to be configured to allow dynamic DNS. (See "Dynamic Update Policies" in
the Administrator Reference Manual for more details.)
This command requires that the zone be configured with a ``dnssec-policy``, and
also requires the zone to be configured to allow dynamic DNS. (See "Dynamic
Update Policies" in the Administrator Reference Manual for more details.)
.. option:: managed-keys (status | refresh | sync | destroy) [class [view]]
@ -504,11 +503,9 @@ Currently supported commands are:
the zone's DNSKEY RRset. If the DNSKEY RRset is changed, then the
zone is automatically re-signed with the new key set.
This command requires that the zone be configured with a ``dnssec-policy``, or
that the ``auto-dnssec`` zone option be set to ``allow`` or ``maintain``,
and also requires the zone to be configured to allow dynamic DNS. (See
"Dynamic Update Policies" in the BIND 9 Administrator Reference Manual for more
details.)
This command requires that the zone be configured with a ``dnssec-policy``, and
also requires the zone to be configured to allow dynamic DNS. (See "Dynamic
Update Policies" in the Administrator Reference Manual for more details.)
See also :option:`rndc loadkeys`.


@ -104,7 +104,6 @@ TESTS += \
dlzexternal \
dns64 \
dsdigest \
dupsigs \
dyndb \
ecdsa \
eddsa \
@ -201,7 +200,7 @@ endif HAVE_PERLMOD_NET_DNS_NAMESERVER
endif HAVE_PERLMOD_NET_DNS
if HAVE_PYTHON
TESTS += kasp keymgr2kasp multisigner tcp pipelined
TESTS += kasp multisigner tcp pipelined
if HAVE_PYTEST
TESTS += checkds dispatch rpzextra shutdown timeouts


@ -11,6 +11,7 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
rm -f ./dsset-*
rm -f */K* */dsset-* */*.signed */tmp* */*.jnl */*.bk
rm -f */core
rm -f */example.bk
@ -18,30 +19,34 @@ rm -f */named.conf
rm -f */named.memstats
rm -f */named.run*
rm -f */trusted.conf */private.conf
rm -f activate-now-publish-1day.key
rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key
rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
rm -f dig.out.*
rm -f digcomp.out.test*
rm -f activate-now-publish-1day.key prepub.key
rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key
rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
rm -f noksk-ksk.key nozsk-ksk.key nozsk-zsk.key inaczsk-zsk.key inaczsk-ksk.key
rm -f nopriv.key vanishing.key del1.key del2.key
rm -f ns*/inactive/*
rmdir ns*/inactive
rm -f ns*/managed-keys.bind*
rm -f ns*/named.lock
rm -f ns1/root.db
rm -f ns1/root.db ns1/root.db.1 ns1/root.db.2 ns1/root.db.3
rm -f ns1/signing.out
rm -f ns2/bar.db
rm -f ns2/child.nsec3.example.db
rm -f ns2/child.optout.example.db
rm -f ns2/example.db
rm -f ns2/insecure.secure.example.db
rm -f ns2/optout-with-ent.db
rm -f ns2/private.secure.example.db ns2/bar.db
rm -f ns2/private.secure.example.db
rm -f ns2/signing.*
rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
rm -f ns3/*.nzf
rm -f ns3/autonsec3.example.db
rm -f ns3/cdnskey-delete.example.db
rm -f ns3/cds-delete.example.db
rm -f ns3/delay.example.db ns3/delay.example.1 ns3/delay.example.2
rm -f ns3/delzsk.example.db
rm -f ns3/dname-at-apex-nsec3.example.db
rm -f ns3/inacksk2.example.db
rm -f ns3/inacksk3.example.db
rm -f ns3/inaczsk2.example.db
rm -f ns3/inaczsk3.example.db
rm -f ns3/jitter.nsec3.example.db
rm -f ns3/kg.out ns3/s.out ns3/st.out
rm -f ns3/kskonly.example.db
@ -53,7 +58,7 @@ rm -f ns3/nsec3-to-nsec.example.db
rm -f ns3/nsec3.example.db
rm -f ns3/nsec3.nsec3.example.db
rm -f ns3/nsec3.optout.example.db
rm -f ns3/oldsigs.example.db
rm -f ns3/oldsigs.example.db ns3/oldsigs.example.db.bak
rm -f ns3/optout.example.db
rm -f ns3/optout.nsec3.example.db
rm -f ns3/optout.optout.example.db
@ -68,5 +73,5 @@ rm -f ns3/sync.example.db
rm -f ns3/ttl*.db
rm -f nsupdate.out
rm -f settime.out.*
rm -f signing.out.*
rm -f signing.*
rm -f sync.key


@ -31,8 +31,8 @@ zskactnowpub1d=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -A now -P +1d $zone)
zsknopriv=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone)
rm $zsknopriv.private
ksksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -P now -A now+15s -fk $zone)
kskrev=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -R now+15s -fk $zone)
ksksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -P now -A now -fk $zone)
kskrev=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -R now -fk $zone)
keyfile_to_static_ds $ksksby > trusted.conf
cp trusted.conf ../ns2/trusted.conf
@ -51,3 +51,5 @@ echo $zsknopriv > ../nopriv.key
echo $zsksby > ../standby.key
echo $zskactnowpub1d > ../activate-now-publish-1day.key
$REVOKE -R $kskrev > ../rev.key
$SIGNER -S -o . -O full root.db > signing.out 2>&1


@ -37,12 +37,10 @@ controls {
zone "." {
type primary;
file "root.db";
file "root.db.signed";
allow-transfer { any; };
allow-query { any; };
allow-update { any; };
auto-dnssec maintain;
dnssec-dnskey-kskonly no;
allow-query { any; };
};
include "trusted.conf";


@ -40,7 +40,7 @@ ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
keyfile_to_static_ds $ksk > private.conf
cp private.conf ../ns4/private.conf
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > signing.privsec.out 2>&1
# Extract saved keys for the revoke-to-duplicate-key test
zone=bar
@ -54,6 +54,7 @@ do
done
$KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null
$DSFROMKEY Kbar.+013+60101.key > dsset-bar.
$SIGNER -S -o bar. -O full $zonefile > signing.bar.out 2>&1
# a zone with empty non-terminals.
zone=optout-with-ent
@ -62,3 +63,8 @@ infile=optout-with-ent.db.in
cat $infile > $zonefile
kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
# Copy zone input files
cp child.nsec3.example.db.in child.nsec3.example.db
cp child.optout.example.db.in child.optout.example.db
cp insecure.secure.example.db.in insecure.secure.example.db


@ -36,6 +36,40 @@ controls {
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
dnssec-policy "autosign" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "private" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
nsec3param iterations 0 optout no salt-length 2;
};
dnssec-policy "nsec3" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
nsec3param iterations 0 optout no salt-length 0;
};
dnssec-policy "optout" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
nsec3param iterations 1 optout yes salt-length 0;
};
zone "." {
type hint;
file "../../common/root.hint";
@ -47,18 +81,16 @@ zone "example" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
auto-dnssec maintain;
dnssec-policy autosign;
sig-signing-type 65280;
};
zone "bar" {
type primary;
file "bar.db";
file "bar.db.signed";
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
auto-dnssec maintain;
dnssec-dnskey-kskonly yes;
};
zone "private.secure.example" {
@ -67,7 +99,7 @@ zone "private.secure.example" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
auto-dnssec maintain;
dnssec-policy private;
};
zone "insecure.secure.example" {
@ -76,7 +108,7 @@ zone "insecure.secure.example" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
auto-dnssec maintain;
dnssec-policy autosign;
};
zone "child.nsec3.example" {
@ -85,7 +117,7 @@ zone "child.nsec3.example" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
auto-dnssec maintain;
dnssec-policy nsec3;
};
zone "child.optout.example" {
@ -94,7 +126,7 @@ zone "child.optout.example" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
auto-dnssec maintain;
dnssec-policy optout;
};
zone "optout-with-ent" {
@ -103,7 +135,7 @@ zone "optout-with-ent" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
auto-dnssec maintain;
dnssec-policy optout;
};
include "trusted.conf";


@ -1,28 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a


@ -1,28 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a


@ -1,26 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
x CNAME a


@ -1,26 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
x CNAME a


@ -1,26 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
x CNAME a


@ -29,6 +29,8 @@ setup () {
n=$((${n:-0} + 1))
}
mkdir inactive
setup secure.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
@ -181,7 +183,8 @@ do
done
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out
$SIGNER -PS -x -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out
cp $zonefile.signed $zonefile.bak
mv $zonefile.signed $zonefile
#
@ -198,7 +201,8 @@ $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out
setup prepub.example
infile="prepub.example.db.in"
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone 2> kg.out) || dumpit kg.out
echo $zsk > ../prepub.key
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
#
@ -237,6 +241,7 @@ ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.o
echo $ksk > ../delayksk.key
zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
echo $zsk > ../delayzsk.key
cp delay.example.db.in delay.example.db
#
# A zone with signatures that are already expired, and the private KSK
@ -274,7 +279,7 @@ echo $zsk > ../inaczsk-zsk.key
$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
#
# A zone that is set to 'auto-dnssec maintain' during a reconfig
# A zone that is set to 'dnssec-policy' during a reconfig
#
setup reconf.example
cp secure.example.db.in $zonefile
@ -282,7 +287,7 @@ $KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
#
# A zone which generates CDS and CDNSEY RRsets automatically
# A zone which generates CDS and CDNSEY RRsets automatically (with an additional CSK)
#
setup sync.example
cp $infile $zonefile
@ -292,7 +297,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}.
echo ns3/$ksk > ../sync.key
#
# A zone that generates CDS and CDNSKEY and uses dnssec-dnskey-kskonly
# A zone that generates CDS and CDNSKEY automatically
#
setup kskonly.example
cp $infile $zonefile
@ -300,15 +305,6 @@ ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || du
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# A zone that has a published inactive key that is autosigned.
#
setup inacksk2.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# A zone that has a published inactive key that is autosigned.
#
@ -318,26 +314,6 @@ ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# A zone that starts with a active KSK + ZSK and a inactive ZSK.
#
setup inacksk3.example
cp $infile $zonefile
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# A zone that starts with a active KSK + ZSK and a inactive ZSK.
#
setup inaczsk3.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# A zone that starts with an active KSK + ZSK and an inactive ZSK, with the
# latter getting deleted during the test.
@ -347,6 +323,9 @@ cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out) || dumpit kg.out
cat $zsk.key >> $zonefile
mv $zsk.key inactive/
mv $zsk.private inactive/
echo $zsk > ../delzsk.key
#
@ -357,22 +336,3 @@ cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# Check that dynamically added CDS (DELETE) is kept in the zone after signing.
#
setup cds-delete.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# Check that dynamically added CDNSKEY (DELETE) is kept in the zone after
# signing.
#
setup cdnskey-delete.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
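Review bot: The new `mkdir inactive` at the top of the script has no `-p`, so re-running the setup without an intervening clean.sh either aborts at that line or, without `set -e`, continues into a directory that still holds the previous run's keys; `mkdir -p inactive` is the usual form for a fixture directory. The later `mv $zsk.key inactive/` and `mv $zsk.private inactive/` lines depend on it, so the failure shows up as a missing inactive-key fixture rather than at the mkdir itself. The script runs past the shown hunks.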


@ -40,6 +40,86 @@ controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
# The default
dnssec-policy "autosign" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
# Additional CSK
dnssec-policy "sync" {
keys {
csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
# NSEC3
dnssec-policy "nsec3" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
nsec3param iterations 0 optout no salt-length 0;
};
# NSEC3 opt-out
dnssec-policy "optout" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
nsec3param iterations 0 optout yes salt-length 0;
};
# Jitter
dnssec-policy "jitter" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
signatures-validity P10D;
signatures-validity-dnskey P10D;
signatures-refresh P2D;
};
# Jitter, NSEC3
dnssec-policy "jitter-nsec3" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
nsec3param iterations 0 optout no salt-length 0;
signatures-validity P10D;
signatures-validity-dnskey P10D;
signatures-refresh P2D;
};
# RSASHA256
dnssec-policy "rsasha256" {
keys {
ksk key-directory lifetime unlimited algorithm RSASHA256 2048;
zsk key-directory lifetime unlimited algorithm RSASHA256 2048;
};
};
# RSASHA512
dnssec-policy "rsasha512" {
keys {
ksk key-directory lifetime unlimited algorithm RSASHA512 2048;
zsk key-directory lifetime unlimited algorithm RSASHA512 2048;
};
};
zone "." {
type hint;
file "../../common/root.hint";
@ -61,48 +141,48 @@ zone "secure.example" {
type primary;
file "secure.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy autosign;
};
zone "insecure.example" {
type primary;
file "insecure.example.db";
dnssec-policy none;
};
zone "nsec3.example" {
type primary;
file "nsec3.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy nsec3;
};
zone "autonsec3.example" {
type primary;
file "autonsec3.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy nsec3;
};
zone "optout.nsec3.example" {
type primary;
file "optout.nsec3.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy optout;
};
zone "nsec3.nsec3.example" {
type primary;
file "nsec3.nsec3.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy nsec3;
};
zone "jitter.nsec3.example" {
type primary;
file "jitter.nsec3.example.db";
allow-update { any; };
auto-dnssec maintain;
sig-validity-interval 10 2;
dnssec-policy jitter-nsec3;
sig-signing-nodes 1000;
sig-signing-signatures 100;
};
@ -111,71 +191,70 @@ zone "secure.nsec3.example" {
type primary;
file "secure.nsec3.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy nsec3;
};
zone "optout.example" {
type primary;
file "optout.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy optout;
};
zone "secure.optout.example" {
type primary;
file "secure.optout.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy optout;
};
zone "nsec3.optout.example" {
type primary;
file "nsec3.optout.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy optout;
};
zone "optout.optout.example" {
type primary;
file "optout.optout.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy optout;
};
zone "rsasha256.example" {
type primary;
file "rsasha256.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy rsasha256;
};
zone "rsasha512.example" {
type primary;
file "rsasha512.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy rsasha512;
};
zone "nsec-only.example" {
type primary;
file "nsec-only.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy autosign;
};
zone "nsec3-to-nsec.example" {
type primary;
file "nsec3-to-nsec.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy nsec3;
};
zone "oldsigs.example" {
type primary;
file "oldsigs.example.db";
allow-update { any; };
auto-dnssec maintain;
sig-validity-interval 10 2;
dnssec-policy jitter;
sig-signing-nodes 1000;
sig-signing-signatures 100;
};
@ -184,137 +263,96 @@ zone "prepub.example" {
type primary;
file "prepub.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy autosign;
};
zone "ttl1.example" {
type primary;
file "ttl1.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy autosign;
};
zone "ttl2.example" {
type primary;
file "ttl2.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy autosign;
};
zone "ttl3.example" {
type primary;
file "ttl3.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy autosign;
};
zone "ttl4.example" {
type primary;
file "ttl4.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy autosign;
};
zone "delay.example" {
type primary;
file "delay.example.db";
allow-update { any; };
auto-dnssec maintain;
};
zone "nozsk.example" {
type primary;
file "nozsk.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy autosign;
};
zone "inaczsk.example" {
type primary;
file "inaczsk.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy autosign;
};
zone "noksk.example" {
type primary;
file "noksk.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy autosign;
};
zone "sync.example" {
type primary;
file "sync.example.db";
allow-update { any; };
dnssec-dnskey-kskonly no;
auto-dnssec maintain;
dnssec-policy sync;
};
zone "kskonly.example" {
type primary;
file "kskonly.example.db";
allow-update { any; };
dnssec-dnskey-kskonly yes;
auto-dnssec maintain;
};
zone "inacksk2.example" {
type primary;
file "inacksk2.example.db";
allow-update { any; };
dnssec-dnskey-kskonly yes;
auto-dnssec maintain;
};
zone "inacksk3.example" {
type primary;
file "inacksk3.example.db";
allow-update { any; };
dnssec-dnskey-kskonly yes;
auto-dnssec maintain;
dnssec-policy autosign;
};
zone "inaczsk2.example" {
type primary;
file "inaczsk2.example.db";
allow-update { any; };
auto-dnssec maintain;
};
zone "inaczsk3.example" {
type primary;
file "inaczsk3.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy autosign;
};
zone "delzsk.example." {
type primary;
file "delzsk.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy nsec3;
};
zone "dname-at-apex-nsec3.example" {
type primary;
file "dname-at-apex-nsec3.example.db";
allow-update { any; };
auto-dnssec maintain;
};
zone "cds-delete.example" {
type primary;
file "cds-delete.example.db";
allow-update { any; };
auto-dnssec maintain;
};
zone "cdnskey-delete.example" {
type primary;
file "cdnskey-delete.example.db";
allow-update { any; };
auto-dnssec maintain;
dnssec-policy nsec3;
};
include "trusted.conf";


@ -91,7 +91,7 @@ checkjitter () {
_count=0
# Check if we have at least 4 days
# This number has been tuned for `sig-validity-interval 10 2`, as
# This number has been tuned for `signatures-validity 10d; signatures-refresh 2d`, as
# 1 signature expiration dates should be spread out across at most 8 (10-2) days
# 2. we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days
# 3. we subtract two more days to allow test pass on day boundaries, etc. leaving us with 4 (6-2)
@ -155,23 +155,22 @@ do
#
# Wait for the root DNSKEY RRset to be fully signed.
#
$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
grep "ANSWER: 10," dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n.dnskey || ret=1
grep "ANSWER: 11," dig.out.ns1.test$n.dnskey > /dev/null || ret=1
for z in .
do
$DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1
grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n.nsec || ret=1
grep "NS SOA" dig.out.ns1.test$n.nsec > /dev/null || ret=1
done
for z in bar. example. private.secure.example. optout-with-ent.
for z in bar. example. # skip NSEC3 signed zones
do
$DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
$DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n.$z || ret=1
grep "NS SOA" dig.out.ns2.test$n.$z > /dev/null || ret=1
done
for z in bar. example. inacksk2.example. inacksk3.example \
inaczsk2.example. inaczsk3.example noksk.example nozsk.example
for z in bar. example. inaczsk2.example. noksk.example nozsk.example
do
$DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
$DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n.$z || ret=1
grep "NS SOA" dig.out.ns3.test$n.$z > /dev/null || ret=1
done
i=$((i + 1))
if [ $ret = 0 ]; then break; fi
@ -179,12 +178,9 @@ do
sleep 2
done
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "done"; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "Convert optout-with-ent from nsec to nsec3"
($RNDCCMD 10.53.0.2 signing -nsec3param 1 1 1 - optout-with-ent 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
echo_i "Initial counts of RRSIG expiry fields values for auto signed zones"
for z in .
do
@ -196,7 +192,7 @@ do
echo_i zone $z
$DIG $DIGOPTS $z @10.53.0.2 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
done
for z in inacksk2.example. inacksk3.example inaczsk2.example. inaczsk3.example
for z in inaczsk2.example.
do
echo_i zone $z
$DIG $DIGOPTS $z @10.53.0.3 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
@ -205,107 +201,6 @@ done
# Set logfile offset for wait_for_log usage.
nextpartreset ns3/named.run
#
# Check that DNSKEY is initially signed with a KSK and not a ZSK.
#
echo_i "check that zone with active and inactive KSK and active ZSK is properly"
echo_ic "resigned after the active KSK is deleted - stage 1: Verify that DNSKEY"
echo_ic "is initially signed with a KSK and not a ZSK. ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
$DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}')
grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 " dig.out.ns3.test$n > /dev/null || ret=1
pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
count=$(awk 'BEGIN { count = 0 }
$4 == "RRSIG" && $5 == "DNSKEY" { count++ }
END {print count}' dig.out.ns3.test$n)
test $count -eq 1 || ret=1
count=$(awk 'BEGIN { count = 0 }
$4 == "DNSKEY" { count++ }
END {print count}' dig.out.ns3.test$n)
test $count -eq 3 || ret=1
awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }'
id=$(awk "${awk}" dig.out.ns3.test$n)
keyfile=$(printf "ns3/Kinacksk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}")
$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1
($RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
#
# Check that zone is initially signed with a ZSK and not a KSK.
#
echo_i "check that zone with active and inactive ZSK and active KSK is properly"
echo_ic "resigned after the active ZSK is deleted - stage 1: Verify that zone"
echo_ic "is initially signed with a ZSK and not a KSK. ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
$DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' )
grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n > /dev/null || ret=1
grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
count=$(awk 'BEGIN { count = 0 }
$4 == "RRSIG" && $5 == "CNAME" { count++ }
END {print count}' dig.out.ns3.test$n)
test $count -eq 1 || ret=1
count=$(awk 'BEGIN { count = 0 }
$4 == "DNSKEY" { count++ }
END {print count}' dig.out.ns3.test$n)
test $count -eq 3 || ret=1
id=$(awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n)
keyfile=$(printf "ns3/Kinaczsk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}")
$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1
($RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "resetting nsec3param via rndc signing ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. > /dev/null 2>&1
$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1
for i in 0 1 2 3 4 5 6 7 8 9; do
ret=0
$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1
grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n > /dev/null || ret=1
num=$(grep "Pending " signing.out.test$n | wc -l)
[ $num -eq 1 ] || ret=1
[ $ret -eq 0 ] && break
echo_i "waiting ... ($i)"
sleep 2
done
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "setting nsec3param via rndc signing ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef optout.example. 2>&1
for i in 0 1 2 3 4 5 6 7 8 9; do
ret=0
$DIG $DIGOPTS @10.53.0.3 nsec3param optout.example > dig.out.ns3.test$n
# Note that the Opt-Out flag is not used in NSEC3PARAM and is set to zero.
grep "NSEC3PARAM.*1.*0.*10.*BEEF" dig.out.ns3.test$n > /dev/null || ret=1
[ $ret -eq 0 ] && break
echo_i "waiting ... ($i)"
sleep 2
done
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "signing preset nsec3 zone"
zsk=$(cat autozsk.key)
ksk=$(cat autoksk.key)
@ -890,7 +785,7 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking that deactivated key does not sign records ($n)"
echo_i "checking that deactivated key does not sign records ($n)"
ret=0
id=$(keyfile_to_key_id "$(cat inact.key)")
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
@ -932,10 +827,9 @@ ret=0
$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
oldserial=$(cat dig.out.ns3.test$n | awk '$0 !~ /SOA/ {print $3}')
oldinception=$(cat dig.out.ns3.test$n | awk '/SOA/ {print $6}' | sort -u)
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
($RNDCCMD 10.53.0.3 sign prepub.example 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
id=$(keyfile_to_key_id "$(cat prepub.key)")
echo_i "prepublish key for ZSK $id"
($RNDCCMD 10.53.0.3 dnssec -rollover -key $id prepub.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
newserial=$oldserial
try=0
while [ $oldserial -eq $newserial -a $try -lt 42 ]
@ -955,30 +849,31 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "preparing to test key change corner cases"
echo_i "removing a private key file"
file="ns1/$(cat vanishing.key).private"
rm -f $file
echo_i "preparing ZSK roll"
starttime=$($PERL -e 'print time(), "\n";')
oldfile=$(cat active.key)
oldid=$(keyfile_to_key_id "$(cat active.key)")
newfile=$(cat standby.key)
newid=$(keyfile_to_key_id "$(cat standby.key)")
$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > settime.out.test$n.1 || ret=1
$SETTIME -K ns1 -I now -D now+25 $oldfile > settime.out.test$n.1 || ret=1
$SETTIME -K ns1 -i 0 -S $oldfile $newfile > settime.out.test$n.2 || ret=1
# note previous zone serial number
oldserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}')
($RNDCCMD 10.53.0.1 loadkeys . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
($RNDCCMD 10.53.0.1 freeze . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
cp ns1/root.db.signed ns1/root.db.1
$SIGNER -S -o . -O full -K ns1 -f ns1/root.db.signed ns1/root.db.1 > signing.root.out$n 2>&1 || ret=1
($RNDCCMD 10.53.0.1 thaw . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
sleep 4
echo_i "revoking key to duplicated key ID"
$SETTIME -R now -K ns2 Kbar.+013+59973.key > settime.out.test$n.3 || ret=1
($RNDCCMD 10.53.0.2 loadkeys bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
($RNDCCMD 10.53.0.2 freeze bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
cp ns2/bar.db.signed ns2/bar.db
$SIGNER -S -o bar. -O full -K ns2 ns2/bar.db > signing.bar.out$n 2>&1 || ret=1
($RNDCCMD 10.53.0.2 thaw bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
echo_i "waiting for changes to take effect"
sleep 5
@ -1002,7 +897,6 @@ status=$((status + ret))
echo_i "checking that signing records have been marked as complete ($n)"
ret=0
checkprivate bar 10.53.0.2 || ret=1
checkprivate example 10.53.0.2 0 type65280 || ret=1 # sig-signing-type 65280
checkprivate private.secure.example 10.53.0.3 2 || ret=1 # pre-signed
checkprivate nsec3.example 10.53.0.3 || ret=1
@ -1017,7 +911,7 @@ checkprivate oldsigs.example 10.53.0.3 2 || ret=1 # pre-signed
checkprivate optout.example 10.53.0.3 || ret=1
checkprivate optout.nsec3.example 10.53.0.3 || ret=1
checkprivate optout.optout.example 10.53.0.3 || ret=1
checkprivate prepub.example 10.53.0.3 1 || ret=1 # expecting incomplete
checkprivate prepub.example 10.53.0.3 2 || ret=1 # pre-signed
checkprivate rsasha256.example 10.53.0.3 || ret=1
checkprivate rsasha512.example 10.53.0.3 || ret=1
checkprivate secure.example 10.53.0.3 || ret=1
@ -1032,14 +926,17 @@ status=$((status + ret))
echo_i "forcing full sign ($n)"
ret=0
($RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
($RNDCCMD 10.53.0.1 freeze . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
cp ns1/root.db.signed ns1/root.db.2
$SIGNER -S -o . -O full -K ns1 -f ns1/root.db.signed ns1/root.db > signing.root.out$n 2>&1 || ret=1
($RNDCCMD 10.53.0.1 thaw . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
echo_i "waiting for change to take effect"
sleep 5
echo_i "checking former standby key has now signed fully ($n)"
echo_i "checking former standby key $newid has now signed fully ($n)"
ret=0
$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
@ -1055,6 +952,11 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "preparing to test key change corner cases"
echo_i "removing a private key file"
file="ns1/$(cat vanishing.key).private"
rm -f $file
echo_i "checking delayed key publication/activation ($n)"
ret=0
zsk=$(cat delayzsk.key)
@ -1075,30 +977,32 @@ echo_i "checking scheduled key publication, not activation ($n)"
ret=0
# Ensure initial zone is loaded.
wait_for_notifies "delay.example" "ns3" || ret=1
$SETTIME -K ns3 -P now+3s -A none $zsk > settime.out.test$n.zsk || ret=1
$SETTIME -K ns3 -P now+3s -A none $ksk > settime.out.test$n.ksk || ret=1
($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
echo_i "waiting for changes to take effect"
sleep 3
wait_for_notifies "delay.example" "ns3" || ret=1
$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
# DNSKEY expected:
awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || ret=1
# RRSIG not expected:
awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
$SETTIME -K ns3 -P now -A none $zsk > settime.out.test$n.zsk || ret=1
$SETTIME -K ns3 -P now -A none $ksk > settime.out.test$n.ksk || ret=1
cp ns3/delay.example.db ns3/delay.example.1
# This will create a non valid DNSSEC zone, disable post-sign verification
$SIGNER -P -S -o delay.example. -O full -N increment -K ns3 -f ns3/delay.example.db ns3/delay.example.1 > signing.delay.out.$n 2>&1 || ret=1
($RNDCCMD 10.53.0.3 reload delay.example | sed 's/^/ns3 /' | cat_i) || ret=1
check_has_dnskey() {
$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || return 1
# DNSKEY expected:
awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || return 1
# RRSIG not expected:
awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.test$n && return 1
return 0
}
retry_quiet 5 check_has_dnskey || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking scheduled key activation ($n)"
ret=0
$SETTIME -K ns3 -A now+3s $zsk > settime.out.test$n.zsk || ret=1
$SETTIME -K ns3 -A now+3s $ksk > settime.out.test$n.ksk || ret=1
($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
echo_i "waiting for changes to take effect"
sleep 3
wait_for_log_re 10 "add delay\.example\..*NSEC.a\.delay\.example\. NS SOA RRSIG NSEC DNSKEY" ns3/named.run
$SETTIME -K ns3 -A now $zsk > settime.out.test$n.zsk || ret=1
$SETTIME -K ns3 -A now $ksk > settime.out.test$n.ksk || ret=1
cp ns3/delay.example.db ns3/delay.example.2
$SIGNER -S -o delay.example. -O full -N increment -K ns3 -f ns3/delay.example.db ns3/delay.example.2 > signing.delay.out.$n 2>&1 || ret=1
($RNDCCMD 10.53.0.3 reload delay.example | sed 's/^/ns3 /' | cat_i) || ret=1
check_is_signed() {
$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.1.test$n || return 1
# DNSKEY expected:
@ -1126,19 +1030,24 @@ now=$($PERL -e 'print time(), "\n";')
sleep=$((starttime + 29 - now))
case $sleep in
-*|0);;
*) echo_i "waiting for timer to have activated"; sleep $sleep;;
*) echo_i "waiting $sleep seconds for timer to have activated"; sleep $sleep;;
esac
ret=0
($RNDCCMD 10.53.0.1 freeze . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
cp ns1/root.db.signed ns1/root.db.3
$SIGNER -v 3 -S -o . -O full -K ns1 -f ns1/root.db.signed ns1/root.db.3 > signing.root.out$n 2>&1 || ret=1
($RNDCCMD 10.53.0.1 thaw . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking private key file removal caused no immediate harm ($n)"
id=$(keyfile_to_key_id "$(cat vanishing.key)")
echo_i "checking private key file $id removal caused no immediate harm ($n)"
ret=0
id=$(keyfile_to_key_id "$(cat vanishing.key)")
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS soa . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -1168,52 +1077,6 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# this confirms that key events are never scheduled more than
# 'dnssec-loadkeys-interval' minutes in the future, and that the
# event scheduled is within 10 seconds of expected interval.
check_interval () {
awk '/next key event/ {print $2 ":" $9}' $1/named.run |
sed -e 's/\.//g' -e 's/:0\{1,4\}/:/g' |
awk -F: '
{
x = ($6+ $5*60000 + $4*3600000) - ($3+ $2*60000 + $1*3600000);
# abs(x) < 1000 ms treat as 'now'
if (x < 1000 && x > -1000)
x = 0;
# convert to seconds
x = x/1000;
# handle end of day roll over
if (x < 0)
x = x + 24*3600;
# handle log timestamp being a few milliseconds later
if (x != int(x))
x = int(x + 1);
if (int(x) > int(interval))
exit (1);
}
END { if (int(x) > int(interval) || int(x) < int(interval-10)) exit(1) }' interval=$2 || return $?
return 0
}
echo_i "checking automatic key reloading interval ($n)"
ret=0
check_interval ns1 3600 || ret=1
check_interval ns2 1800 || ret=1
check_interval ns3 600 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking for key reloading loops ($n)"
ret=0
# every key event should schedule a successor, so these should be equal
rekey_calls=$(grep "reconfiguring zone keys" ns*/named.run | wc -l)
rekey_events=$(grep "next key event" ns*/named.run | wc -l)
[ "$rekey_calls" = "$rekey_events" ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "forcing full sign with unreadable keys ($n)"
ret=0
chmod 0 ns1/K.+*+*.key ns1/K.+*+*.private || ret=1
@ -1224,14 +1087,14 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "test turning on auto-dnssec during reconfig ($n)"
echo_i "test turning on dnssec-policy during reconfig ($n)"
ret=0
# first create a zone that doesn't have auto-dnssec
# first create a zone that doesn't have dnssec-policy
($RNDCCMD 10.53.0.3 addzone reconf.example '{ type primary; file "reconf.example.db"; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l)
[ "$rekey_calls" -eq 0 ] || ret=1
# ...then we add auto-dnssec and reconfigure
($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
# ...then we add dnssec-policy and reconfigure
($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; dnssec-policy default; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
rndc_reconfig ns3 10.53.0.3
for i in 0 1 2 3 4 5 6 7 8 9; do
lret=0
@ -1256,7 +1119,7 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "test 'dnssec-dnskey-kskonly no' affects DNSKEY/CDS/CDNSKEY ($n)"
echo_i "test 'csk' affects DNSKEY/CDS/CDNSKEY ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 sync.example dnskey > dig.out.ns3.dnskeytest$n
$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
@ -1271,7 +1134,7 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "test 'dnssec-dnskey-kskonly yes' affects DNSKEY/CDS/CDNSKEY ($n)"
echo_i "test 'ksk' affects DNSKEY/CDS/CDNSKEY ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey > dig.out.ns3.dnskeytest$n
$DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey > dig.out.ns3.cdnskeytest$n
@ -1286,22 +1149,24 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'"
$SETTIME -D sync now $(cat sync.key) > settime.out.test$n || ret=1
($RNDCCMD 10.53.0.3 loadkeys sync.example | sed 's/^/ns3 /' | cat_i) || ret=1
echo_i "checking that the CDS and CDNSKEY are deleted ($n)"
ret=0
ensure_cds_and_cdnskey_are_deleted() {
$DIG $DIGOPTS @10.53.0.3 sync.example. CDS > dig.out.ns3.cdstest$n || return 1
awk '$1 == "sync.example." && $4 == "CDS" { exit 1; }' dig.out.ns3.cdstest$n || return 1
$DIG $DIGOPTS @10.53.0.3 sync.example. CDNSKEY > dig.out.ns3.cdnskeytest$n || return 1
awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1
}
retry 10 ensure_cds_and_cdnskey_are_deleted || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# XXXWMM Replace this test with dnssec-policy equivalent once we have
# implemented 'cdnskey "only-during-rollovers";'.
#echo_i "setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'"
#$SETTIME -D sync now $(cat sync.key) > settime.out.test$n || ret=1
#($RNDCCMD 10.53.0.3 loadkeys sync.example | sed 's/^/ns3 /' | cat_i) || ret=1
#
#echo_i "checking that the CDS and CDNSKEY are deleted ($n)"
#ret=0
#ensure_cds_and_cdnskey_are_deleted() {
# $DIG $DIGOPTS @10.53.0.3 sync.example. CDS > dig.out.ns3.cdstest$n || return 1
# awk '$1 == "sync.example." && $4 == "CDS" { exit 1; }' dig.out.ns3.cdstest$n || return 1
# $DIG $DIGOPTS @10.53.0.3 sync.example. CDNSKEY > dig.out.ns3.cdnskeytest$n || return 1
# awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1
#}
#retry 10 ensure_cds_and_cdnskey_are_deleted || ret=1
#n=$((n + 1))
#if [ $ret != 0 ]; then echo_i "failed"; fi
#status=$((status + ret))
echo_i "check that dnssec-settime -p Dsync works ($n)"
ret=0
@ -1319,24 +1184,6 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that zone with inactive KSK and active ZSK is properly autosigned ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n
zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
$DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' )
pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
$DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' )
pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${kskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n
@ -1345,101 +1192,27 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
#
# Check that DNSKEY is now signed with the ZSK.
#
echo_i "check that zone with active and inactive KSK and active ZSK is properly"
echo_ic "resigned after the active KSK is deleted - stage 2: Verify that DNSKEY"
echo_ic "is now signed with the ZSK. ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
$DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' )
pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
count=$(awk 'BEGIN { count = 0 }
$4 == "RRSIG" && $5 == "DNSKEY" { count++ }
END {print count}' dig.out.ns3.test$n)
test $count -eq 1 || ret=1
count=$(awk 'BEGIN { count = 0 }
$4 == "DNSKEY" { count++ }
END {print count}' dig.out.ns3.test$n)
test $count -eq 2 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
#
# Check that zone is now signed with the KSK.
#
echo_i "check that zone with active and inactive ZSK and active KSK is properly"
echo_ic "resigned after the active ZSK is deleted - stage 2: Verify that zone"
echo_ic "is now signed with the KSK. ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
$DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' )
grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
count=$(awk 'BEGIN { count = 0 }
$4 == "RRSIG" && $5 == "CNAME" { count++ }
END {print count}' dig.out.ns3.test$n)
test $count -eq 1 || ret=1
count=$(awk 'BEGIN { count = 0 }
$4 == "DNSKEY" { count++ }
END {print count}' dig.out.ns3.test$n)
test $count -eq 2 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking for out-of-zone NSEC3 records after ZSK removal ($n)"
ret=0
# Switch the zone over to NSEC3 and wait until the transition is complete.
$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 12345678 delzsk.example. > signing.out.1.test$n 2>&1 || ret=1
for i in 0 1 2 3 4 5 6 7 8 9; do
_ret=1
$DIG $DIGOPTS delzsk.example NSEC3PARAM @10.53.0.3 > dig.out.ns3.1.test$n 2>&1 || ret=1
{ grep "NSEC3PARAM.*12345678" dig.out.ns3.1.test$n > /dev/null 2>&1; rc=$?; } || true
if [ $rc -eq 0 ]; then
$RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.2.test$n 2>&1
{ grep "Creating NSEC3 chain " signing.out.2.test$n > /dev/null 2>&1; rc=$?; } || true
if [ $rc -ne 0 ]; then
_ret=0
break
fi
fi
sleep 1
done
if [ $_ret -ne 0 ]; then
echo_i "timed out waiting for NSEC3 chain creation"
ret=1
fi
# Mark the inactive ZSK as pending removal.
file="ns3/$(cat delzsk.key).key"
$SETTIME -D now-1h $file > settime.out.test$n || ret=1
# Trigger removal of the inactive ZSK and wait until its completion.
($RNDCCMD 10.53.0.3 loadkeys delzsk.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
for i in 0 1 2 3 4 5 6 7 8 9; do
_ret=1
$RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.3.test$n 2>&1
{ grep "Signing " signing.out.3.test$n > /dev/null 2>&1; rc=$?; } || true
if [ $rc -ne 0 ]; then
if [ $(grep "Done signing " signing.out.3.test$n | wc -l) -eq 2 ]; then
_ret=0
break
fi
fi
sleep 1
done
if [ $_ret -ne 0 ]; then
# Delete the ZSK
file="ns3/inactive/$(cat delzsk.key).key"
$NSUPDATE > nsupdate.out.test$n 2>&1 <<END
server 10.53.0.3 ${PORT}
zone delzsk.example.
update del $(cat $file | grep -v ";.*")
send
END
zsk_is_gone() {
$DIG $DIGOPTS +noall +multi +answer dnskey delzsk.example. @10.53.0.3 > dig.out.ns3.test$n || return 1
grep '; key id = '"$oldid"'$' dig.out.ns3.test$n > /dev/null && return 1
return 0
}
retry_quiet 5 zsk_is_gone || ret=1
if [ $ret -ne 0 ]; then
echo_i "timed out waiting for key removal"
ret=1
fi
# Check whether key removal caused NSEC3 records to be erroneously created for
# glue records due to a secure delegation already being signed by the active key
# (i.e. a key other than the one being removed but using the same algorithm).
@ -1455,7 +1228,7 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)"
echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-policy) ($n)"
ret=0
$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n > /dev/null || ret=1
@ -1475,111 +1248,54 @@ status=$((status + ret))
echo_i "checking key maintenance events were logged correctly ($n)"
ret=0
pub=$(grep "DNSKEY .* is now published" ns1/named.run | wc -l)
[ "$pub" -eq 6 ] || ret=1
act=$(grep "DNSKEY .* is now active" ns1/named.run | wc -l)
[ "$act" -eq 5 ] || ret=1
rev=$(grep "DNSKEY .* is now revoked" ns1/named.run | wc -l)
[ "$rev" -eq 1 ] || ret=1
inac=$(grep "DNSKEY .* is now inactive" ns1/named.run | wc -l)
[ "$inac" -eq 1 ] || ret=1
del=$(grep "DNSKEY .* is now deleted" ns1/named.run | wc -l)
[ "$del" -eq 1 ] || ret=1
pub=$(grep "DNSKEY .* is now published" ns2/named.run | grep -v "CDNSKEY" | wc -l)
[ "$pub" -eq 10 ] || ret=1
act=$(grep "DNSKEY .* is now active" ns2/named.run | wc -l)
[ "$act" -eq 10 ] || ret=1
rev=$(grep "DNSKEY .* is now revoked" ns2/named.run | wc -l)
[ "$rev" -eq 0 ] || ret=1
inac=$(grep "DNSKEY .* is now inactive" ns2/named.run | wc -l)
[ "$inac" -eq 0 ] || ret=1
del=$(grep "DNSKEY .* is now deleted" ns2/named.run | wc -l)
[ "$del" -eq 0 ] || ret=1
pub=$(grep "DNSKEY .* is now published" ns3/named.run | grep -v "CDNSKEY" | wc -l)
act=$(grep "DNSKEY .* is now active" ns3/named.run | wc -l)
if $SHELL ../testcrypto.sh -q RSASHA1
then
# Include two log lines for nsec-only zone.
[ "$pub" -eq 53 ] || ret=1
[ "$act" -eq 53 ] || ret=1
else
[ "$pub" -eq 51 ] || ret=1
[ "$act" -eq 51 ] || ret=1
fi
rev=$(grep "DNSKEY .* is now revoked" ns3/named.run | wc -l)
[ "$rev" -eq 0 ] || ret=1
inac=$(grep "DNSKEY .* is now inactive" ns3/named.run | wc -l)
[ "$inac" -eq 0 ] || ret=1
del=$(grep "DNSKEY .* is now deleted" ns3/named.run | wc -l)
[ "$del" -eq 3 ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking that CDS (DELETE) persists after zone sign ($n)"
echo_i "update add cds-delete.example. CDS 0 0 00"
ret=0
$NSUPDATE > nsupdate.out 2>&1 <<END
server 10.53.0.3 ${PORT}
zone cds-delete.example.
update add cds-delete.example. 3600 CDS 0 0 0 00
send
END
_cds_delete() (
$DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 > dig.out.ns3.test$n || return 1
grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 || return 1
return 0
)
_cdnskey_delete_nx() {
$DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1
grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 && return 1
return 0
}
echo_i "query cds-delete.example. CDS"
retry_quiet 10 _cds_delete cds-delete.example. || ret=1
echo_i "query cds-delete.example. CDNSKEY"
retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1
echo_i "sign cds-delete.example."
nextpart ns3/named.run >/dev/null
$RNDCCMD 10.53.0.3 sign cds-delete.example > /dev/null 2>&1 || ret=1
wait_for_log 10 "zone cds-delete.example/IN: next key event" ns3/named.run
# The CDS (DELETE) record should still be here.
echo_i "query cds-delete.example. CDS"
retry_quiet 1 _cds_delete cds-delete.example. || ret=1
# The CDNSKEY (DELETE) record should still not be added.
echo_i "query cds-delete.example. CDNSKEY"
retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking that CDNSKEY (DELETE) persists after zone sign ($n)"
echo_i "update add cdnskey-delete.example. CDNSKEY 0 3 0 AA=="
ret=0
$NSUPDATE > nsupdate.out 2>&1 <<END
server 10.53.0.3 ${PORT}
zone cdnskey-delete.example.
update add cdnskey-delete.example. 3600 CDNSKEY 0 3 0 AA==
send
END
_cds_delete_nx() (
$DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 > dig.out.ns3.test$n || return 1
grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 && return 1
return 0
)
_cdnskey_delete() {
$DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1
grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 || return 1
return 0
}
echo_i "query cdnskey-delete.example. CDNSKEY"
retry_quiet 10 _cdnskey_delete cdnskey-delete.example. || ret=1
echo_i "query cdnskey-delete.example. CDS"
retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1
echo_i "sign cdsnskey-delete.example."
nextpart ns3/named.run >/dev/null
$RNDCCMD 10.53.0.3 sign cdnskey-delete.example > /dev/null 2>&1 || ret=1
wait_for_log 10 "zone cdnskey-delete.example/IN: next key event" ns3/named.run
# The CDNSKEY (DELETE) record should still be here.
echo_i "query cdnskey-delete.example. CDNSKEY"
retry_quiet 1 _cdnskey_delete cdnskey-delete.example. || ret=1
# The CDS (DELETE) record should still not be added.
echo_i "query cdnskey-delete.example. CDS"
retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check removal of ENT NSEC3 records when opt out delegations are removed ($n)"
ret=0
echo_i "check removal of ENT NSEC3 records when opt out delegations are removed"
zone=optout-with-ent
hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL
# check that NSEC3 for ENT is present
echo_i "check ENT NSEC3 is initially present"
ret=0
$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n
grep "status: NOERROR" dig.out.pre.ns2.test$n >/dev/null || ret=1
grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n > /dev/null || ret=1
grep "^${hash}.${zone}." dig.out.pre.ns2.test$n > /dev/null || ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check ENT NSEC3 is still present after removing one of two delegations ($n)"
ret=0
# remove first delegation of two delegations, NSEC3 for ENT should remain.
(
echo zone $zone
@ -1593,6 +1309,12 @@ $DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.mid.ns2.test$n
grep "status: NOERROR" dig.out.mid.ns2.test$n >/dev/null || ret=1
grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n > /dev/null || ret=1
grep "^${hash}.${zone}." dig.out.mid.ns2.test$n > /dev/null || ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check ENT NSEC3 is gone after removing the second delegation ($n)"
ret=0
# remove second delegation of two delegations, NSEC3 for ENT should be deleted.
(
echo zone $zone
@ -1600,7 +1322,8 @@ echo server 10.53.0.2 "$PORT"
echo update del sub2.ent.$zone NS
echo send
) | $NSUPDATE
# check that NSEC3 for ENT is gone present
# check that NSEC3 for ENT is gone
echo_i "check ENT NSEC3 is gone for zone $zone hash $hash"
$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.post.ns2.test$n
grep "status: NXDOMAIN" dig.out.post.ns2.test$n >/dev/null || ret=1
grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n > /dev/null || ret=1


@ -15,8 +15,6 @@ zone not-inline {
type secondary;
primaries { 127.0.0.1; };
inline-signing no;
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
dnssec-loadkeys-interval 10;
};
@ -25,7 +23,5 @@ zone inline {
type secondary;
primaries { 127.0.0.1; };
inline-signing yes;
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
dnssec-loadkeys-interval 10;
};


@ -1,24 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
include "good-kasp.conf";
// Bad zone configuration because this has dnssec-policy and other DNSSEC sign
// configuration options (auto-dnssec).
zone "example.net" {
type primary;
file "example.db";
dnssec-policy "test";
auto-dnssec maintain;
allow-update { any; };
};


@ -14,6 +14,6 @@
zone example {
type primary;
file "example.db";
auto-dnssec maintain;
dnssec-policy default;
allow-update { none; };
};
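Review bot: `dnssec-policy default;` combined with `allow-update { none; };` and no `inline-signing yes;` describes a zone that named-checkconf may accept but that named, as far as I recall, will not sign: at runtime a zone whose update ACL is `none` is not treated as dynamic, so the policy has neither a dynamic-update path nor an inline-signing path through which to write signatures. If this fixture is meant to be a warning-free, working example, add `inline-signing yes;` next to the policy; if it only exists to exercise the parser, a one-line comment saying so (`// parser fixture only; not a working signing setup`) would stop it being copied as a template. Note that the checkconf test that previously consumed the dnssec.* fixtures is removed elsewhere in this merge, so confirm this file is still referenced.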


@ -1,16 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
sig-validity-interval 5000;
};


@ -1,27 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
view view1 {
match-clients { any; };
dnssec-validation yes;
};
view view2 {
match-clients { none; };
dnssec-validation auto;
};
view view3 {
match-clients { none; };
auto-dnssec maintain;
};


@ -1,34 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
view view1 {
match-clients { any; };
};
view view2 {
match-clients { none; };
};
view view3 {
match-clients { none; };
dnssec-validation auto;
};
view view4 {
match-clients { none; };
};
view view5 {
match-clients { none; };
auto-dnssec off;
};


@ -1,18 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
zone "test" {
type primary;
file "test.db";
auto-dnssec maintain;
};


@ -1,16 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
dnskey-sig-validity 0; /* 0 is disabled */
};


@ -17,7 +17,7 @@ primaries "publicSecondaries" {127.0.0.1;};
zone "example.net" {
type secondary;
key-directory "/var/lib/bind/example.net";
auto-dnssec maintain;
dnssec-policy default;
inline-signing yes;
primaries { stealthPrimaries; };
notify explicit;


@ -18,7 +18,7 @@ zone "example.net" {
type secondary;
file "/var/cache/bind/example.net.db";
key-directory "/var/lib/bind/example.net";
auto-dnssec maintain;
dnssec-policy default;
inline-signing yes;
primaries { stealthPrimaries; };
notify explicit;


@ -17,7 +17,7 @@ primaries "publicSecondaries" {127.0.0.1;};
zone "example.net" {
type secondary;
key-directory "/var/lib/bind/example.net";
auto-dnssec maintain;
dnssec-policy default;
inline-signing no;
primaries { stealthPrimaries; };
notify explicit;


@ -17,11 +17,5 @@ zone "nsec3.net" {
type primary;
file "nsec3.db";
dnssec-policy "test";
auto-dnssec maintain;
dnskey-sig-validity 3600;
dnssec-dnskey-kskonly yes;
dnssec-update-mode maintain;
inline-signing no;
sig-validity-interval 3600;
update-check-ksk yes;
};


@ -142,23 +142,6 @@ warnings=$(grep "'notify' is disabled" < checkconf.out$n | wc -l)
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking named-checkconf dnssec warnings ($n)"
ret=0
# dnssec.1: auto-dnssec warning
$CHECKCONF dnssec.1 > checkconf.out$n.1 2>&1 && ret=1
grep 'auto-dnssec may only be ' < checkconf.out$n.1 > /dev/null || ret=1
# dnssec.2: should have no warnings (other than deprecation warning)
$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1 || ret=1
grep "option 'auto-dnssec' is deprecated" < checkconf.out$n.2 > /dev/null || ret=1
lines=$(wc -l < "checkconf.out$n.2")
if [ $lines != 1 ]; then ret=1; fi
# dnssec.3: should have specific deprecation warning
$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1 && ret=1
grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" < checkconf.out$n.3 > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking named-checkconf deprecate warnings ($n)"
ret=0
@ -235,15 +218,9 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking options allowed in inline-signing secondaries ($n)"
ret=0
$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1 && ret=1
l=$(grep "dnssec-dnskey-kskonly.*requires inline" < checkconf.out$n.1 | wc -l)
[ $l -eq 1 ] || ret=1
$CHECKCONF bad-dnssec.conf > checkconf.out$n.2 2>&1 && ret=1
l=$(grep "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2 | wc -l)
[ $l -eq 1 ] || ret=1
$CHECKCONF bad-dnssec.conf > checkconf.out$n.3 2>&1 && ret=1
l=$(grep "update-check-ksk.*requires inline" < checkconf.out$n.3 | wc -l)
[ $l -eq 1 ] || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -507,12 +484,6 @@ echo_i "checking named-checkconf kasp errors ($n)"
ret=0
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1
grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
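Review bot: The removed `auto-dnssec` checks (dnssec.1 through dnssec.3) are not replaced by a negative test that the retired options are now refused, so a regression that silently re-accepts `auto-dnssec maintain;`, `sig-validity-interval`, `dnskey-sig-validity`, `dnssec-dnskey-kskonly`, `dnssec-update-mode` or `update-check-ksk` would still pass this suite. Consider one fixture per removed option (or one fixture with all six) and an assertion such as `$CHECKCONF obsolete-auto-dnssec.conf > checkconf.out$n 2>&1 && ret=1` followed by a grep for the wording the parser emits for options that no longer exist (that message lives outside this hunk, so confirm the exact text). In the "options allowed in inline-signing secondaries" hunk the surviving invocation still writes `checkconf.out$n.2` although it is now the only run; renaming it to `checkconf.out$n` would avoid the impression that `.1` and `.3` were lost by accident.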


@ -42,7 +42,6 @@ export LANG=C
PARALLEL_COMMON="
rpzrecurse
serve-stale
dupsigs
acl
additional
addzone


@ -109,7 +109,6 @@ enginepkcs11
filter-aaaa
kasp
keyfromlabel
keymgr2kasp
legacy
logfileconfig
multisigner


@ -96,7 +96,6 @@ else:
PORTS_PER_TEST = 20
PRIORITY_TESTS = [
# Tests that are scheduled first. Speeds up parallel execution.
"dupsigs/",
"rpz/",
"rpzrecurse/",
"serve-stale/",


@ -13,7 +13,7 @@
set -e
rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/signedkey-* ./*/*.signed
rm -f ./K* ./*/K* ./*/keyset-* ./*/dsset-* ./*/signedkey-* ./*/*.signed
rm -f ./*/example.bk
rm -f ./*/named.conf
rm -f ./*/named.memstats
@ -31,7 +31,6 @@ rm -f ./dnssectools.out*
rm -f ./dsfromkey.out.*
rm -f ./keygen.err
rm -f ./named.secroots.test*
rm -f ./nosign.before
rm -f ./ns*/*.nta
rm -f ./ns*/managed-keys.bind ./ns*/managed-keys.bind.jnl ./ns*/*.mkeys*
rm -f ./ns*/named.lock
@ -40,18 +39,17 @@ rm -f ./ns1/root.db ./ns2/example.db ./ns2/managed.db ./ns2/trusted.db
rm -f ./ns1/trusted.keys
rm -f ./ns2/algroll.db
rm -f ./ns2/badparam.db ./ns2/badparam.db.bad
rm -f ./ns2/cdnskey-kskonly.secure.db
rm -f ./ns2/cdnskey-kskonly.secure.id
rm -f ./ns2/cdnskey-update.secure.db
rm -f ./ns2/cdnskey-update.secure.id
rm -f ./ns2/cdnskey-x.secure.db
rm -f ./ns2/cdnskey.secure.db
rm -f ./ns2/cds-auto.secure.db ./ns2/cds-auto.secure.db.jnl
rm -f ./ns2/cds-kskonly.secure.db
rm -f ./ns2/cds-kskonly.secure.id
rm -f ./ns2/cds-update.secure.db ./ns2/cds-update.secure.db.jnl
rm -f ./ns2/cds-update.secure.id
rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db
rm -f ./ns2/in-addr.arpa.db
rm -f ./ns2/nsec3chain-test.db
rm -f ./ns2/settime.out.*
rm -f ./ns2/single-nsec3.db
rm -f ./ns2/too-many-iterations.db
rm -f ./ns2/updatecheck-kskonly.secure.*
@ -69,7 +67,7 @@ rm -f ./ns3/dnskey-unsupported.example.db
rm -f ./ns3/dnskey-unsupported.example.db.tmp
rm -f ./ns3/dynamic.example.db ./ns3/dynamic.example.db.signed.jnl
rm -f ./ns3/expired.example.db ./ns3/update-nsec3.example.db
rm -f ./ns3/expiring.example.db ./ns3/nosign.example.db
rm -f ./ns3/expiring.example.db
rm -f ./ns3/future.example.db ./ns3/trusted-future.key
rm -f ./ns3/inline.example.db.signed
rm -f ./ns3/kskonly.example.db
@ -82,7 +80,6 @@ rm -f ./ns3/occluded.example.db
rm -f ./ns3/optout-unknown.example.db ./ns3/optout.example.db
rm -f ./ns3/optout.nsec3.example.db
rm -f ./ns3/optout.optout.example.db
rm -f ./ns3/publish-inactive.example.db
rm -f ./ns3/revkey.example.db
rm -f ./ns3/rsasha1-1024.example.tmp
rm -f ./ns3/rsasha1.example.tmp


@ -1,14 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 3600
@ SOA ns2.example. . 1 3600 1200 86400 1200
@ NS ns2.example.


@ -1,14 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 3600
@ SOA ns2.example. . 1 3600 1200 86400 1200
@ NS ns2.example.


@ -37,6 +37,35 @@ controls {
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
dnssec-policy "dnssec" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "kskonly" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
signatures-validity 10d;
signatures-validity-dnskey 40d;
};
dnssec-policy "not-enough-hours-in-day" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
/* validity 500 days, resign in 449 days */
signatures-validity-dnskey 500d;
signatures-validity 500d;
signatures-refresh 449d;
};
zone "." {
type hint;
file "../../common/root.hint";
@ -119,23 +148,14 @@ zone "cds-x.secure" {
zone "cds-update.secure" {
type primary;
dnssec-dnskey-kskonly no;
file "cds-update.secure.db.signed";
allow-update { any; };
};
zone "cds-kskonly.secure" {
type primary;
dnssec-dnskey-kskonly yes;
file "cds-kskonly.secure.db.signed";
allow-update { any; };
};
zone "cds-auto.secure" {
type primary;
dnssec-dnskey-kskonly no;
file "cds-auto.secure.db.signed";
auto-dnssec maintain;
dnssec-policy dnssec;
allow-update { any; };
};
@ -151,35 +171,21 @@ zone "cdnskey-x.secure" {
zone "cdnskey-update.secure" {
type primary;
dnssec-dnskey-kskonly no;
file "cdnskey-update.secure.db.signed";
allow-update { any; };
};
zone "cdnskey-kskonly.secure" {
type primary;
dnssec-dnskey-kskonly yes;
file "cdnskey-kskonly.secure.db.signed";
allow-update { any; };
};
zone "cdnskey-auto.secure" {
type primary;
dnssec-dnskey-kskonly no;
file "cdnskey-auto.secure.db.signed";
auto-dnssec maintain;
dnssec-policy dnssec;
allow-update { any; };
};
zone "updatecheck-kskonly.secure" {
type primary;
auto-dnssec maintain;
key-directory ".";
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
sig-validity-interval 10;
dnskey-sig-validity 40;
file "updatecheck-kskonly.secure.db.signed";
dnssec-policy kskonly;
allow-update { any; };
};
@ -191,9 +197,7 @@ zone "corp" {
zone "hours-vs-days" {
type primary;
file "hours-vs-days.db.signed";
auto-dnssec maintain;
/* validity 500 days, resign in 499 days */
sig-validity-interval 500 499;
dnssec-policy not-enough-hours-in-day;
allow-update { any; };
};
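Review bot: The comment on the new `not-enough-hours-in-day` policy, `/* validity 500 days, resign in 449 days */`, misstates what `signatures-refresh` means: it is the remaining validity at which a signature is regenerated, so `signatures-refresh 449d` re-signs roughly 51 days after signing, not 449 days later, and that is also a different schedule from the `sig-validity-interval 500 499` it replaces. The unusual value 449 is presumably chosen to stay under named-checkconf's rule that refresh be less than 90% of validity (450d here), and that reason should be written down so nobody "rounds" it to 499. Suggest `/* validity 500 days; re-sign when 449 days remain (refresh must stay below 90% of validity) */`. The `kskonly` policy has the same dependency on the default 5-day refresh against its 10-day `signatures-validity`; a one-line note there would help too.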


@ -233,15 +233,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
zone=cds-kskonly.secure
infile=cds-kskonly.secure.db.in
zonefile=cds-kskonly.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
keyfile_to_key_id "$key1" > cds-kskonly.secure.id
keyfile_to_key_id "$key1" > cds-update.secure.id
zone=cds-auto.secure
infile=cds-auto.secure.db.in
@ -277,15 +269,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
zone=cdnskey-kskonly.secure
infile=cdnskey-kskonly.secure.db.in
zonefile=cdnskey-kskonly.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id
keyfile_to_key_id "$key1" > cdnskey-update.secure.id
zone=cdnskey-auto.secure
infile=cdnskey-auto.secure.db.in
@ -305,11 +289,11 @@ keyfile_to_key_id "$key1" > $zone.ksk.id
keyfile_to_key_id "$key2" > $zone.zsk.id
echo "${key1}" > $zone.ksk.key
echo "${key2}" > $zone.zsk.key
# Add CDS and CDNSKEY records
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey"
"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile"
# Don't sign, let auto-dnssec maintain do it.
# Make sure dnssec-policy adds CDS and CDNSKEY records
$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -r OMNIPRESENT now -d RUMOURED now $key1 > settime.out.$zone.ksk 2>&1
$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -z OMNIPRESENT now $key2 > settime.out.$zone.zsk 2>&1
# Don't sign, let dnssec-policy maintain do it.
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
mv $zonefile "$zonefile.signed"
zone=hours-vs-days
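Review bot: The two `$SETTIME -s ...` invocations added for `updatecheck-kskonly.secure` redirect all output to `settime.out.$zone.{ksk,zsk}` and discard the exit status, so a failure to write the key `.state` file (a mistyped state name, for instance) is invisible here and only surfaces later as a confusing key-state or CDS assertion failure in tests.sh. Unless setup.sh runs under `set -e` (its preamble is outside this hunk), append a check, e.g. `$SETTIME ... > settime.out.$zone.ksk 2>&1 || exit 1` on both lines. The preceding comment says the policy is expected to add the CDS/CDNSKEY records, so it would also help to state which state setting drives that (the `-d RUMOURED` on the KSK appears to be the trigger; confirm against keymgr) so the next person does not treat those flags as arbitrary.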


@ -37,6 +37,42 @@ controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
dnssec-policy "dnssec" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "nsec3" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
nsec3param iterations 0 optout no salt-length 0;
};
dnssec-policy "autonsec" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
ksk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
};
};
dnssec-policy "autonsec3" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
ksk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
};
nsec3param iterations 0 optout no salt-length 0;
};
zone "." {
type hint;
file "../../common/root.hint";
@ -209,21 +245,21 @@ zone "expired.example" {
zone "update-nsec3.example" {
type primary;
auto-dnssec maintain;
dnssec-policy nsec3;
allow-update { any; };
file "update-nsec3.example.db.signed";
};
zone "auto-nsec.example" {
type primary;
auto-dnssec maintain;
dnssec-policy autonsec;
allow-update { !0.0.0.0; };
file "auto-nsec.example.db.signed";
};
zone "auto-nsec3.example" {
type primary;
auto-dnssec maintain;
dnssec-policy autonsec3;
allow-update { !0.0.0.0; };
file "auto-nsec3.example.db.signed";
};
@ -265,13 +301,6 @@ zone "expiring.example" {
file "expiring.example.db.signed";
};
zone "nosign.example" {
type primary;
allow-update { any; };
dnssec-update-mode no-resign;
file "nosign.example.db.signed";
};
zone "upper.example" {
type primary;
file "upper.example.db.signed";
@ -286,15 +315,7 @@ zone "inline.example" {
type primary;
file "inline.example.db";
inline-signing yes;
auto-dnssec maintain;
};
zone "publish-inactive.example" {
type primary;
file "publish-inactive.example.db";
auto-dnssec maintain;
dnssec-dnskey-kskonly no;
update-policy local;
dnssec-policy dnssec;
};
zone "future.example" {
@ -389,6 +410,28 @@ zone "rsasha1-1024.example" {
file "rsasha1-1024.example.db";
};
dnssec-policy "siginterval1" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
signatures-validity 1d;
signatures-refresh 21h;
signatures-validity-dnskey 90d;
};
dnssec-policy "siginterval2" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
signatures-validity 35d;
signatures-refresh 28d;
signatures-validity-dnskey 90d;
};
include "siginterval.conf";
include "trusted.conf";
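Review bot: Dropping the `nosign.example` zone also removes the only target of the "updates fail with no private key" check in tests.sh, which verified that a dynamic update to a signed zone is refused when named cannot produce signatures for it; that behaviour is not specific to the retired `dnssec-update-mode`, so its loss is a coverage regression rather than dead code. Consider keeping one statically signed zone with `allow-update { any; };` and no `dnssec-policy` (the existing `dynamic.example` zone may already fit, its definition is outside this hunk) and re-pointing that test at it. Separately, `signatures-refresh 21h` in `siginterval1` replaces the old `sig-validity-interval 1 23`; a comment such as `// 23h would exceed the 90%-of-validity limit named-checkconf enforces` would stop a future reader from "restoring" 23h.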


@ -14,8 +14,6 @@
zone "siginterval.example" {
type primary;
allow-update { any; };
sig-validity-interval 1 23;
dnskey-sig-validity 90;
auto-dnssec maintain;
dnssec-policy siginterval1;
file "siginterval.example.db";
};


@ -14,8 +14,6 @@
zone "siginterval.example" {
type primary;
allow-update { any; };
sig-validity-interval 35 28;
dnskey-sig-validity 90;
auto-dnssec maintain;
dnssec-policy siginterval2;
file "siginterval.example.db";
};


@ -419,7 +419,7 @@ cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
#
# A NSEC signed zone that will have auto-dnssec enabled and
# A NSEC signed zone that will have dnssec-policy enabled and
# extra keys not in the initial signed zone.
#
zone=auto-nsec.example.
@ -428,13 +428,13 @@ zonefile=auto-nsec.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
#
# A NSEC3 signed zone that will have auto-dnssec enabled and
# A NSEC3 signed zone that will have dnssec-policy enabled and
# extra keys not in the initial signed zone.
#
zone=auto-nsec3.example.
@ -443,8 +443,8 @@ zonefile=auto-nsec3.example.db
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
@ -545,23 +545,6 @@ zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone"
cp "$infile" "$zonefile"
"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null
#
# Zone with signatures about to expire, and dynamic, but configured
# not to resign with 'auto-resign no;'
#
zone="nosign.example."
infile="nosign.example.db.in"
zonefile="nosign.example.db"
signedfile="nosign.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null
# preserve a normalized copy of the NS RRSIG for comparison later
$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \
awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \
sed 's/[ ][ ]*/ /g'> ../nosign.before
#
# An inline signing zone
#
@ -570,21 +553,7 @@ kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone"
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
#
# publish a new key while deactivating another key at the same time.
#
zone=publish-inactive.example
infile=publish-inactive.example.db.in
zonefile=publish-inactive.example.db
now=$(date -u +%Y%m%d%H%M%S)
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null
#
# A zone which will change its sig-validity-interval
# A zone which will change its signatures-validity
#
zone=siginterval.example
infile=siginterval.example.db.in
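Review bot: The `kskname=`/`zskname=` assignments for auto-nsec.example (and again for auto-nsec3.example) are shown twice with no visible difference; the rendered page has dropped the +/- markers, so this is presumably the before/after of a single changed line rather than a real duplication. If both pairs do survive on the new side, the first pair's keys are generated, shadowed by the second assignment and left in ns3/, where the new `autonsec`/`autonsec3` policies would adopt them as additional keys and change the DNSKEY set the tests expect, so please confirm against the raw diff that only one pair remains. The keys for these zones are created by `$KEYGEN` alone, without a state file; if the policy is expected to infer initial states from the timing metadata, a one-line comment saying so would explain why no `$SETTIME -s` step is needed here while ns2/setup.sh has one.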


@ -2763,7 +2763,6 @@ status=$((status+ret))
echo_i "checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)"
ret=0
(
cd ns3 || exit 1
kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example)
(
echo zone update-nsec3.example
@ -2780,7 +2779,7 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)"
echo_i "checking that the NSEC record is properly generated when DNSKEY are added by dnssec-policy ($n)"
ret=0
dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
@ -2790,7 +2789,7 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)"
echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added by dnssec-policy ($n)"
ret=0
dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
@ -2842,121 +2841,6 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that 'rndc signing -nsec3param' without additional arguments is handled ($n)"
ret=0
rndccmd 10.53.0.3 signing -nsec3param > /dev/null 2>&1 && ret=1
rndccmd 10.53.0.3 status > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that 'rndc signing -nsec3param none' without zone is handled ($n)"
ret=0
rndccmd 10.53.0.3 signing -nsec3param none > /dev/null 2>&1 && ret=1
rndccmd 10.53.0.3 status > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)"
ret=0
rndccmd 10.53.0.3 signing -nsec3param 1 > /dev/null 2>&1 && ret=1
rndccmd 10.53.0.3 status > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)"
ret=0
rndccmd 10.53.0.3 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1
rndccmd 10.53.0.3 status > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)"
ret=0
rndccmd 10.53.0.3 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1
rndccmd 10.53.0.3 status > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)"
ret=0
rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1
rndccmd 10.53.0.3 status > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that 'rndc signing -nsec3param' works with salt ($n)"
ret=0
rndccmd 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1
rndccmd 10.53.0.3 status > /dev/null || ret=1
for i in 1 2 3 4 5 6 7 8 9 10 ; do
salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
if [ "$salt" = "FFFF" ]; then
break;
fi
echo_i "sleeping ...."
sleep 1
done;
[ "$salt" = "FFFF" ] || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that 'rndc signing -nsec3param' works without salt ($n)"
ret=0
rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1
rndccmd 10.53.0.3 status > /dev/null || ret=1
for i in 1 2 3 4 5 6 7 8 9 10 ; do
salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
if [ "$salt" = "-" ]; then
break;
fi
echo_i "sleeping ...."
sleep 1
done;
[ "$salt" = "-" ] || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)"
ret=0
rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
rndccmd 10.53.0.3 status > /dev/null || ret=1
for i in 1 2 3 4 5 6 7 8 9 10 ; do
salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
[ -n "$salt" ] && [ "$salt" != "-" ] && break
echo_i "sleeping ...."
sleep 1
done;
[ "$salt" != "-" ] || ret=1
[ "${#salt}" -eq 16 ] || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)"
ret=0
oldsalt=$salt
rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
rndccmd 10.53.0.3 status > /dev/null || ret=1
for i in 1 2 3 4 5 6 7 8 9 10 ; do
salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
[ -n "$salt" ] && [ "$salt" != "$oldsalt" ] && break
echo_i "sleeping ...."
sleep 1
done;
[ "$salt" != "$oldsalt" ] || ret=1
[ "${#salt}" -eq 16 ] || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check rndc signing -list output ($n)"
ret=0
{ rndccmd 10.53.0.3 signing -list dynamic.example > signing.out.dynamic.example; } 2>&1
@ -3085,48 +2969,6 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "testing new records are signed with 'no-resign' ($n)"
ret=0
(
echo zone nosign.example
echo server 10.53.0.3 "$PORT"
echo update add new.nosign.example 300 in txt "hi there"
echo send
) | $NSUPDATE
sleep 1
dig_with_answeropts +nottlid txt new.nosign.example @10.53.0.3 \
> dig.out.ns3.test$n 2>&1
grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "testing expiring records aren't resigned with 'no-resign' ($n)"
ret=0
dig_with_answeropts +nottlid nosign.example ns @10.53.0.3 | \
grep RRSIG | sed 's/[ ][ ]*/ /g' > dig.out.ns3.test$n 2>&1
# the NS RRSIG should not be changed
diff nosign.before dig.out.ns3.test$n > /dev/null|| ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "testing updates fail with no private key ($n)"
ret=0
rm -f ns3/Knosign.example.*.private
(
echo zone nosign.example
echo server 10.53.0.3 "$PORT"
echo update add fail.nosign.example 300 in txt "reject me"
echo send
) | $NSUPDATE > /dev/null 2>&1 && ret=1
dig_with_answeropts +nottlid fail.nosign.example txt @10.53.0.3 \
> dig.out.ns3.test$n 2>&1
[ -s dig.out.ns3.test$n ] && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "testing legacy upper case signer name validation ($n)"
ret=0
$DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa upper.example @10.53.0.4 \
@ -3398,26 +3240,7 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)"
ret=0
cnt=0
while :
do
dig_with_opts publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n
keys=$(awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l)
test "$keys" -gt 2 && break
cnt=$((cnt+1))
test "$cnt" -gt 120 && break
sleep 1
done
test "$keys" -gt 2 || ret=1
sigs=$(grep -c RRSIG dig.out.ns3.test$n || true)
n=$((n+1))
test "$sigs" -eq 2 || ret=1
if test "$ret" -ne 0 ; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check that increasing the sig-validity-interval resigning triggers re-signing ($n)"
echo_i "check that increasing the signatures-validity resigning triggers re-signing ($n)"
ret=0
before=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA)
cp ns3/siginterval2.conf ns3/siginterval.conf
@ -3434,7 +3257,7 @@ if test "$before" = "$after" ; then echo_i "failed"; ret=1; fi
status=$((status+ret))
if [ -x "$PYTHON" ]; then
echo_i "check dnskey-sig-validity sets longer expiry for DNSKEY ($n)"
echo_i "check signatures-validity-dnskey sets longer expiry for DNSKEY ($n)"
ret=0
rndccmd 10.53.0.3 sign siginterval.example 2>&1 | sed 's/^/ns3 /' | cat_i
# convert expiry date to a comma-separated list of integers python can
@ -3641,11 +3464,11 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that CDS records are signed using KSK by with dnssec-auto ($n)"
echo_i "check that CDS records are signed using KSK by with dnssec-policy ($n)"
ret=0
dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure > dig.out.test$n
lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
test "$lines" -eq 2 || ret=1
test "$lines" -eq 1 || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
@ -3668,8 +3491,9 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that CDS records are signed using KSK when added by nsupdate ($n)"
echo_i "check that CDS records are signed only using KSK when added by nsupdate ($n)"
ret=0
keyid=$(cat ns2/cds-update.secure.id)
(
echo zone cds-update.secure
echo server 10.53.0.2 "$PORT"
@ -3683,30 +3507,6 @@ echo send
) | $NSUPDATE
dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
test "$lines" -eq 2 || ret=1
lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
test "$lines" -eq 2 || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that CDS records are signed only using KSK when added by"
echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
ret=0
keyid=$(cat ns2/cds-kskonly.secure.id)
(
echo zone cds-kskonly.secure
echo server 10.53.0.2 "$PORT"
echo update delete cds-kskonly.secure CDS
echo send
dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure |
grep "DNSKEY.257" |
$DSFROMKEY -12 -C -f - -T 1 cds-kskonly.secure |
sed "s/^/update add /"
echo send
) | $NSUPDATE
dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n
lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
test "$lines" -eq 1 || ret=1
lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l)
test "$lines" -eq 1 || ret=1
@ -3716,18 +3516,17 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that CDS deletion records are signed only using KSK when added by"
echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
echo_i "check that CDS deletion records are signed only using KSK when added by nsupdate ($n)"
ret=0
keyid=$(cat ns2/cds-kskonly.secure.id)
keyid=$(cat ns2/cds-update.secure.id)
(
echo zone cds-kskonly.secure
echo zone cds-update.secure
echo server 10.53.0.2 "$PORT"
echo update delete cds-kskonly.secure CDS
echo update add cds-kskonly.secure 0 CDS 0 0 0 00
echo update delete cds-update.secure CDS
echo update add cds-update.secure 0 CDS 0 0 0 00
echo send
) | $NSUPDATE
dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n
dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
test "$lines" -eq 1 || ret=1
lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l)
@ -3771,7 +3570,7 @@ echo send
) | $NSUPDATE
dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
test "$lines" -eq 2 || ret=1
test "$lines" -eq 1 || ret=1
lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
test "$lines" -eq 4 || ret=1
n=$((n+1))
@ -3820,7 +3619,7 @@ echo_i "check that CDNSKEY records are signed using KSK by with dnssec-auto ($n)
ret=0
dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure > dig.out.test$n
lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
test "$lines" -eq 2 || ret=1
test "$lines" -eq 1 || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
@ -3892,8 +3691,9 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that CDNSKEY records are signed using KSK when added by nsupdate ($n)"
echo_i "check that CDNSKEY records are signed using KSK only when added by nsupdate ($n)"
ret=0
keyid=$(cat ns2/cdnskey-update.secure.id)
(
echo zone cdnskey-update.secure
echo server 10.53.0.2 "$PORT"
@ -3904,27 +3704,6 @@ echo send
) | $NSUPDATE
dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
test "$lines" -eq 2 || ret=1
lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
test "$lines" -eq 1 || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that CDNSKEY records are signed only using KSK when added by"
echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
ret=0
keyid=$(cat ns2/cdnskey-kskonly.secure.id)
(
echo zone cdnskey-kskonly.secure
echo server 10.53.0.2 "$PORT"
echo update delete cdnskey-kskonly.secure CDNSKEY
dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure |
sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
echo send
) | $NSUPDATE
dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n
lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
test "$lines" -eq 1 || ret=1
lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l)
test "$lines" -eq 1 || ret=1
@ -3934,29 +3713,8 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that CDNSKEY deletion records are signed only using KSK when added by"
echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
ret=0
keyid=$(cat ns2/cdnskey-kskonly.secure.id)
(
echo zone cdnskey-kskonly.secure
echo server 10.53.0.2 "$PORT"
echo update delete cdnskey-kskonly.secure CDNSKEY
echo update add cdnskey-kskonly.secure 0 CDNSKEY 0 3 0 AA==
echo send
) | $NSUPDATE
dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n
lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
test "$lines" -eq 1 || ret=1
lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l)
test "$lines" -eq 1 || ret=1
lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
test "$lines" -eq 1 || ret=1
lines=$(awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' dig.out.test$n | wc -l)
test "${lines:-10}" -eq 1 || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "status: $status"
exit $status
echo_i "checking initialization with a revoked managed key ($n)"
ret=0
@ -3983,7 +3741,7 @@ echo send
) | $NSUPDATE
dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
test "$lines" -eq 2 || ret=1
test "$lines" -eq 1 || ret=1
lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
test "$lines" -eq 2 || ret=1
n=$((n+1))
@ -4312,7 +4070,7 @@ get_keys_which_signed() {
# Basic checks to make sure everything is fine before the KSK is made offline.
for qtype in "DNSKEY" "CDNSKEY" "CDS"
do
echo_i "checking $qtype RRset is signed with KSK only (update-check-ksk, dnssec-ksk-only) ($n)"
echo_i "checking $qtype RRset is signed with KSK only ($n)"
ret=0
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
@ -4324,7 +4082,7 @@ do
status=$((status+ret))
done
echo_i "checking SOA RRset is signed with ZSK only (update-check-ksk and dnssec-ksk-only) ($n)"
echo_i "checking SOA RRset is signed with ZSK only ($n)"
ret=0
dig_with_opts $SECTIONS @10.53.0.2 soa $zone > dig.out.test$n
lines=$(get_keys_which_signed "SOA" dig.out.test$n | wc -l)
@ -4339,10 +4097,9 @@ status=$((status+ret))
zsk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
keyfile_to_key_id "$zsk2" > ns2/$zone.zsk.id2
ZSK_ID2=$(cat ns2/$zone.zsk.id2)
echo_i "load new ZSK $ZSK_ID2 for $zone ($n)"
ret=0
dnssec_loadkeys_on 2 $zone || ret=1
echo_i "prepublish new ZSK $ZSK_ID2 for $zone ($n)"
rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID $zone 2>&1 | sed 's/^/ns2 /' | cat_i
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
@ -4351,7 +4108,7 @@ status=$((status+ret))
echo_i "make ZSK $ZSK_ID inactive and make new ZSK $ZSK_ID2 active for zone $zone ($n)"
ret=0
$SETTIME -I now -K ns2 $ZSK > /dev/null
$SETTIME -A now -K ns2 $zsk2 > /dev/null
$SETTIME -s -k OMNIPRESENT now -A now -K ns2 $zsk2 > /dev/null
dnssec_loadkeys_on 2 $zone || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
@ -4374,7 +4131,7 @@ echo send
# Redo the tests now that the zone is updated and the KSK is offline.
for qtype in "DNSKEY" "CDNSKEY" "CDS"
do
echo_i "checking $qtype RRset is signed with KSK only, KSK offline (update-check-ksk, dnssec-ksk-only) ($n)"
echo_i "checking $qtype RRset is signed with KSK only, KSK offline ($n)"
ret=0
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
@ -4389,7 +4146,7 @@ done
for qtype in "SOA" "TXT"
do
echo_i "checking $qtype RRset is signed with ZSK only, KSK offline (update-check-ksk and dnssec-ksk-only) ($n)"
echo_i "checking $qtype RRset is signed with new ZSK $ZSK_ID2 only, KSK offline ($n)"
ret=0
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
@ -4414,10 +4171,10 @@ ZSK_ID3=$(cat ns2/$zone.zsk.id3)
# Schedule the new ZSK (ZSK3) to become active.
echo_i "delete old ZSK $ZSK_ID schedule ZSK $ZSK_ID2 inactive and new ZSK $ZSK_ID3 active for zone $zone ($n)"
$SETTIME -D now -K ns2 $ZSK > /dev/null
$SETTIME -s -k UNRETENTIVE -z HIDDEN -D now -K ns2 $ZSK > /dev/null
$SETTIME -I +3600 -K ns2 $zsk2 > /dev/null
$SETTIME -A +3600 -K ns2 $zsk3 > /dev/null
dnssec_loadkeys_on 2 $zone || ret=1
rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID2 $zone 2>&1 | sed 's/^/ns2 /' | cat_i
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
@ -4439,7 +4196,7 @@ echo send
# Redo the tests now that the ZSK roll has deleted the old key.
for qtype in "DNSKEY" "CDNSKEY" "CDS"
do
echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted (update-check-ksk, dnssec-ksk-only) ($n)"
echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted ($n)"
ret=0
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
@ -4455,7 +4212,7 @@ done
for qtype in "SOA" "TXT"
do
echo_i "checking $qtype RRset is signed with ZSK only, old ZSK deleted (update-check-ksk and dnssec-ksk-only) ($n)"
echo_i "checking $qtype RRset is signed with ZSK $ZSK_ID2 only, old ZSK deleted ($n)"
ret=0
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
@ -4471,8 +4228,9 @@ done
# Make the new ZSK (ZSK3) active.
echo_i "make new ZSK $ZSK_ID3 active for zone $zone ($n)"
$SETTIME -I +1 -K ns2 $zsk2 > /dev/null
$SETTIME -A +1 -K ns2 $zsk3 > /dev/null
$SETTIME -I now -K ns2 $zsk2 > /dev/null
$SETTIME -s -k OMNIPRESENT now -A now -K ns2 $zsk3 > /dev/null
dnssec_loadkeys_on 2 $zone || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
@ -4506,7 +4264,7 @@ status=$((status+ret))
# Redo the tests one more time.
for qtype in "DNSKEY" "CDNSKEY" "CDS"
do
echo_i "checking $qtype RRset is signed with KSK only, new ZSK active (update-check-ksk, dnssec-ksk-only) ($n)"
echo_i "checking $qtype RRset is signed with KSK only, new ZSK active ($n)"
ret=0
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
@ -4522,7 +4280,7 @@ done
for qtype in "SOA" "TXT"
do
echo_i "checking $qtype RRset is signed with ZSK only, new ZSK active (update-check-ksk and dnssec-ksk-only) ($n)"
echo_i "checking $qtype RRset is signed with new ZSK $ZSK_ID3 only, new ZSK active ($n)"
ret=0
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
@ -4545,9 +4303,9 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking sig-validity-interval second field hours vs days ($n)"
echo_i "checking signatures-validity second field hours vs days ($n)"
ret=0
# zone configured with 'sig-validity-interval 500 499;'
# zone configured with 'signatures-validity 500 499;'
# 499 days in the future w/ a 20 minute runtime to now allowance
min=$(TZ=UTC $PERL -e '@lt=localtime(time() + 499*3600*24 - 20*60); printf "%.4d%0.2d%0.2d%0.2d%0.2d%0.2d\n",$lt[5]+1900,$lt[4]+1,$lt[3],$lt[2],$lt[1],$lt[0];')
dig_with_opts @10.53.0.2 hours-vs-days AXFR > dig.out.ns2.test$n


@ -1,206 +0,0 @@
#!/usr/bin/env perl
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
use strict;
use warnings;
sub process_changeset;
my @changeset;
while( my $line = <> ) {
chomp $line;
if( $line =~ /^(?<op>add|del) (?<label>\S+)\s+(?<ttl>\d+)\s+IN\s+(?<rrtype>\S+)\s+(?<rdata>.*)/ ) {
my $change = {
op => $+{op},
label => $+{label},
ttl => $+{ttl},
rrtype => $+{rrtype},
rdata => $+{rdata},
};
if( $change->{op} eq 'del' and $change->{rrtype} eq 'SOA' ) {
if( @changeset ) {
process_changeset( @changeset );
@changeset = ();
}
}
push @changeset, $change;
}
else {
die "error parsing journal data";
}
}
if( @changeset ) {
process_changeset( @changeset );
}
{
my %rrsig_db;
my %keys;
my $apex;
sub process_changeset {
my @changeset = @_;
if( not $apex ) {
# the first record of the first changeset is guaranteed to be the apex
$apex = $changeset[0]{label};
}
my $newserial;
my %touched_rrsigs;
my %touched_keys;
foreach my $change( @changeset ) {
if( $change->{rrtype} eq 'SOA' ) {
if( $change->{op} eq 'add' ) {
if( $change->{rdata} !~ /^\S+ \S+ (?<serial>\d+)/ ) {
die "unable to parse SOA";
}
$newserial = $+{serial};
}
}
elsif( $change->{rrtype} eq 'NSEC' ) {
; # do nothing
}
elsif( $change->{rrtype} eq 'DNSKEY' ) {
; # ignore for now
}
elsif( $change->{rrtype} eq 'TYPE65534' and $change->{label} eq $apex ) {
# key status
if( $change->{rdata} !~ /^\\# (?<datasize>\d+) (?<data>[0-9A-F]+)$/ ) {
die "unable to parse key status record";
}
my $datasize = $+{datasize};
my $data = $+{data};
if( $datasize == 5 ) {
my( $alg, $id, $flag_del, $flag_done ) = unpack 'CnCC', pack( 'H10', $data );
if( $change->{op} eq 'add' ) {
if( not exists $keys{$id} ) {
$touched_keys{$id} //= 1;
$keys{$id} = {
$data => 1,
rrs => 1,
done_signing => $flag_done,
deleting => $flag_del,
};
}
else {
if( not exists $keys{$id}{$data} ) {
my $keydata = $keys{$id};
$touched_keys{$id} = { %$keydata };
$keydata->{rrs}++;
$keydata->{$data} = 1;
$keydata->{done_signing} += $flag_done;
$keydata->{deleting} += $flag_del;
}
}
}
else {
# this logic relies upon the convention that there won't
# ever be multiple records with the same flag set
if( exists $keys{$id} ) {
my $keydata = $keys{$id};
if( exists $keydata->{$data} ) {
$touched_keys{$id} = { %$keydata };
$keydata->{rrs}--;
delete $keydata->{$data};
$keydata->{done_signing} -= $flag_done;
$keydata->{deleting} -= $flag_del;
if( $keydata->{rrs} == 0 ) {
delete $keys{$id};
}
}
}
}
}
else {
die "unexpected key status record content";
}
}
elsif( $change->{rrtype} eq 'RRSIG' ) {
if( $change->{rdata} !~ /^(?<covers>\S+) \d+ \d+ \d+ (?<validity_end>\d+) (?<validity_start>\d+) (?<signing_key>\d+)/ ) {
die "unable to parse RRSIG rdata";
}
$change->{covers} = $+{covers};
$change->{validity_end} = $+{validity_end};
$change->{validity_start} = $+{validity_start};
$change->{signing_key} = $+{signing_key};
my $db_key = $change->{label} . ':' . $change->{covers};
$rrsig_db{$db_key} //= {};
$touched_rrsigs{$db_key} = 1;
if( $change->{op} eq 'add' ) {
$rrsig_db{$db_key}{ $change->{signing_key} } = 1;
}
else {
# del
delete $rrsig_db{$db_key}{ $change->{signing_key} };
}
}
}
foreach my $key_id( sort keys %touched_keys ) {
my $old_data;
my $new_data;
if( ref $touched_keys{$key_id} ) {
$old_data = $touched_keys{$key_id};
}
if( exists $keys{$key_id} ) {
$new_data = $keys{$key_id};
}
if( $old_data ) {
if( $new_data ) {
print "at serial $newserial key $key_id status changed from ($old_data->{deleting},$old_data->{done_signing}) to ($new_data->{deleting},$new_data->{done_signing})\n";
}
else {
print "at serial $newserial key $key_id status removed from zone\n";
}
}
else {
print "at serial $newserial key $key_id status added with flags ($new_data->{deleting},$new_data->{done_signing})\n";
}
}
foreach my $rrsig_id( sort keys %touched_rrsigs ) {
my $n_signing_keys = keys %{ $rrsig_db{$rrsig_id} };
if( $n_signing_keys == 0 ) {
print "at serial $newserial $rrsig_id went unsigned\n";
}
elsif( $n_signing_keys > 1 ) {
my @signing_keys = sort { $a <=> $b } keys %{ $rrsig_db{$rrsig_id} };
print "at serial $newserial $rrsig_id was signed too many times, keys (@signing_keys)\n";
}
}
}
}


@ -1,24 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
rm -f dig.out*
rm -f ns1/named.conf
rm -f ns1/named.lock
rm -f ns1/named.memstats
rm -f ns1/named.run
rm -f ns1/signing.test.db
rm -f ns1/signing.test.db.jbk
rm -f ns1/signing.test.db.signed
rm -f ns1/signing.test.db.signed.jnl
rm -f ns1/keys/signing.test/K*
rm -f ns1/managed-keys.bind*


@ -1 +0,0 @@
-D dupsigs-ns1 -X named.lock -m record -c named.conf -d 99 -g -U 4 -T maxcachesize=2097152 -T sigvalinsecs


@ -1,34 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
recursion no;
max-journal-size unlimited;
port @PORT@;
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
pid-file "named.pid";
dnssec-validation no;
};
zone "signing.test" {
type primary;
masterfile-format text;
allow-update { any; };
file "signing.test.db";
update-check-ksk yes;
key-directory "keys/signing.test";
inline-signing yes;
auto-dnssec maintain;
sig-validity-interval 20 5;
};


@ -1,99 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
. ../../conf.sh
zone=signing.test
rm -rf keys/signing.test
mkdir -p keys/signing.test
timetodnssec() {
$PERL -e 'my ($S,$M,$H,$d,$m,$y,$x) = gmtime(@ARGV[0]);
printf("%04u%02u%02u%02u%02u%02u\n", $y+1900,$m+1,$d,$H,$M,$S);' ${1}
}
KEYDIR=keys/signing.test
KSK=$($KEYGEN -a RSASHA256 -K $KEYDIR -q -f KSK $zone)
ZSK0=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK1=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK2=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK3=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK4=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK5=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK6=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK7=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK8=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK9=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
# clear all times on all keys
for FILEN in keys/signing.test/*.key
do
$SETTIME -P none -A none -R none -I none -D none $FILEN
done
BASE=$(date +%s)
BASET=$(timetodnssec $BASE)
# reset the publish and activation time on the KSK
$SETTIME -P $BASET -A $BASET $KEYDIR/$KSK
# reset the publish and activation time on the first ZSK
$SETTIME -P $BASET -A $BASET $KEYDIR/$ZSK0
# schedule the first roll
R1=$((BASE + 50))
R1T=$(timetodnssec $R1)
$SETTIME -I $R1T $KEYDIR/$ZSK0
$SETTIME -P $BASET -A $R1T $KEYDIR/$ZSK1
# schedule the second roll (which includes the delete of the first key)
R2=$((R1 + 50))
R2T=$(timetodnssec $R2)
DT=$R2
DTT=$(timetodnssec $DT)
$SETTIME -D $DTT $KEYDIR/$ZSK0
$SETTIME -I $R2T $KEYDIR/$ZSK1
$SETTIME -P $R1T -A $R2T $KEYDIR/$ZSK2
# schedule the third roll
R3=$((R2 + 25))
R3T=$(timetodnssec $R3)
$SETTIME -D $R3T $KEYDIR/$ZSK1
$SETTIME -I $R3T $KEYDIR/$ZSK2
$SETTIME -P $R2T -A $R3T $KEYDIR/$ZSK3
$SETTIME -P $R3T $KEYDIR/$ZSK4
echo KSK=$KSK
echo ZSK0=$ZSK0
echo ZSK1=$ZSK1
echo ZSK2=$ZSK2
echo ZSK3=$ZSK3
echo ZSK4=$ZSK4
exit
# schedule the fourth roll
# this isn't long enough for the signing to complete and would result in
# duplicate signatures, see
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/231#note_9597
R4=$((R3 + 10))
R4T=$(timetodnssec $R4)
$SETTIME -D $R4T $KEYDIR/$ZSK2
$SETTIME -I $R4T $KEYDIR/$ZSK3
$SETTIME -P $R3T -A $R4T $KEYDIR/$ZSK4


@ -1,18 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 3600
@ IN SOA ns root.ns 1996072700 3600 1800 86400 60
@ NS ns
ns A 127.0.0.1
ns AAAA ::1
$GENERATE 0-499 a${0,4,d} AAAA ::$


@ -1,23 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
. ../conf.sh
$SHELL clean.sh
test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
copy_setports ns1/named.conf.in ns1/named.conf
cp -f ns1/signing.test.db.in ns1/signing.test.db
(cd ns1; $SHELL ./reset_keys.sh)


@ -1,71 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
. ../conf.sh
status=0
# Wait for the zone to be fully signed before beginning test
#
# We expect the zone to have the following:
#
# - 5 signatures for signing.test.
# - 3 signatures for ns.signing.test.
# - 2 x 500 signatures for a{0000-0499}.signing.test.
#
# for a total of 1008.
fully_signed () {
$DIG axfr signing.test -p ${PORT} @10.53.0.1 > "dig.out.ns1.axfr"
awk 'BEGIN { lines = 0 }
$4 == "RRSIG" {lines++}
END { if (lines != 1008) exit(1) }' < "dig.out.ns1.axfr"
}
# Wait for the last NSEC record in the zone to be signed. This is a lightweight
# alternative to avoid many AXFR requests while waiting for the zone to be
# fully signed.
_wait_for_last_nsec_signed() {
$DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec > "dig.out.ns1.wait" || return 1
grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" > /dev/null || return 1
return 0
}
echo_i "wait for the zone to be fully signed"
retry_quiet 60 _wait_for_last_nsec_signed
retry_quiet 10 fully_signed || status=1
if [ $status != 0 ]; then echo_i "failed"; fi
start=$(date +%s)
now=$start
end=$((start + 140))
while [ $now -lt $end ] && [ $status -eq 0 ]; do
et=$((now - start))
echo_i "............... $et ............"
$JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i
$DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et
awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i
lines=$(awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l)
if [ ${et} -ne 0 -a ${lines} -ne 1008 ]
then
echo_i "failed"
status=$((status + 1))
fi
sleep 5
now=$(date +%s)
done
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1


@ -1,14 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
def test_dupsigs(run_tests_sh):
run_tests_sh()


@ -24,4 +24,4 @@ rm -rf ./*/*.jbk \
./*/*.db ./*/*.db.signed ./*/*.db.jnl ./*/*.db.signed.jnl \
./*.out ./*.out* ./*/*.out ./*/*.out* \
./*/*.bk ./*/*.bk.jnl ./*/*.bk.signed ./*/*.bk.signed.jnl \
ns3/a-file ns3/removedkeys
ns3/a-file ns3/removedkeys ns3/delayedkeys.conf


@ -48,12 +48,3 @@ ns3.nsec3. A 10.53.0.3
externalkey. NS ns3.externalkey.
ns3.externalkey. A 10.53.0.3
retransfer3. NS ns3.retransfer.
ns3.retransfer3. A 10.53.0.3
inactiveksk. NS ns3.inactiveksk.
ns3.inactiveksk. A 10.53.0.3
inactivezsk. NS ns3.inactivezsk.
ns3.inactivezsk. A 10.53.0.3


@ -47,32 +47,12 @@ zone "retransfer" {
notify no;
};
zone "retransfer3" {
type primary;
file "retransfer3.db";
allow-update { any; };
allow-transfer { none; }; // changed dynamically by tests.sh
notify no;
};
zone "nsec3-loop" {
type primary;
file "nsec3-loop.db";
notify no;
};
zone "inactiveksk" {
type primary;
file "inactiveksk.db";
allow-update { any; };
};
zone "inactivezsk" {
type primary;
file "inactivezsk.db";
allow-update { any; };
};
zone "nokeys" {
type primary;
file "nokeys.db";


@ -11,6 +11,9 @@
* information regarding copyright ownership.
*/
options {
dnskey-sig-validity 5000; /* maximum value 10 years, this is 14 */
zone "delayedkeys" {
type primary;
file "delayedkeys.db";
inline-signing yes;
dnssec-policy insecure;
};
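Review bot: The two file sections that now define `zone "delayedkeys"` (this one and the next) differ in a single token, `dnssec-policy insecure;` here versus `dnssec-policy inline;` in the following section, and nothing in either file says which phase of the test each one represents, so a reader has to diff them to find out. A one-line comment above the zone block would make that explicit, e.g. `// delayedkeys: initial configuration, zone left unsigned (built-in "insecure" policy)` here and `// delayedkeys: configuration loaded once the keys exist, zone signed under policy "inline"` in the second file; the ordering is my inference from the policy names, so adjust the wording to what tests.sh actually does. The removed `options { dnskey-sig-validity ...; }` lines carried a range note (`maximum value 10 years`); if an out-of-range value was previously exercised through these files, that check no longer exists here and may deserve a mention in the commit description or a separate test.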


@ -11,6 +11,9 @@
* information regarding copyright ownership.
*/
options {
dnskey-sig-validity 3660; /* maximum value 10 years */
zone "delayedkeys" {
type primary;
file "delayedkeys.db";
inline-signing yes;
dnssec-policy inline;
};


@ -35,11 +35,35 @@ options {
dnssec-validation no;
};
dnssec-policy "inline" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "nsec3" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
nsec3param iterations 0 optout no salt-length 0;
};
dnssec-policy "external" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
ksk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
};
};
zone "bits" {
type secondary;
primaries { 10.53.0.2; };
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
allow-update-forwarding { any; };
file "bits.bk";
sig-signing-signatures 1; // force incremental processing
@ -51,7 +75,7 @@ zone "noixfr" {
type secondary;
primaries { 10.53.0.4; };
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
allow-update-forwarding { any; };
file "noixfr.bk";
};
@ -59,7 +83,7 @@ zone "noixfr" {
zone "primary" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "primary.db";
notify explicit;
also-notify {
@ -70,7 +94,7 @@ zone "primary" {
zone "dynamic" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
allow-update { any; };
file "dynamic.db";
};
@ -78,7 +102,7 @@ zone "dynamic" {
zone "updated" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
allow-update { none; };
file "updated.db";
};
@ -86,7 +110,7 @@ zone "updated" {
zone "expired" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
allow-update { any; };
file "expired.db";
};
@ -95,14 +119,14 @@ zone "retransfer" {
type secondary;
primaries { 10.53.0.2; };
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "retransfer.bk";
};
zone "nsec3" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy nsec3;
allow-update { any; };
file "nsec3.db";
};
@ -110,56 +134,23 @@ zone "nsec3" {
zone "externalkey" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-dnskey-kskonly no;
dnssec-policy external;
allow-update { any; };
file "externalkey.db";
};
zone "retransfer3" {
type secondary;
primaries { 10.53.0.2; };
inline-signing yes;
auto-dnssec maintain;
file "retransfer3.bk";
};
zone "inactiveksk" {
type secondary;
primaries { 10.53.0.2; };
inline-signing yes;
auto-dnssec maintain;
dnssec-dnskey-kskonly yes;
file "inactiveksk.bk";
};
zone "inactivezsk" {
type secondary;
primaries { 10.53.0.2; };
inline-signing yes;
auto-dnssec maintain;
file "inactivezsk.bk";
};
zone "nokeys" {
type secondary;
primaries { 10.53.0.2; };
inline-signing yes;
auto-dnssec maintain;
dnssec-policy insecure;
file "nokeys.bk";
};
zone "delayedkeys" {
type primary;
inline-signing yes;
auto-dnssec maintain;
file "delayedkeys.db";
};
zone "removedkeys-primary" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
allow-update { any; };
also-notify { 10.53.0.2; };
file "removedkeys-primary.db";
@ -169,7 +160,7 @@ zone "removedkeys-secondary" {
type secondary;
primaries { 10.53.0.2; };
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "removedkeys-secondary.bk";
};
@ -177,5 +168,7 @@ zone "unsupported" {
type primary;
file "unsupported.db";
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
};
include "delayedkeys.conf";
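Review bot: The three new `dnssec-policy` blocks (`inline`, `nsec3`, `external`) are undocumented, and since every zone below was switched from `auto-dnssec maintain;` to one of them, a reader cannot tell from this file why `nsec3` and `external` exist separately from `inline` — the only differences visible are the `nsec3param iterations 0 optout no salt-length 0;` line and the second `@ALTERNATIVE_ALGORITHM@` key pair. A short comment above each would help, e.g. `// "nsec3": same keys as "inline", zone signed with NSEC3 (no salt, 0 iterations, no opt-out)` and `// "external": two algorithms; the externalkey zone also carries DNSKEYs that named has no private key for (see sign.sh)` — the second is inferred from the sign.sh hunk later in this commit, so verify it. Separately, the `nokeys` zone keeps `inline-signing yes;` while taking the built-in `insecure` policy; a comment stating that this combination is deliberate (presumably to keep the zone unsigned — confirm) would stop someone "fixing" it later.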


@ -49,10 +49,12 @@ $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
zone=updated
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null
zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
$SETTIME -s -g OMNIPRESENT -k RUMOURED now -z RUMOURED now "$zsk" > settime.out.updated.1 2>&1
$SETTIME -s -g OMNIPRESENT -k RUMOURED now -r RUMOURED now -d HIDDEN now "$ksk" > settime.out.updated.2 2>&1
$DSFROMKEY -T 1200 $ksk >> ../ns1/root.db
$SIGNER -S -x -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null
cp primary2.db.in updated.db
# signatures are expired and should be regenerated on startup
@ -77,31 +79,6 @@ rm -f K${zone}.+*+*.private
keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
zone=retransfer3
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
zone=inactiveksk
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 -f KSK $zone)
keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone)
keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone)
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
zone=inactivezsk
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 $zone)
keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone)
keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone)
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
zone=delayedkeys
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
@ -136,6 +113,7 @@ do
done
zone=externalkey
zonefile=${zone}.db
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
@ -147,13 +125,10 @@ do
k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone)
$DSFROMKEY -T 1200 $k4 >> ../ns1/root.db
# Convert k1 and k2 in to External Keys.
cat $k1.key $k2.key >> $zonefile
rm -f $k1.key
rm -f $k1.private
mv $k1.key a-file
$IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1 ||
( echo_i "importkey failed: $alg" )
rm -f $k2.key
rm -f $k2.private
mv $k2.key a-file
$IMPORTKEY -f a-file $zone > /dev/null 2>&1 ||
( echo_i "importkey failed: $alg" )
done
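Review bot: The new KSK for the `updated` zone is created with `-d HIDDEN now` on the `$SETTIME` line, yet its DS is appended to `../ns1/root.db` on the very next line, so the key-state metadata starts out disagreeing with what the parent zone actually serves. If the test depends on named noticing the published DS and advancing the state itself, a comment above that line such as `# DS state deliberately starts HIDDEN; named must detect the DS in the parent` would keep the next reader from "correcting" it; if not, `-d RUMOURED now` is the consistent starting state. In the `externalkey` loop, a failing `$IMPORTKEY` only reaches `echo_i "importkey failed: $alg"` and setup continues, so a broken import later surfaces as an unrelated test failure; terminating there (`|| { echo_i "importkey failed: $alg"; exit 1; }`) would make the cause obvious.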


@ -33,10 +33,17 @@ options {
servfail-ttl 0;
};
dnssec-policy "inline" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
zone "bits" {
type secondary;
primaries { 10.53.0.2; };
file "bits.bk";
auto-dnssec maintain;
dnssec-policy inline;
inline-signing yes;
};


@ -48,3 +48,13 @@ options {
sig-signing-nodes 100;
sig-signing-signatures 10;
};
dnssec-policy "nsec3" {
keys {
ksk key-directory lifetime unlimited algorithm RSASHA256 2048;
zsk key-directory lifetime unlimited algorithm RSASHA256 2048;
zsk key-directory lifetime unlimited algorithm RSASHA256 1024;
};
nsec3param iterations 0 optout no salt-length 0;
};
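Review bot: The `zsk key-directory lifetime unlimited algorithm RSASHA256 1024;` entry in policy "nsec3" has no explanation, and a 1024-bit RSA key is small enough that a later maintainer may bump it without realising the policy must match the key pre-generated with `-b 1024` in ns7/sign.sh. A one-line comment next to it, e.g. `// must match the pre-generated 1024-bit ZSK in sign.sh; not a size to copy into real policies`, would tie the two files together. The same applies to the two 2048-bit entries, which mirror the `-b 2048` keys generated there.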


@ -19,6 +19,6 @@
zone=nsec3-loop
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
keyname=$($KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone)
keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone -f KSK $zone)


@ -36,128 +36,135 @@ options {
dnssec-validation no;
};
dnssec-policy "inline" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
zone "example01.com" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example01.com.db";
};
zone "example02.com" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example02.com.db";
};
zone "example03.com" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example03.com.db";
};
zone "example04.com" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example04.com.db";
};
zone "example05.com" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example05.com.db";
};
zone "example06.com" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example06.com.db";
};
zone "example07.com" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example07.com.db";
};
zone "example08.com" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example08.com.db";
};
zone "example09.com" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example09.com.db";
};
zone "example10.com" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example10.com.db";
};
zone "example11.com" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example11.com.db";
};
zone "example12.com" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example12.com.db";
};
zone "example13.com" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example13.com.db";
};
zone "example14.com" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example14.com.db";
};
zone "example15.com" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example15.com.db";
};
zone "example16.com" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example16.com.db";
};
zone example {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "example.db";
};
zone "unsigned-serial-test" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-policy inline;
file "unsigned-serial-test.db";
};


@ -18,12 +18,9 @@ cp ns1/root.db.in ns1/root.db
touch ns2/trusted.conf
cp ns2/nsec3-loop.db.in ns2/nsec3-loop.db
cp ns2/bits.db.in ns2/bits.db
cp ns2/bits.db.in ns2/inactiveksk.db
cp ns2/bits.db.in ns2/inactivezsk.db
cp ns2/bits.db.in ns2/nokeys.db
cp ns2/bits.db.in ns2/removedkeys-secondary.db
cp ns2/bits.db.in ns2/retransfer.db
cp ns2/bits.db.in ns2/retransfer3.db
cp ns3/primary.db.in ns3/primary.db
cp ns3/primary.db.in ns3/dynamic.db
@ -44,6 +41,7 @@ cp ns4/noixfr.db.in ns4/noixfr.db
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
cp ns3/delayedkeys.conf.1 ns3/delayedkeys.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.pre ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
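Review bot: `cp ns3/delayedkeys.conf.1 ns3/delayedkeys.conf` sits in the middle of a run of `copy_setports` calls, so a reader will wonder whether the plain copy is an oversight. If delayedkeys.conf.1 contains no `@PORT@`-style placeholders, a comment such as `# delayedkeys.conf.* carry no @...@ placeholders, plain cp is sufficient` would settle that; if it does contain any, they are never substituted here (nor by the matching `cp ns3/delayedkeys.conf.2` in tests.sh).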


@ -36,8 +36,7 @@ status=0
n=0
ret=0
$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1 || ret=1
# Make sure nsec3 zone is NSEC3 signed.
for i in 1 2 3 4 5 6 7 8 9 0
do
nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.) || ret=1
@ -65,15 +64,12 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking that the zone is signed on initial transfer ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
ret=0
$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1
keys=$(grep '^Done signing' signing.out.test$n | wc -l)
[ $keys = 2 ] || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
done
zone_is_signed() {
$DIG $DIGOPTS @10.53.0.3 bits. AXFR > dig.out.ns3.test$n || return 1
$VERIFY -z -o bits. dig.out.ns3.test$n > verify.out.bits.test$n || return 1
return 0
}
retry_quiet 10 zone_is_signed || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -93,7 +89,7 @@ $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1
keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
for key in $keys; do
$RNDCCMD 10.53.0.3 signing -clear ${key} bits > /dev/null || ret=1
break; # We only want to remove 1 record for now.
break; # We only want to remove 1 record for now.
done 2>&1 |sed 's/^/ns3 /' | cat_i
for i in 1 2 3 4 5 6 7 8 9 10
@ -113,6 +109,7 @@ n=$((n + 1))
echo_i "checking private type was properly signed ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n || ret=1
# One private type record, one signature
grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
@ -122,7 +119,7 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking removal of remaining private type record via 'rndc signing -clear all' ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1
$RNDCCMD 10.53.0.3 signing -clear all bits > signing.out.test$n.clear || ret=1
for i in 1 2 3 4 5 6 7 8 9 10
do
@ -434,8 +431,8 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking primary zone that was updated while offline is correct ($n)"
ret=0
$DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA >dig.out.ns2.soa.test$n || ret=1
serial=$(awk '{print $3}' dig.out.ns2.soa.test$n)
$DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA >dig.out.ns3.soa.test$n || ret=1
serial=$(awk '{print $3}' dig.out.ns3.soa.test$n)
# serial should have changed
[ "$serial" = "2000042407" ] && ret=1
# e.updated should exist and should be signed
@ -446,7 +443,7 @@ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
# of primary2.db, and should show a minimal diff: no more than 8 added
# records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records
# (SOA/RRSIG, NSEC/RRSIG).
$JOURNALPRINT ns3/updated.db.signed.jnl >journalprint.out.test$n || ret=1
$JOURNALPRINT ns3/updated.db.signed.jnl > journalprint.out.test$n || ret=1
serial=$(awk '/Source serial =/ {print $4}' journalprint.out.test$n)
[ "$serial" = "2000042408" ] || ret=1
diffsize=$(wc -l < journalprint.out.test$n)
@ -791,65 +788,6 @@ done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "check 'rndc signing -nsec3param' requests are queued for zones which are not loaded ($n)"
ret=0
# The "retransfer3" zone is configured with "allow-transfer { none; };" on ns2,
# which means it should not yet be available on ns3.
$DIG $DIGOPTS @10.53.0.3 retransfer3 SOA > dig.out.ns3.pre.test$n || ret=1
grep "status: SERVFAIL" dig.out.ns3.pre.test$n > /dev/null || ret=1
# Switch the zone to NSEC3. An "NSEC3 -> NSEC -> NSEC3" sequence is used purely
# to test that multiple queued "rndc signing -nsec3param" requests are handled
# properly.
$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 signing -nsec3param none retransfer3 > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
# Reconfigure ns2 to allow outgoing transfers for the "retransfer3" zone.
sed "s|\(allow-transfer { none; };.*\)|// \1|;" ns2/named.conf > ns2/named.conf.new
mv ns2/named.conf.new ns2/named.conf
$RNDCCMD 10.53.0.2 reconfig || ret=1
# Request ns3 to retransfer the "retransfer3" zone.
$RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1
# Check whether "retransfer3" uses NSEC3 as requested.
for i in 0 1 2 3 4 5 6 7 8 9
do
ret=0
$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i || ret=1
grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
test $ret -eq 0 && break
sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "check rndc retransfer of a inline nsec3 secondary retains nsec3 ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
for i in 0 1 2 3 4 5 6 7 8 9
do
ans=0
$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1
grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1
[ $ans = 0 ] && break
sleep 1
done
$RNDCCMD 10.53.0.3 retransfer retransfer3 2>&1 || ret=1
for i in 0 1 2 3 4 5 6 7 8 9
do
ans=0
$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1
grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1
[ $ans = 0 ] && break
sleep 1
done
[ $ans = 1 ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# NOTE: The test below should be considered fragile. More details can be found
# in the comment inside ns7/named.conf.
n=$((n + 1))
@ -858,7 +796,7 @@ ret=0
zone=nsec3-loop
# Add secondary zone using rndc
$RNDCCMD 10.53.0.7 addzone $zone \
'{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };' || ret=1
'{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; dnssec-policy default; };' || ret=1
# Wait until secondary zone is fully signed using NSEC
for i in 1 2 3 4 5 6 7 8 9 0
do
@ -869,15 +807,18 @@ do
sleep 1
done
# Switch secondary zone to NSEC3
$RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 modzone $zone \
'{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; dnssec-policy nsec3; };' || ret=1
# Wait until secondary zone is fully signed using NSEC3
for i in 1 2 3 4 5 6 7 8 9 0
do
ret=1
nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone) || ret=1
test "$nsec3param" = "1 0 2 12345678" && ret=0 && break
$DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone > dig.out.ns7.test$n
nsec3param=$(cat dig.out.ns7.test$n)
test "$nsec3param" = "1 0 0 -" && ret=0 && break
sleep 1
done
# Attempt to retransfer the secondary zone from primary
$RNDCCMD 10.53.0.7 retransfer $zone || ret=1
# Check whether the signer managed to fully sign the retransferred zone by
@ -1013,7 +954,7 @@ $RNDCCMD 10.53.0.2 addzone test-$zone \
$DIG $DIGOPTS @10.53.0.2 test-$zone SOA > dig.out.ns2.$zone.test$n || ret=1
grep "status: NOERROR," dig.out.ns2.$zone.test$n > /dev/null || { ret=1; cat dig.out.ns2.$zone.test$n; }
$RNDCCMD 10.53.0.3 addzone test-$zone \
'{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };' || ret=1
'{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; dnssec-policy default; allow-transfer { any; }; };' || ret=1
$RNDCCMD 10.53.0.3 delzone test-$zone > /dev/null 2>&1 || ret=1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -1036,8 +977,8 @@ do
dnskeys=$(grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l)
rrsigs=$(grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l)
test ${dnskeys:-0} -eq 3 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; }
test ${rrsigs:-0} -eq 2 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; }
test ${dnskeys:-0} -eq 4 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; }
test ${rrsigs:-0} -eq 1 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; }
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -1133,70 +1074,6 @@ retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "testing that inline signing works with inactive ZSK and active KSK ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.pre.test$n || ret=1
soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n)
$NSUPDATE << EOF || ret=1
server 10.53.0.2 ${PORT}
update add added.inactivezsk 0 IN TXT added record
send
EOF
for i in 1 2 3 4 5 6 7 8 9 10
do
$DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.post.test$n || ret=1
soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n)
test ${soa1:-0} -ne ${soa2:-0} && break
sleep 1
done
test ${soa1:-0} -ne ${soa2:-0} || ret=1
$DIG $DIGOPTS @10.53.0.3 txt added.inactivezsk > dig.out.ns3.test$n || ret=1
grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
grep "TXT ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
grep "TXT ${ALTERNATIVE_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "testing that inline signing works with inactive KSK and active ZSK ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inactiveksk > dig.out.ns3.test$n || ret=1
#
# check that DNSKEY is signed with ZSK for default algorithm
#
awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }'
zskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
$DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' )
grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1
awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }'
kskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
$DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' )
grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
#
# check that DNSKEY is signed with KSK for alternative algorithm
#
awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }'
zskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
$DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' )
grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1
awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }'
kskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
$DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' )
grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# Wait until an update to the raw part of a given inline signed zone is fully
# processed. As waiting for a fixed amount of time is suboptimal and there is
# no single message that would signify both a successful modification and an
@ -1368,12 +1245,16 @@ ensure_sigs_only_in_journal() {
n=$((n + 1))
echo_i "checking that records added from a journal are scheduled to be resigned ($n)"
ret=0
zone="delayedkeys"
# Signing keys for the "delayedkeys" zone are not yet accessible. Thus, the
# zone file for the signed version of the zone will contain no DNSSEC records.
# Move keys into place now and load them, which will cause DNSSEC records to
# only be present in the journal for the signed version of the zone.
mv Kdelayedkeys* ns3/
$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1
cp ns3/delayedkeys.conf.2 ns3/delayedkeys.conf
$RNDCCMD 10.53.0.3 reconfig > /dev/null 2>&1 || ret=1
#$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1
# Wait until the zone is signed.
check_done_signing () (
$RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1 || true
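Review bot: The last hunk leaves the old loadkeys invocation in as commented-out code (`#$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1`) right after the new `reconfig` call; dead code like this tends to get reinstated by accident, so either delete the line or replace it with a comment saying why `reconfig` now plays that role. Note also that `rndc.out.ns3.pre.test$n` is no longer written by this block, so any later line that inspects it (outside the hunk) would need adjusting. The `check_done_signing` function opened on the final line continues outside the hunk.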


@ -69,6 +69,13 @@ zone "step1.going-straight-to-none.kasp" {
dnssec-policy "default";
};
zone "step1.going-straight-to-none-dynamic.kasp" {
type primary;
file "step1.going-straight-to-none-dynamic.kasp.db.signed";
dnssec-policy "default";
allow-update { any; };
};
/* These are alorithm rollover test zones. */
zone "step1.algorithm-roll.kasp" {
type primary;


@ -82,6 +82,13 @@ zone "step1.going-straight-to-none.kasp" {
dnssec-policy "none";
};
zone "step1.going-straight-to-none-dynamic.kasp" {
type primary;
file "step1.going-straight-to-none-dynamic.kasp.db.signed";
dnssec-policy "none";
allow-update { any; };
};
/*
* Zones for testing KSK/ZSK algorithm roll.
*/


@ -83,6 +83,18 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
# This zone is going straight to "none" policy. This is undefined behavior.
setup step1.going-straight-to-none-dynamic.kasp
echo "$zone" >> zones
TactN="now"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
CSK=$($KEYGEN -k default $csktimes $zone 2> keygen.out.$zone.1)
$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O full -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
#
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
# algorithm rollover.


@ -3897,6 +3897,44 @@ check_apex
check_subdomain
dnssec_verify
#
# Zone step1.going-straight-to-none-dynamic.kasp
#
set_zone "step1.going-straight-to-none-dynamic.kasp"
set_policy "default" "1" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
# This policy only has one key.
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The first key is immediately published and activated.
created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "PUBLISHED" "${created}"
set_keytime "KEY1" "ACTIVE" "${created}"
set_keytime "KEY1" "SYNCPUBLISH" "${created}"
# Key lifetime is unlimited, so not setting RETIRED and REMOVED.
check_keytimes
check_apex
check_subdomain
dnssec_verify
# Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy
# changes).
echo_i "reconfig dnssec-policy to trigger algorithm rollover"
@ -4143,6 +4181,37 @@ check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
dnssec_verify
#
# Zone: step1.going-straight-to-none-dynamic.kasp
#
set_zone "step1.going-straight-to-none-dynamic.kasp"
set_policy "none" "1" "3600"
set_server "ns6" "10.53.0.6"
# The zone will go bogus after signatures expire, but remains validly signed for now.
# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
# This policy only has one key.
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"
# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
dnssec_verify
#
# Testing KSK/ZSK algorithm rollover.
#
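Review bot: In both new blocks the comment `# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.` contradicts the state set two lines later, `set_keystate "KEY1" "STATE_DS" "omnipresent"`, which says the DS is already fully in place. The comment appears to have been copied from a zone that is still waiting on its DS; for these zones `# DNSKEY, both RRSIGs and the DS are all omnipresent from the start.` matches the asserted states. The same stale wording appears in the second block under `set_policy "none"`.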


@ -1,17 +0,0 @@
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
SPDX-License-Identifier: MPL-2.0
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
The test setup for migrating to KASP tests.
ns3 is an authoritative server for the various test domains.
ns4 is an authoritative server that tests a specific case where zones
using views migrate to dnssec-policy.


@ -1,34 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
rm -f ns*/K*.private ns*/K*.key ns*/K*.state
rm -f ns*/named.conf ns*/kasp.conf
rm -f ns*/named.memstats ns*/named.run
rm -f ns*/keygen.out* ns*/signer.out*
rm -f ns*/zones
rm -f ns*/dsset-*
rm -f ns*/*.db ns*/*.db.jnl ns*/*.db.jbk
rm -f ns*/*.db.signed* ns*/*.db.infile
rm -f ns*/managed-keys.bind*
rm -f ns*/*.mkeys*
rm -f ./*.created
rm -f ./created.key-*
rm -f ./dig.out*
rm -f ./python.out.*
rm -f ./retired.*
rm -f ./rndc.dnssec.*
rm -f ./unused.key*
rm -f ./verify.out.*


@ -1,104 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "migrate" {
dnskey-ttl 7200;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "timing-metadata" {
dnskey-ttl 300;
signatures-refresh P1W;
signatures-validity P2W;
signatures-validity-dnskey P2W;
keys {
ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
};
// Together 12h
zone-propagation-delay 3600;
max-zone-ttl 11h;
// Together 3h
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};
/*
* This policy tests migration from existing keys with 1024 bits RSASHA1 keys
* to ECDSAP256SHA256 keys.
*/
dnssec-policy "migrate-nomatch-algnum" {
dnskey-ttl 300;
keys {
ksk key-directory lifetime unlimited algorithm ecdsa256;
zsk key-directory lifetime P60D algorithm ecdsa256;
};
// Together 12h
zone-propagation-delay 3600;
max-zone-ttl 11h;
// Together 3h
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};
/*
* This policy tests migration from existing keys with 2048 bits RSASHA256 keys
* to 3072 bits RSASHA256 keys.
*/
dnssec-policy "migrate-nomatch-alglen" {
dnskey-ttl 300;
keys {
ksk key-directory lifetime unlimited algorithm rsasha256 3072;
zsk key-directory lifetime P60D algorithm rsasha256 3072;
};
// Together 12h
zone-propagation-delay 3600;
max-zone-ttl 11h;
// Together 3h
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};
/*
* This policy tests migration from existing KSK and ZSK to CSK.
* The keys clause matches the default policy.
*/
dnssec-policy "migrate-nomatch-kzc" {
dnskey-ttl 300;
keys {
csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
// Together 12h
zone-propagation-delay 3600;
max-zone-ttl 11h;
// Together 3h
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};


@ -1,106 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS3
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
key-directory ".";
dnssec-validation no;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
/* These are zones that migrate to dnssec-policy. */
zone "migrate.kasp" {
type primary;
file "migrate.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
zone "csk.kasp" {
type primary;
file "csk.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly no;
};
zone "csk-nosep.kasp" {
type primary;
file "csk-nosep.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly no;
};
zone "rumoured.kasp" {
type primary;
file "rumoured.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
zone "omnipresent.kasp" {
type primary;
file "omnipresent.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
zone "migrate-nomatch-algnum.kasp" {
type primary;
file "migrate-nomatch-algnum.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
zone "migrate-nomatch-alglen.kasp" {
type primary;
file "migrate-nomatch-alglen.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
zone "migrate-nomatch-kzc.kasp" {
type primary;
file "migrate-nomatch-kzc.kasp.db";
auto-dnssec maintain;
inline-signing yes;
};


@ -1,95 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS3
include "kasp.conf";
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
dnssec-validation no;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
/* These are zones that migrate to dnssec-policy. */
zone "migrate.kasp" {
type primary;
file "migrate.kasp.db";
allow-update { any; };
dnssec-policy "migrate";
};
zone "csk.kasp" {
type primary;
file "csk.kasp.db";
allow-update { any; };
dnssec-policy "default";
};
zone "csk-nosep.kasp" {
type primary;
file "csk-nosep.kasp.db";
allow-update { any; };
dnssec-policy "default";
};
zone "rumoured.kasp" {
type primary;
file "rumoured.kasp.db";
allow-update { any; };
dnssec-policy "timing-metadata";
};
zone "omnipresent.kasp" {
type primary;
file "omnipresent.kasp.db";
allow-update { any; };
dnssec-policy "timing-metadata";
};
zone "migrate-nomatch-algnum.kasp" {
type primary;
file "migrate-nomatch-algnum.kasp.db";
allow-update { any; };
dnssec-policy "migrate-nomatch-algnum";
};
zone "migrate-nomatch-alglen.kasp" {
type primary;
file "migrate-nomatch-alglen.kasp.db";
allow-update { any; };
dnssec-policy "migrate-nomatch-alglen";
};
zone "migrate-nomatch-kzc.kasp" {
type primary;
file "migrate-nomatch-kzc.kasp.db";
inline-signing yes;
dnssec-policy "migrate-nomatch-kzc";
};


@ -1,148 +0,0 @@
#!/bin/sh -e
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. ../../conf.sh
echo_i "ns3/setup.sh"
setup() {
zone="$1"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zone}.db.infile"
}
# Make lines shorter by storing key states in environment variables.
H="HIDDEN"
R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
setup migrate.kasp
echo "$zone" >> zones
ksktimes="-P now -A now -P sync now"
zsktimes="-P now -A now"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Set up Single-Type Signing Scheme zones with auto-dnssec maintain to
# migrate to dnssec-policy. This is a zone that has 'update-check-ksk no;'
# configured, meaning the zone is signed with a single CSK.
setup csk.kasp
echo "$zone" >> zones
csktimes="-P now -A now -P sync now"
CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2> keygen.out.$zone.1)
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
setup csk-nosep.kasp
echo "$zone" >> zones
csktimes="-P now -A now -P sync now"
CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2> keygen.out.$zone.1)
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# RSASHA256 keys, and will be migrated to a dnssec-policy that dictates
# ECDSAP256SHA256 keys.
setup migrate-nomatch-algnum.kasp
echo "$zone" >> zones
Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 5 "$KSK" >> "$infile"
private_type_record $zone 5 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# 2048 bits RSASHA256 keys, and will be migrated to a dnssec-policy that
# dictates 3072 bits RSASHA256 keys.
setup migrate-nomatch-alglen.kasp
echo "$zone" >> zones
Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 5 "$KSK" >> "$infile"
private_type_record $zone 5 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Set up a zone with auto-dnssec maintain to migrate to default dnssec-policy.
# The zone is signed with KSK/ZSK split, but the dnssec-policy uses CSK.
setup migrate-nomatch-kzc.kasp
echo "$zone" >> zones
Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
cp $infile $zonefile
private_type_record $zone 5 "$KSK" >> "$infile"
private_type_record $zone 5 "$ZSK" >> "$infile"
$SIGNER -PS -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
#
# Set up zones to test time metadata correctly sets state.
#
# Key states expected to be rumoured after migration.
setup rumoured.kasp
echo "$zone" >> zones
Tds="now-2h"
Tkey="now-300s"
Tsig="now-11h"
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Key states expected to be omnipresent after migration.
setup omnipresent.kasp
echo "$zone" >> zones
Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1


@ -1,27 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns3
ns3 A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
c A 10.0.0.3


@ -1,73 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS4
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
key-directory ".";
dnssec-validation no;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
key "external" {
algorithm @DEFAULT_HMAC@;
secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
};
key "internal" {
algorithm @DEFAULT_HMAC@;
secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
};
view "ext" {
match-clients { key "external"; };
zone "view-rsasha256.kasp" {
type primary;
file "view-rsasha256.kasp.ext.db";
auto-dnssec maintain;
inline-signing yes;
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
};
view "int" {
match-clients { key "internal"; };
zone "view-rsasha256.kasp" {
type primary;
file "view-rsasha256.kasp.int.db";
auto-dnssec maintain;
inline-signing yes;
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
};


@ -1,90 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS4
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
key-directory ".";
dnssec-validation no;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
dnssec-policy "rsasha256" {
keys {
zsk key-directory lifetime P3M algorithm 8 2048;
ksk key-directory lifetime P1Y algorithm 8 2048;
};
dnskey-ttl 300;
publish-safety 1h;
retire-safety 1h;
signatures-refresh 5d;
signatures-validity 14d;
signatures-validity-dnskey 14d;
max-zone-ttl 1d;
zone-propagation-delay 300;
parent-ds-ttl 86400;
parent-propagation-delay 3h;
};
key "external" {
algorithm @DEFAULT_HMAC@;
secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
};
key "internal" {
algorithm @DEFAULT_HMAC@;
secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
};
view "ext" {
match-clients { key "external"; };
zone "view-rsasha256.kasp" {
type primary;
file "view-rsasha256.kasp.ext.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
};
view "int" {
match-clients { key "internal"; };
zone "view-rsasha256.kasp" {
type primary;
file "view-rsasha256.kasp.int.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
};


@ -1,46 +0,0 @@
#!/bin/sh -e
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. ../../conf.sh
echo_i "ns4/setup.sh"
# Make lines shorter by storing key states in environment variables.
H="HIDDEN"
R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"
zone="view-rsasha256.kasp"
algo="RSASHA256"
num="8"
echo "$zone" >> zones
# Set up zones in views with auto-dnssec maintain to migrate to dnssec-policy.
# The keys for these zones are in use long enough that they should start a
# rollover for the ZSK (P3M), but not long enough to initiate a KSK rollover (P1Y).
ksktimes="-P -186d -A -186d -P sync -186d"
zsktimes="-P -186d -A -186d"
KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $algo -L 300 -b 2048 $zsktimes $zone 2> keygen.out.$zone.2)
echo_i "setting up zone $zone (external)"
view="ext"
zonefile="${zone}.${view}.db"
cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile"
echo_i "setting up zone $zone (internal)"
view="int"
zonefile="${zone}.${view}.db"
cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile"


@ -1,24 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns4
ns4 A 10.53.0.4
view TXT "external"


@ -1,24 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns4
ns4 A 10.53.0.4
view TXT "internal"


@ -1,34 +0,0 @@
#!/bin/sh -e
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. ../conf.sh
set -e
$SHELL clean.sh
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns3/kasp.conf.in ns3/kasp.conf
# Setup zones
(
cd ns3
$SHELL setup.sh
)
(
cd ns4
$SHELL setup.sh
)



@ -1,14 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
def test_keymgr2kasp(run_tests_sh):
run_tests_sh()


@ -34,6 +34,13 @@ controls {
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
dnssec-policy "masterformat" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
zone "example" {
type primary;
masterfile-format raw;
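Review bot: The new `dnssec-policy "masterformat"` block gives no reason for both keys having `lifetime unlimited`, and a reader cannot tell whether that is deliberate (presumably to keep the test zone free of rollovers during the run) or an oversight; a one-line comment above the `keys` clause such as `/* Unlimited lifetimes: the test zone must not roll its keys while the run is in progress. */` would settle that. A smaller point of style: the definition quotes the name (`"masterformat"`) while the zone option in the second hunk of this file refers to it unquoted (`dnssec-policy masterformat;`); both spellings appear to be accepted, but using one form in both places avoids doubt about whether they name the same policy. The policy block itself is complete within this hunk.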
@ -84,5 +91,5 @@ zone "signed" {
masterfile-format raw;
allow-transfer { any; };
update-policy local;
auto-dnssec maintain;
dnssec-policy masterformat;
};


@ -25,6 +25,7 @@ rm -f ns*/named.lock
rm -f ns1/dsset-sub.tld.
rm -f ns1/dsset-tld.
rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
rm -f ns1/signer.out.*
rm -f ns1/zone.key
rm -f ns3/broken.conf
rm -f ns4/dsset-sub.foo.


@ -44,8 +44,6 @@ controls {
zone "." {
type primary;
file "root.db.signed";
allow-update { any; };
auto-dnssec maintain;
};
zone "tld" {


@ -11,7 +11,7 @@
$TTL 20
. IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial
1 ; serial
600 ; refresh
600 ; retry
1200 ; expire


@ -37,7 +37,7 @@ zonefile=root.db
keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
$SIGNER -Sg -N unixtime -o $zone $zonefile > /dev/null 2>/dev/null
# Configure the resolving server with an initializing key.
keyfile_to_initial_ds $keyname > managed.conf


@ -41,11 +41,15 @@ mkeys_reload_on() (
wait_for_log 20 "loaded serial" "ns${nsidx}"/named.run || return 1
)
mkeys_loadkeys_on() (
nsidx=$1
nextpart "ns${nsidx}"/named.run > /dev/null
rndccmd "10.53.0.${nsidx}" loadkeys . | sed "s/^/ns${nsidx} /" | cat_i
wait_for_log 20 "next key event" "ns${nsidx}"/named.run || return 1
mkeys_resign_rootzone() (
n=$1
(
cd ns1
$SIGNER -PSg -N unixtime -o . root.db > signer.out.test$1 2>&1
)
nextpart ns1/named.run > /dev/null
rndccmd "10.53.0.1" reload . | sed "s/^/ns1 /" | cat_i
wait_for_log 20 "loaded serial" ns1/named.run || return 1
)
mkeys_refresh_on() (
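Review bot: `mkeys_resign_rootzone` assigns `n=$1` on its first line and then still uses the raw positional `$1` in the signer output file name, which leaves the assignment dead; the signing line should read `$SIGNER -PSg -N unixtime -o . root.db > signer.out.test$n 2>&1` so the local name is the one actually used. A second, hedged point: `-N unixtime` derives the SOA serial from the current second, and two later hunks in this file call the function back to back (the pair of calls around the `$SETTIME -D none` line), so both signings can end up with the same serial; it may be worth a short comment on the function stating that callers which rely on the serial advancing must not invoke it twice within one second, or confirming that the reload and ns2's refresh do not depend on a serial change. The function body is complete within this hunk.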
@ -137,7 +141,7 @@ n=$((n+1))
echo_i "check new trust anchor can be added ($n)"
ret=0
standby1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .)
mkeys_loadkeys_on 1 || ret=1
mkeys_resign_rootzone $n || ret=1
mkeys_refresh_on 2 || ret=1
mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
# there should be two keys listed now
@ -178,7 +182,7 @@ ret=0
mkeys_sync_on 2 || ret=1
t1=$(grep "trust pending" ns2/managed-keys.bind) || true
$SETTIME -D now -K ns1 "$standby1" > /dev/null
mkeys_loadkeys_on 1 || ret=1
mkeys_resign_rootzone $n || ret=1
# Less than a second may have passed since the last time ns2 received a
# ./DNSKEY response from ns1. Ensure keys are refreshed at a different
# timestamp to prevent false negatives caused by the acceptance timer getting
@ -199,7 +203,7 @@ echo_i "restore untrusted standby key, revoke original key ($n)"
t1=$t2
$SETTIME -D none -K ns1 "$standby1" > /dev/null
$SETTIME -R now -K ns1 "$original" > /dev/null
mkeys_loadkeys_on 1 || ret=1
mkeys_resign_rootzone $n || ret=1
# Less than a second may have passed since the last time ns2 received a
# ./DNSKEY response from ns1. Ensure keys are refreshed at a different
# timestamp to prevent false negatives caused by the acceptance timer getting
@ -269,9 +273,9 @@ ret=0
echo_i "restore revoked key, ensure same result ($n)"
t1=$t2
$SETTIME -R none -D now -K ns1 "$original" > /dev/null
mkeys_loadkeys_on 1 || ret=1
mkeys_resign_rootzone $n || ret=1
$SETTIME -D none -K ns1 "$original" > /dev/null
mkeys_loadkeys_on 1 || ret=1
mkeys_resign_rootzone $n || ret=1
# Less than a second may have passed since the last time ns2 received a
# ./DNSKEY response from ns1. Ensure keys are refreshed at a different
# timestamp to prevent false negatives caused by the acceptance timer getting
@ -347,7 +351,7 @@ echo_i "revoke original key, add new standby ($n)"
ret=0
standby2=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .)
$SETTIME -R now -K ns1 "$original" > /dev/null
mkeys_loadkeys_on 1 || ret=1
mkeys_resign_rootzone $n || ret=1
mkeys_refresh_on 2 || ret=1
mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
# three keys listed
@ -378,7 +382,7 @@ n=$((n+1))
echo_i "revoke standby before it is trusted ($n)"
ret=0
standby3=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .)
mkeys_loadkeys_on 1 || ret=1
mkeys_resign_rootzone $n || ret=1
mkeys_refresh_on 2 || ret=1
mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
# four keys listed
@ -391,7 +395,7 @@ count=$(grep -c "trust revoked" rndc.out.1.$n) || true
count=$(grep -c "trust pending" rndc.out.1.$n) || true
[ "$count" -eq 2 ] || { echo_i "trust pending count ($count) != 2"; ret=1; }
$SETTIME -R now -K ns1 "$standby3" > /dev/null
mkeys_loadkeys_on 1 || ret=1
mkeys_resign_rootzone $n || ret=1
mkeys_refresh_on 2 || ret=1
mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1
# now three keys listed
@ -404,7 +408,7 @@ count=$(grep -c "trust revoked" rndc.out.2.$n) || true
count=$(grep -c "trust pending" rndc.out.2.$n) || true
[ "$count" -eq 1 ] || { echo_i "trust pending count ($count) != 1"; ret=1; }
$SETTIME -D now -K ns1 "$standby3" > /dev/null
mkeys_loadkeys_on 1 || ret=1
mkeys_resign_rootzone $n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
@ -435,7 +439,7 @@ ret=0
$SETTIME -D now -K ns1 "$original" > /dev/null
$SETTIME -R now -K ns1 "$standby1" > /dev/null
$SETTIME -R now -K ns1 "$standby2" > /dev/null
mkeys_loadkeys_on 1 || ret=1
mkeys_resign_rootzone $n || ret=1
mkeys_refresh_on 2 || ret=1
mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
# two keys listed


@ -21,7 +21,6 @@ rm -f */named.memstats
rm -f */named.run */ans.run
rm -f */named.run.prev
rm -f Kxxx.*
rm -f doubleksk.key prepub.key
rm -f check.out.*
rm -f dig.out.*
rm -f jp.out.ns3.*
@ -48,14 +47,12 @@ rm -f ns3/*.signed
rm -f ns3/K*
rm -f ns3/delegation.test.db
rm -f ns3/dnskey.test.db
rm -f ns3/doubleksk.test.db
rm -f ns3/dsset-*
rm -f ns3/example.db
rm -f ns3/relaxed.db
rm -f ns3/multisigner.test.db
rm -f ns3/many.test.bk
rm -f ns3/nsec3param.test.db
rm -f ns3/prepub.test.db
rm -f ns3/too-big.test.db
rm -f ns5/local.db
rm -f ns6/in-addr.db


@ -1,15 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
doubleksk.test. 10 IN SOA doubleksk.test. hostmaster.doubleksk.test. 1 3600 900 2419200 3600
doubleksk.test. 10 IN NS doubleksk.test.
doubleksk.test. 10 IN A 10.53.0.3
doubleksk.test. 10 IN NSEC3PARAM 1 1 0 -


@ -35,7 +35,6 @@ controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "example" {
type primary;
allow-update { any; };
@ -81,22 +80,6 @@ zone "too-big.test" {
file "too-big.test.db";
};
zone "prepub.test" {
type primary;
allow-update { any; };
auto-dnssec maintain;
dnssec-dnskey-kskonly yes;
file "prepub.test.db.signed";
};
zone "doubleksk.test" {
type primary;
allow-update { any; };
auto-dnssec maintain;
dnssec-dnskey-kskonly yes;
file "doubleksk.test.db.signed";
};
/* Zone for testing CDS and CDNSKEY updates from other provider */
zone "multisigner.test" {
type primary;
