diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 6ce7abd3db..71bf407e16 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -27,6 +27,7 @@ RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" wait_for_log() { msg=$1 file=$2 + for i in 1 2 3 4 5 6 7 8 9 10; do nextpart "$file" | grep "$msg" > /dev/null && return sleep 1 @@ -3649,14 +3650,23 @@ ZSK_ID=`cat ns2/${zone}.zsk.id` SECTIONS="+answer +noauthority +noadditional" echo_i "testing zone $zone KSK=$KSK_ID ZSK=$ZSK_ID" +# Print IDs of keys used for generating RRSIG records for RRsets of type $1 +# found in dig output file $2. +get_keys_which_signed() { + qtype=$1 + output=$2 + # The key ID is the 11th column of the RRSIG record line. + awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print $11}' < "$output" +} + # Basic checks to make sure everything is fine before the KSK is made offline. echo_i "checking DNSKEY RRset is signed with KSK only (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 $DIG $DIGOPTS $SECTIONS @10.53.0.2 DNSKEY $zone > dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.test$n | wc -l) +lines=$(get_keys_which_signed "DNSKEY" dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -grep $KSK_ID dig.out.test$n > /dev/null || ret=1 -grep $ZSK_ID dig.out.test$n > /dev/null && ret=1 +get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 +get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -3664,38 +3674,42 @@ status=$((status+ret)) echo_i "checking SOA RRset is signed with ZSK only (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 $DIG $DIGOPTS $SECTIONS @10.53.0.2 soa $zone > dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "SOA" {print}' dig.out.test$n | wc -l) -grep $KSK_ID dig.out.test$n > /dev/null && ret=1 -grep $ZSK_ID dig.out.test$n > /dev/null || ret=1 +lines=$(get_keys_which_signed "SOA" dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 +get_keys_which_signed "SOA" dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 +get_keys_which_signed "SOA" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) # Roll the ZSK. -echo_i "roll ZSK for zone $zone" -sleep 1 zsk2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -K ns2 -n zone $zone` -echo_i "new ZSK $zsk2 created for zone $zone" echo "$zsk2" | sed -e 's/.*[+]//' -e 's/^0*//' > ns2/$zone.zsk.id2 ZSK_ID2=`cat ns2/$zone.zsk.id2` -dnssec_loadkeys_on 2 $zone + +echo_i "load new ZSK $ZSK_ID2 for $zone ($n)" +ret=0 +dnssec_loadkeys_on 2 $zone || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Wait until new ZSK becomes active. -sleep 1 -echo_i "make ZSK $ZSK inactive and make new ZSK $zsk2 active for zone $zone" +echo_i "make ZSK $ZSK_ID inactive and make new ZSK $ZSK_ID2 active for zone $zone ($n)" +ret=0 $SETTIME -I now -K ns2 $ZSK > /dev/null $SETTIME -A now -K ns2 $zsk2 > /dev/null -dnssec_loadkeys_on 2 $zone +dnssec_loadkeys_on 2 $zone || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Remove the KSK from disk. -sleep 1 -echo_i "remove the KSK $KSK for zone $zone from disk" +echo_i "remove the KSK $KSK_ID for zone $zone from disk" mv ns2/$KSK.key ns2/$KSK.key.bak mv ns2/$KSK.private ns2/$KSK.private.bak # Update the zone that requires a resign of the SOA RRset. -sleep 1 echo_i "update the zone with $zone IN TXT nsupdate added me" ( echo zone $zone @@ -3708,11 +3722,11 @@ echo send echo_i "checking DNSKEY RRset is signed with KSK only, KSK offline (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 $DIG $DIGOPTS $SECTIONS @10.53.0.2 DNSKEY $zone > dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.test$n | wc -l) +lines=$(get_keys_which_signed "DNSKEY" dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -grep $KSK_ID dig.out.test$n > /dev/null || ret=1 -grep $ZSK_ID dig.out.test$n > /dev/null && ret=1 -grep $ZSK_ID2 dig.out.test$n > /dev/null && ret=1 +get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 +get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 +get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -3722,46 +3736,49 @@ do echo_i "checking $qtype RRset is signed with ZSK only, KSK offline (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 $DIG $DIGOPTS $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n - lines=$(awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print}' dig.out.test$n | wc -l) - grep $KSK_ID dig.out.test$n > /dev/null && ret=1 - grep $ZSK_ID dig.out.test$n > /dev/null && ret=1 - grep $ZSK_ID2 dig.out.test$n > /dev/null || ret=1 + lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) done # Put back the KSK. -sleep 1 -echo_i "put back the KSK $KSK for zone $zone from disk" +echo_i "put back the KSK $KSK_ID for zone $zone from disk" mv ns2/$KSK.key.bak ns2/$KSK.key mv ns2/$KSK.private.bak ns2/$KSK.private # Roll the ZSK again. -sleep 1 zsk3=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -K ns2 -n zone $zone` -echo_i "new ZSK $zsk3 created for zone $zone" echo "$zsk3" | sed -e 's/.