2009-11-30 21:00:48 +00:00
|
|
|
#!/bin/sh
|
|
|
|
|
#
|
2018-02-23 09:53:12 +01:00
|
|
|
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
2012-06-29 11:39:47 +10:00
|
|
|
#
|
2016-06-27 14:56:38 +10:00
|
|
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
2018-02-23 09:53:12 +01:00
|
|
|
#
|
|
|
|
|
# See the COPYRIGHT file distributed with this work for additional
|
|
|
|
|
# information regarding copyright ownership.
|
2009-11-30 21:00:48 +00:00
|
|
|
|
|
|
|
|
SYSTEMTESTTOP=..
|
|
|
|
|
. $SYSTEMTESTTOP/conf.sh
|
|
|
|
|
|
|
|
|
|
status=0
|
|
|
|
|
n=0
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
|
|
|
|
|
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
|
2009-11-30 21:00:48 +00:00
|
|
|
|
2011-05-26 04:25:47 +00:00
|
|
|
# convert private-type records to readable form
|
|
|
|
|
showprivate () {
|
|
|
|
|
echo "-- $@ --"
|
|
|
|
|
$DIG $DIGOPTS +nodnssec +short @$2 -t type65534 $1 | cut -f3 -d' ' |
|
|
|
|
|
while read record; do
|
2014-06-24 13:50:14 +10:00
|
|
|
$PERL -e 'my $rdata = pack("H*", @ARGV[0]);
|
2011-05-26 04:25:47 +00:00
|
|
|
die "invalid record" unless length($rdata) == 5;
|
|
|
|
|
my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
|
|
|
|
|
my $action = "signing";
|
|
|
|
|
$action = "removing" if $remove;
|
|
|
|
|
my $state = " (incomplete)";
|
|
|
|
|
$state = " (complete)" if $complete;
|
|
|
|
|
print ("$action: alg: $alg, key: $key$state\n");' $record
|
|
|
|
|
done
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# check that signing records are marked as complete
|
|
|
|
|
checkprivate () {
|
2013-08-15 13:37:07 +10:00
|
|
|
_ret=0
|
|
|
|
|
expected="${3:-0}"
|
2011-05-26 04:25:47 +00:00
|
|
|
x=`showprivate "$@"`
|
2013-08-15 13:37:07 +10:00
|
|
|
echo $x | grep incomplete > /dev/null && _ret=1
|
|
|
|
|
|
|
|
|
|
if [ $_ret = $expected ]; then
|
|
|
|
|
return 0
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
echo "$x"
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "failed"
|
2013-08-15 13:37:07 +10:00
|
|
|
return 1
|
2011-05-26 04:25:47 +00:00
|
|
|
}
|
|
|
|
|
|
2010-06-07 04:45:43 +00:00
|
|
|
#
|
|
|
|
|
# The NSEC record at the apex of the zone and its RRSIG records are
|
|
|
|
|
# added as part of the last step in signing a zone. We wait for the
|
|
|
|
|
# NSEC records to appear before proceeding with a counter to prevent
|
|
|
|
|
# infinite loops if there is a error.
|
|
|
|
|
#
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "waiting for autosign changes to take effect"
|
2010-06-07 04:45:43 +00:00
|
|
|
i=0
|
|
|
|
|
while [ $i -lt 30 ]
|
|
|
|
|
do
|
|
|
|
|
ret=0
|
2011-03-02 04:08:58 +00:00
|
|
|
#
|
|
|
|
|
# Wait for the root DNSKEY RRset to be fully signed.
|
|
|
|
|
#
|
|
|
|
|
$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
|
|
|
|
|
grep "ANSWER: 10," dig.out.ns1.test$n > /dev/null || ret=1
|
|
|
|
|
for z in .
|
2010-06-07 04:45:43 +00:00
|
|
|
do
|
2011-03-02 04:08:58 +00:00
|
|
|
$DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1
|
|
|
|
|
grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1
|
|
|
|
|
done
|
|
|
|
|
for z in bar. example. private.secure.example.
|
|
|
|
|
do
|
|
|
|
|
$DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
|
2010-06-07 04:45:43 +00:00
|
|
|
grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
|
|
|
|
|
done
|
2017-12-06 20:26:43 +11:00
|
|
|
for z in bar. example. inacksk2.example. inacksk3.example \
|
|
|
|
|
inaczsk2.example. inaczsk3.example
|
2010-06-07 04:45:43 +00:00
|
|
|
do
|
2011-03-02 04:08:58 +00:00
|
|
|
$DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
|
2010-06-07 04:45:43 +00:00
|
|
|
grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
|
|
|
|
|
done
|
|
|
|
|
i=`expr $i + 1`
|
|
|
|
|
if [ $ret = 0 ]; then break; fi
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "waiting ... ($i)"
|
2010-06-07 04:45:43 +00:00
|
|
|
sleep 2
|
|
|
|
|
done
|
2010-01-18 19:19:31 +00:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "done"; fi
|
2010-01-18 19:19:31 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2017-12-06 20:26:43 +11:00
|
|
|
#
|
|
|
|
|
# Check that DNSKEY is initially signed with a KSK and not a ZSK.
|
|
|
|
|
#
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "check that zone with active and inactive KSK and active ZSK is properly"
|
|
|
|
|
echo_i " resigned after the active KSK is deleted - stage 1: Verify that DNSKEY"
|
|
|
|
|
echo_i " is initially signed with a KSK and not a ZSK. ($n)"
|
2017-12-06 20:26:43 +11:00
|
|
|
ret=0
|
|
|
|
|
|
2018-02-24 00:48:50 -08:00
|
|
|
$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
|
2017-12-06 20:26:43 +11:00
|
|
|
|
|
|
|
|
zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
|
2018-02-24 00:48:50 -08:00
|
|
|
$DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}'`
|
2017-12-06 20:26:43 +11:00
|
|
|
grep "DNSKEY 7 2 " dig.out.ns3.test$n > /dev/null || ret=1
|
|
|
|
|
|
|
|
|
|
pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
|
|
|
|
|
grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
|
|
|
|
|
|
|
|
|
|
count=`awk 'BEGIN { count = 0 }
|
|
|
|
|
$4 == "RRSIG" && $5 == "DNSKEY" { count++ }
|
|
|
|
|
END {print count}' dig.out.ns3.test$n`
|
|
|
|
|
test $count -eq 1 || ret=1
|
|
|
|
|
|
|
|
|
|
count=`awk 'BEGIN { count = 0 }
|
|
|
|
|
$4 == "DNSKEY" { count++ }
|
|
|
|
|
END {print count}' dig.out.ns3.test$n`
|
|
|
|
|
test $count -eq 3 || ret=1
|
|
|
|
|
|
|
|
|
|
awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }'
|
|
|
|
|
id=`awk "${awk}" dig.out.ns3.test$n`
|
|
|
|
|
|
2018-02-24 00:48:50 -08:00
|
|
|
$SETTIME -D now+5 ns3/Kinacksk3.example.+007+${id} > /dev/null 2>&1
|
|
|
|
|
$RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i
|
2017-12-06 20:26:43 +11:00
|
|
|
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2017-12-06 20:26:43 +11:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2017-12-05 16:09:47 +11:00
