mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00
Code Issues Releases Wiki Activity

Check if the RRSIG jitter falls into mean+-2.5*stddev range

Browse Source
This commit is contained in:
Ondřej Surý 2019-11-07 14:54:24 +01:00
parent 25800c892f
commit 0480a95ddf
2 changed files with 43 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
bin/tests/system/autosign/ns3/keygen.sh
View File

@ -58,7 +58,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
setup jitter.nsec3.example setup jitter.nsec3.example
cp $infile $zonefile cp $infile $zonefile
count=1 count=1
while [ $count -le 100 ] while [ $count -le 1000 ]
do do
echo "label${count} IN TXT label${count}" >> $zonefile echo "label${count} IN TXT label${count}" >> $zonefile
count=`expr $count + 1` count=`expr $count + 1`
@ -166,7 +166,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
setup oldsigs.example setup oldsigs.example
cp $infile $zonefile cp $infile $zonefile
count=1 count=1
while [ $count -le 100 ] while [ $count -le 1000 ]
do do
echo "label${count} IN TXT label${count}" >> $zonefile echo "label${count} IN TXT label${count}" >> $zonefile
count=`expr $count + 1` count=`expr $count + 1`

55
bin/tests/system/autosign/tests.sh
View File

@ -50,6 +50,11 @@ checkprivate () {
return 1 return 1
} }
freq() {
_file=$1
# remove first and last line that has incomplete set and skews the distribution
awk '$4 == "RRSIG" {print substr($9,1,8)}' < "$_file" | sort | uniq -c | sed '1d;$d'
}
# Check the signatures expiration times. First check how many signatures # Check the signatures expiration times. First check how many signatures
# there are in total ($rrsigs). Then see what the distribution of signature # there are in total ($rrsigs). Then see what the distribution of signature
# expiration times is ($expiretimes). Ignore the time part for a better # expiration times is ($expiretimes). Ignore the time part for a better
@ -58,27 +63,49 @@ checkjitter () {
_file=$1 _file=$1
_ret=0 _ret=0
cat $_file | awk '$4 == "RRSIG" {print substr($9,1,8)}' | sort | uniq -c | cat_i if ! command -v bc >/dev/null 2>&1; then
_rrsigs=$(cat $_file | awk '$4 == "RRSIG" {print $4}' | cat_i | wc -l) echo_i "skip: bc not available"
_expiretimes=$(cat $_file | awk '$4 == "RRSIG" {print substr($9,1,8)}' | sort | uniq -c | awk '{print $1}') return 0
fi
freq "$_file" | cat_i
_expiretimes=$(freq "$_file" | awk '{print $1}')
_count=0 _count=0
# Check if we have at least 8 days
for _num in $_expiretimes
do
_count=$((_count+1))
done
if [ "$_count" -lt 8 ]; then
echo_i "error: not enough categories"
fi
# Calculate mean
_total=0 _total=0
for _num in $_expiretimes for _num in $_expiretimes
do do
_total=$(($_total + $_num)) _total=$((_total+_num))
done done
# Make sure the total number of numbers matches the number of RRSIGs. _mean=$(($_total / $_count))
test $_total -eq $_rrsigs || _ret=1
# Calculate mean: The number of signatures divided over 8 days. # Calculate stddev
_mean=$(($_total / 8)) _stddev=0
# We expect the number of signatures not to exceed twice the mean.
_limit=$(($_mean * 2))
# Add an additional margin.
_limit=$(($_limit + 10))
# Find outliers.
for _num in $_expiretimes for _num in $_expiretimes
do do
if [ $_num -gt $_limit ]; then _stddev=$(echo "$_stddev + (($_num - $_mean) * ($_num - $_mean))" | bc)
done
_stddev=$(echo "sqrt($_stddev/$_count)" | bc)
# We expect the number of signatures not to exceed the mean +- 2.5 * stddev.
_limit=$(((_stddev*25)/10))
_low=$((_mean-_limit))
_high=$((_mean+_limit))
# Find outliers.
echo_i "checking whether all frequencies falls into <$_low;$_high> interval"
for _num in $_expiretimes
do
if [ $_num -gt $_high ] || [ $_num -lt $_low ]; then
echo_i "error: too many RRSIG records ($_num) with the same expiration time" echo_i "error: too many RRSIG records ($_num) with the same expiration time"
_ret=1 _ret=1
fi fi