*[+]//' -e 's/^0*//' > ns2/$zone.zsk.id3 ZSK_ID3=`cat ns2/$zone.zsk.id3` -dnssec_loadkeys_on 2 $zone + +echo_i "load new ZSK $ZSK_ID3 for $zone ($n)" +ret=0 +dnssec_loadkeys_on 2 $zone || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Wait until new ZSK becomes active. -sleep 1 -echo_i "delete old ZSK $ZSK make ZSK $ZSK2 inactive and make new ZSK $zsk3 active for zone $zone" +echo_i "delete old ZSK $ZSK_ID make ZSK $ZSK_ID2 inactive and make new ZSK $ZSK_ID3 active for zone $zone ($n)" $SETTIME -D now -K ns2 $ZSK > /dev/null $SETTIME -I +5 -K ns2 $zsk2 > /dev/null $SETTIME -A +5 -K ns2 $zsk3 > /dev/null -dnssec_loadkeys_on 2 $zone +dnssec_loadkeys_on 2 $zone || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Remove the KSK from disk. -sleep 1 -echo_i "remove the KSK $KSK for zone $zone from disk" +echo_i "remove the KSK $KSK_ID for zone $zone from disk" mv ns2/$KSK.key ns2/$KSK.key.bak mv ns2/$KSK.private ns2/$KSK.private.bak # Update the zone that requires a resign of the SOA RRset. -sleep 1 echo_i "update the zone with $zone IN TXT nsupdate added me again" ( echo zone $zone @@ -3774,12 +3791,12 @@ echo send echo_i "checking DNSKEY RRset is signed with KSK only, old ZSK deleted (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 $DIG $DIGOPTS $SECTIONS @10.53.0.2 DNSKEY $zone > dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.test$n | wc -l) +lines=$(get_keys_which_signed "DNSKEY" dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -grep $KSK_ID dig.out.test$n > /dev/null || ret=1 -grep $ZSK_ID dig.out.test$n > /dev/null && ret=1 -grep $ZSK_ID2 dig.out.test$n > /dev/null && ret=1 -grep $ZSK_ID3 dig.out.test$n > /dev/null && ret=1 +get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 +get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 +get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 +get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -3789,31 +3806,39 @@ do echo_i "checking $qtype RRset is signed with ZSK only, old ZSK deleted (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 $DIG $DIGOPTS $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n - lines=$(awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print}' dig.out.test$n | wc -l) - grep $KSK_ID dig.out.test$n > /dev/null && ret=1 - grep $ZSK_ID dig.out.test$n > /dev/null && ret=1 - grep $ZSK_ID2 dig.out.test$n > /dev/null || ret=1 - grep $ZSK_ID3 dig.out.test$n > /dev/null && ret=1 + lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) done # Wait for newest ZSK to become active. -echo_i "sleep 6 to make new ZSK $zsk3 active and ZSK $zsk2 inactive" -sleep 6 +echo_i "wait until new ZSK $ZSK_ID3 active and ZSK $ZSK_ID2 inactive" +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + grep "add re-sign updatecheck-kskonly\.secure\..*RRSIG.*SOA.*$ZSK_ID3.*$zone.*" ns2/named.run > /dev/null || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 +done +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Redo the tests one more time. echo_i "checking DNSKEY RRset is signed with KSK only, new ZSK active (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 $DIG $DIGOPTS $SECTIONS @10.53.0.2 DNSKEY $zone > dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.test$n | wc -l) +lines=$(get_keys_which_signed "DNSKEY" dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -grep $KSK_ID dig.out.test$n > /dev/null || ret=1 -grep $ZSK_ID dig.out.test$n > /dev/null && ret=1 -grep $ZSK_ID2 dig.out.test$n > /dev/null && ret=1 -grep $ZSK_ID3 dig.out.test$n > /dev/null && ret=1 +get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 +get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 +get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 +get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret))