2023-08-09 14:04:54 +02:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
|
|
#
|
|
|
|
# SPDX-License-Identifier: MPL-2.0
|
|
|
|
#
|
|
|
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
|
|
#
|
|
|
|
# See the COPYRIGHT file distributed with this work for additional
|
|
|
|
# information regarding copyright ownership.
|
|
|
|
|
|
|
|
# shellcheck source=conf.sh
|
|
|
|
. ../conf.sh
|
|
|
|
# shellcheck source=kasp.sh
|
|
|
|
. ../kasp.sh
|
|
|
|
|
|
|
|
set -e
|
|
|
|
|
2024-05-07 11:51:55 +02:00
|
|
|
RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
|
|
|
|
|
2024-03-04 11:36:16 +01:00
|
|
|
CDS_SHA1="no"
|
|
|
|
CDS_SHA256="yes"
|
|
|
|
CDS_SHA384="no"
|
|
|
|
CDNSKEY="yes"
|
|
|
|
|
2023-08-09 14:04:54 +02:00
|
|
|
status=0
|
|
|
|
n=0
|
|
|
|
|
|
|
|
# Get timing metadata from a value plus additional time.
|
|
|
|
# $1: Value
|
|
|
|
# $2: Additional time
|
|
|
|
addtime() {
|
2024-02-26 16:29:59 +01:00
|
|
|
if [ -x "$PYTHON" ]; then
|
|
|
|
# Convert "%Y%m%d%H%M%S" format to epoch seconds.
|
|
|
|
# Then, add the additional time (can be negative).
|
|
|
|
_value=$1
|
|
|
|
_plus=$2
|
|
|
|
$PYTHON >python.out <<EOF
|
2023-08-09 14:04:54 +02:00
|
|
|
from datetime import datetime
|
|
|
|
from datetime import timedelta
|
|
|
|
_now = datetime.strptime("$_value", "%Y%m%d%H%M%S")
|
|
|
|
_delta = timedelta(seconds=$_plus)
|
|
|
|
_then = _now + _delta
|
|
|
|
print(_then.strftime("%Y%m%d%H%M%S"));
|
|
|
|
EOF
|
2024-02-26 16:29:59 +01:00
|
|
|
cat python.out
|
|
|
|
fi
|
2023-08-09 14:04:54 +02:00
|
|
|
}
|
|
|
|
|
2024-02-22 15:18:30 +01:00
|
|
|
# Check keys that were created. The keys created are listed in the latest ksr
|
|
|
|
# output file, ksr.keygen.out.$n.
|
2023-08-09 14:04:54 +02:00
|
|
|
# $1: zone name
|
|
|
|
# $2: key directory
|
2024-05-07 11:51:55 +02:00
|
|
|
# $3: offset
|
|
|
|
ksr_check_keys() (
|
2024-02-26 16:29:59 +01:00
|
|
|
zone=$1
|
|
|
|
dir=$2
|
2024-05-07 11:51:55 +02:00
|
|
|
offset=$3
|
2024-02-26 16:29:59 +01:00
|
|
|
lifetime=$LIFETIME
|
|
|
|
alg=$ALG
|
|
|
|
size=$SIZE
|
|
|
|
inception=0
|
|
|
|
pad=$(printf "%03d" "$alg")
|
|
|
|
|
|
|
|
num=0
|
|
|
|
for key in $(grep "K${zone}.+$pad+" ksr.keygen.out.$n); do
|
|
|
|
grep "; Created:" "${dir}/${key}.key" >created.out || return 1
|
|
|
|
created=$(awk '{print $3}' <created.out)
|
2024-05-07 11:51:55 +02:00
|
|
|
test "$num" -eq 0 && retired=$(addtime $created $offset)
|
2024-02-26 16:29:59 +01:00
|
|
|
# active: retired previous key
|
|
|
|
active=$retired
|
|
|
|
# published: 2h5m (dnskey-ttl + publish-safety + propagation)
|
|
|
|
published=$(addtime $active -7500)
|
|
|
|
# retired: zsk-lifetime
|
|
|
|
retired=$(addtime $active $lifetime)
|
|
|
|
# removed: 10d1h5m (ttlsig + retire-safety + sign-delay + propagation)
|
|
|
|
removed=$(addtime $retired 867900)
|
|
|
|
|
2024-05-07 11:51:55 +02:00
|
|
|
echo_i "check metadata on $key: $alg $size $lifetime $published $active $retired $removed"
|
2024-02-26 16:29:59 +01:00
|
|
|
statefile="${dir}/${key}.state"
|
|
|
|
grep "Algorithm: $alg" $statefile >/dev/null || return 1
|
|
|
|
grep "Length: $size" $statefile >/dev/null || return 1
|
|
|
|
grep "Lifetime: $lifetime" $statefile >/dev/null || return 1
|
|
|
|
grep "KSK: no" $statefile >/dev/null || return 1
|
|
|
|
grep "ZSK: yes" $statefile >/dev/null || return 1
|
|
|
|
grep "Published: $published" $statefile >/dev/null || return 1
|
|
|
|
grep "Active: $active" $statefile >/dev/null || return 1
|
|
|
|
grep "Retired: $retired" $statefile >/dev/null || return 1
|
|
|
|
grep "Removed: $removed" $statefile >/dev/null || return 1
|
|
|
|
|
|
|
|
inception=$((inception + lifetime))
|
|
|
|
num=$((num + 1))
|
|
|
|
|
|
|
|
# Save some information for testing
|
|
|
|
cp ${dir}/${key}.key ${key}.key.expect
|
|
|
|
cp ${dir}/${key}.private ${key}.private.expect
|
|
|
|
cp ${dir}/${key}.state ${key}.state.expect
|
|
|
|
cat ${dir}/${key}.key | grep -v ";.*" >"${zone}.${alg}.zsk${num}"
|
|
|
|
echo $key >"${zone}.${alg}.zsk${num}.id"
|
|
|
|
done
|
|
|
|
|
|
|
|
return 0
|
2023-08-09 14:04:54 +02:00
|
|
|
)
|
|
|
|
|
2023-08-15 11:56:06 +02:00
|
|
|
# Print the DNSKEY records for zone $1, which have keys listed in file $5
|
|
|
|
# that match the keys with numbers $2 and $3, and match algorithm number $4,
|
|
|
|
# sorted by keytag.
|
2024-02-26 16:29:59 +01:00
|
|
|
print_dnskeys() {
|
|
|
|
for key in $(cat $5 | sort); do
|
|
|
|
for num in $2 $3; do
|
|
|
|
zsk=$(cat $1.$4.zsk$num.id)
|
|
|
|
if [ "$key" = "$zsk" ]; then
|
|
|
|
cat $1.$4.zsk$num >>ksr.request.expect.$n
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
done
|
2023-08-15 11:56:06 +02:00
|
|
|
}
|
2023-08-09 14:04:54 +02:00
|
|
|
# Call the dnssec-ksr command:
|
|
|
|
# ksr <policy> [options] <command> <zone>
|
2024-02-26 16:29:59 +01:00
|
|
|
ksr() {
|
2024-05-07 11:51:55 +02:00
|
|
|
$KSR -l ns1/named.conf -k "$@"
|
2023-08-09 14:04:54 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Unknown action.
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-09 14:04:54 +02:00
|
|
|
echo_i "check that 'dnssec-ksr' errors on unknown action ($n)"
|
|
|
|
ret=0
|
2024-02-26 16:29:59 +01:00
|
|
|
ksr common foobar common.test >ksr.foobar.out.$n 2>&1 && ret=1
|
|
|
|
grep "dnssec-ksr: fatal: unknown command 'foobar'" ksr.foobar.out.$n >/dev/null || ret=1
|
2023-08-09 14:04:54 +02:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-09 14:04:54 +02:00
|
|
|
|
2023-08-15 11:56:06 +02:00
|
|
|
# Key generation: common
|
2024-02-26 16:29:59 +01:00
|
|
|
set_zsk() {
|
|
|
|
ALG=$1
|
|
|
|
SIZE=$2
|
|
|
|
LIFETIME=$3
|
2023-08-09 14:04:54 +02:00
|
|
|
}
|
|
|
|
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-15 11:56:06 +02:00
|
|
|
echo_i "check that 'dnssec-ksr keygen' errors on missing end date ($n)"
|
2023-08-09 14:04:54 +02:00
|
|
|
ret=0
|
2024-02-26 16:29:59 +01:00
|
|
|
ksr common keygen common.test >ksr.keygen.out.$n 2>&1 && ret=1
|
|
|
|
grep "dnssec-ksr: fatal: keygen requires an end date" ksr.keygen.out.$n >/dev/null || ret=1
|
2023-08-09 14:04:54 +02:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-09 14:04:54 +02:00
|
|
|
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-15 11:56:06 +02:00
|
|
|
echo_i "check that 'dnssec-ksr keygen' pregenerates right amount of keys in the common case ($n)"
|
2023-08-09 14:04:54 +02:00
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr common -K ns1 -i now -e +1y keygen common.test >ksr.keygen.out.$n 2>&1 || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
num=$(cat ksr.keygen.out.$n | wc -l)
|
2023-08-09 14:04:54 +02:00
|
|
|
[ $num -eq 2 ] || ret=1
|
|
|
|
set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr_check_keys common.test ns1 0 || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
cp ksr.keygen.out.$n ksr.keygen.out.expect
|
2023-08-09 14:04:54 +02:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-15 11:56:06 +02:00
|
|
|
# save now time
|
|
|
|
key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
|
2024-05-07 11:51:55 +02:00
|
|
|
grep "; Created:" "ns1/${key}.key" >now.out || ret=1
|
2024-02-26 16:29:59 +01:00
|
|
|
now=$(awk '{print $3}' <now.out)
|
2023-08-09 14:04:54 +02:00
|
|
|
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-15 11:56:06 +02:00
|
|
|
echo_i "check that 'dnssec-ksr keygen' selects pregenerated keys for the same time bundle ($n)"
|
2023-08-09 14:04:54 +02:00
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr common -K ns1 -e +1y keygen common.test >ksr.keygen.out.$n 2>&1 || ret=1
