From db5eb04f4a40362bd7c92cd12ebccb8012ee73d3 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 8 Jul 2022 13:49:52 +1000 Subject: [PATCH] inline: use $DEFAULT_ALGORITHM (cherry picked from commit e3acddefd1076a396d4136f7501d650148af74ff) --- bin/tests/system/inline/ns1/sign.sh | 4 +- bin/tests/system/inline/ns3/sign.sh | 78 ++--- bin/tests/system/inline/ns7/sign.sh | 6 +- bin/tests/system/inline/ns8/sign.sh | 8 +- bin/tests/system/inline/tests.sh | 443 ++++++++++++++-------------- 5 files changed, 270 insertions(+), 269 deletions(-) diff --git a/bin/tests/system/inline/ns1/sign.sh b/bin/tests/system/inline/ns1/sign.sh index 8114d770c2..c231713a02 100644 --- a/bin/tests/system/inline/ns1/sign.sh +++ b/bin/tests/system/inline/ns1/sign.sh @@ -16,8 +16,8 @@ zone=. rm -f K.+*+*.key rm -f K.+*+*.private -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) $SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out [ $? = 0 ] || cat signer.out diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh index 7624180001..a4c9e14221 100755 --- a/bin/tests/system/inline/ns3/sign.sh +++ b/bin/tests/system/inline/ns3/sign.sh @@ -21,36 +21,36 @@ mv ${unsupportedkey}.tmp ${unsupportedkey}.key zone=bits rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db zone=noixfr rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db zone=primary rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db zone=dynamic rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db zone=updated rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db $SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null cp primary2.db.in updated.db @@ -59,92 +59,92 @@ cp primary2.db.in updated.db zone=expired rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db $SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null zone=retransfer rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db zone=nsec3 rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone` +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db zone=retransfer3 rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone` +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db zone=inactiveksk rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -P now -A now+3600 -f KSK $zone` -keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone -f KSK $zone` +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 -f KSK $zone) +keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone) $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db zone=inactivezsk rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -P now -A now+3600 $zone` -keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone` -keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone -f KSK $zone` +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone) $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db zone=delayedkeys rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) # Keys for the "delayedkeys" zone should not be initially accessible. mv K${zone}.+*+*.* ../ zone=removedkeys-primary rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) zone=removedkeys-secondary rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) for s in a c d h k l m q z do zone=test-$s - keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` + keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) done for s in b f i o p t v do zone=test-$s - keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` - keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` + keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) + keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) done zone=externalkey rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -for alg in ECDSAP256SHA256 NSEC3RSASHA1 +for alg in ${DEFAULT_ALGORITHM} ${ALTERNATIVE_ALGORITHM} do - k1=`$KEYGEN -q -a $alg -b 1024 -n zone -f KSK $zone` - k2=`$KEYGEN -q -a $alg -b 1024 -n zone $zone` - k3=`$KEYGEN -q -a $alg -b 1024 -n zone $zone` - k4=`$KEYGEN -q -a $alg -b 1024 -n zone -f KSK $zone` + k1=$($KEYGEN -q -a $alg -n zone -f KSK $zone) + k2=$($KEYGEN -q -a $alg -n zone $zone) + k3=$($KEYGEN -q -a $alg -n zone $zone) + k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone) $DSFROMKEY -T 1200 $k4 >> ../ns1/root.db # Convert k1 and k2 in to External Keys. diff --git a/bin/tests/system/inline/ns7/sign.sh b/bin/tests/system/inline/ns7/sign.sh index 66965cc77a..8ab8288bca 100755 --- a/bin/tests/system/inline/ns7/sign.sh +++ b/bin/tests/system/inline/ns7/sign.sh @@ -19,6 +19,6 @@ zone=nsec3-loop rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone` -keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone` +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) diff --git a/bin/tests/system/inline/ns8/sign.sh b/bin/tests/system/inline/ns8/sign.sh index dd9790fa18..d9b95e4ab2 100755 --- a/bin/tests/system/inline/ns8/sign.sh +++ b/bin/tests/system/inline/ns8/sign.sh @@ -20,8 +20,8 @@ for zone in example01.com example02.com example03.com example04.com \ do rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private - keyname=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` - keyname=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone` + keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) + keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone) cp example.com.db.in ${zone}.db $SIGNER -S -T 3600 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1 done @@ -29,7 +29,7 @@ done for zone in example unsigned-serial-test; do rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private - keyname=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` - keyname=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone` + keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) + keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone) cp example.db.in ${zone}.db done diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh index 8d4026bd0d..a8f8860a01 100755 --- a/bin/tests/system/inline/tests.sh +++ b/bin/tests/system/inline/tests.sh @@ -37,55 +37,55 @@ $RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1 for i in 1 2 3 4 5 6 7 8 9 0 do - nsec3param=`$DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.` + nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.) test "$nsec3param" = "1 0 0 -" && break sleep 1 done -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that an unsupported algorithm is not used for signing ($n)" ret=0 grep -q "algorithm is unsupported" ns3/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that rrsigs are replaced with ksk only ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 axfr nsec3. | awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that the zone is signed on initial transfer ($n)" ret=0 for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 do ret=0 $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 - keys=`grep '^Done signing' signing.out.test$n | wc -l` + keys=$(grep '^Done signing' signing.out.test$n | wc -l) [ $keys = 2 ] || ret=1 if [ $ret = 0 ]; then break; fi sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking expired signatures are updated on load ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n -expiry=`awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n` +expiry=$(awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n) [ "$expiry" = "20110101000000" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking removal of private type record via 'rndc signing -clear' ($n)" ret=0 $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 -keys=`sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n` +keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n) for key in $keys; do $RNDCCMD 10.53.0.3 signing -clear ${key} bits > /dev/null || ret=1 break; # We only want to remove 1 record for now. @@ -95,16 +95,16 @@ for i in 1 2 3 4 5 6 7 8 9 10 do ans=0 $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 - num=`grep "Done signing with" signing.out.test$n | wc -l` + num=$(grep "Done signing with" signing.out.test$n | wc -l) [ $num = 1 ] && break sleep 1 done [ $ans = 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking private type was properly signed ($n)" ret=0 $DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n @@ -112,9 +112,9 @@ grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1 grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking removal of remaining private type record via 'rndc signing -clear all' ($n)" ret=0 $RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1 @@ -130,9 +130,9 @@ done [ $ans = 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking negative private type response was properly signed ($n)" ret=0 sleep 1 @@ -142,7 +142,7 @@ grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1 grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) $NSUPDATE << EOF zone bits @@ -151,16 +151,16 @@ update add added.bits 0 A 1.2.3.4 send EOF -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that the record is added on the hidden primary ($n)" ret=0 $DIG $DIGOPTS @10.53.0.2 added.bits A > dig.out.ns2.test$n grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that update has been transferred and has been signed ($n)" ret=0 for i in 1 2 3 4 5 6 7 8 9 10 @@ -173,7 +173,7 @@ do sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) $NSUPDATE << EOF zone bits @@ -182,7 +182,7 @@ update add bits 0 SOA ns2.bits. . 2011072400 20 20 1814400 3600 send EOF -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary ($n)" ret=0 $DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n @@ -190,9 +190,9 @@ grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 grep "2011072400" dig.out.ns2.