|
|
|
#
|
|
|
|
|
# Check that zone is initially signed with a ZSK and not a KSK.
|
|
|
|
|
#
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "check that zone with active and inactive ZSK and active KSK is properly"
|
|
|
|
|
echo_i " resigned after the active ZSK is deleted - stage 1: Verify that zone"
|
|
|
|
|
echo_i " is initially signed with a ZSK and not a KSK. ($n)"
|
2017-12-05 16:09:47 +11:00
|
|
|
ret=0
|
2018-02-24 00:48:50 -08:00
|
|
|
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
|
2017-12-05 16:09:47 +11:00
|
|
|
kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
|
|
|
|
|
$DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' `
|
|
|
|
|
grep "CNAME 7 3 " dig.out.ns3.test$n > /dev/null || ret=1
|
|
|
|
|
grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
|
|
|
|
|
count=`awk 'BEGIN { count = 0 }
|
|
|
|
|
$4 == "RRSIG" && $5 == "CNAME" { count++ }
|
|
|
|
|
END {print count}' dig.out.ns3.test$n`
|
|
|
|
|
test $count -eq 1 || ret=1
|
|
|
|
|
count=`awk 'BEGIN { count = 0 }
|
|
|
|
|
$4 == "DNSKEY" { count++ }
|
|
|
|
|
END {print count}' dig.out.ns3.test$n`
|
|
|
|
|
test $count -eq 3 || ret=1
|
2017-12-05 21:38:28 +11:00
|
|
|
id=`awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n`
|
2018-02-24 00:48:50 -08:00
|
|
|
$SETTIME -D now+5 ns3/Kinaczsk3.example.+007+${id} > /dev/null 2>&1
|
|
|
|
|
$RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i
|
2017-12-05 16:09:47 +11:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2017-12-05 16:09:47 +11:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking NSEC->NSEC3 conversion prerequisites ($n)"
|
2010-01-18 19:19:31 +00:00
|
|
|
ret=0
|
2011-06-10 01:51:09 +00:00
|
|
|
# these commands should result in an empty file:
|
|
|
|
|
$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
|
|
|
|
|
grep "NSEC3PARAM" dig.out.ns3.1.test$n > /dev/null && ret=1
|
|
|
|
|
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
|
|
|
|
|
grep "NSEC3PARAM" dig.out.ns3.2.test$n > /dev/null && ret=1
|
2010-01-18 19:19:31 +00:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2010-01-18 19:19:31 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking NSEC3->NSEC conversion prerequisites ($n)"
|
2010-01-18 19:19:31 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
|
|
|
|
|
grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2010-01-18 19:19:31 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "converting zones from nsec to nsec3"
|
2010-01-18 19:19:31 +00:00
|
|
|
$NSUPDATE > /dev/null 2>&1 <<END || status=1
|
2018-02-20 15:43:27 -08:00
|
|
|
server 10.53.0.3 ${PORT}
|
2009-11-30 21:00:48 +00:00
|
|
|
zone nsec3.nsec3.example.
|
|
|
|
|
update add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
|
|
|
|
|
send
|
|
|
|
|
zone optout.nsec3.example.
|
|
|
|
|
update add optout.nsec3.example. 3600 NSEC3PARAM 1 1 10 BEEF
|
|
|
|
|
send
|
|
|
|
|
zone nsec3.example.
|
|
|
|
|
update add nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
|
|
|
|
|
send
|
2011-06-10 01:51:09 +00:00
|
|
|
zone autonsec3.example.
|
2011-10-28 06:20:07 +00:00
|
|
|
update add autonsec3.example. 3600 NSEC3PARAM 1 0 20 DEAF
|
2011-06-10 01:51:09 +00:00
|
|
|
send
|
2009-11-30 21:00:48 +00:00
|
|
|
zone nsec3.optout.example.
|
|
|
|
|
update add nsec3.optout.example. 3600 NSEC3PARAM 1 0 10 BEEF
|
|
|
|
|
send
|
|
|
|
|
zone optout.optout.example.
|
|
|
|
|
update add optout.optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
|
|
|
|
|
send
|
|
|
|
|
zone optout.example.
|
|
|
|
|
update add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
|
|
|
|
|
send
|
|
|
|
|
END
|
|
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
# try to convert nsec.example; this should fail due to non-NSEC key
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "preset nsec3param in unsigned zone via nsupdate ($n)"
|
2010-01-18 19:19:31 +00:00
|
|
|
$NSUPDATE > nsupdate.out 2>&1 <<END
|
2018-02-20 15:43:27 -08:00
|
|
|
server 10.53.0.3 ${PORT}
|
2010-01-18 19:19:31 +00:00
|
|
|
zone nsec.example.
|
|
|
|
|
update add nsec.example. 3600 NSEC3PARAM 1 0 10 BEEF
|
|
|
|
|
send
|
|
|
|
|
END
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking for nsec3param in unsigned zone ($n)"
|
2011-06-10 01:51:09 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
|
|
|
|
|
grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-06-10 01:51:09 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking for nsec3param signing record ($n)"
|
2011-10-28 06:20:07 +00:00
|
|
|
ret=0
|
2018-02-24 00:48:50 -08:00
|
|
|
$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1 | sed 's/^/ns3 /' | cat_i
|
2011-10-28 06:20:07 +00:00
|
|
|
grep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-10-28 06:20:07 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "resetting nsec3param via rndc signing ($n)"
|
2011-10-28 06:20:07 +00:00
|
|
|
ret=0
|
2018-02-20 15:43:27 -08:00
|
|
|
$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. > /dev/null 2>&1
|
|
|
|
|
$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1
|
2012-06-20 14:13:12 -05:00
|
|
|
for i in 0 1 2 3 4 5 6 7 8 9; do
|
|
|
|
|
ret=0
|
2018-02-20 15:43:27 -08:00
|
|
|
$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1
|
2012-06-20 14:13:12 -05:00
|
|
|
grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n > /dev/null || ret=1
|
|
|
|
|
num=`grep "Pending " signing.out.test$n | wc -l`
|
|
|
|
|
[ $num -eq 1 ] || ret=1
|
|
|
|
|
[ $ret -eq 0 ] && break
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "waiting ... ($i)"
|
2012-06-20 14:13:12 -05:00
|
|
|
sleep 2
|
|
|
|
|
done
|
2011-10-28 06:20:07 +00:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-10-28 06:20:07 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "signing preset nsec3 zone"
|
2011-06-10 01:51:09 +00:00
|
|
|
zsk=`cat autozsk.key`
|
|
|
|
|
ksk=`cat autoksk.key`
|
|
|
|
|
$SETTIME -K ns3 -P now -A now $zsk > /dev/null 2>&1
|
|
|
|
|
$SETTIME -K ns3 -P now -A now $ksk > /dev/null 2>&1
|
2018-02-24 00:48:50 -08:00
|
|
|
$RNDCCMD 10.53.0.3 loadkeys autonsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i
|
2011-06-10 01:51:09 +00:00
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "waiting for changes to take effect"
|
2010-01-18 19:19:31 +00:00
|
|
|
sleep 3
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "converting zone from nsec3 to nsec"
|
2010-01-18 19:19:31 +00:00
|
|
|
$NSUPDATE > /dev/null 2>&1 << END || status=1
|
2018-02-20 15:43:27 -08:00
|
|
|
server 10.53.0.3 ${PORT}
|
2010-01-18 19:19:31 +00:00
|
|
|
zone nsec3-to-nsec.example.