|
2024-02-26 16:29:59 +01:00
|
|
|
diff -w ksr.keygen.out.expect ksr.keygen.out.$n >/dev/null || ret=1
|
|
|
|
for key in $(cat ksr.keygen.out.$n); do
|
|
|
|
# Ensure the files are not modified.
|
2024-05-07 11:51:55 +02:00
|
|
|
diff ns1/${key}.key ${key}.key.expect >/dev/null || ret=1
|
|
|
|
diff ns1/${key}.private ${key}.private.expect >/dev/null || ret=1
|
|
|
|
diff ns1/${key}.state ${key}.state.expect >/dev/null || ret=1
|
2023-08-09 14:04:54 +02:00
|
|
|
done
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-09 14:04:54 +02:00
|
|
|
|
2023-08-15 11:56:06 +02:00
|
|
|
# Create request: common
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-15 11:56:06 +02:00
|
|
|
echo_i "check that 'dnssec-ksr request' errors on missing end date ($n)"
|
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr common -K ns1 request common.test >ksr.request.out.$n 2>&1 && ret=1
|
2024-02-26 16:29:59 +01:00
|
|
|
grep "dnssec-ksr: fatal: request requires an end date" ksr.request.out.$n >/dev/null || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-15 11:56:06 +02:00
|
|
|
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-15 11:56:06 +02:00
|
|
|
echo_i "check that 'dnssec-ksr request' creates correct KSR in the common case ($n)"
|
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr common -K ns1 -i $now -e +1y request common.test >ksr.request.out.$n 2>&1 || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
# Bundle 1: KSK + ZSK1
|
|
|
|
key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
|
2024-05-07 11:51:55 +02:00
|
|
|
inception=$(cat ns1/$key.state | grep "Generated" | cut -d' ' -f 2-)
|
2024-02-26 16:29:59 +01:00
|
|
|
echo ";; KeySigningRequest 1.0 $inception" >ksr.request.expect.$n
|
|
|
|
cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n
|
2023-08-15 11:56:06 +02:00
|
|
|
# Bundle 2: KSK + ZSK1 + ZSK2
|
|
|
|
key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id)
|
2024-05-07 11:51:55 +02:00
|
|
|
inception=$(cat ns1/$key.state | grep "Published" | cut -d' ' -f 2-)
|
2024-02-26 16:29:59 +01:00
|
|
|
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
|
2023-08-15 11:56:06 +02:00
|
|
|
print_dnskeys common.test 1 2 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect
|
|
|
|
# Bundle 3: KSK + ZSK2
|
|
|
|
key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
|
2024-05-07 11:51:55 +02:00
|
|
|
inception=$(cat ns1/$key.state | grep "Removed" | cut -d' ' -f 2-)
|
2024-02-26 16:29:59 +01:00
|
|
|
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
|
|
|
|
cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >>ksr.request.expect.$n
|
2023-12-21 11:16:40 +01:00
|
|
|
# Footer
|
|
|
|
cp ksr.request.expect.$n ksr.request.expect.base
|
2024-04-25 15:48:49 +02:00
|
|
|
grep ";; KeySigningRequest 1.0 generated at" ksr.request.out.$n >footer.$n || ret=1
|
2024-02-26 16:29:59 +01:00
|
|
|
cat footer.$n >>ksr.request.expect.$n
|
2023-12-21 11:16:40 +01:00
|
|
|
# Check if request output is the same as expected.
|
2024-02-26 16:29:59 +01:00
|
|
|
diff -w ksr.request.out.$n ksr.request.expect.$n >/dev/null || ret=1
|
2024-02-22 15:18:30 +01:00
|
|
|
# Save request for ksr sign operation.
|
2023-08-15 11:56:06 +02:00
|
|
|
cp ksr.request.expect.$n ksr.request.expect
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-15 11:56:06 +02:00
|
|
|
|
2024-02-22 15:18:30 +01:00
|
|
|
# Sign request: common
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2024-02-22 15:18:30 +01:00
|
|
|
echo_i "check that 'dnssec-ksr sign' errors on missing KSR file ($n)"
|
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr common -K ns1 -i $now -e +1y sign common.test >ksr.sign.out.$n 2>&1 && ret=1
|
2024-02-26 16:29:59 +01:00
|
|
|
grep "dnssec-ksr: fatal: 'sign' requires a KSR file" ksr.sign.out.$n >/dev/null || ret=1
|
2024-02-22 15:18:30 +01:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2024-02-22 15:18:30 +01:00
|
|
|
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2024-02-22 15:18:30 +01:00
|
|
|
echo_i "check that 'dnssec-ksr sign' creates correct SKR in the common case ($n)"
|
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr common -K ns1 -i $now -e +1y -K ns1/offline -f ksr.request.expect sign common.test >ksr.sign.out.$n 2>&1 || ret=1
|
2024-02-22 15:18:30 +01:00
|
|
|
|
|
|
|
_update_expected_zsks() {
|
2024-02-26 16:29:59 +01:00
|
|
|
zsk=$((zsk + 1))
|
|
|
|
next=$((next + 1))
|
|
|
|
inception=$rollover_done
|
|
|
|
if [ "$next" -le "$numzsks" ]; then
|
|
|
|
key1="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${zsk}"
|
|
|
|
key2="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${next}"
|
|
|
|
zsk1=$(cat $key1.id)
|
|
|
|
zsk2=$(cat $key2.id)
|
2024-05-07 11:51:55 +02:00
|
|
|
rollover_start=$(cat ns1/$zsk2.state | grep "Published" | awk '{print $2}')
|
|
|
|
rollover_done=$(cat ns1/$zsk1.state | grep "Removed" | awk '{print $2}')
|
2024-02-26 16:29:59 +01:00
|
|
|
else
|
|
|
|
# No more expected rollovers.
|
|
|
|
key1="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${zsk}"
|
|
|
|
zsk1=$(cat $key1.id)
|
|
|
|
rollover_start=$((end + 1))
|
|
|
|
rollover_done=$((end + 1))
|
|
|
|
fi
|
2024-02-22 15:18:30 +01:00
|
|
|
}
|
|
|
|
|
2024-04-25 16:00:09 +02:00
|
|
|
check_skr() {
|
2024-02-26 16:29:59 +01:00
|
|
|
_ret=0
|
|
|
|
zone=$1
|
2024-05-07 11:51:55 +02:00
|
|
|
dir=$2
|
|
|
|
file=$3
|
|
|
|
start=$4
|
|
|
|
end=$5
|
|
|
|
numzsks=$6
|
|
|
|
cds1=$($DSFROMKEY -T 3600 -a SHA-1 -C -w $dir/$(cat "${zone}.ksk1.id"))
|
|
|
|
cds2=$($DSFROMKEY -T 3600 -a SHA-256 -C -w $dir/$(cat "${zone}.ksk1.id"))
|
|
|
|
cds4=$($DSFROMKEY -T 3600 -a SHA-384 -C -w $dir/$(cat "${zone}.ksk1.id"))
|
2024-03-01 14:51:11 +01:00
|
|
|
cdnskey=$(awk '{sub(/DNSKEY/,"CDNSKEY")}1' <${zone}.ksk1)
|
2024-02-26 16:29:59 +01:00
|
|
|
|
2024-04-25 16:00:09 +02:00
|
|
|
echo_i "check skr: zone $1 file $2 from $3 to $4 num-zsk $5"