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone ($n)" for i in 1 2 3 4 5 6 7 8 9 10 do @@ -205,22 +205,22 @@ do sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that the zone is signed on initial transfer, noixfr ($n)" ret=0 for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 do ret=0 $RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n 2>&1 - keys=`grep '^Done signing' signing.out.test$n | wc -l` + keys=$(grep '^Done signing' signing.out.test$n | wc -l) [ $keys = 2 ] || ret=1 if [ $ret = 0 ]; then break; fi sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) $NSUPDATE << EOF zone noixfr @@ -229,16 +229,16 @@ update add added.noixfr 0 A 1.2.3.4 send EOF -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that the record is added on the hidden primary, noixfr ($n)" ret=0 $DIG $DIGOPTS @10.53.0.4 added.noixfr A > dig.out.ns4.test$n grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that update has been transferred and has been signed, noixfr ($n)" ret=0 for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 @@ -251,7 +251,7 @@ do sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) $NSUPDATE << EOF zone noixfr @@ -260,7 +260,7 @@ update add noixfr 0 SOA ns4.noixfr. . 2011072400 20 20 1814400 3600 send EOF -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary, noixfr ($n)" ret=0 $DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n @@ -268,9 +268,9 @@ grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 grep "2011072400" dig.out.ns4.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)" for i in 1 2 3 4 5 6 7 8 9 10 do @@ -283,28 +283,28 @@ do sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that the primary zone signed on initial load ($n)" ret=0 for i in 1 2 3 4 5 6 7 8 9 10 do ret=0 $RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1 - keys=`grep '^Done signing' signing.out.test$n | wc -l` + keys=$(grep '^Done signing' signing.out.test$n | wc -l) [ $keys = 2 ] || ret=1 if [ $ret = 0 ]; then break; fi sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking removal of private type record via 'rndc signing -clear' (primary) ($n)" ret=0 $RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1 -keys=`sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n` +keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n) for key in $keys; do $RNDCCMD 10.53.0.3 signing -clear ${key} primary > /dev/null || ret=1 break; # We only want to remove 1 record for now. @@ -314,16 +314,16 @@ for i in 1 2 3 4 5 6 7 8 9 do ans=0 $RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1 - num=`grep "Done signing with" signing.out.test$n | wc -l` + num=$(grep "Done signing with" signing.out.test$n | wc -l) [ $num = 1 ] && break sleep 1 done [ $ans = 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking private type was properly signed (primary) ($n)" ret=0 $DIG $DIGOPTS @10.53.0.6 primary TYPE65534 > dig.out.ns6.test$n @@ -331,9 +331,9 @@ grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1 grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking removal of remaining private type record via 'rndc signing -clear' (primary) ($n)" ret=0 $RNDCCMD 10.53.0.3 signing -clear all primary > /dev/null || ret=1 @@ -348,9 +348,9 @@ done [ $ans = 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check adding of record to unsigned primary ($n)" ret=0 cp ns3/primary2.db.in ns3/primary.db @@ -366,9 +366,9 @@ do done [ $ans = 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check adding record fails when SOA serial not changed ($n)" ret=0 echo "c A 10.0.0.3" >> ns3/primary.db @@ -377,9 +377,9 @@ sleep 1 $DIG $DIGOPTS @10.53.0.3 c.primary A > dig.out.ns3.test$n grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check adding record works after updating SOA serial ($n)" ret=0 cp ns3/primary3.db.in ns3/primary.db @@ -395,9 +395,9 @@ do done [ $ans = 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check the added record was properly signed ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 e.primary A > dig.out.ns6.test$n @@ -405,28 +405,28 @@ grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ans=1 grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ans=1 grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ans=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that the dynamic primary zone signed on initial load ($n)" ret=0 for i in 1 2 3 4 5 6 7 8 9 10 do ret=0 $RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n 2>&1 - keys=`grep '^Done signing' signing.out.test$n | wc -l` + keys=$(grep '^Done signing' signing.out.test$n | wc -l) [ $keys = 2 ] || ret=1 if [ $ret = 0 ]; then break; fi sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking primary zone that was updated while offline is correct ($n)" ret=0 $DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA >dig.out.ns2.soa.test$n -serial=`awk '{print $3}' dig.out.ns2.soa.test$n` +serial=$(awk '{print $3}' dig.out.ns2.soa.test$n) # serial should have changed [ "$serial" = "2000042407" ] && ret=1 # e.updated should exist and should be signed @@ -438,14 +438,14 @@ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 # records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records # (SOA/RRSIG, NSEC/RRSIG). $JOURNALPRINT ns3/updated.db.signed.jnl >journalprint.out.test$n -serial=`awk '/Source serial =/ {print $4}' journalprint.out.test$n` +serial=$(awk '/Source serial =/ {print $4}' journalprint.out.test$n) [ "$serial" = "2000042408" ] || ret=1 -diffsize=`wc -l < journalprint.out.test$n` +diffsize=$(wc -l < journalprint.out.test$n) [ "$diffsize" -le 13 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking adding of record to unsigned primary using UPDATE ($n)" ret=0 @@ -473,21 +473,21 @@ done [ $ans = 0 ] || { ret=1; echo_i "signed record not found"; cat dig.out.ns3.test$n ; } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "stop bump in the wire signer server ($n)" ret=0 stop_server inline ns3 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "restart bump in the wire signer server ($n)" ret=0 start_server --noclean --restart --port ${PORT} inline ns3 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) $NSUPDATE << EOF zone bits @@ -496,7 +496,7 @@ update add bits 0 SOA ns2.bits. . 2011072450 20 20 1814400 3600 send EOF -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary ($n)" ret=0 $DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n @@ -504,9 +504,9 @@ grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 grep "2011072450" dig.out.ns2.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone ($n)" for i in 1 2 3 4 5 6 7 8 9 10 do @@ -519,7 +519,7 @@ do sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) $NSUPDATE << EOF zone noixfr @@ -528,7 +528,7 @@ update add noixfr 0 SOA ns4.noixfr. . 2011072450 20 20 1814400 3600 send EOF -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary, noixfr ($n)" ret=0 $DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n @@ -536,9 +536,9 @@ grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 grep "2011072450" dig.out.ns4.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)" for i in 1 2 3 4 5 6 7 8 9 10 do @@ -551,7 +551,7 @@ do sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) $NSUPDATE << EOF zone bits @@ -560,7 +560,7 @@ update add bits 0 SOA ns2.bits. . 2011072460 20 20 1814400 3600 send EOF -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking forwarded update on hidden primary ($n)" ret=0 $DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n @@ -568,9 +568,9 @@ grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 grep "2011072460" dig.out.ns2.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking forwarded update on signed zone ($n)" for i in 1 2 3 4 5 6 7 8 9 10 do @@ -583,7 +583,7 @@ do sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) $NSUPDATE << EOF zone noixfr @@ -592,7 +592,7 @@ update add noixfr 0 SOA ns4.noixfr. . 2011072460 20 20 1814400 3600 send EOF -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking forwarded update on hidden primary, noixfr ($n)" ret=0 $DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n @@ -600,9 +600,9 @@ grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 grep "2011072460" dig.out.ns4.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking forwarded update on signed zone, noixfr ($n)" for i in 1 2 3 4 5 6 7 8 9 10 do @@ -615,19 +615,19 @@ do sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) ret=0 -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking turning on of inline signing in a secondary zone via reload ($n)" $DIG $DIGOPTS @10.53.0.5 +dnssec bits SOA > dig.out.ns5.test$n grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "setup broken"; fi -status=`expr $status + $ret` +status=$((status + ret)) copy_setports ns5/named.conf.post ns5/named.conf -(cd ns5; $KEYGEN -q -a rsasha256 bits) > /dev/null 2>&1 -(cd ns5; $KEYGEN -q -a rsasha256 -f KSK bits) > /dev/null 2>&1 +(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} bits) > /dev/null 2>&1 +(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK bits) > /dev/null 2>&1 rndc_reload ns5 10.53.0.5 for i in 1 2 3 4 5 6 7 8 9 10 do @@ -639,9 +639,9 @@ do sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking rndc freeze/thaw of dynamic inline zone no change ($n)" ret=0 $RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || { echo_i "/' < freeze.test$n"; ret=1; } @@ -650,10 +650,10 @@ $RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || { echo_i "rndc thaw dynami sleep 1 grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking rndc freeze/thaw of dynamic inline zone ($n)" ret=0 $RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || ret=1 @@ -664,9 +664,9 @@ awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; } mv ns3/dynamic.db.new ns3/dynamic.db $RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check added record freeze1.dynamic ($n)" for i in 1 2 3 4 5 6 7 8 9 do @@ -678,12 +678,12 @@ do sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # allow 1 second so that file time stamps change sleep 1 -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking rndc freeze/thaw of server ($n)" ret=0 $RNDCCMD 10.53.0.3 freeze > freeze.test$n 2>&1 || ret=1 @@ -694,9 +694,9 @@ awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; } mv ns3/dynamic.db.new ns3/dynamic.db $RNDCCMD 10.53.0.3 thaw > thaw.