|
|
|
|
|
update delete nsec3-to-nsec.example. NSEC3PARAM
|
|
|
|
|
send
|
|
|
|
|
END
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "waiting for change to take effect"
|
2010-01-18 19:19:31 +00:00
|
|
|
sleep 3
|
2009-11-30 21:00:48 +00:00
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking that expired RRSIGs from missing key are not deleted ($n)"
|
2011-07-08 01:43:26 +00:00
|
|
|
ret=0
|
|
|
|
|
missing=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < missingzsk.key`
|
|
|
|
|
$JOURNALPRINT ns3/nozsk.example.db.jnl | \
|
|
|
|
|
awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$missing || ret=1
|
2013-08-15 13:37:07 +10:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-07-08 01:43:26 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking that expired RRSIGs from inactive key are not deleted ($n)"
|
2011-07-08 01:43:26 +00:00
|
|
|
ret=0
|
|
|
|
|
inactive=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < inactivezsk.key`
|
|
|
|
|
$JOURNALPRINT ns3/inaczsk.example.db.jnl | \
|
|
|
|
|
awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$inactive || ret=1
|
2013-08-15 13:37:07 +10:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-07-08 01:43:26 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking that non-replaceable RRSIGs are logged only once (missing private key) ($n)"
|
2011-07-08 01:43:26 +00:00
|
|
|
ret=0
|
|
|
|
|
loglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l`
|
|
|
|
|
[ "$loglines" -eq 1 ] || ret=1
|
2013-08-15 13:37:07 +10:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-07-08 01:43:26 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking that non-replaceable RRSIGs are logged only once (inactive private key) ($n)"
|
2011-07-08 01:43:26 +00:00
|
|
|
ret=0
|
2013-08-15 13:37:07 +10:00
|
|
|
loglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run | wc -l`
|
|
|
|
|
[ "$loglines" -eq 1 ] || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-07-08 01:43:26 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2011-03-21 16:53:44 +00:00
|
|
|
# Send rndc sync command to ns1, ns2 and ns3, to force the dynamically
|
2009-11-30 21:00:48 +00:00
|
|
|
# signed zones to be dumped to their zone files
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "dumping zone files"
|
2018-02-24 00:48:50 -08:00
|
|
|
$RNDCCMD 10.53.0.1 sync 2>&1 | sed 's/^/ns1 /' | cat_i
|
|
|
|
|
$RNDCCMD 10.53.0.2 sync 2>&1 | sed 's/^/ns2 /' | cat_i
|
|
|
|
|
$RNDCCMD 10.53.0.3 sync 2>&1 | sed 's/^/ns3 /' | cat_i
|
2009-11-30 21:00:48 +00:00
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking expired signatures were updated ($n)"
|
2012-12-03 09:30:38 +11:00
|
|
|
for i in 1 2 3 4 5 6 7 8 9
|
|
|
|
|
do
|
|
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2012-12-03 09:30:38 +11:00
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
[ $ret = 0 ] && break
|
|
|
|
|
sleep 1
|
|
|
|
|
done
|
2010-01-18 19:19:31 +00:00
|
|
|
n=`expr $n + 1`
|
|
|
|
|
status=`expr $status + $ret`
|
2009-11-30 21:00:48 +00:00
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking NSEC->NSEC3 conversion succeeded ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
2010-01-18 19:19:31 +00:00
|
|
|
$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
|
|
|
|
|
grep "status: NOERROR" dig.out.ns3.ok.test$n > /dev/null || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2010-01-18 19:19:31 +00:00
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2010-01-18 19:19:31 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking direct NSEC3 autosigning succeeded ($n)"
|
2011-06-10 01:51:09 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
|
|
|
|
|
[ -s dig.out.ns3.ok.test$n ] || ret=1
|
|
|
|
|
grep "NSEC3PARAM" dig.out.ns3.ok.test$n > /dev/null || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2011-06-10 01:51:09 +00:00
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-06-10 01:51:09 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
|
2010-01-18 19:19:31 +00:00
|
|
|
ret=0
|
|
|
|
|
grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2010-01-18 19:19:31 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking NSEC3->NSEC conversion succeeded ($n)"
|
2010-01-18 19:19:31 +00:00
|
|
|
ret=0
|
|
|
|
|
# this command should result in an empty file:
|
|
|
|
|
$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
|
|
|
|
|
grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2010-01-18 19:19:31 +00:00
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)"
|
2011-10-28 06:20:07 +00:00
|
|
|
ret=0
|
2018-02-20 15:43:27 -08:00
|
|
|
$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. > /dev/null 2>&1
|
2011-10-28 06:20:07 +00:00
|
|
|
sleep 2
|
|
|
|
|
# this command should result in an empty file:
|
|
|
|
|
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
|
|
|
|
|
grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2011-10-28 06:20:07 +00:00
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-10-28 06:20:07 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking TTLs of imported DNSKEYs (no default) ($n)"
|
2011-03-17 01:40:40 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
|
|
|
|
|
[ -s dig.out.ns3.test$n ] || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
awk 'BEGIN {r=0} $2 != 300 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1 | cat_i
|
2011-03-17 01:40:40 +00:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-03-17 01:40:40 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking TTLs of imported DNSKEYs (with default) ($n)"
|
2011-03-17 01:40:40 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
|
|
|
|
|
[ -s dig.out.ns3.test$n ] || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
awk 'BEGIN {r=0} $2 != 60 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1 | cat_i
|
2011-03-17 01:40:40 +00:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-03-17 01:40:40 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking TTLs of imported DNSKEYs (mismatched) ($n)"
|
2011-03-17 01:40:40 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
|
|
|
|
|
[ -s dig.out.ns3.test$n ] || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1 | cat_i
|
2011-03-17 01:40:40 +00:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-03-17 01:40:40 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking TTLs of imported DNSKEYs (existing RRset) ($n)"
|
2011-03-17 01:40:40 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
|
|
|
|
|
[ -s dig.out.ns3.test$n ] || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1 | cat_i
|
2011-03-17 01:40:40 +00:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-03-17 01:40:40 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking positive validation NSEC ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking positive validation NSEC3 ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.nsec3.example. \
|
|
|
|
|
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.nsec3.example. \
|
|
|
|
|
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking positive validation OPTOUT ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.optout.example. \
|
|
|
|
|
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.optout.example. \
|
|
|
|
|
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking negative validation NXDOMAIN NSEC ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking negative validation NXDOMAIN NSEC3 ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth q.nsec3.example. \
|
|
|
|
|
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth q.nsec3.example. \
|
|
|
|
|
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking negative validation NXDOMAIN OPTOUT ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth q.optout.example. \
|
|
|
|
|
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth q.optout.example. \
|
|
|
|
|
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
# Note - this is looking for failure, hence the &&
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking negative validation NODATA NSEC ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking negative validation NODATA NSEC3 ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.nsec3.example. \
|
|
|
|
|
@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.nsec3.example. \
|
|
|
|
|
@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking negative validation NODATA OPTOUT ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.optout.example. \
|
|
|
|
|
@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.optout.example. \
|
|
|
|
|
@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
|
|
|
|
# Check the insecure.example domain
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking 1-server insecurity proof NSEC ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
# Note - this is looking for failure, hence the &&
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking 1-server negative insecurity proof NSEC ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \
|
|
|
|
|
> dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
|
|
|
|
|
> dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
# Note - this is looking for failure, hence the &&
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
|
|
|
|
# Check the secure.example domain
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking multi-stage positive validation NSEC/NSEC ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.secure.example. \
|
|
|
|
|
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.secure.example. \
|
|
|
|
|
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.nsec3.example. \
|
|
|
|
|
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.nsec3.example. \
|
|
|
|
|
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.optout.example. \
|
|
|
|
|
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.optout.example. \
|
|
|
|
|
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.secure.nsec3.example. \
|
|
|
|
|
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.secure.nsec3.example. \
|
|
|
|
|
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
|
|
|
|
|
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
|
|
|
|
|
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.optout.nsec3.example. \
|
|
|
|
|
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.optout.nsec3.example. \
|
|
|
|
|
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.secure.optout.example. \
|
|
|
|
|
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.secure.optout.example. \
|
|
|
|
|
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.nsec3.optout.example. \
|
|
|
|
|
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.nsec3.optout.example. \
|
|
|
|
|
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.optout.optout.example. \
|
|
|
|
|
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.optout.optout.example. \
|
|
|
|
|
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking empty NODATA OPTOUT ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth empty.optout.example. \
|
|
|
|
|
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth empty.optout.example. \
|
|
|
|
|
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
|
|
|
|
# Check the insecure.secure.example domain (insecurity proof)
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking 2-server insecurity proof ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
|
|
|
|
|
> dig.out.ns2.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
|
|
|
|
|
> dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
# Note - this is looking for failure, hence the &&
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
|
|
|
|
# Check a negative response in insecure.secure.example
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking 2-server insecurity proof with a negative answer ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
|
|
|
|
|
|| ret=1
|
|
|
|
|
$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
|
|
|
|
|
|| ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
# Note - this is looking for failure, hence the &&
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking security root query ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
|
|
|
|
|
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking positive validation RSASHA256 NSEC ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking positive validation RSASHA512 NSEC ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking that positive validation in a privately secure zone works ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \
|
|
|
|
|
> dig.out.ns2.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
|
|
|
|
|
> dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
2017-04-22 08:25:10 +05:30
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking that negative validation in a privately secure zone works ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \
|
|
|
|
|
> dig.out.ns2.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \
|
|
|
|
|
> dig.out.ns4.test$n || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
# Note - this is looking for failure, hence the &&
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking privately secure to nxdomain works ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
2017-04-22 08:25:10 +05:30
|
|
|
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 > dig.out.ns4.test$n || ret=1
|
|
|
|
|
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
|
|
|
|
# Try validating with a revoked trusted key.
|
|
|
|
|
# This should fail.
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking that validation returns insecure due to revoked trusted key ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
|
2010-05-14 04:38:52 +00:00
|
|
|
grep "flags:.*; QUERY" dig.out.ns5.test$n > /dev/null || ret=1
|
|
|
|
|
grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n > /dev/null && ret=1
|
2009-11-30 21:00:48 +00:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking that revoked key is present ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
2011-10-20 21:20:02 +00:00
|
|
|
id=`cat rev.key`
|
2009-11-30 21:00:48 +00:00
|
|
|
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
|
|
|
|
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking that revoked key self-signs ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
2011-10-20 21:20:02 +00:00
|
|
|
id=`cat rev.key`
|
2009-11-30 21:00:48 +00:00
|
|
|
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
|
|
|
|
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking for unpublished key ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
2011-07-08 01:43:26 +00:00
|
|
|
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < unpub.key`
|
2009-11-30 21:00:48 +00:00
|
|
|
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
|
|
|
|
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking for activated but unpublished key ($n)"
|
2014-06-04 14:31:42 +05:30
|
|
|
ret=0
|
|
|
|
|
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < activate-now-publish-1day.key`
|
|
|
|
|
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
|
|
|
|
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2014-06-04 14:31:42 +05:30
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking that standby key does not sign records ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
2011-07-26 04:28:35 +00:00
|
|
|
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
|
2009-11-30 21:00:48 +00:00
|
|
|
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
|
|
|
|
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking that deactivated key does not sign records ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
2011-07-08 01:43:26 +00:00
|
|
|
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < inact.key`
|
2009-11-30 21:00:48 +00:00
|
|
|
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
|
|
|
|
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking insertion of public-only key ($n)"
|
2010-01-18 19:19:31 +00:00
|
|
|
ret=0
|
2011-07-08 01:43:26 +00:00
|
|
|
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < nopriv.key`
|
2010-01-18 19:19:31 +00:00
|
|
|
file="ns1/`cat nopriv.key`.key"
|
|
|
|
|
keydata=`grep DNSKEY $file`
|
|
|
|
|
$NSUPDATE > /dev/null 2>&1 <<END || status=1
|
2018-02-20 15:43:27 -08:00
|
|
|
server 10.53.0.1 ${PORT}
|
2010-01-18 19:19:31 +00:00
|
|
|
zone .
|
|
|
|
|
ttl 3600
|
|
|
|
|
update add $keydata
|
|
|
|
|
send
|
|
|
|
|
END
|
|
|
|
|
sleep 1
|
|
|
|
|
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
|
|
|
|
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2010-01-18 19:19:31 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking key deletion ($n)"
|
2009-11-30 21:00:48 +00:00
|
|
|
ret=0
|
2011-07-08 01:43:26 +00:00
|
|
|
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < del.key`
|
2009-11-30 21:00:48 +00:00
|
|
|
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
|
|
|
|
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2009-11-30 21:00:48 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking secure-to-insecure transition, nsupdate ($n)"
|
2012-06-20 14:13:12 -05:00
|
|
|
ret=0
|
2010-01-18 19:19:31 +00:00
|
|
|
$NSUPDATE > /dev/null 2>&1 <<END || status=1
|
2018-02-20 15:43:27 -08:00
|
|
|
server 10.53.0.3 ${PORT}
|
2010-01-18 19:19:31 +00:00
|
|
|
zone secure-to-insecure.example
|
|
|
|
|
update delete secure-to-insecure.example dnskey
|
|
|
|
|
send
|
|
|
|
|
END
|
2012-06-20 14:13:12 -05:00
|
|
|
for i in 0 1 2 3 4 5 6 7 8 9; do
|
|
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
|
|
|
|
|
egrep '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
|
|
|
|
|
[ $ret -eq 0 ] && break
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "waiting ... ($i)"
|
2012-06-20 14:13:12 -05:00
|
|
|
sleep 2
|
|
|
|
|
done
|
2010-01-18 19:19:31 +00:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2010-01-18 19:19:31 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking secure-to-insecure transition, scheduled ($n)"
|
2011-06-10 01:51:09 +00:00
|
|
|
ret=0
|
2010-05-19 07:45:38 +00:00
|
|
|
file="ns3/`cat del1.key`.key"
|
|
|
|
|
$SETTIME -I now -D now $file > /dev/null
|
|
|
|
|
file="ns3/`cat del2.key`.key"
|
|
|
|
|
$SETTIME -I now -D now $file > /dev/null
|
2018-02-24 00:48:50 -08:00
|
|
|
$RNDCCMD 10.53.0.3 sign secure-to-insecure2.example. 2>&1 | sed 's/^/ns3 /' | cat_i
|
2012-06-20 14:13:12 -05:00
|
|
|
for i in 0 1 2 3 4 5 6 7 8 9; do
|
|
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
|
|
|
|
|
egrep '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1
|
|
|
|
|
[ $ret -eq 0 ] && break
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "waiting ... ($i)"
|
2012-06-20 14:13:12 -05:00
|
|
|
sleep 2
|
|
|
|
|
done
|
2010-05-19 07:45:38 +00:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2010-05-19 07:45:38 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking that serial number and RRSIGs are both updated (rt21045) ($n)"
|
2010-12-15 18:44:37 +00:00
|
|
|
ret=0
|
|
|
|
|
oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
|
|
|
|
|
oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
|
|
|
|
|
|
2018-04-24 16:01:23 +02:00
|
|
|
$KEYGEN -a rsasha1 -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
|
2010-12-15 18:44:37 +00:00
|
|
|
|
2018-02-24 00:48:50 -08:00
|
|
|
$RNDCCMD 10.53.0.3 sign prepub.example 2>&1 | sed 's/^/ns1 /' | cat_i
|
2010-12-15 18:44:37 +00:00
|
|
|
newserial=$oldserial
|
|
|
|
|
try=0
|
|
|
|
|
while [ $oldserial -eq $newserial -a $try -lt 42 ]
|
|
|
|
|
do
|
|
|
|
|
newserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 |
|
|
|
|
|
awk '$0 !~ /SOA/ {print $3}'`
|
|
|
|
|
sleep 1
|
|
|
|
|
try=`expr $try + 1`
|
|
|
|
|
done
|
|
|
|
|
newinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
|
|
|
|
|
#echo "$oldserial : $newserial"
|
|
|
|
|
#echo "$oldinception : $newinception"
|
|
|
|
|
|
|
|
|
|
[ "$oldserial" = "$newserial" ] && ret=1
|
|
|
|
|
[ "$oldinception" = "$newinception" ] && ret=1
|
2017-12-08 14:48:31 +11:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2010-12-15 18:44:37 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "preparing to test key change corner cases"
|
|
|
|
|
echo_i "removing a private key file"
|
2010-01-18 19:19:31 +00:00
|
|
|
file="ns1/`cat vanishing.key`.private"
|
|
|
|
|
rm -f $file
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "preparing ZSK roll"
|
2011-05-30 22:32:06 +00:00
|
|
|
starttime=`$PERL -e 'print time(), "\n";'`
|
2010-08-16 22:21:07 +00:00
|
|
|
oldfile=`cat active.key`
|
2011-07-08 01:43:26 +00:00
|
|
|
oldid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < active.key`
|
2010-08-16 22:21:07 +00:00
|
|
|
newfile=`cat standby.key`
|
2011-07-08 01:43:26 +00:00
|
|
|
newid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
|
2011-05-30 07:25:19 +00:00
|
|
|
$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > /dev/null
|
2010-08-16 22:21:07 +00:00
|
|
|
$SETTIME -K ns1 -i 0 -S $oldfile $newfile > /dev/null
|
2010-01-18 19:19:31 +00:00
|
|
|
|
2010-12-15 18:44:37 +00:00
|
|
|
# note previous zone serial number
|
|
|
|
|
oldserial=`$DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}'`
|
|
|
|
|
|
2018-02-24 00:48:50 -08:00
|
|
|
$RNDCCMD 10.53.0.1 loadkeys . 2>&1 | sed 's/^/ns1 /' | cat_i
|
2011-05-26 04:25:47 +00:00
|
|
|
sleep 4
|
2010-01-18 19:19:31 +00:00
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "revoking key to duplicated key ID"
|
2018-02-24 00:48:50 -08:00
|
|
|
$SETTIME -R now -K ns2 Kbar.+005+30676.key > /dev/null 2>&1
|
2010-01-18 19:19:31 +00:00
|
|
|
|
2018-02-24 00:48:50 -08:00
|
|
|
$RNDCCMD 10.53.0.2 loadkeys bar. 2>&1 | sed 's/^/ns2 /' | cat_i
|
2010-01-18 19:19:31 +00:00
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "waiting for changes to take effect"
|
2010-01-18 19:19:31 +00:00
|
|
|
sleep 5
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking former standby key is now active ($n)"
|
2010-01-18 19:19:31 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
|
|
|
|
grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2010-01-18 19:19:31 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking former standby key has only signed incrementally ($n)"
|
2010-08-16 22:21:07 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
|
|
|
|
grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
|
|
|
|
|
grep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2010-08-16 22:21:07 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking that signing records have been marked as complete ($n)"
|
2011-05-26 04:25:47 +00:00
|
|
|
ret=0
|
|
|
|
|
checkprivate . 10.53.0.1 || ret=1
|
|
|
|
|
checkprivate bar 10.53.0.2 || ret=1
|
|
|
|
|
checkprivate example 10.53.0.2 || ret=1
|
|
|
|
|
checkprivate private.secure.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate nsec3.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate nsec3.optout.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate nsec3-to-nsec.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate nsec.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate oldsigs.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate optout.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate optout.nsec3.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate optout.optout.example 10.53.0.3 || ret=1
|
2013-08-15 13:37:07 +10:00
|
|
|
checkprivate prepub.example 10.53.0.3 1 || ret=1
|
2011-05-26 04:25:47 +00:00
|
|
|
checkprivate rsasha256.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate rsasha512.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate secure.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate secure.nsec3.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate secure.optout.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate secure-to-insecure2.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate secure-to-insecure.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate ttl1.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate ttl2.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate ttl3.example 10.53.0.3 || ret=1
|
|
|
|
|
checkprivate ttl4.example 10.53.0.3 || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
|
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "forcing full sign"
|
2018-02-24 00:48:50 -08:00
|
|
|
$RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i
|
2010-08-16 22:21:07 +00:00
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "waiting for change to take effect"
|
2010-08-16 22:21:07 +00:00
|
|
|
sleep 5
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking former standby key has now signed fully ($n)"
|
2010-08-16 22:21:07 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
|
|
|
|
grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2010-08-16 22:21:07 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking SOA serial number has been incremented ($n)"
|
2010-12-15 18:44:37 +00:00
|
|
|
ret=0
|
|
|
|
|
newserial=`$DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}'`
|
|
|
|
|
[ "$newserial" != "$oldserial" ] || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2010-12-15 18:44:37 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking delayed key publication/activation ($n)"
|
2011-03-25 23:53:02 +00:00
|
|
|
ret=0
|
|
|
|
|
zsk=`cat delayzsk.key`
|
|
|
|
|
ksk=`cat delayksk.key`
|
|
|
|
|
# publication and activation times should be unset
|
|
|
|
|
$SETTIME -K ns3 -pA -pP $zsk | grep -v UNSET > /dev/null 2>&1 && ret=1
|
|
|
|
|
$SETTIME -K ns3 -pA -pP $ksk | grep -v UNSET > /dev/null 2>&1 && ret=1
|
|
|
|
|
$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
|
|
|
|
|
# DNSKEY not expected:
|
|
|
|
|
awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-03-25 23:53:02 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking scheduled key publication, not activation ($n)"
|
2011-03-25 23:53:02 +00:00
|
|
|
ret=0
|
|
|
|
|
$SETTIME -K ns3 -P now+3s -A none $zsk > /dev/null 2>&1
|
|
|
|
|
$SETTIME -K ns3 -P now+3s -A none $ksk > /dev/null 2>&1
|
2018-02-24 00:48:50 -08:00
|
|
|
$RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i
|
2011-03-25 23:53:02 +00:00
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "waiting for changes to take effect"
|
2011-03-25 23:53:02 +00:00
|
|
|
sleep 5
|
|
|
|
|
|
|
|
|
|
$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
|
|
|
|
|
# DNSKEY expected:
|
|
|
|
|
awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || ret=1
|
|
|
|
|
# RRSIG not expected:
|
|
|
|
|
awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-03-25 23:53:02 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking scheduled key activation ($n)"
|
2011-03-25 23:53:02 +00:00
|
|
|
ret=0
|
|
|
|
|
$SETTIME -K ns3 -A now+3s $zsk > /dev/null 2>&1
|
|
|
|
|
$SETTIME -K ns3 -A now+3s $ksk > /dev/null 2>&1
|
2018-02-24 00:48:50 -08:00
|
|
|
$RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i
|
2011-03-25 23:53:02 +00:00
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "waiting for changes to take effect"
|
2011-03-25 23:53:02 +00:00
|
|
|
sleep 5
|
|
|
|
|
|
|
|
|
|
$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
|
|
|
|
|
# DNSKEY expected:
|
|
|
|
|
awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.1.test$n || ret=1
|
|
|
|
|
# RRSIG expected:
|
|
|
|
|
awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.1.test$n || ret=1
|
|
|
|
|
$DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
|
|
|
|
|
# A expected:
|
|
|
|
|
awk 'BEGIN {r=1} $4=="A" {r=0} END {exit r}' dig.out.ns3.2.test$n || ret=1
|
|
|
|
|
# RRSIG expected:
|
|
|
|
|
awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.2.test$n || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-03-25 23:53:02 +00:00
|
|
|
status=`expr $status + $ret`
|
2010-01-18 19:19:31 +00:00
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking former active key was removed ($n)"
|
2011-05-30 07:25:19 +00:00
|
|
|
#
|
|
|
|
|
# Work out how long we need to sleep. Allow 4 seconds for the records
|
|
|
|
|
# to be removed.
|
|
|
|
|
#
|
2011-05-30 22:32:06 +00:00
|
|
|
now=`$PERL -e 'print time(), "\n";'`
|
2011-05-30 07:25:19 +00:00
|
|
|
sleep=`expr $starttime + 29 - $now`
|
|
|
|
|
case $sleep in
|
|
|
|
|
-*|0);;
|
2018-02-20 15:43:27 -08:00
|
|
|
*) echo_i "waiting for timer to have activated"; sleep $sleep;;
|
2011-05-30 07:25:19 +00:00
|
|
|
esac
|
2010-01-18 19:19:31 +00:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
2011-11-27 12:04:27 +00:00
|
|
|
grep '; key id = '"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1
|
2010-01-18 19:19:31 +00:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2010-01-18 19:19:31 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking private key file removal caused no immediate harm ($n)"
|
2010-01-18 19:19:31 +00:00
|
|
|
ret=0
|
2011-07-08 01:43:26 +00:00
|
|
|
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < vanishing.key`
|
2010-01-18 19:19:31 +00:00
|
|
|
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
|
|
|
|
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2010-01-18 19:19:31 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking revoked key with duplicate key ID (failure expected) ($n)"
|
2010-01-18 19:19:31 +00:00
|
|
|
lret=0
|
|
|
|
|
id=30676
|
|
|
|
|
$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || lret=1
|
2011-11-27 12:04:27 +00:00
|
|
|
grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null || lret=1
|
2010-01-18 19:19:31 +00:00
|
|
|
$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || lret=1
|
|
|
|
|
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || lret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $lret != 0 ]; then echo_i "not yet implemented"; fi
|
2010-01-18 19:19:31 +00:00
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking key event timers are always set ($n)"
|
2011-04-29 21:37:15 +00:00
|
|
|
# this is a regression test for a bug in which the next key event could
|
|
|
|
|
# be scheduled for the present moment, and then never fire. check for
|
|
|
|
|
# visible evidence of this error in the logs:
|
|
|
|
|
awk '/next key event/ {if ($1 == $8 && $2 == $9) exit 1}' */named.run || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-04-29 21:37:15 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
|
|
|
|
# this confirms that key events are never scheduled more than
|
|
|
|
|
# 'dnssec-loadkeys-interval' minutes in the future, and that the
|
2011-12-12 06:51:12 +00:00
|
|
|
# event scheduled is within 10 seconds of expected interval.
|
2011-04-29 21:37:15 +00:00
|
|
|
check_interval () {
|
|
|
|
|
awk '/next key event/ {print $2 ":" $9}' $1/named.run |
|
2011-05-01 11:29:20 +00:00
|
|
|
sed 's/\.//g' |
|
|
|
|
|
awk -F: '
|
2011-04-29 21:37:15 +00:00
|
|
|
{
|
2011-05-01 21:36:33 +00:00
|
|
|
x = ($6+ $5*60000 + $4*3600000) - ($3+ $2*60000 + $1*3600000);
|
2011-12-22 02:15:24 +00:00
|
|
|
# abs(x) < 1000 ms treat as 'now'
|
|
|
|
|
if (x < 1000 && x > -1000)
|
2011-05-02 23:56:59 +00:00
|
|
|
x = 0;
|
|
|
|
|
# convert to seconds
|
2011-05-01 11:29:20 +00:00
|
|
|
x = x/1000;
|
2011-05-02 23:56:59 +00:00
|
|
|
# handle end of day roll over
|
2011-05-02 01:35:04 +00:00
|
|
|
if (x < 0)
|
|
|
|
|
x = x + 24*3600;
|
2011-05-02 23:56:59 +00:00
|
|
|
# handle log timestamp being a few milliseconds later
|
2011-04-29 21:37:15 +00:00
|
|
|
if (x != int(x))
|
|
|
|
|
x = int(x + 1);
|
2011-05-02 05:05:05 +00:00
|
|
|
if (int(x) > int(interval))
|
2011-04-29 21:37:15 +00:00
|
|
|
exit (1);
|
|
|
|
|
}
|
2011-12-12 12:08:09 +00:00
|
|
|
END { if (int(x) > int(interval) || int(x) < int(interval-10)) exit(1) }' interval=$2
|
2011-04-29 21:37:15 +00:00
|
|
|
return $?
|
|
|
|
|
}
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking automatic key reloading interval ($n)"
|
2011-04-29 21:37:15 +00:00
|
|
|
ret=0
|
|
|
|
|
check_interval ns1 3600 || ret=1
|
|
|
|
|
check_interval ns2 1800 || ret=1
|
|
|
|
|
check_interval ns3 600 || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-04-29 21:37:15 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking for key reloading loops ($n)"
|
2011-06-10 01:32:38 +00:00
|
|
|
ret=0
|
|
|
|
|
# every key event should schedule a successor, so these should be equal
|
|
|
|
|
rekey_calls=`grep "reconfiguring zone keys" ns*/named.run | wc -l`
|
|
|
|
|
rekey_events=`grep "next key event" ns*/named.run | wc -l`
|
|
|
|
|
[ "$rekey_calls" = "$rekey_events" ] || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-06-10 01:32:38 +00:00
|
|
|
status=`expr $status + $ret`
|
2009-11-30 21:00:48 +00:00
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "forcing full sign with unreadable keys ($n)"
|
2012-02-02 03:47:39 +00:00
|
|
|
ret=0
|
|
|
|
|
chmod 0 ns1/K.+*+*.key ns1/K.+*+*.private || ret=1
|
2018-02-24 00:48:50 -08:00
|
|
|
$RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i
|
2011-12-22 11:57:30 +00:00
|
|
|
$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
|
|
|
|
|
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2011-12-22 11:57:30 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "test turning on auto-dnssec during reconfig ($n)"
|
2012-02-06 21:33:50 +00:00
|
|
|
ret=0
|
|
|
|
|
# first create a zone that doesn't have auto-dnssec
|
2018-02-24 00:48:50 -08:00
|
|
|
$RNDCCMD 10.53.0.3 addzone reconf.example '{ type master; file "reconf.example.db"; };' 2>&1 | sed 's/^/ns3 /' | cat_i
|
2012-02-06 21:33:50 +00:00
|
|
|
rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l`
|
2012-02-07 00:33:19 +00:00
|
|
|
[ "$rekey_calls" -eq 0 ] || ret=1
|
2012-02-06 21:33:50 +00:00
|
|
|
# ...then we add auto-dnssec and reconfigure
|
2018-02-24 00:48:50 -08:00
|
|
|
$RNDCCMD 10.53.0.3 modzone reconf.example '{ type master; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' 2>&1 | sed 's/^/ns3 /' | cat_i
|
|
|
|
|
$RNDCCMD 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
|
2012-02-06 21:33:50 +00:00
|
|
|
for i in 0 1 2 3 4 5 6 7 8 9; do
|
|
|
|
|
lret=0
|
|
|
|
|
rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l`
|
|
|
|
|
[ "$rekey_calls" -gt 0 ] || lret=1
|
2012-06-20 14:13:12 -05:00
|
|
|
if [ "$lret" -eq 0 ]; then break; fi
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "waiting ... ($i)"
|
2012-02-06 21:33:50 +00:00
|
|
|
sleep 1
|
|
|
|
|
done
|
|
|
|
|
n=`expr $n + 1`
|
|
|
|
|
if [ "$lret" != 0 ]; then ret=$lret; fi
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2012-02-06 21:33:50 +00:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "test CDS and CDNSKEY auto generation ($n)"
|
2015-11-05 12:09:48 +11:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
|
|
|
|
|
$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
|
|
|
|
|
grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null || ret=1
|
|
|
|
|
grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
|
|
|
|
if [ "$lret" != 0 ]; then ret=$lret; fi
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2015-11-05 12:09:48 +11:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "test 'dnssec-dnskey-kskonly no' affects DNSKEY/CDS/CDNSKEY ($n)"
|
2017-09-12 23:09:48 -07:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS @10.53.0.3 sync.example dnskey > dig.out.ns3.dnskeytest$n
|
|
|
|
|
$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
|
|
|
|
|
$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
|
|
|
|
|
lines=`awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l`
|
|
|
|
|
test ${lines:-0} -eq 2 || ret=1
|
|
|
|
|
lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l`
|
|
|
|
|
test ${lines:-0} -eq 2 || ret=1
|
|
|
|
|
lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l`
|
|
|
|
|
test ${lines:-0} -eq 2 || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2017-09-12 23:09:48 -07:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "test 'dnssec-dnskey-kskonly yes' affects DNSKEY/CDS/CDNSKEY ($n)"
|
2017-09-12 23:09:48 -07:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey > dig.out.ns3.dnskeytest$n
|
|
|
|
|
$DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey > dig.out.ns3.cdnskeytest$n
|
|
|
|
|
$DIG $DIGOPTS @10.53.0.3 kskonly.example cds > dig.out.ns3.cdstest$n
|
|
|
|
|
lines=`awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l`
|
|
|
|
|
test ${lines:-0} -eq 1 || ret=1
|
|
|
|
|
lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l`
|
|
|
|
|
test ${lines:-0} -eq 1 || ret=1
|
|
|
|
|
lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l`
|
|
|
|
|
test ${lines:-0} -eq 1 || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2017-09-12 23:09:48 -07:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'"
|
2017-09-12 23:09:48 -07:00
|
|
|
$SETTIME -D sync now+2 `cat sync.key` > /dev/null
|
2018-02-24 00:48:50 -08:00
|
|
|
$RNDCCMD 10.53.0.3 loadkeys sync.example | sed 's/^/ns3 /' | cat_i
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "waiting for deletion to occur"
|
2015-11-05 12:09:48 +11:00
|
|
|
sleep 3
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "checking that the CDS and CDNSKEY are deleted ($n)"
|
2015-11-05 12:09:48 +11:00
|
|
|
ret=0
|
|
|
|
|
$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
|
|
|
|
|
$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
|
|
|
|
|
grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null && ret=1
|
|
|
|
|
grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null && ret=1
|
|
|
|
|
n=`expr $n + 1`
|
|
|
|
|
if [ "$lret" != 0 ]; then ret=$lret; fi
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2015-11-05 12:09:48 +11:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "check that dnssec-settime -p Dsync works ($n)"
|
2016-01-26 00:27:44 +11:00
|
|
|
ret=0
|
|
|
|
|
$SETTIME -p Dsync `cat sync.key` > settime.out.$n|| ret=0
|
|
|
|
|
grep "SYNC Delete:" settime.out.$n >/dev/null || ret=0
|
|
|
|
|
n=`expr $n + 1`
|
|
|
|
|
if [ "$lret" != 0 ]; then ret=$lret; fi
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2016-01-26 00:27:44 +11:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "check that dnssec-settime -p Psync works ($n)"
|
2016-01-26 00:27:44 +11:00
|
|
|
ret=0
|
|
|
|
|
$SETTIME -p Psync `cat sync.key` > settime.out.$n|| ret=0
|
|
|
|
|
grep "SYNC Publish:" settime.out.$n >/dev/null || ret=0
|
|
|
|
|
n=`expr $n + 1`
|
|
|
|
|
if [ "$lret" != 0 ]; then ret=$lret; fi
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2016-01-26 00:27:44 +11:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "check that zone with inactive KSK and active ZSK is properly autosigned ($n)"
|
2017-12-06 20:26:43 +11:00
|
|
|
ret=0
|
2018-02-24 00:48:50 -08:00
|
|
|
$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n
|
2017-12-06 20:26:43 +11:00
|
|
|
|
|
|
|
|
zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
|
|
|
|
|
$DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' `
|
|
|
|
|
pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
|
|
|
|
|
grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
|
|
|
|
|
|
|
|
|
|
kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
|
|
|
|
|
$DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' `
|
|
|
|
|
pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${kskid} "
|
|
|
|
|
grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
|
|
|
|
|
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2017-12-06 20:26:43 +11:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)"
|
2017-12-05 09:25:09 +11:00
|
|
|
ret=0
|
2018-02-24 00:48:50 -08:00
|
|
|
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n
|
2017-12-06 20:26:43 +11:00
|
|
|
grep "SOA 7 2" dig.out.ns3.test$n > /dev/null || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2017-12-06 20:26:43 +11:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Check that DNSKEY is now signed with the ZSK.
|
|
|
|
|
#
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "check that zone with active and inactive KSK and active ZSK is properly"
|
|
|
|
|
echo_i " resigned after the active KSK is deleted - stage 2: Verify that DNSKEY"
|
|
|
|
|
echo_i " is now signed with the ZSK. ($n)"
|
2017-12-06 20:26:43 +11:00
|
|
|
ret=0
|
|
|
|
|
|
2018-02-24 00:48:50 -08:00
|
|
|
$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
|
2017-12-06 20:26:43 +11:00
|
|
|
|
|
|
|
|
zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
|
|
|
|
|
$DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' `
|
|
|
|
|
pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
|
|
|
|
|
grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
|
|
|
|
|
|
|
|
|
|
count=`awk 'BEGIN { count = 0 }
|
|
|
|
|
$4 == "RRSIG" && $5 == "DNSKEY" { count++ }
|
|
|
|
|
END {print count}' dig.out.ns3.test$n`
|
|
|
|
|
test $count -eq 1 || ret=1
|
|
|
|
|
|
|
|
|
|
count=`awk 'BEGIN { count = 0 }
|
|
|
|
|
$4 == "DNSKEY" { count++ }
|
|
|
|
|
END {print count}' dig.out.ns3.test$n`
|
|
|
|
|
test $count -eq 2 || ret=1
|
|
|
|
|
|
2017-12-05 09:25:09 +11:00
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2017-12-05 09:25:09 +11:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2017-12-05 16:09:47 +11:00
|
|
|
#
|
|
|
|
|
# Check that zone is now signed with the KSK.
|
|
|
|
|
#
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "check that zone with active and inactive ZSK and active KSK is properly"
|
|
|
|
|
echo_i " resigned after the active ZSK is deleted - stage 2: Verify that zone"
|
|
|
|
|
echo_i " is now signed with the KSK. ($n)"
|
2017-12-05 16:09:47 +11:00
|
|
|
ret=0
|
2018-02-24 00:48:50 -08:00
|
|
|
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
|
2017-12-05 16:09:47 +11:00
|
|
|
kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
|
|
|
|
|
$DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' `
|
|
|
|
|
grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
|
|
|
|
|
count=`awk 'BEGIN { count = 0 }
|
|
|
|
|
$4 == "RRSIG" && $5 == "CNAME" { count++ }
|
|
|
|
|
END {print count}' dig.out.ns3.test$n`
|
|
|
|
|
test $count -eq 1 || ret=1
|
|
|
|
|
count=`awk 'BEGIN { count = 0 }
|
|
|
|
|
$4 == "DNSKEY" { count++ }
|
|
|
|
|
END {print count}' dig.out.ns3.test$n`
|
|
|
|
|
test $count -eq 2 || ret=1
|
|
|
|
|
n=`expr $n + 1`
|
2018-02-20 15:43:27 -08:00
|
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
2017-12-05 16:09:47 +11:00
|
|
|
status=`expr $status + $ret`
|
|
|
|
|
|
2018-02-20 15:43:27 -08:00
|
|
|
echo_i "exit status: $status"
|
2016-06-14 13:48:39 +10:00
|
|
|
[ $status -eq 0 ] || exit 1
|