|
2024-02-26 16:29:59 +01:00
|
|
|
|
|
|
|
# Initial state: not in a rollover, expect a SignedKeyResponse header
|
|
|
|
# on the first line, start with the first ZSK (set zsk=0 so when we
|
|
|
|
# call _update_expected_zsks, zsk is set to 1.
|
|
|
|
rollover=0
|
|
|
|
expect="header"
|
|
|
|
zsk=0
|
|
|
|
next=1
|
|
|
|
rollover_done=$start
|
|
|
|
_update_expected_zsks
|
|
|
|
|
2024-04-25 16:00:09 +02:00
|
|
|
echo_i "check skr: inception $inception rollover-start $rollover_start rollover-done $rollover_done"
|
2024-02-26 16:29:59 +01:00
|
|
|
|
|
|
|
lineno=0
|
2024-03-04 11:36:16 +01:00
|
|
|
complete=0
|
2024-02-26 16:29:59 +01:00
|
|
|
while IFS= read -r line; do
|
2024-03-04 11:36:16 +01:00
|
|
|
# A single signed key response may consist of:
|
2024-02-26 16:29:59 +01:00
|
|
|
# ;; SignedKeyResponse (header)
|
|
|
|
# ;; DNSKEY 257 (ksk)
|
|
|
|
# ;; one or two (during rollover) DNSKEY 256 (zsk1, zsk2)
|
2024-03-01 14:51:11 +01:00
|
|
|
# ;; RRSIG(DNSKEY) (rrsig-dnskey)
|
|
|
|
# ;; CDNSKEY (cdnskey)
|
|
|
|
# ;; RRSIG(CDNSKEY) (rrsig-cdnskey)
|
|
|
|
# ;; CDS (cds)
|
|
|
|
# ;; RRSIG(CDS) (rrsig-cds)
|
2024-02-26 16:29:59 +01:00
|
|
|
err=0
|
|
|
|
lineno=$((lineno + 1))
|
|
|
|
|
|
|
|
# skip empty lines
|
|
|
|
if [ -z "$line" ]; then
|
|
|
|
continue
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ "$expect" = "header" ]; then
|
|
|
|
expected=";; SignedKeyResponse 1.0 $inception"
|
2024-03-01 14:51:11 +01:00
|
|
|
echo $line | grep "$expected" >/dev/null || err=1
|
2024-02-26 16:29:59 +01:00
|
|
|
next_inception=$(addtime $inception 777600)
|
|
|
|
expect="ksk"
|
|
|
|
elif [ "$expect" = "ksk" ]; then
|
|
|
|
expected="$(cat ${zone}.ksk1)"
|
2024-03-01 14:51:11 +01:00
|
|
|
echo $line | grep "$expected" >/dev/null || err=1
|
2024-02-26 16:29:59 +01:00
|
|
|
expect="zsk1"
|
2024-03-01 14:51:11 +01:00
|
|
|
elif [ "$expect" = "cdnskey" ]; then
|
|
|
|
expected="$cdnskey"
|
|
|
|
echo $line | grep "$expected" >/dev/null || err=1
|
|
|
|
expect="rrsig-cdnskey"
|
2024-03-04 11:36:16 +01:00
|
|
|
elif [ "$expect" = "cds1" ]; then
|
|
|
|
expected="$cds1"
|
|
|
|
echo $line | grep "$expected" >/dev/null || err=1
|
|
|
|
if [ "$CDS_SHA256" = "yes" ]; then
|
|
|
|
expect="cds2"
|
|
|
|
elif [ "$CDS_SHA384" = "yes" ]; then
|
|
|
|
expect="cds4"
|
|
|
|
else
|
|
|
|
expect="rrsig-cds"
|
|
|
|
fi
|
|
|
|
elif [ "$expect" = "cds2" ]; then
|
|
|
|
expected="$cds2"
|
|
|
|
echo $line | grep "$expected" >/dev/null || err=1
|
|
|
|
if [ "$CDS_SHA384" = "yes" ]; then
|
|
|
|
expect="cds4"
|
|
|
|
else
|
|
|
|
expect="rrsig-cds"
|
|
|
|
fi
|
|
|
|
elif [ "$expect" = "cds4" ]; then
|
|
|
|
expected="$cds4"
|
2024-03-01 14:51:11 +01:00
|
|
|
echo $line | grep "$expected" >/dev/null || err=1
|
|
|
|
expect="rrsig-cds"
|
2024-02-26 16:29:59 +01:00
|
|
|
elif [ "$expect" = "zsk1" ]; then
|
|
|
|
expected="$(cat $key1)"
|
2024-03-01 14:51:11 +01:00
|
|
|
echo $line | grep "$expected" >/dev/null || err=1
|
|
|
|
expect="rrsig-dnskey"
|
2024-02-26 16:29:59 +01:00
|
|
|
[ "$rollover" -eq 1 ] && expect="zsk2"
|
|
|
|
elif [ "$expect" = "zsk2" ]; then
|
|
|
|
expected="$(cat $key2)"
|
2024-03-01 14:51:11 +01:00
|
|
|
echo $line | grep "$expected" >/dev/null || err=1
|
|
|
|
expect="rrsig-dnskey"
|
|
|
|
elif [ "$expect" = "rrsig-dnskey" ]; then
|
|
|
|
exp=$(addtime $inception 1209600) # signature-validity 14 days
|
|
|
|
inc=$(addtime $inception -3600) # adjust for one hour clock skew
|
|
|
|
expected="${zone}. 3600 IN RRSIG DNSKEY 13 2 3600 $exp $inc"
|
|
|
|
echo $line | grep "$expected" >/dev/null || err=1
|
2024-03-04 11:36:16 +01:00
|
|
|
if [ "$CDNSKEY" = "yes" ]; then
|
|
|
|
expect="cdnskey"
|
|
|
|
elif [ "$CDS_SHA1" = "yes" ]; then
|
|
|
|
expect="cds1"
|
|
|
|
elif [ "$CDS_SHA256" = "yes" ]; then
|
|
|
|
expect="cds2"
|
|
|
|
elif [ "$CDS_SHA384" = "yes" ]; then
|
|
|
|
expect="cds4"
|
|
|
|
else
|
|
|
|
complete=1
|
|
|
|
fi
|
2024-03-01 14:51:11 +01:00
|
|
|
elif [ "$expect" = "rrsig-cdnskey" ]; then
|
|
|
|
exp=$(addtime $inception 1209600) # signature-validity 14 days
|
|
|
|
inc=$(addtime $inception -3600) # adjust for one hour clock skew
|
|
|
|
expected="${zone}. 3600 IN RRSIG CDNSKEY 13 2 3600 $exp $inc"
|
|
|
|
echo $line | grep "$expected" >/dev/null || err=1
|
2024-03-04 11:36:16 +01:00
|
|
|
if [ "$CDS_SHA1" = "yes" ]; then
|
|
|
|
expect="cds1"
|
|
|
|
elif [ "$CDS_SHA256" = "yes" ]; then
|
|
|
|
expect="cds2"
|
|
|
|
elif [ "$CDS_SHA384" = "yes" ]; then
|
|
|
|
expect="cds4"
|
|
|
|
else
|
|
|
|
complete=1
|
|
|
|
fi
|
2024-03-01 14:51:11 +01:00
|
|
|
elif [ "$expect" = "rrsig-cds" ]; then
|
|
|
|
exp=$(addtime $inception 1209600) # signature-validity 14 days
|
|
|
|
inc=$(addtime $inception -3600) # adjust for one hour clock skew
|
|
|
|
expected="${zone}. 3600 IN RRSIG CDS 13 2 3600 $exp $inc"
|
|
|
|
echo $line | grep "$expected" >/dev/null || err=1
|
2024-03-04 11:36:16 +01:00
|
|
|
complete=1
|
|
|
|
elif [ "$expect" = "footer" ]; then
|
|
|
|
expected=";; SignedKeyResponse 1.0 generated at"
|
|
|
|
echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1
|
|
|
|
|
|
|
|
expect="eof"
|
|
|
|
elif [ "$expect" = "eof" ]; then
|
|
|
|
expected="EOF"
|
|
|
|
echo_i "failed: expected EOF"
|
|
|
|
err=1
|
|
|
|
else
|
|
|
|
echo_i "failed: bad expect value $expect"
|
|
|
|
err=1
|
|
|
|
fi
|
|
|
|
|
|
|
|
echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1
|
|
|
|
if [ "$err" -ne 0 ]; then
|
|
|
|
echo_i "unexpected data on line $lineno:"
|
|
|
|
echo_i "line: $(echo $line | tr -s ' ')"
|
|
|
|
echo_i "expected: $expected"
|
|
|
|
fi
|
2024-02-26 16:29:59 +01:00
|
|
|
|
2024-03-04 11:36:16 +01:00
|
|
|
if [ "$complete" -eq 1 ]; then
|
2024-02-26 16:29:59 +01:00
|
|
|
inception=$next_inception
|
|
|
|
expect="header"
|
|
|
|
|
|
|
|
# Update rollover status if required.
|
|
|
|
if [ "$inception" -ge "$end" ]; then
|
|
|
|
expect="footer"