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check added record freeze2.dynamic ($n)" for i in 1 2 3 4 5 6 7 8 9 do @@ -708,17 +708,17 @@ do sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check rndc reload allows reuse of inline-signing zones ($n)" ret=0 { $RNDCCMD 10.53.0.3 reload 2>&1 || ret=1 ; } | sed 's/^/ns3 /' | cat_i grep "not reusable" ns3/named.run > /dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check rndc sync removes both signed and unsigned journals ($n)" ret=0 [ -f ns3/dynamic.db.jnl ] || ret=1 @@ -727,7 +727,7 @@ $RNDCCMD 10.53.0.3 sync -clean dynamic 2>&1 || ret=1 [ -f ns3/dynamic.db.jnl ] && ret=1 [ -f ns3/dynamic.db.signed.jnl ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) $NSUPDATE << EOF zone retransfer @@ -737,16 +737,16 @@ send EOF -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that the retransfer record is added on the hidden primary ($n)" ret=0 $DIG $DIGOPTS @10.53.0.2 added.retransfer A > dig.out.ns2.test$n grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that the change has not been transferred due to notify ($n)" ret=0 for i in 0 1 2 3 4 5 6 7 8 9 @@ -758,9 +758,9 @@ do sleep 1 done if [ $ans != 1 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check rndc retransfer of a inline secondary zone works ($n)" ret=0 $RNDCCMD 10.53.0.3 retransfer retransfer 2>&1 || ret=1 @@ -775,9 +775,9 @@ do done [ $ans = 1 ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check 'rndc signing -nsec3param' requests are queued for zones which are not loaded ($n)" ret=0 # The "retransfer3" zone is configured with "allow-transfer { none; };" on ns2, @@ -803,8 +803,8 @@ $RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1 for i in 0 1 2 3 4 5 6 7 8 9 do $RNDCCMD 10.53.0.3 signing -list retransfer3 > signing.out.test$n.$i 2>&1 - keys_done=`grep "Done signing" signing.out.test$n.$i | wc -l` - nsec3_pending=`grep "NSEC3 chain" signing.out.test$n.$i | wc -l` + keys_done=$(grep "Done signing" signing.out.test$n.$i | wc -l) + nsec3_pending=$(grep "NSEC3 chain" signing.out.test$n.$i | wc -l) test $keys_done -eq 2 -a $nsec3_pending -eq 0 && break sleep 1 done @@ -813,9 +813,9 @@ $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ret=1 grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check rndc retransfer of a inline nsec3 secondary retains nsec3 ($n)" ret=0 $RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1 @@ -840,11 +840,11 @@ do done [ $ans = 1 ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # NOTE: The test below should be considered fragile. More details can be found # in the comment inside ns7/named.conf. -n=`expr $n + 1` +n=$((n + 1)) echo_i "check rndc retransfer of a inline nsec3 secondary does not trigger an infinite loop ($n)" ret=0 zone=nsec3-loop @@ -856,7 +856,7 @@ for i in 1 2 3 4 5 6 7 8 9 0 do ret=1 $RNDCCMD 10.53.0.7 signing -list $zone > signing.out.test$n 2>&1 - keys=`grep '^Done signing' signing.out.test$n | wc -l` + keys=$(grep '^Done signing' signing.out.test$n | wc -l) [ $keys -eq 3 ] && ret=0 && break sleep 1 done @@ -866,7 +866,7 @@ $RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1 for i in 1 2 3 4 5 6 7 8 9 0 do ret=1 - nsec3param=`$DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone` + nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone) test "$nsec3param" = "1 0 2 12345678" && ret=0 && break sleep 1 done @@ -887,27 +887,27 @@ do sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "stop bump in the wire signer server ($n)" ret=0 stop_server inline ns3 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "update SOA record while stopped" cp ns3/primary4.db.in ns3/primary.db rm ns3/primary.db.jnl -n=`expr $n + 1` +n=$((n + 1)) echo_i "restart bump in the wire signer server ($n)" ret=0 start_server --noclean --restart --port ${PORT} inline ns3 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "updates to SOA parameters other than serial while stopped are reflected in signed zone ($n)" ret=0 for i in 1 2 3 4 5 6 7 8 9 @@ -921,9 +921,9 @@ do done [ $ans = 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that reloading all zones does not cause zone maintenance to cease for inline-signed zones ($n)" ret=1 # Ensure "rndc reload" attempts to load ns3/primary.db by waiting 1 second so @@ -946,9 +946,9 @@ done $DIG $DIGOPTS @10.53.0.3 primary SOA > dig.out.ns3.test$n || ret=1 grep "hostmaster" dig.out.ns3.test$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that reloading errors prevent synchronization ($n)" ret=1 $DIG $DIGOPTS +short @10.53.0.3 primary SOA > dig.out.ns3.test$n.1 || ret=1 @@ -969,14 +969,14 @@ done $DIG $DIGOPTS +short @10.53.0.3 primary SOA > dig.out.ns3.test$n.2 || ret=1 diff dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check inline-signing with an include file ($n)" ret=0 $DIG $DIGOPTS +short @10.53.0.3 primary SOA > dig.out.ns3.test$n.1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) sleep 1 nextpart ns3/named.run > /dev/null cp ns3/primary7.db.in ns3/primary.db @@ -993,9 +993,9 @@ retry_quiet 10 _includefile_loaded $DIG $DIGOPTS +short @10.53.0.3 primary SOA > dig.out.ns3.test$n.2 || ret=1 diff dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "test add/del zone combinations ($n)" ret=0 for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z @@ -1009,34 +1009,35 @@ $RNDCCMD 10.53.0.3 addzone test-$zone \ $RNDCCMD 10.53.0.3 delzone test-$zone > /dev/null 2>&1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "testing adding external keys to a inline zone ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 dnskey externalkey > dig.out.ns3.test$n -for alg in 7 13 +for alg in ${DEFAULT_ALGORITHM_NUMBER} ${ALTERNATIVE_ALGORITHM_NUMBER} do [ $alg = 13 -a ! -f checkecdsa ] && continue; case $alg in 7) echo_i "checking NSEC3RSASHA1";; + 8) echo_i "checking RSASHA256";; 13) echo_i "checking ECDSAP256SHA256";; *) echo_i "checking $alg";; esac - dnskeys=`grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l` - rrsigs=`grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l` + dnskeys=$(grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l) + rrsigs=$(grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l) test ${dnskeys:-0} -eq 3 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; } test ${rrsigs:-0} -eq 2 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; } done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "testing imported key won't overwrite a private key ($n)" ret=0 -key=`$KEYGEN -q -a rsasha256 import.example` +key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} import.example) cp ${key}.key import.key # import should fail $IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1 @@ -1046,90 +1047,90 @@ $IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1 # now that it's an external key, re-import should succeed $IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "testing updating inline secure serial via 'rndc signing -serial' ($n)" ret=0 $DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n -newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n` +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n) $RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1 retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "testing updating inline secure serial via 'rndc signing -serial' with negative change ($n)" ret=0 $DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n -oldserial=`awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n` -newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n` +oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n) +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n) $RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1 sleep 1 $DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.ns3.post.test$n -serial=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n` +serial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n) [ ${oldserial:-0} -eq ${serial:-1} ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # # Freezing only operates on the raw zone. # -n=`expr $n + 1` +n=$((n + 1)) echo_i "testing updating inline secure serial via 'rndc signing -serial' when frozen ($n)" ret=0 $DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n -oldserial=`awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n` -newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n` +oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n) +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n) $RNDCCMD 10.53.0.3 freeze nsec3 > /dev/null 2>&1 $RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1 $RNDCCMD 10.53.0.3 thaw nsec3 > /dev/null 2>&1 retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post1.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "testing updating dynamic serial via 'rndc signing -serial' ($n)" ret=0 $DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n -newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n` +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n) $RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-0}" dig.out.ns2.post.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "testing updating dynamic serial via 'rndc signing -serial' with negative change ($n)" ret=0 $DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n -oldserial=`awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n` -newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n` +oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n) +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n) $RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "testing updating dynamic serial via 'rndc signing -serial' when frozen ($n)" ret=0 $DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n -oldserial=`awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n` -newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n` +oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n) +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n) $RNDCCMD 10.53.0.2 freeze bits > /dev/null 2>&1 $RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1 $RNDCCMD 10.53.0.2 thaw bits > /dev/null 2>&1 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "testing that inline signing works with inactive ZSK and active KSK ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.pre.test$n || ret=1 -soa1=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n` +soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n) $NSUPDATE << EOF server 10.53.0.2 ${PORT} @@ -1140,7 +1141,7 @@ EOF for i in 1 2 3 4 5 6 7 8 9 10 do $DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.post.test$n || ret=1 - soa2=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n` + soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n) test ${soa1:-0} -ne ${soa2:-0} && break sleep 1 done @@ -1149,44 +1150,44 @@ test ${soa1:-0} -ne ${soa2:-0} || ret=1 $DIG $DIGOPTS @10.53.0.3 txt added.inactivezsk > dig.out.ns3.test$n || ret=1 grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1 grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1 -grep "TXT 7 2" dig.out.ns3.test$n > /dev/null || ret=1 -grep "TXT 8 2" dig.out.ns3.test$n > /dev/null || ret=1 +grep "TXT ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1 +grep "TXT ${ALTERNATIVE_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "testing that inline signing works with inactive KSK and active ZSK ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 axfr inactiveksk > dig.out.ns3.test$n # -# check that DNSKEY is signed with ZSK for algorithm 7 +# check that DNSKEY is signed with ZSK for default algorithm # -awk='$4 == "DNSKEY" && $5 == 256 && $7 == 7 { print }' -zskid=`awk "${awk}" dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' ` -grep "DNSKEY 7 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1 -awk='$4 == "DNSKEY" && $5 == 257 && $7 == 7 { print }' -kskid=`awk "${awk}" dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' ` -grep "DNSKEY 7 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1 +awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }' +zskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | + $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' ) +grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1 +awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }' +kskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | + $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' ) +grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1 # -# check that DNSKEY is signed with KSK for algorithm 8 +# check that DNSKEY is signed with KSK for alternative algorithm # -awk='$4 == "DNSKEY" && $5 == 256 && $7 == 8 { print }' -zskid=`awk "${awk}" dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' ` -grep "DNSKEY 8 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1 -awk='$4 == "DNSKEY" && $5 == 257 && $7 == 8 { print }' -kskid=`awk "${awk}" dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' ` -grep "DNSKEY 8 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1 +awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }' +zskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | + $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' ) +grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1 +awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }' +kskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | + $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' ) +grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Wait until an update to the raw part of a given inline signed zone is fully # processed. As waiting for a fixed amount of time is suboptimal and there is @@ -1206,7 +1207,7 @@ wait_until_raw_zone_update_is_processed() { done } -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that changes to raw zone are applied to a previously unsigned secure zone ($n)" ret=0 # Query for bar.nokeys/A and ensure the response is negative. As this zone @@ -1231,9 +1232,9 @@ $DIG $DIGOPTS @10.53.0.3 bar.nokeys. A > dig.out.ns3.post.test$n 2>&1 grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null || ret=1 grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that changes to raw zone are not applied to a previously signed secure zone with no keys available (primary) ($n)" ret=0 # Query for bar.removedkeys-primary/A and ensure the response is negative. As @@ -1260,16 +1261,16 @@ $DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.post.test$n 2> grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1 grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that backlogged changes to raw zone are applied after keys become available (primary) ($n)" ret=0 # Restore the signing keys for this zone. mv ns3/removedkeys/Kremovedkeys-primary* ns3 $RNDCCMD 10.53.0.3 loadkeys removedkeys-primary > /dev/null 2>&1 # Determine what a SOA record with a bumped serial number should look like. -BUMPED_SOA=`sed -n 's/.*\(add removedkeys-primary.*IN.*SOA\)/\1/p;' ns3/named.run | tail -1 | awk '{$8 += 1; print $0}'` +BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-primary.*IN.*SOA\)/\1/p;' ns3/named.run | tail -1 | awk '{$8 += 1; print $0}') # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore # log messages generated before the raw zone is updated. nextpart ns3/named.run > /dev/null @@ -1288,9 +1289,9 @@ $DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.test$n 2>&1 grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that changes to raw zone are not applied to a previously signed secure zone with no keys available (secondary) ($n)" ret=0 # Query for bar.removedkeys-secondary/A and ensure the response is negative. As this @@ -1317,16 +1318,16 @@ $DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.post.test$n grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1 grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that backlogged changes to raw zone are applied after keys become available (secondary) ($n)" ret=0 # Restore the signing keys for this zone. mv ns3/removedkeys/Kremovedkeys-secondary* ns3 $RNDCCMD 10.53.0.3 loadkeys removedkeys-secondary > /dev/null 2>&1 # Determine what a SOA record with a bumped serial number should look like. -BUMPED_SOA=`sed -n 's/.*\(add removedkeys-secondary.*IN.*SOA\)/\1/p;' ns2/named.run | tail -1 | awk '{$8 += 1; print $0}'` +BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-secondary.*IN.*SOA\)/\1/p;' ns2/named.run | tail -1 | awk '{$8 += 1; print $0}') # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore # log messages generated before the raw zone is updated. nextpart ns3/named.run > /dev/null @@ -1345,7 +1346,7 @@ $DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.test$n 2>&1 grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Check that the file $2 for zone $1 does not contain RRSIG records # while the journal file for that zone does contain them. @@ -1356,7 +1357,7 @@ ensure_sigs_only_in_journal() { $CHECKZONE -j -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null || ret=1 } -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that records added from a journal are scheduled to be resigned ($n)" ret=0 # Signing keys for the "delayedkeys" zone are not yet accessible. Thus, the @@ -1368,7 +1369,7 @@ $RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1 # Wait until the zone is signed. check_done_signing () ( $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1 - num=`grep "Done signing with" signing.out.test$n | wc -l` + num=$(grep "Done signing with" signing.out.test$n | wc -l) [ $num -eq 2 ] ) retry_quiet 10 check_done_signing || ret=1 @@ -1395,30 +1396,30 @@ wait_for_log 20 "all zones loaded" ns3/named.run || ret=1 $RNDCCMD 10.53.0.3 zonestatus delayedkeys > rndc.out.ns3.post.test$n 2>&1 || ret=1 grep "next resign node:" rndc.out.ns3.post.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that zonestatus reports 'type: primary' for an inline primary zone ($n)" ret=0 $RNDCCMD 10.53.0.3 zonestatus primary > rndc.out.ns3.test$n grep "type: primary" rndc.out.ns3.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that zonestatus reports 'type: secondary' for an inline secondary zone ($n)" ret=0 $RNDCCMD 10.53.0.3 zonestatus bits > rndc.out.ns3.test$n grep "type: secondary" rndc.out.ns3.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking reload of touched inline zones ($n)" ret=0 echo_ic "pre-reload 'next key event'" nextpart ns8/named.run > nextpart.pre$n.out -count=`grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.pre$n.out | wc -l` +count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.pre$n.out | wc -l) echo_ic "found: $count/16" [ $count -eq 16 ] || ret=1 echo_ic "touch and reload" @@ -1427,13 +1428,13 @@ $RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i sleep 5 echo_ic "post-reload 'next key event'" nextpart ns8/named.run > nextpart.post$n.out -count=`grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.post$n.out | wc -l` +count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.post$n.out | wc -l) echo_ic "found: $count/16" [ $count -eq 16 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking second reload of touched inline zones ($n)" ret=0 nextpart ns8/named.run > nextpart.pre$n.out @@ -1442,7 +1443,7 @@ sleep 5 nextpart ns8/named.run > nextpart.post$n.out grep "ixfr-from-differences: unchanged" nextpart.post$n.out && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) n=$((n+1)) echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)"