Fix autosign system test
When creating keys, set Publish and Activate times so that keys will be initialized as omnipresent. This way we start with a safe DNSSEC state — in most cases at least, because some tests depend on special key timings. The ttl[1-4].example cases have become incorrect: with dnssec-policy we require the TTL to match the dnskey-ttl from the policy. The delzsk.example zone will have a ZSK removed from the zone; it also requires that the DNSKEY RRset is already published, which means that for the existing keys the "is now published" messages will no longer be logged. The nsec-only.example and reconf.example zones are fixed to have a correct matching policy. All this means the expected count of log messages changes slightly.
This commit is contained in:
parent
67ea0e656b
commit
c756b8a505
6 changed files with 114 additions and 82 deletions
|
|
@ -31,10 +31,13 @@ setup() {
|
|||
|
||||
mkdir inactive
|
||||
|
||||
T="now-7d"
|
||||
keytimes="-P $T -A $T"
|
||||
|
||||
setup secure.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
|
||||
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
|
||||
|
||||
#
|
||||
|
|
@ -42,8 +45,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
|
|||
#
|
||||
setup secure.nsec3.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
|
||||
|
||||
#
|
||||
|
|
@ -51,8 +54,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
|
|||
#
|
||||
setup nsec3.nsec3.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
|
||||
|
||||
#
|
||||
|
|
@ -74,8 +77,8 @@ done
|
|||
#
|
||||
setup optout.nsec3.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
|
||||
|
||||
#
|
||||
|
|
@ -83,8 +86,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
|
|||
#
|
||||
setup nsec3.example
|
||||
cat $infile dsset-*.${zone}. >$zonefile
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
|
||||
|
||||
#
|
||||
|
|
@ -92,9 +95,9 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
|
|||
#
|
||||
setup autonsec3.example
|
||||
cat $infile >$zonefile
|
||||
ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
echo $ksk >../autoksk.key
|
||||
zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
|
||||
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
echo $zsk >../autozsk.key
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
|
||||
|
||||
|
|
@ -103,8 +106,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
|
|||
#
|
||||
setup secure.optout.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
|
||||
|
||||
#
|
||||
|
|
@ -112,8 +115,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
|
|||
#
|
||||
setup nsec3.optout.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
|
||||
|
||||
#
|
||||
|
|
@ -121,8 +124,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
|
|||
#
|
||||
setup optout.optout.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
|
||||
|
||||
#
|
||||
|
|
@ -130,8 +133,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
|
|||
#
|
||||
setup optout.example
|
||||
cat $infile dsset-*.${zone}. >$zonefile
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
|
||||
|
||||
#
|
||||
|
|
@ -139,8 +142,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
|
|||
#
|
||||
setup rsasha256.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA256 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA256 -b 2048 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
|
||||
|
||||
#
|
||||
|
|
@ -148,8 +151,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
|
|||
#
|
||||
setup rsasha512.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA512 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA512 -b 2048 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
|
||||
|
||||
#
|
||||
|
|
@ -160,8 +163,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
|
|||
if [ $RSASHA1_SUPPORTED = 1 ]; then
|
||||
setup nsec-only.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
ksk=$($KEYGEN -q -a RSASHA1 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
|
||||
else
|
||||
echo_i "skip: nsec-only.example - signing with RSASHA1 not supported"
|
||||
|
|
@ -178,8 +181,8 @@ while [ $count -le 1000 ]; do
|
|||
echo "label${count} IN TXT label${count}" >>$zonefile
|
||||
count=$((count + 1))
|
||||
done
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$SIGNER -PS -x -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile >s.out || dumpit s.out
|
||||
cp $zonefile.signed $zonefile.bak
|
||||
mv $zonefile.signed $zonefile
|
||||
|
|
@ -188,16 +191,16 @@ mv $zonefile.signed $zonefile
|
|||
# NSEC3->NSEC transition test zone.
|
||||
#
|
||||
setup nsec3-to-nsec.example
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out
|
||||
|
||||
#
|
||||
# NSEC3->NSEC3 transition test zone.
|
||||
#
|
||||
setup nsec3-to-nsec3.example
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out
|
||||
|
||||
#
|
||||
|
|
@ -205,8 +208,8 @@ $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out
|
|||
#
|
||||
setup prepub.example
|
||||
infile="prepub.example.db.in"
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out
|
||||
zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
echo $zsk >../prepub.key
|
||||
$SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out
|
||||
|
||||
|
|
@ -214,29 +217,29 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out
|
|||
# Key TTL tests.
|
||||
#
|
||||
|
||||
# no default key TTL; DNSKEY should get SOA TTL
|
||||
# no default key TTL; DNSKEY should get default dnskey-ttl
|
||||
setup ttl1.example
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
cp $infile $zonefile
|
||||
|
||||
# default key TTL should be used
|
||||
# default dnskey-ttl should be used
|
||||
setup ttl2.example
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
cp $infile $zonefile
|
||||
|
||||
# mismatched key TTLs, should use shortest
|
||||
# mismatched key TTLs, should use default dnskey-ttl
|
||||
setup ttl3.example
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
cp $infile $zonefile
|
||||
|
||||
# existing DNSKEY RRset, should retain TTL
|
||||
# existing DNSKEY RRset, should update to use dnksey-ttl
|
||||
setup ttl4.example
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone >kg.out 2>&1 || dumpit kg.out
|
||||
cat ${infile} K${zone}.+*.key >$zonefile
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
cp $infile $zonefile
|
||||
|
||||
#
|
||||
# A zone with a DNSKEY RRset that is published before it's activated
|
||||
|
|
@ -253,8 +256,8 @@ cp delay.example.db.in delay.example.db
|
|||
# is missing.
|
||||
#
|
||||
setup noksk.example
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
|
||||
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
|
||||
echo $ksk >../noksk-ksk.key
|
||||
rm -f ${ksk}.private
|
||||
|
|
@ -264,8 +267,8 @@ rm -f ${ksk}.private
|
|||
# is missing.
|
||||
#
|
||||
setup nozsk.example
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
|
||||
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
|
||||
echo $ksk >../nozsk-ksk.key
|
||||
echo $zsk >../nozsk-zsk.key
|
||||
|
|
@ -276,8 +279,8 @@ rm -f ${zsk}.private
|
|||
# is inactive.
|
||||
#
|
||||
setup inaczsk.example
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
|
||||
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
|
||||
echo $ksk >../inaczsk-ksk.key
|
||||
echo $zsk >../inaczsk-zsk.key
|
||||
|
|
@ -288,16 +291,16 @@ $SETTIME -I now $zsk >st.out 2>&1 || dumpit st.out
|
|||
#
|
||||
setup reconf.example
|
||||
cp secure.example.db.in $zonefile
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
|
||||
#
|
||||
# A zone which generates CDS and CDNSEY RRsets automatically (with an additional CSK)
|
||||
#
|
||||
setup sync.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
|
||||
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
|
||||
echo ns3/$ksk >../sync.key
|
||||
|
||||
|
|
@ -306,8 +309,8 @@ echo ns3/$ksk >../sync.key
|
|||
#
|
||||
setup kskonly.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
|
||||
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
|
||||
|
||||
#
|
||||
|
|
@ -315,7 +318,7 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
|
|||
#
|
||||
setup inaczsk2.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
|
||||
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
|
||||
|
||||
|
|
@ -325,19 +328,19 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
|
|||
#
|
||||
setup delzsk.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
|
||||
zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out) || dumpit kg.out
|
||||
cat $zsk.key >>$zonefile
|
||||
mv $zsk.key inactive/
|
||||
mv $zsk.private inactive/
|
||||
echo $zsk >../delzsk.key
|
||||
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now-7d $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
zsk1=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes $zone >kg.out 2>&1) || dumpit kg.out
|
||||
zsk2=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes -I now-1d $zone 2>kg.out) || dumpit kg.out
|
||||
cat $ksk.key $zsk2.key >>$zonefile
|
||||
cp $zsk2.key inactive/
|
||||
cp $zsk2.private inactive/
|
||||
echo $zsk2 >../delzsk.key
|
||||
|
||||
#
|
||||
# Check that NSEC3 are correctly signed and returned from below a DNAME
|
||||
#
|
||||
setup dname-at-apex-nsec3.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
|
||||
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key >dsset-${zone}.
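Review bot: In the delzsk.example setup, `zsk1=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes $zone >kg.out 2>&1) || dumpit kg.out` redirects the generated key name into kg.out inside the command substitution, so `zsk1` is always the empty string, whereas the neighbouring ksk/zsk2 lines use `2>kg.out` and keep the name on stdout. Nothing in the visible hunk reads `zsk1`, so the test does not break today, but the assignment is misleading: either drop it or write `zsk1=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes $zone 2>kg.out) || dumpit kg.out`. The ttl4.example block keeps the comment "existing DNSKEY RRset, should update to use dnksey-ttl" (misspelling dnskey-ttl) while its setup now does a plain `cp $infile $zonefile` instead of appending `K${zone}.+*.key`, so unless `$infile` already carries a DNSKEY the comment and the setup appear out of step and one of them should be adjusted. The `-P sync now-7d` on the delzsk KSK has no counterpart in the other zones; a one-line comment saying why the CDS/CDNSKEY publication time is presumably backdated there would help the next reader.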
|
||||
|
|
|
|||
|
|
@ -250,14 +250,6 @@ zone "rsasha512.example" {
|
|||
dnssec-policy rsasha512;
|
||||
};
|
||||
|
||||
zone "nsec-only.example" {
|
||||
type primary;
|
||||
file "nsec-only.example.db";
|
||||
allow-update { any; };
|
||||
inline-signing no;
|
||||
dnssec-policy autosign;
|
||||
};
|
||||
|
||||
zone "nsec3-to-nsec.example" {
|
||||
type primary;
|
||||
file "nsec3-to-nsec.example.db";
|
||||
|
|
@ -394,4 +386,6 @@ zone "dname-at-apex-nsec3.example" {
|
|||
dnssec-policy nsec3;
|
||||
};
|
||||
|
||||
include "nsec-only.conf";
|
||||
|
||||
include "trusted.conf";
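Review bot: `include "nsec-only.conf";` pulls in a file that this configuration does not describe, and the reason the nsec-only.example zone disappears from named.conf.in is only visible in the accompanying setup.sh change, which copies nsec-only.conf.in when RSASHA1 is supported and truncates the file to empty otherwise. A short comment above the include would save the next reader that detour, e.g. `// Generated by setup.sh: holds nsec-only.example when RSASHA1 is supported, empty otherwise.`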
|
||||
|
|
|
|||
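--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nsec-only.conf.in
@@ -0,0 +1,27 @@
+/*
+* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+*
+* SPDX-License-Identifier: MPL-2.0
+*
+* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, you can obtain one at https://mozilla.org/MPL/2.0/.
+*
+* See the COPYRIGHT file distributed with this work for additional
+* information regarding copyright ownership.
+*/
+
+dnssec-policy "nsec-only" {
+keys {
+ksk key-directory lifetime unlimited algorithm rsasha1;
+zsk key-directory lifetime unlimited algorithm rsasha1;
+};
+};
+
+zone "nsec-only.example" {
+type primary;
+file "nsec-only.example.db";
+allow-update { any; };
+inline-signing no;
+dnssec-policy nsec-only;
+};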
|
|
@ -15,6 +15,11 @@
|
|||
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
copy_setports ns2/named.conf.in ns2/named.conf
|
||||
if [ $RSASHA1_SUPPORTED = 1 ]; then
|
||||
cp ns3/nsec-only.conf.in ns3/nsec-only.conf
|
||||
else
|
||||
: >ns3/nsec-only.conf
|
||||
fi
|
||||
copy_setports ns3/named.conf.in ns3/named.conf
|
||||
copy_setports ns4/named.conf.in ns4/named.conf
|
||||
copy_setports ns5/named.conf.in ns5/named.conf
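Review bot: `if [ $RSASHA1_SUPPORTED = 1 ]; then` leaves the variable unquoted, so if it is ever unset or empty the test degenerates to `[ = 1 ]` and the script aborts with a syntax error instead of taking the else branch that writes the empty ns3/nsec-only.conf. Quoting it, `if [ "$RSASHA1_SUPPORTED" = 1 ]; then`, makes the fallback reliable; ns3/setup.sh uses the same unquoted form, so whichever style is chosen should be applied consistently. The new file is also copied with plain `cp` rather than `copy_setports`, which presumably substitutes port placeholders; that is fine because nsec-only.conf.in contains none, but a comment such as `# no port placeholders in nsec-only.conf.in, plain copy is enough` would stop that assumption from breaking silently if the file grows a listen or server statement later.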
|
||||
|
|
|
|||
|
|
@ -1087,7 +1087,7 @@ ret=0
|
|||
rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l)
|
||||
[ "$rekey_calls" -eq 0 ] || ret=1
|
||||
# ...then we add dnssec-policy and reconfigure
|
||||
($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; dnssec-policy default; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
|
||||
($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; dnssec-policy autosign; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
|
||||
rndc_reconfig ns3 10.53.0.3
|
||||
for i in 0 1 2 3 4 5 6 7 8 9; do
|
||||
lret=0
|
||||
|
|
@ -1256,17 +1256,19 @@ act=$(grep "DNSKEY .* is now active" ns3/named.run | wc -l)
|
|||
if [ $RSASHA1_SUPPORTED = 1 ]; then
|
||||
# Include two log lines for nsec-only zone.
|
||||
[ "$pub" -eq 53 ] || ret=1
|
||||
[ "$act" -eq 53 ] || ret=1
|
||||
[ "$act" -eq 54 ] || ret=1
|
||||
else
|
||||
[ "$pub" -eq 51 ] || ret=1
|
||||
[ "$act" -eq 51 ] || ret=1
|
||||
[ "$act" -eq 52 ] || ret=1
|
||||
fi
|
||||
rev=$(grep "DNSKEY .* is now revoked" ns3/named.run | wc -l)
|
||||
[ "$rev" -eq 0 ] || ret=1
|
||||
# inaczsk.example
|
||||
inac=$(grep "DNSKEY .* is now inactive" ns3/named.run | wc -l)
|
||||
[ "$inac" -eq 0 ] || ret=1
|
||||
[ "$inac" -eq 1 ] || ret=1
|
||||
# delzsk.example
|
||||
del=$(grep "DNSKEY .* is now deleted" ns3/named.run | wc -l)
|
||||
[ "$del" -eq 3 ] || ret=1
|
||||
[ "$del" -eq 1 ] || ret=1
|
||||
n=$((n + 1))
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
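Review bot: The new expectations `[ "$pub" -eq 53 ]` / `[ "$act" -eq 54 ]` (51/52 without RSASHA1) give the reader no way to see why `act` now exceeds `pub` by one; the nearby comment `# Include two log lines for nsec-only zone.` explains only the RSASHA1 delta. The commit description attributes the shift to delzsk.example's keys being pre-published in the zone file, so a comment next to the counts stating that, e.g. `# delzsk.example's KSK/ZSK are already in the zone file, so they log no "is now published" line`, would keep these numbers auditable the next time they drift. Likewise `[ "$inac" -eq 1 ]` is labelled `# inaczsk.example` although delzsk.example now also generates a ZSK with `-I now-1d`; naming the zone the single inactive line actually comes from would avoid the ambiguity. While here, the `grep ... | wc -l` pattern could be `grep -c ...`, though that style predates this change.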
|
||||
|
|
|
|||
|
|
@ -114,6 +114,7 @@ pytestmark = pytest.mark.extra_artifacts(
|
|||
"ns3/kskonly.example.db.jbk",
|
||||
"ns3/noksk.example.db",
|
||||
"ns3/nozsk.example.db",
|
||||
"ns3/nsec-only.conf",
|
||||
"ns3/nsec-only.example.db",
|
||||
"ns3/nsec3-to-nsec.example.db",
|
||||
"ns3/nsec3-to-nsec3.example.db",
|
||||
|
|
|
|||