|
|
|
|
elif [ "$inception" -ge "$rollover_done" ]; then
|
|
|
|
[ "$rollover" -eq 1 ] && inception=$rollover_done
|
|
|
|
rollover=0
|
|
|
|
_update_expected_zsks
|
|
|
|
elif [ "$inception" -ge "$rollover_start" ]; then
|
|
|
|
[ "$rollover" -eq 0 ] && inception=$rollover_start
|
|
|
|
rollover=1
|
|
|
|
# Keys will be sorted, so during a rollover a key with a
|
|
|
|
# lower keytag will be printed first. Update key1/key2 and
|
|
|
|
# zsk1/zsk2 accordingly.
|
|
|
|
id1=$(keyfile_to_key_id "$zsk1")
|
|
|
|
id2=$(keyfile_to_key_id "$zsk2")
|
|
|
|
if [ $id1 -gt $id2 ]; then
|
|
|
|
key1="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${next}"
|
|
|
|
key2="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${zsk}"
|
|
|
|
zsk1=$(cat $key1.id)
|
|
|
|
zsk2=$(cat $key2.id)
|
|
|
|
fi
|
|
|
|
fi
|
2024-03-04 11:36:16 +01:00
|
|
|
complete=0
|
2024-02-26 16:29:59 +01:00
|
|
|
fi
|
|
|
|
|
|
|
|
_ret=$((_ret + err))
|
2024-03-04 11:36:16 +01:00
|
|
|
test "$_ret" -eq 0 || exit $_ret
|
2024-02-26 16:29:59 +01:00
|
|
|
done <$file
|
|
|
|
|
|
|
|
return $_ret
|
2024-02-22 15:18:30 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
zsk1=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
|
2024-05-07 11:51:55 +02:00
|
|
|
start=$(cat ns1/$zsk1.state | grep "Generated" | awk '{print $2}')
|
2024-02-22 15:18:30 +01:00
|
|
|
end=$(addtime $start 31536000) # one year
|
2024-05-07 11:51:55 +02:00
|
|
|
check_skr "common.test" "ns1/offline" "ksr.sign.out.$n" $start $end 2 || ret=1
|
2024-02-22 15:18:30 +01:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2024-02-22 15:18:30 +01:00
|
|
|
|
2023-08-15 11:56:06 +02:00
|
|
|
# Key generation: common (2)
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-15 11:56:06 +02:00
|
|
|
echo_i "check that 'dnssec-ksr keygen' pregenerates keys in the given key-directory ($n)"
|
2023-08-09 14:04:54 +02:00
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr common -K ns1/keydir -e +1y keygen common.test >ksr.keygen.out.$n 2>&1 || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
num=$(cat ksr.keygen.out.$n | wc -l)
|
|
|
|
[ $num -eq 2 ] || ret=1
|
|
|
|
set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr_check_keys common.test ns1/keydir 0 || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-15 11:56:06 +02:00
|
|
|
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-15 11:56:06 +02:00
|
|
|
echo_i "check that 'dnssec-ksr keygen' selects generates only necessary keys for overlapping time bundle ($n)"
|
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr common -K ns1 -e +2y -v 1 keygen common.test >ksr.keygen.out.$n 2>&1 || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
num=$(cat ksr.keygen.out.$n | wc -l)
|
2023-08-09 14:04:54 +02:00
|
|
|
[ $num -eq 4 ] || ret=1
|
|
|
|
# 2 selected, 2 generated
|
2023-08-15 11:56:06 +02:00
|
|
|
num=$(grep "Selecting" ksr.keygen.out.$n | wc -l)
|
2023-08-09 14:04:54 +02:00
|
|
|
[ $num -eq 2 ] || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
num=$(grep "Generating" ksr.keygen.out.$n | wc -l)
|
2023-08-09 14:04:54 +02:00
|
|
|
[ $num -eq 2 ] || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
cp ksr.keygen.out.$n ksr.keygen.out.expect
|
2023-08-09 14:04:54 +02:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-09 14:04:54 +02:00
|
|
|
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-15 11:56:06 +02:00
|
|
|
echo_i "run 'dnssec-ksr keygen' again with verbosity 0 ($n)"
|
2023-08-09 14:04:54 +02:00
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr common -K ns1 -i $now -e +2y keygen common.test >ksr.keygen.out.$n 2>&1 || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
num=$(cat ksr.keygen.out.$n | wc -l)
|
|
|
|
[ $num -eq 4 ] || ret=1
|
2023-08-09 14:04:54 +02:00
|
|
|
set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr_check_keys common.test ns1 0 || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
cp ksr.keygen.out.$n ksr.keygen.out.expect
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-15 11:56:06 +02:00
|
|
|
|
|
|
|
# Create request: common (2)
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-15 11:56:06 +02:00
|
|
|
echo_i "check that 'dnssec-ksr request' creates correct KSR if the interval is shorter ($n)"
|
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr common -K ns1 -i $now -e +1y request common.test >ksr.request.out.$n 2>&1 || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
# Same as earlier.
|
2023-12-21 11:16:40 +01:00
|
|
|
cp ksr.request.expect.base ksr.request.expect.$n
|
2024-04-25 15:48:49 +02:00
|
|
|
grep ";; KeySigningRequest 1.0 generated at" ksr.request.out.$n >footer.$n || ret=1
|
2024-02-26 16:29:59 +01:00
|
|
|
cat footer.$n >>ksr.request.expect.$n
|
|
|
|
diff -w ksr.request.out.$n ksr.request.expect.$n >/dev/null || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-15 11:56:06 +02:00
|
|
|
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-15 11:56:06 +02:00
|
|
|
echo_i "check that 'dnssec-ksr request' creates correct KSR with new interval ($n)"
|
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr common -K ns1 -i $now -e +2y request common.test >ksr.request.out.$n 2>&1 || ret=1
|
2023-12-21 11:16:40 +01:00
|
|
|
cp ksr.request.expect.base ksr.request.expect.$n
|
2023-08-15 11:56:06 +02:00
|
|
|
# Bundle 4: KSK + ZSK2 + ZSK3
|
|
|
|
key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk3.id)
|
2024-05-07 11:51:55 +02:00
|
|
|
inception=$(cat ns1/$key.state | grep "Published" | cut -d' ' -f 2-)
|
2024-02-26 16:29:59 +01:00
|
|
|
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
|
2023-08-15 11:56:06 +02:00
|
|
|
print_dnskeys common.test 2 3 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect
|
|
|
|
# Bundle 5: KSK + ZSK3
|
|
|
|
key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id)
|
2024-05-07 11:51:55 +02:00
|
|
|
inception=$(cat ns1/$key.state | grep "Removed" | cut -d' ' -f 2-)
|
2024-02-26 16:29:59 +01:00
|
|
|
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
|
|
|
|
cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk3 >>ksr.request.expect.$n
|
2023-08-15 11:56:06 +02:00
|
|
|
# Bundle 6: KSK + ZSK3 + ZSK4
|
|
|
|
key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk4.id)
|
2024-05-07 11:51:55 +02:00
|
|
|
inception=$(cat ns1/$key.state | grep "Published" | cut -d' ' -f 2-)
|
2024-02-26 16:29:59 +01:00
|
|
|
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
|
2023-08-15 11:56:06 +02:00
|
|
|
print_dnskeys common.test 3 4 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect
|
|
|
|
# Bundle 7: KSK + ZSK4
|
|
|
|
key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk3.id)
|
2024-05-07 11:51:55 +02:00
|
|
|
inception=$(cat ns1/$key.state | grep "Removed" | cut -d' ' -f 2-)
|
2024-02-26 16:29:59 +01:00
|
|
|
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
|
|
|
|
cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk4 >>ksr.request.expect.$n
|
2023-12-21 11:16:40 +01:00
|
|
|
# Footer
|
|
|
|
cp ksr.request.expect.$n ksr.request.expect.base
|
2024-04-25 15:48:49 +02:00
|
|
|
grep ";; KeySigningRequest 1.0 generated at" ksr.request.out.$n >footer.$n || ret=1
|
2024-02-26 16:29:59 +01:00
|
|
|
cat footer.$n >>ksr.request.expect.$n
|
|
|
|
diff -w ksr.request.out.$n ksr.request.expect.$n >/dev/null || ret=1
|
2024-02-22 15:18:30 +01:00
|
|
|
# Save request for ksr sign operation.
|
|
|
|
cp ksr.request.expect.$n ksr.request.expect
|
2023-08-09 14:04:54 +02:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-09 14:04:54 +02:00
|
|
|
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-15 11:56:06 +02:00
|
|
|
echo_i "check that 'dnssec-ksr request' errors if there are not enough keys ($n)"
|
2023-08-09 14:04:54 +02:00
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr common -K ns1 -i $now -e +3y request common.test >ksr.request.out.$n 2>ksr.request.err.$n && ret=1
|
2024-02-26 16:29:59 +01:00
|
|
|
grep "dnssec-ksr: fatal: no common.test/ECDSAP256SHA256 zsk key pair found for bundle" ksr.request.err.$n >/dev/null || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-15 11:56:06 +02:00
|
|
|
|
2024-02-22 15:18:30 +01:00
|
|
|
# Sign request: common (2)
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2024-02-22 15:18:30 +01:00
|
|
|
echo_i "check that 'dnssec-ksr sign' creates correct SKR with the new interval ($n)"
|
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr common -K ns1 -i $now -e +2y -K ns1/offline -f ksr.request.expect sign common.test >ksr.sign.out.$n 2>&1 || ret=1
|
|
|
|
start=$(cat ns1/$zsk1.state | grep "Generated" | awk '{print $2}')
|
2024-02-22 15:18:30 +01:00
|
|
|
end=$(addtime $start 63072000) # two years
|
2024-05-07 11:51:55 +02:00
|
|
|
check_skr "common.test" "ns1/offline" "ksr.sign.out.$n" $start $end 4 || ret=1
|
2024-05-22 11:19:20 +02:00
|
|
|
# Save response for skr import operation.
|
|
|
|
cp ksr.sign.out.$n ns1/common.test.skr
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
|
|
|
|
# Add zone: common
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "add zone 'common.test' ($n)"
|
|
|
|
ret=0
|
|
|
|
$RNDCCMD 10.53.0.1 addzone 'common.test { type primary; file "common.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
|
|
|
|
# Import skr: common
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "import ksr to zone 'common.test' ($n)"
|
|
|
|
ret=0
|
|
|
|
sleep 2
|
|
|
|
$RNDCCMD 10.53.0.1 skr -import common.test.skr common.test 2>&1 | sed 's/^/I:ns1 /' || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
|
|
|
|
# Test that common.test is signed and uses the right DNSKEY and RRSIG records.
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "test zone 'common.test' is correctly signed ($n)"
|
|
|
|
ret=0
|
|
|
|
|
|
|
|
set_zone "common.test"
|
|
|
|
set_policy "common" "4" "3600"
|
|
|
|
set_server "ns1" "10.53.0.1"
|
|
|
|
# Only ZSKs
|
|
|
|
set_keyrole "KEY1" "zsk"
|
|
|
|
set_keylifetime "KEY1" "16070400"
|
|
|
|
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
|
|
|
set_keysigning "KEY1" "no"
|
|
|
|
set_zonesigning "KEY1" "yes"
|
|
|
|
set_keystate "KEY1" "GOAL" "omnipresent"
|
|
|
|
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
|
|
|
|
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
|
|
|
|
|
|
|
|
set_keyrole "KEY2" "zsk"
|
|
|
|
set_keylifetime "KEY2" "16070400"
|
|
|
|
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
|
|
|
|
set_keysigning "KEY2" "no"
|
|
|
|
set_zonesigning "KEY2" "no"
|
|
|
|
set_keystate "KEY2" "GOAL" "hidden"
|
|
|
|
set_keystate "KEY2" "STATE_DNSKEY" "hidden"
|
|
|
|
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
|
|
|
|
|
|
|
|
set_keyrole "KEY3" "zsk"
|
|
|
|
set_keylifetime "KEY3" "16070400"
|
|
|
|
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
|
|
|
|
set_keysigning "KEY3" "no"
|
|
|
|
set_zonesigning "KEY3" "no"
|
|
|
|
set_keystate "KEY3" "GOAL" "hidden"
|
|
|
|
set_keystate "KEY3" "STATE_DNSKEY" "hidden"
|
|
|
|
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
|
|
|
|
|
|
|
|
set_keyrole "KEY4" "zsk"
|
|
|
|
set_keylifetime "KEY4" "16070400"
|
|
|
|
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
|
|
|
|
set_keysigning "KEY4" "no"
|
|
|
|
set_zonesigning "KEY4" "no"
|
|
|
|
set_keystate "KEY4" "GOAL" "hidden"
|
|
|
|
set_keystate "KEY4" "STATE_DNSKEY" "hidden"
|
|
|
|
set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
|
|
|
|
|
|
|
|
MAXDEPTH=1
|
|
|
|
check_keys
|
|
|
|
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
|
|
|
check_subdomain
|
|
|
|
dnssec_verify
|
|
|
|
|
|
|
|
# For checking the apex, we need to store the expected KSK metadata.
|
|
|
|
key_clear "KEY2"
|
|
|
|
key_clear "KEY3"
|
|
|
|
key_clear "KEY4"
|
|
|
|
|
|
|
|
set_policy "common" "1" "3600"
|
|
|
|
set_server "ns1/offline" "10.53.0.1"
|
|
|
|
set_keyrole "KEY2" "ksk"
|
|
|
|
set_keylifetime "KEY2" "0"
|
|
|
|
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
|
|
|
|
set_keysigning "KEY2" "yes"
|
|
|
|
set_zonesigning "KEY2" "no"
|
|
|
|
check_keys "keep"
|
|
|
|
|
|
|
|
DIR="ns1"
|
|
|
|
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
|
|
|
|
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
|
|
|
|
set_keystate "KEY2" "STATE_DS" "omnipresent"
|
|
|
|
check_apex
|
|
|
|
|
|
|
|
# Check that key id's match expected keys
|
|
|
|
n=$((n + 1))
|
|
|
|
zsk1=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
|
|
|
|
key1=$(key_get "KEY1" BASEFILE)
|
|
|
|
echo_i "check that published zsk $zsk1 matches first key $key1 in bundle ($n)"
|
|
|
|
ret=0
|
|
|
|
[ "ns1/$zsk1" = "$key1" ] || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
|
|
|
|
n=$((n + 1))
|
|
|
|
ksk=$(cat common.test.ksk1.id)
|
|
|
|
key2=$(key_get "KEY2" BASEFILE)
|
|
|
|
echo_i "check that published ksk $ksk matches ksk $key2 ($n)"
|
|
|
|
ret=0
|
|
|
|
[ "ns1/offline/$ksk" = "$key2" ] || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
|
|
|
|
# Key generation: last-bundle
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "generate keys for testing an SKR that is in the last bundle ($n)"
|
|
|
|
ret=0
|
|
|
|
ksr common -K ns1 -i -1y -e +1d keygen last-bundle.test >ksr.keygen.out.$n 2>&1 || ret=1
|
|
|
|
num=$(cat ksr.keygen.out.$n | wc -l)
|
|
|
|
[ $num -eq 2 ] || ret=1
|
|
|
|
set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400
|
|
|
|
ksr_check_keys last-bundle.test ns1 -31536000 || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
# Create request: last-bundle
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "create ksr for last bundle test ($n)"
|
|
|
|
ret=0
|
|
|
|
ksr common -K ns1 -i -1y -e +1d request last-bundle.test >ksr.request.out.$n 2>&1 || ret=1
|
|
|
|
cp ksr.request.out.$n last-bundle.test.ksr
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
# Sign request: last-bundle
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "create skr for last bundle test ($n)"
|
|
|
|
ret=0
|
|
|
|
ksr common -i -1y -e +1d -K ns1/offline -f last-bundle.test.ksr sign last-bundle.test >ksr.sign.out.$n 2>&1 || ret=1
|
|
|
|
cp ksr.sign.out.$n ns1/last-bundle.test.skr
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
# Add zone: last-bundle
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "add zone 'last-bundle.test' ($n)"
|
|
|
|
ret=0
|
|
|
|
$RNDCCMD 10.53.0.1 addzone 'last-bundle.test { type primary; file "last-bundle.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
# Import skr: last-bundle
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "import ksr to zone 'last-bundle.test' ($n)"
|
|
|
|
ret=0
|
|
|
|
sleep 2
|
|
|
|
$RNDCCMD 10.53.0.1 skr -import last-bundle.test.skr last-bundle.test 2>&1 | sed 's/^/I:ns1 /' || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
|
|
|
|
# Test that last-bundle.test is signed and uses the right DNSKEY and RRSIG records.
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "test zone 'last-bundle.test' is correctly signed ($n)"
|
|
|
|
ret=0
|
|
|
|
|
|
|
|
set_zone "last-bundle.test"
|
|
|
|
set_policy "common" "2" "3600"
|
|
|
|
set_server "ns1" "10.53.0.1"
|
|
|
|
# Only ZSKs
|
|
|
|
key_clear "KEY1"
|
|
|
|
set_keyrole "KEY1" "zsk"
|
|
|
|
set_keylifetime "KEY1" "16070400"
|
|
|
|
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
|
|
|
set_keysigning "KEY1" "no"
|
|
|
|
set_zonesigning "KEY1" "yes"
|
|
|
|
set_keystate "KEY1" "GOAL" "omnipresent"
|
|
|
|
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
|
|
|
|
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
|
|
|
|
|
|
|
|
key_clear "KEY2"
|
|
|
|
set_keyrole "KEY2" "zsk"
|
|
|
|
set_keylifetime "KEY2" "16070400"
|
|
|
|
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
|
|
|
|
set_keysigning "KEY2" "no"
|
|
|
|
set_zonesigning "KEY2" "no"
|
|
|
|
set_keystate "KEY2" "GOAL" "hidden"
|
|
|
|
set_keystate "KEY2" "STATE_DNSKEY" "hidden"
|
|
|
|
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
|
|
|
|
|
|
|
|
MAXDEPTH=1
|
|
|
|
check_keys
|
|
|
|
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
|
|
|
check_subdomain
|
|
|
|
dnssec_verify
|
|
|
|
|
|
|
|
# For checking the apex, we need to store the expected KSK metadata.
|
|
|
|
key_clear "KEY2"
|
|
|
|
key_clear "KEY3"
|
|
|
|
key_clear "KEY4"
|
|
|
|
|
|
|
|
set_policy "common" "1" "3600"
|
|
|
|
set_server "ns1/offline" "10.53.0.1"
|
|
|
|
set_keyrole "KEY2" "ksk"
|
|
|
|
set_keylifetime "KEY2" "0"
|
|
|
|
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
|
|
|
|
set_keysigning "KEY2" "yes"
|
|
|
|
set_zonesigning "KEY2" "no"
|
|
|
|
check_keys "keep"
|
|
|
|
|
|
|
|
DIR="ns1"
|
|
|
|
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
|
|
|
|
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
|
|
|
|
set_keystate "KEY2" "STATE_DS" "omnipresent"
|
|
|
|
check_apex
|
|
|
|
|
|
|
|
# Check that key id's match expected keys
|
|
|
|
n=$((n + 1))
|
|
|
|
zsk2=$(cat last-bundle.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id)
|
|
|
|
key1=$(key_get "KEY1" BASEFILE)
|
|
|
|
echo_i "check that published zsk $zsk2 matches first key $key1 in bundle ($n)"
|
|
|
|
ret=0
|
|
|
|
[ "ns1/$zsk2" = "$key1" ] || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
|
|
|
|
n=$((n + 1))
|
|
|
|
ksk=$(cat last-bundle.test.ksk1.id)
|
|
|
|
key2=$(key_get "KEY2" BASEFILE)
|
|
|
|
echo_i "check that published ksk $ksk matches ksk $key2 ($n)"
|
|
|
|
ret=0
|
|
|
|
[ "ns1/offline/$ksk" = "$key2" ] || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "check that last bundle warning is logged ($n)"
|
|
|
|
wait_for_log 3 "zone last-bundle.test/IN (signed): zone_rekey: last bundle in skr, please import new skr file" ns1/named.run || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
|
|
|
|
# Key generation: in-the-middle
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "generate keys for testing an SKR that is in the middle ($n)"
|
|
|
|
ret=0
|
|
|
|
ksr common -K ns1 -i -1y -e +1y keygen in-the-middle.test >ksr.keygen.out.$n 2>&1 || ret=1
|
|
|
|
num=$(cat ksr.keygen.out.$n | wc -l)
|
|
|
|
[ $num -eq 4 ] || ret=1
|
|
|
|
set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400
|
|
|
|
ksr_check_keys in-the-middle.test ns1 -31536000 || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
# Create request: in-the-middle
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "create ksr for in the middle test ($n)"
|
|
|
|
ret=0
|
|
|
|
ksr common -K ns1 -i -1y -e +1y request in-the-middle.test >ksr.request.out.$n 2>&1 || ret=1
|
|
|
|
cp ksr.request.out.$n in-the-middle.test.ksr
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
# Sign request: in-the-middle
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "create skr for in the middle test ($n)"
|
|
|
|
ret=0
|
|
|
|
ksr common -i -1y -e +1y -K ns1/offline -f in-the-middle.test.ksr sign in-the-middle.test >ksr.sign.out.$n 2>&1 || ret=1
|
|
|
|
cp ksr.sign.out.$n ns1/in-the-middle.test.skr
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
# Add zone: in-the-middle
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "add zone 'in-the-middle.test' ($n)"
|
|
|
|
ret=0
|
|
|
|
$RNDCCMD 10.53.0.1 addzone 'in-the-middle.test { type primary; file "in-the-middle.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
# Import skr: in-the-middle
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "import ksr to zone 'in-the-middle.test' ($n)"
|
|
|
|
ret=0
|
|
|
|
sleep 2
|
|
|
|
$RNDCCMD 10.53.0.1 skr -import in-the-middle.test.skr in-the-middle.test 2>&1 | sed 's/^/I:ns1 /' || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
|
|
|
|
# Test that in-the-middle.test is signed and uses the right DNSKEY and RRSIG records.
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "test zone 'in-the-middle.test' is correctly signed ($n)"
|
|
|
|
ret=0
|
|
|
|
|
|
|
|
set_zone "in-the-middle.test"
|
|
|
|
set_policy "common" "4" "3600"
|
|
|
|
set_server "ns1" "10.53.0.1"
|
|
|
|
# Only ZSKs
|
|
|
|
key_clear "KEY1"
|
|
|
|
set_keyrole "KEY1" "zsk"
|
|
|
|
set_keylifetime "KEY1" "16070400"
|
|
|
|
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
|
|
|
set_keysigning "KEY1" "no"
|
|
|
|
set_zonesigning "KEY1" "yes"
|
|
|
|
set_keystate "KEY1" "GOAL" "omnipresent"
|
|
|
|
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
|
|
|
|
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
|
|
|
|
|
|
|
|
key_clear "KEY2"
|
|
|
|
set_keyrole "KEY2" "zsk"
|
|
|
|
set_keylifetime "KEY2" "16070400"
|
|
|
|
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
|
|
|
|
set_keysigning "KEY2" "no"
|
|
|
|
set_zonesigning "KEY2" "no"
|
|
|
|
set_keystate "KEY2" "GOAL" "hidden"
|
|
|
|
set_keystate "KEY2" "STATE_DNSKEY" "hidden"
|
|
|
|
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
|
|
|
|
|
|
|
|
key_clear "KEY3"
|
|
|
|
set_keyrole "KEY3" "zsk"
|
|
|
|
set_keylifetime "KEY3" "16070400"
|
|
|
|
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
|
|
|
|
set_keysigning "KEY3" "no"
|
|
|
|
set_zonesigning "KEY3" "no"
|
|
|
|
set_keystate "KEY3" "GOAL" "hidden"
|
|
|
|
set_keystate "KEY3" "STATE_DNSKEY" "hidden"
|
|
|
|
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
|
|
|
|
|
|
|
|
key_clear "KEY4"
|
|
|
|
set_keyrole "KEY4" "zsk"
|
|
|
|
set_keylifetime "KEY4" "16070400"
|
|
|
|
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
|
|
|
|
set_keysigning "KEY4" "no"
|
|
|
|
set_zonesigning "KEY4" "no"
|
|
|
|
set_keystate "KEY4" "GOAL" "hidden"
|
|
|
|
set_keystate "KEY4" "STATE_DNSKEY" "hidden"
|
|
|
|
set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
|
|
|
|
|
|
|
|
MAXDEPTH=1
|
|
|
|
check_keys
|
|
|
|
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
|
|
|
check_subdomain
|
|
|
|
dnssec_verify
|
|
|
|
|
|
|
|
# For checking the apex, we need to store the expected KSK metadata.
|
|
|
|
key_clear "KEY2"
|
|
|
|
key_clear "KEY3"
|
|
|
|
key_clear "KEY4"
|
|
|
|
|
|
|
|
set_policy "common" "1" "3600"
|
|
|
|
set_server "ns1/offline" "10.53.0.1"
|
|
|
|
set_keyrole "KEY2" "ksk"
|
|
|
|
set_keylifetime "KEY2" "0"
|
|
|
|
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
|
|
|
|
set_keysigning "KEY2" "yes"
|
|
|
|
set_zonesigning "KEY2" "no"
|
|
|
|
check_keys "keep"
|
|
|
|
|
|
|
|
DIR="ns1"
|
|
|
|
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
|
|
|
|
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
|
|
|
|
set_keystate "KEY2" "STATE_DS" "omnipresent"
|
|
|
|
check_apex
|
|
|
|
|
|
|
|
# Check that key id's match expected keys
|
|
|
|
n=$((n + 1))
|
|
|
|
zsk2=$(cat in-the-middle.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id)
|
|
|
|
key1=$(key_get "KEY1" BASEFILE)
|
|
|
|
echo_i "check that published zsk $zsk2 matches first key $key1 in bundle ($n)"
|
|
|
|
ret=0
|
|
|
|
[ "ns1/$zsk2" = "$key1" ] || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
|
|
|
|
n=$((n + 1))
|
|
|
|
ksk=$(cat in-the-middle.test.ksk1.id)
|
|
|
|
key2=$(key_get "KEY2" BASEFILE)
|
|
|
|
echo_i "check that published ksk $ksk matches ksk $key2 ($n)"
|
|
|
|
ret=0
|
|
|
|
[ "ns1/offline/$ksk" = "$key2" ] || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "check that no last bundle warning is logged ($n)"
|
|
|
|
grep "zone $zone/IN (signed): zone_rekey failure: no available SKR bundle" ns1/named.run && ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
|
|
|
|
# Test error conditions
|
|
|
|
check_rekey_logs_error() {
|
|
|
|
zone=$1
|
|
|
|
inc=$2
|
|
|
|
exp=$3
|
|
|
|
offset=$4
|
|
|
|
|
|
|
|
# Key generation
|
|
|
|
ksr common -K ns1 -i $inc -e $exp keygen $zone >ksr.keygen.out.$n 2>&1 || return 1
|
|
|
|
num=$(cat ksr.keygen.out.$n | wc -l)
|
|
|
|
[ $num -eq 2 ] || return 1
|
|
|
|
set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400
|
|
|
|
ksr_check_keys $zone ns1 $offset || return 1
|
|
|
|
# Create request
|
|
|
|
ksr common -K ns1 -i $inc -e $exp request $zone >ksr.request.out.$n 2>&1 || return 1
|
|
|
|
cp ksr.request.out.$n $zone.ksr
|
|
|
|
# Sign request
|
|
|
|
ksr common -K ns1/offline -i $inc -e $exp -f $zone.ksr sign $zone >ksr.sign.out.$n 2>&1 || return 1
|
|
|
|
cp ksr.sign.out.$n ns1/$zone.skr
|
|
|
|
# Import skr
|
|
|
|
$RNDCCMD 10.53.0.1 skr -import $zone.skr $zone 2>&1 | sed 's/^/I:ns1 /' || return 1
|
|
|
|
# Test that rekey logs error
|
|
|
|
wait_for_log 3 "zone $zone/IN (signed): zone_rekey failure: no available SKR bundle" ns1/named.run || return 1
|
|
|
|
}
|
|
|
|
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "check that an SKR that is too old logs error ($n)"
|
|
|
|
$RNDCCMD 10.53.0.1 addzone 'past.test { type primary; file "past.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1
|
|
|
|
check_rekey_logs_error "past.test" -2y -1y -63072000 || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "check that an SKR that is too new logs error ($n)"
|
|
|
|
$RNDCCMD 10.53.0.1 addzone 'future.test { type primary; file "future.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1
|
|
|
|
check_rekey_logs_error "future.test" +1mo +1y 2592000 || ret=1
|
2024-02-22 15:18:30 +01:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2024-02-22 15:18:30 +01:00
|
|
|
|
2023-08-15 11:56:06 +02:00
|
|
|
# Key generation: csk
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-15 11:56:06 +02:00
|
|
|
echo_i "check that 'dnssec-ksr keygen' creates no keys for policy with csk ($n)"
|
|
|
|
ret=0
|
2024-02-26 16:29:59 +01:00
|
|
|
ksr csk -e +2y keygen csk.test >ksr.keygen.out.$n 2>&1 && ret=1
|
|
|
|
grep "dnssec-ksr: fatal: policy 'csk' has no zsks" ksr.keygen.out.$n >/dev/null || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-15 11:56:06 +02:00
|
|
|
|
|
|
|
# Key generation: unlimited
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-15 11:56:06 +02:00
|
|
|
echo_i "check that 'dnssec-ksr keygen' creates only one key for zsk with unlimited lifetime ($n)"
|
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr unlimited -K ns1 -e +2y keygen unlimited.test >ksr.keygen.out.$n 2>&1 || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
num=$(cat ksr.keygen.out.$n | wc -l)
|
2023-08-09 14:04:54 +02:00
|
|
|
[ $num -eq 1 ] || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
key=$(cat ksr.keygen.out.$n)
|
2024-05-07 11:51:55 +02:00
|
|
|
grep "; Created:" "ns1/${key}.key" >created.out || ret=1
|
2024-02-26 16:29:59 +01:00
|
|
|
created=$(awk '{print $3}' <created.out)
|
2023-08-09 14:04:54 +02:00
|
|
|
active=$created
|
|
|
|
published=$(addtime $active -7500)
|
|
|
|
echo_i "check metadata on $key"
|
2024-05-07 11:51:55 +02:00
|
|
|
grep "Algorithm: $DEFAULT_ALGORITHM_NUMBER" ns1/${key}.state >/dev/null || ret=1
|
|
|
|
grep "Length: $DEFAULT_BITS" ns1/${key}.state >/dev/null || ret=1
|
|
|
|
grep "Lifetime: 0" ns1/${key}.state >/dev/null || ret=1
|
|
|
|
grep "KSK: no" ns1/${key}.state >/dev/null || ret=1
|
|
|
|
grep "ZSK: yes" ns1/${key}.state >/dev/null || ret=1
|
|
|
|
grep "Published: $published" ns1/${key}.state >/dev/null || ret=1
|
|
|
|
grep "Active: $active" ns1/${key}.state >/dev/null || ret=1
|
|
|
|
grep "Retired:" ns1/${key}.state >/dev/null && ret=1
|
|
|
|
grep "Removed:" ns1/${key}.state >/dev/null && ret=1
|
|
|
|
cat ns1/${key}.key | grep -v ";.*" >unlimited.test.$DEFAULT_ALGORITHM_NUMBER.zsk1
|
2024-02-26 16:29:59 +01:00
|
|
|
echo $key >"unlimited.test.${DEFAULT_ALGORITHM_NUMBER}.zsk1.id"
|
2023-08-09 14:04:54 +02:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-09 14:04:54 +02:00
|
|
|
|
2023-08-15 11:56:06 +02:00
|
|
|
# Create request: unlimited
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-15 11:56:06 +02:00
|
|
|
echo_i "check that 'dnssec-ksr request' creates correct KSR with unlimited zsk ($n)"
|
2023-08-09 14:04:54 +02:00
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr unlimited -K ns1 -i $created -e +4y request unlimited.test >ksr.request.out.$n 2>&1 || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
# Only one bundle: KSK + ZSK
|
2024-05-07 11:51:55 +02:00
|
|
|
inception=$(cat ns1/$key.state | grep "Generated" | cut -d' ' -f 2-)
|
2024-02-26 16:29:59 +01:00
|
|
|
echo ";; KeySigningRequest 1.0 $inception" >ksr.request.expect.$n
|
|
|
|
cat unlimited.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n
|
2023-12-21 11:16:40 +01:00
|
|
|
# Footer
|
2024-04-25 15:48:49 +02:00
|
|
|
grep ";; KeySigningRequest 1.0 generated at" ksr.request.out.$n >footer.$n || ret=1
|
2024-02-26 16:29:59 +01:00
|
|
|
cat footer.$n >>ksr.request.expect.$n
|
|
|
|
diff -w ksr.request.out.$n ksr.request.expect.$n >/dev/null || ret=1
|
2024-02-22 15:18:30 +01:00
|
|
|
# Save request for ksr sign operation.
|
|
|
|
cp ksr.request.expect.$n ksr.request.expect
|
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2024-02-22 15:18:30 +01:00
|
|
|
|
|
|
|
# Sign request: unlimited
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2024-02-22 15:18:30 +01:00
|
|
|
echo_i "check that 'dnssec-ksr sign' creates correct SKR with unlimited zsk ($n)"
|
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr unlimited -K ns1 -i $created -e +4y -K ns1/offline -f ksr.request.expect sign unlimited.test >ksr.sign.out.$n 2>&1 || ret=1
|
|
|
|
start=$(cat ns1/$key.state | grep "Generated" | awk '{print $2}')
|
2024-02-22 15:18:30 +01:00
|
|
|
end=$(addtime $start 126144000) # four years
|
2024-05-07 11:51:55 +02:00
|
|
|
check_skr "unlimited.test" "ns1/offline" "ksr.sign.out.$n" $start $end 1 || ret=1
|
2023-08-09 14:04:54 +02:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-09 14:04:54 +02:00
|
|
|
|
2024-03-04 11:36:16 +01:00
|
|
|
# Sign request: unlimited (no-cdnskey)
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "check that 'dnssec-ksr sign' creates correct SKR with unlimited zsk, no cdnskey ($n)"
|
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr no-cdnskey -K ns1 -i $created -e +4y -K ns1/offline -f ksr.request.expect sign unlimited.test >ksr.sign.out.$n 2>&1 || ret=1
|
|
|
|
start=$(cat ns1/$key.state | grep "Generated" | awk '{print $2}')
|
2024-03-04 11:36:16 +01:00
|
|
|
end=$(addtime $start 126144000) # four years
|
|
|
|
CDNSKEY="no"
|
|
|
|
CDS_SHA1="yes"
|
|
|
|
CDS_SHA256="yes"
|
|
|
|
CDS_SHA384="yes"
|
2024-05-07 11:51:55 +02:00
|
|
|
check_skr "unlimited.test" "ns1/offline" "ksr.sign.out.$n" $start $end 1 || ret=1
|
2024-03-04 11:36:16 +01:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
|
|
|
|
# Sign request: unlimited (no-cds)
|
|
|
|
n=$((n + 1))
|
|
|
|
echo_i "check that 'dnssec-ksr sign' creates correct SKR with unlimited zsk, no cds ($n)"
|
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr no-cds -K ns1 -i $created -e +4y -K ns1/offline -f ksr.request.expect sign unlimited.test >ksr.sign.out.$n 2>&1 || ret=1
|
|
|
|
start=$(cat ns1/$key.state | grep "Generated" | awk '{print $2}')
|
2024-03-04 11:36:16 +01:00
|
|
|
end=$(addtime $start 126144000) # four years
|
|
|
|
CDNSKEY="yes"
|
|
|
|
CDS_SHA1="no"
|
|
|
|
CDS_SHA256="no"
|
|
|
|
CDS_SHA384="no"
|
2024-05-07 11:51:55 +02:00
|
|
|
check_skr "unlimited.test" "ns1/offline" "ksr.sign.out.$n" $start $end 1 || ret=1
|
2024-03-04 11:36:16 +01:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
|
|
status=$((status + ret))
|
|
|
|
|
|
|
|
# Reset CDS and CDNSKEY to default values
|
|
|
|
CDNSKEY="yes"
|
|
|
|
CDS_SHA1="no"
|
|
|
|
CDS_SHA256="yes"
|
|
|
|
CDS_SHA384="no"
|
|
|
|
|
2023-08-15 11:56:06 +02:00
|
|
|
# Key generation: two-tone
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-15 11:56:06 +02:00
|
|
|
echo_i "check that 'dnssec-ksr keygen' creates keys for different algorithms ($n)"
|
2023-08-09 14:04:54 +02:00
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr two-tone -K ns1 -e +1y keygen two-tone.test >ksr.keygen.out.$n 2>&1 || ret=1
|
2023-08-09 14:04:54 +02:00
|
|
|
# First algorithm keys have a lifetime of 3 months, so there should be 4 created keys.
|
|
|
|
alg=$(printf "%03d" "$DEFAULT_ALGORITHM_NUMBER")
|
2023-08-15 11:56:06 +02:00
|
|
|
num=$(grep "Ktwo-tone.test.+$alg+" ksr.keygen.out.$n | wc -l)
|
2023-08-09 14:04:54 +02:00
|
|
|
[ $num -eq 4 ] || ret=1
|
|
|
|
set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 8035200
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr_check_keys two-tone.test ns1 0 || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
cp ksr.keygen.out.$n ksr.keygen.out.expect.$DEFAULT_ALGORITHM_NUMBER
|
2023-08-09 14:04:54 +02:00
|
|
|
# Second algorithm keys have a lifetime of 5 months, so there should be 3 created keys.
|
|
|
|
# While only two time bundles of 5 months fit into one year, we need to create an
|
|
|
|
# extra key for the remainder of the bundle.
|
|
|
|
alg=$(printf "%03d" "$ALTERNATIVE_ALGORITHM_NUMBER")
|
2023-08-15 11:56:06 +02:00
|
|
|
num=$(grep "Ktwo-tone.test.+$alg+" ksr.keygen.out.$n | wc -l)
|
2023-08-09 14:04:54 +02:00
|
|
|
[ $num -eq 3 ] || ret=1
|
|
|
|
set_zsk $ALTERNATIVE_ALGORITHM_NUMBER $ALTERNATIVE_BITS 13392000
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr_check_keys two-tone.test ns1 0 || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
cp ksr.keygen.out.$n ksr.keygen.out.expect.$ALTERNATIVE_ALGORITHM_NUMBER
|
2023-08-09 14:04:54 +02:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-09 14:04:54 +02:00
|
|
|
|
2023-08-15 11:56:06 +02:00
|
|
|
# Create request: two-tone
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2023-08-15 11:56:06 +02:00
|
|
|
echo_i "check that 'dnssec-ksr request' creates correct KSR with multiple algorithms ($n)"
|
|
|
|
ret=0
|
|
|
|
key=$(cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
|
2024-05-07 11:51:55 +02:00
|
|
|
grep "; Created:" "ns1/${key}.key" >created.out || ret=1
|
2024-02-26 16:29:59 +01:00
|
|
|
created=$(awk '{print $3}' <created.out)
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr two-tone -K ns1 -i $created -e +6mo request two-tone.test >ksr.request.out.$n 2>&1 || ret=1
|
2023-08-15 11:56:06 +02:00
|
|
|
# The two-tone policy uses two sets of KSK/ZSK with different algorithms. One
|
|
|
|
# set uses the default algorithm (denoted as A below), the other is using the
|
|
|
|
# alternative algorithm (denoted as B). The A-ZSKs roll every three months,
|
|
|
|
# so in the second bundle there should be a new DNSKEY prepublished, and the
|
|
|
|
# predecessor is removed in the third bundle. Then, after five months the
|
|
|
|
# ZSK for the B set is rolled, adding the successor in bundle 4 and removing
|
|
|
|
# its predecessor in bundle 5.
|
|
|
|
#
|
|
|
|
# Bundle 1: KSK-A1, KSK-B1, ZSK-A1, ZSK-B1
|
|
|
|
key=$(cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
|
2024-05-07 11:51:55 +02:00
|
|
|
inception=$(cat ns1/$key.state | grep "Generated" | cut -d' ' -f 2-)
|
2024-02-26 16:29:59 +01:00
|
|
|
echo ";; KeySigningRequest 1.0 $inception" >ksr.request.expect.$n
|
|
|
|
cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n
|
|
|
|
cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n
|
2023-08-15 11:56:06 +02:00
|
|
|
# Bundle 2: KSK-A1, KSK-B1, ZSK-A1 + ZSK-A2, ZSK-B1
|
|
|
|
key=$(cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id)
|
2024-05-07 11:51:55 +02:00
|
|
|
inception=$(cat ns1/$key.state | grep "Published" | cut -d' ' -f 2-)
|
2024-02-26 16:29:59 +01:00
|
|
|
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
|
|
|
|
print_dnskeys two-tone.test 1 2 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect.$DEFAULT_ALGORITHM_NUMBER >>ksr.request.expect.$n
|
|
|
|
cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n
|
2023-08-15 11:56:06 +02:00
|
|
|
# Bundle 3: KSK-A1, KSK-B1, ZSK-A2, ZSK-B1
|
|
|
|
key=$(cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
|
2024-05-07 11:51:55 +02:00
|
|
|
inception=$(cat ns1/$key.state | grep "Removed" | cut -d' ' -f 2-)
|
2024-02-26 16:29:59 +01:00
|
|
|
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
|
|
|
|
cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >>ksr.request.expect.$n
|
|
|
|
cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n
|
2023-08-15 11:56:06 +02:00
|
|
|
# Bundle 4: KSK-A1, KSK-B1, ZSK-A2, ZSK-B1 + ZSK-B2
|
|
|
|
key=$(cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk2.id)
|
2024-05-07 11:51:55 +02:00
|
|
|
inception=$(cat ns1/$key.state | grep "Published" | cut -d' ' -f 2-)
|
2024-02-26 16:29:59 +01:00
|
|
|
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
|
|
|
|
cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >>ksr.request.expect.$n
|
|
|
|
print_dnskeys two-tone.test 1 2 $ALTERNATIVE_ALGORITHM_NUMBER ksr.keygen.out.expect.$ALTERNATIVE_ALGORITHM_NUMBER >>ksr.request.expect.$n
|
2023-08-15 11:56:06 +02:00
|
|
|
# Bundle 5: KSK-A1, KSK-B1, ZSK-A2, ZSK-B2
|
|
|
|
key=$(cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1.id)
|
2024-05-07 11:51:55 +02:00
|
|
|
inception=$(cat ns1/$key.state | grep "Removed" | cut -d' ' -f 2-)
|
2024-02-26 16:29:59 +01:00
|
|
|
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
|
|
|
|
cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >>ksr.request.expect.$n
|
|
|
|
cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk2 >>ksr.request.expect.$n
|
2023-12-21 11:16:40 +01:00
|
|
|
# Footer
|
2024-04-25 15:48:49 +02:00
|
|
|
grep ";; KeySigningRequest 1.0 generated at" ksr.request.out.$n >footer.$n || ret=1
|
2024-02-26 16:29:59 +01:00
|
|
|
cat footer.$n >>ksr.request.expect.$n
|
2023-08-15 11:56:06 +02:00
|
|
|
# Check the KSR request against the expected request.
|
2024-02-26 16:29:59 +01:00
|
|
|
diff -w ksr.request.out.$n ksr.request.expect.$n >/dev/null || ret=1
|
2024-02-22 15:18:30 +01:00
|
|
|
# Save request for ksr sign operation.
|
|
|
|
cp ksr.request.expect.$n ksr.request.expect
|
2023-08-15 11:56:06 +02:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-15 11:56:06 +02:00
|
|
|
|
2024-03-01 14:51:11 +01:00
|
|
|
num_occurrences() {
|
|
|
|
count="$1"
|
|
|
|
file="$2"
|
|
|
|
line="$3"
|
|
|
|
exclude="$4"
|
|
|
|
|
|
|
|
if [ -z "$exclude" ]; then
|
|
|
|
lines=$(cat "$file" | while read line; do echo $line; done | grep "$line" | wc -l)
|
|
|
|
echo_i "$lines occurrences: $1 $2 $3"
|
|
|
|
else
|
|
|
|
lines=$(cat "$file" | while read line; do echo $line; done | grep -v "$exclude" | grep "$line" | wc -l)
|
|
|
|
echo_i "$lines occurrences: $1 $2 $3 (exclude $4)"
|
|
|
|
fi
|
|
|
|
|
|
|
|
test "$lines" -eq "$count" || return 1
|
|
|
|
}
|
|
|
|
|
2024-02-22 15:18:30 +01:00
|
|
|
# Sign request: two-tone
|
2024-02-26 16:29:59 +01:00
|
|
|
n=$((n + 1))
|
2024-02-22 15:18:30 +01:00
|
|
|
echo_i "check that 'dnssec-ksr sign' creates correct SKR with multiple algorithms ($n)"
|
|
|
|
ret=0
|
2024-05-07 11:51:55 +02:00
|
|
|
ksr two-tone -i $created -e +6mo -K ns1/offline -f ksr.request.expect sign two-tone.test >ksr.sign.out.$n 2>&1 || ret=1
|
2024-03-01 14:51:11 +01:00
|
|
|
test "$ret" -eq 0 || echo_i "failed"
|
2024-02-22 15:18:30 +01:00
|
|
|
# Weak testing:
|
|
|
|
zone="two-tone.test"
|
|
|
|
# expect 24 headers (including the footer)
|
2024-03-01 14:51:11 +01:00
|
|
|
num_occurrences 24 ksr.sign.out.$n ";; SignedKeyResponse 1.0" || ret=1
|
|
|
|
# expect 23 KSKs and its signatures (for each header one)
|
|
|
|
num_occurrences 23 ksr.sign.out.$n "DNSKEY 257 3 8" "CDNSKEY" || ret=1 # exclude CDNSKEY lines
|
|
|
|
test "$ret" -eq 0 || echo_i "2 failed"
|
|
|
|
num_occurrences 23 ksr.sign.out.$n "DNSKEY 257 3 13" "CDNSKEY" || ret=1 # exclude CDNSKEY lines
|
|
|
|
test "$ret" -eq 0 || echo_i "3 failed"
|
|
|
|
num_occurrences 23 ksr.sign.out.$n "RRSIG DNSKEY 8" "CDNSKEY" || ret=1 # exclude CDNSKEY lines
|
|
|
|
test "$ret" -eq 0 || echo_i "4 failed"
|
|
|
|
num_occurrences 23 ksr.sign.out.$n "RRSIG DNSKEY 13" "CDNSKEY" || ret=1 # exclude CDNSKEY lines
|
|
|
|
test "$ret" -eq 0 || echo_i "5 failed"
|
|
|
|
# ... 23 CDNSKEY records and its signatures
|
|
|
|
num_occurrences 23 ksr.sign.out.$n "CDNSKEY 257 3 8" || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "6 failed"
|
|
|
|
num_occurrences 23 ksr.sign.out.$n "CDNSKEY 257 3 13" || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "7 failed"
|
|
|
|
num_occurrences 23 ksr.sign.out.$n "RRSIG CDNSKEY 8" || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "8 failed"
|
|
|
|
num_occurrences 23 ksr.sign.out.$n "RRSIG CDNSKEY 13" || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "9 failed"
|
|
|
|
# ... 23 CDS records and its signatures
|
|
|
|
num_occurrences 23 ksr.sign.out.$n "CDS 8 2" || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "10 failed"
|
|
|
|
num_occurrences 23 ksr.sign.out.$n "CDS 13 2" || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "11 failed"
|
|
|
|
num_occurrences 23 ksr.sign.out.$n "RRSIG CDS 8" || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "12 failed"
|
|
|
|
num_occurrences 23 ksr.sign.out.$n "RRSIG CDS 13" || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "13 failed"
|
2024-02-22 15:18:30 +01:00
|
|
|
# expect 25 ZSK (two more for double keys during the rollover)
|
2024-03-01 14:51:11 +01:00
|
|
|
num_occurrences 25 ksr.sign.out.$n "DNSKEY 256 3 8" || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "14 failed"
|
|
|
|
num_occurrences 25 ksr.sign.out.$n "DNSKEY 256 3 13" || ret=1
|
|
|
|
test "$ret" -eq 0 || echo_i "15 failed"
|
2024-02-26 16:29:59 +01:00
|
|
|
status=$((status + ret))
|
2023-08-15 11:56:06 +02:00
|
|
|
|
2023-08-09 14:04:54 +02:00
|
|
|
echo_i "exit status: $status"
|
|
|
|
[ $status -eq 0 ] || exit 1
|