diff --git a/CHANGES b/CHANGES index 289fa89e84..2ff6d371de 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +4840. [test] Add tests to cover fallback to using ZSK on inactive + KSK. [RT #46787] + 4839. [bug] zone.c:zone_sign was not properly determining if there were active KSK and ZSK keys for a algorithm when update-check-ksk is true diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh index c29497fcbb..7ca0471d1c 100644 --- a/bin/tests/system/autosign/clean.sh +++ b/bin/tests/system/autosign/clean.sh @@ -28,6 +28,7 @@ rm -f ns2/private.secure.example.db ns2/bar.db rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf rm -f ns3/*.nzf rm -f ns3/autonsec3.example.db +rm -f ns3/inacksk2.example.db rm -f ns3/inaczsk2.example.db rm -f ns3/inaczsk3.example.db rm -f ns3/kg.out ns3/s.out ns3/st.out diff --git a/bin/tests/system/autosign/ns3/inacksk2.example.db.in b/bin/tests/system/autosign/ns3/inacksk2.example.db.in new file mode 100644 index 0000000000..8a7f25cee8 --- /dev/null +++ b/bin/tests/system/autosign/ns3/inacksk2.example.db.in @@ -0,0 +1,21 @@ +; Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a diff --git a/bin/tests/system/autosign/ns3/inacksk3.example.db b/bin/tests/system/autosign/ns3/inacksk3.example.db new file mode 100644 index 0000000000..0a048ec090 --- /dev/null +++ b/bin/tests/system/autosign/ns3/inacksk3.example.db 
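Review bot: clean.sh gains `rm -f ns3/inacksk2.example.db` but nothing for ns3/inacksk3.example.db, which this same commit adds as a tracked, already-signed zone file (serial 6, RRSIGs dated 2017-12) next to its .db.in source. The keygen.sh hunk runs `cp $infile $zonefile` for inacksk3.example and ns3/named.conf points the autosigned, update-enabled zone at that file, so every test run overwrites the tracked copy and leaves it modified in the working tree — assuming `setup` derives `$zonefile` from the zone name the way the neighbouring blocks do. The signed .db looks like a leftover from a local run; I would drop it from the commit, keep only inacksk3.example.db.in, and add `rm -f ns3/inacksk3.example.db` beside the new inacksk2 line.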
@@ -0,0 +1,143 @@ +$ORIGIN . +$TTL 300 ; 5 minutes +inacksk3.example IN SOA mname1. . ( + 6 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + RRSIG SOA 7 2 300 ( + 20180105040253 20171206030253 17570 inacksk3.example. + QptO/kcVg8pxOQNW11fUYTTXqzc8CjiXAVBSi1szdibP + xGY37+9F1NaQijAA/L1WOGuO446EXbCD4lVUqJyrP6PY + 08Uo8YKO/OMP6/m8WztEBzTVaYEyINgz+tF7HzBt0/I6 + Tn1Fh8uj4uKA3qhXGO7ssUmRcdi1fZB2h3hphUU= ) + NS ns.inacksk3.example. + RRSIG NS 7 2 300 ( + 20180105034827 20171206030233 17570 inacksk3.example. + bM2qP+npbdkpkFvf6r7Mnt36FePrVDtdepetnDLVBtfP + lSRCkg8XUWC2MzR0wCbVEeH111PlySZUVywNMXECfFFX + 1/mc6F+nEI1sPaXdU6vTrymJW+MENdn5KV/1Ve1+i38a + w6h5FeRUoNe9w3ItKmJmxeOKQ4mK7wA/bbcncwo= ) +$TTL 3600 ; 1 hour + NSEC a.inacksk3.example. NS SOA RRSIG NSEC DNSKEY TYPE65534 + RRSIG NSEC 7 2 3600 ( + 20180105034827 20171206030233 17570 inacksk3.example. + swiYw7bMGxEJJzu7KWFUTpMH7cCFdDTy+FVhVFrScjOG + OCObJzYQ7lhmXxuH8Eu161nE6mIKAXpjcehSj3h6litO + qow/8BErFwMnMjTbdZUFKZ9nW4TLBRji/bOgkfIppR0K + aUxWHMCtQiNquwgPC+rKwE40yQw1KlgDP5tt55Y= ) +$TTL 300 ; 5 minutes + DNSKEY 257 3 7 ( + AwEAAaG9OVHHQEw4I8QRRWXHDZG1eiAbPiPspACwXyxE + eVICN0UcY5l4jO09YfiUxdRN8RSSwVcW3aVT71saO30b + mrY4SOcERnNRPfU3F2J0riv9UISE4HDR5tvypQ+R6R/r + vIcmu178qUCCKroGvVb7iYJuphhdEMPFE6nyAbk5euhq + vE3O3Rb1niMoDJhuapi/oioDR1X4Cfkj27DSa4UoE8Hg + QfCRir20jx9RJ7IjDaXX9KhB8dJOAb0HM49PacRU3Ep5 + Vsvwc2+MSU/9n+KxvLSaOZuHmFknOEwftaMzble12VQj + D0BfUWOEQ7VPneija6Pnt3iM1z6V6J1b+nJ1SMc= + ) ; KSK; alg = NSEC3RSASHA1 ; key id = 7761 + DNSKEY 256 3 7 ( + AwEAAcRfrYZNp3gdpEG+DLouFLrih+lPp/fByO+IfUwx + yOsBVzrCaXk7wtI8Czt6RB/CVBj//DHnTQ60xP9sNIB3 + 9aaqaXfz+Qi/+65dVME8sE+IwphZI2tI1lJCN9rMYs+/ + zngHdbWqYGGl4kdmRWnYeEupmoGy9N5oavsZOXQ5aGyZ + ) ; ZSK; alg = NSEC3RSASHA1 ; key id = 17570 + RRSIG DNSKEY 7 2 300 ( + 20180105040253 20171206030253 17570 inacksk3.example. 
+ TjaNk52XyZJTtBT+7UizX6To6KVPQO4/q0fQ2f1YOY53 + XbWIqW1ZEu7dtM/E9MRh7lRBJxD1slKwzWgK9qrCHQUT + zdyaupE865KAO8CJKpEa5uyEoByI4K9smsmwt9JOqJrF + E/nqYmg/DIvxSWqvnZCQLy+pxR9Q04Cu0dvNW1o= ) +$TTL 0 ; 0 seconds + TYPE65534 \# 5 ( 071E510000 ) + TYPE65534 \# 5 ( 0744A20001 ) + RRSIG TYPE65534 7 2 0 ( + 20180105035556 20171206030253 17570 inacksk3.example. + Te0JxpcV+HTzJRfIxMDermiHxrezqRaHXuqPZC3OPpWV + uJVXZLcEUXsdotW9YetIwe+P2BYWx9SkX6zm96EwENqF + Ma12Ne7gZixOfW7V4CTlSmp8rmj6aWxudhP2QzZm7zU7 + VEyId+oYlMUmDbMdtBV6MKdFbogZ1eoMfN602Sg= ) +$ORIGIN inacksk3.example. +$TTL 300 ; 5 minutes +a A 10.0.0.1 + RRSIG A 7 3 300 ( + 20180105034827 20171206030233 17570 inacksk3.example. + Ias4wKqOvivZdxsQwIDgtbMfw1DITPJlAGNfGRFkYUMC + +gVZy9KtvEXN8+omy4DwfObokPr2NgFsj3XNJTTss+RW + 0Aljxku5HjiLO4OfWjLgNgfvjnDC+q/VcCuqJJrpON61 + KDAQuMJ7T28uPngdx5yXWAk0e365CXS9vmS4pWc= ) +$TTL 3600 ; 1 hour + NSEC b.inacksk3.example. A RRSIG NSEC + RRSIG NSEC 7 3 3600 ( + 20180105034827 20171206030233 17570 inacksk3.example. + i+KCoLtBQb1EqC2e2OVz1MSLNGU3xLeYkQtdl5Y6hgpB + wyMI7/16mQwNak5bvIm7/lX7viVcavuFVs/ae9a0hxqg + NHYv6UeHg8Txi0j1CQr5Fozmif3zSBsB3tO9IvQLpF1c + KQIe6VqNJKuzMvnF06DpL9qnsiC60+1KcCtDNeU= ) +$TTL 300 ; 5 minutes +b A 10.0.0.2 + RRSIG A 7 3 300 ( + 20180105034827 20171206030233 17570 inacksk3.example. + deawm0L4aD7k79cnqslJ4pSBk+MYSdv1iUEnlPy6pSrG + +kHt44gc/XjlO/FAPrinUuH/tiFtQk9CvU1jcGvdvIOL + gtzVOrzWoOVJzwYS4IwFtcoviLUPK8stoFrsU+w5bUH/ + t7mrDa3Lal3smsfvfW4qvCjDkYk4vyRw42AW7P0= ) +$TTL 3600 ; 1 hour + NSEC d.inacksk3.example. A RRSIG NSEC + RRSIG NSEC 7 3 3600 ( + 20180105034827 20171206030233 17570 inacksk3.example. + pfOlptbgbK6Lx9wGJ5IyGzupu7vcwRoPJyyx3fjLwt9B + +hu+emnJTn0chLMEygs1A73+gw2JebwRwPpHWd4dP8lg + WsF4obvAKy8lWxKPiVP6w5VBDDNPq8lKaTUeu3a7wLYO + IsAiGO3FBqh5hDLS0KKDJydA+zEl5ckDGgwOwm8= ) +$TTL 300 ; 5 minutes +d A 10.0.0.4 + RRSIG A 7 3 300 ( + 20180105030702 20171206030233 17570 inacksk3.example. 
+ qPALj6QLsAxU4aV4KXYIPANHA0SjJtd/e08nPyfs+wIC + Z8OhHanTsf5jJuMO15bcbzJ0/4gIYv4gWdR+RuVLy3EY + JomX0PeZe13LupitSAx+JoeG7PMus2H3Oux4pUaAoUpQ + Wrs/nL/sgA8IUgJZMac5GoAnLU5YtwqidEne1HI= ) +$TTL 3600 ; 1 hour + NSEC ns.inacksk3.example. A RRSIG NSEC + RRSIG NSEC 7 3 3600 ( + 20180105030702 20171206030233 17570 inacksk3.example. + XxbkRkob3CgJBV++MMvCLinETtUIUdi4Uy1gXB/zPloa + muSHcFuYKqygmDYGQ/VTan06CHSgZoGVOfPQ2KhX8Oks + OV7rqKr8pJo3gseHgjh7xLyhvzZJqgT+y30i+BQRCMzT + XOF0hcxOxBiTNgRojSPcrorMtbl+AE53RxIQCms= ) +$TTL 300 ; 5 minutes +ns A 10.53.0.3 + RRSIG A 7 3 300 ( + 20180105030702 20171206030233 17570 inacksk3.example. + t8MnYJIoiCza5jbNZWCrc2Q3zIJ+RiefjzKqPg8d+MzL + tRU5miy9W+B7LrWrql6+XwFzoFlcwsGoZq2Ht0PiHK7w + qgO63ojvhIcO5E5St80KD5oyhVHpsQ4td6+5GhJCkGl1 + 3o4vLKyebrp7Zq9y954zk43/Xl2FqDc22HX5f7o= ) +$TTL 3600 ; 1 hour + NSEC x.inacksk3.example. A RRSIG NSEC + RRSIG NSEC 7 3 3600 ( + 20180105030702 20171206030233 17570 inacksk3.example. + PKB66godfxMCZvf6E6BAizHXc9+K21KoMJJQp0lek2IC + BkmgdTH/INvS/cH81S1un8NCW6vhucr79+ntwxYGwNJB + 0KQoIVNHIKg+tiiJquTvvDV1PfPFEDps59BzsN7vZnXS + iTxrncJj1dqG9EG0NcpYpsOf7WG7Yo8GrNkgZ7Q= ) +$TTL 300 ; 5 minutes +x CNAME a + RRSIG CNAME 7 3 300 ( + 20180105030702 20171206030233 17570 inacksk3.example. + o42+o7Li+ZQYbltwYjnP2A0sSoDrBugPYhL+V2XfchUS + bANJntJu3GxGdEUJ52eunx4EL25wCR0yjCj8xQaQp3Pf + mTeB8+pkvlnekLTxQy8ZxFUvWFKBRz5ZkhzJoHLP+GPi + OfpU4XnGVrbly+ZFkfiTre+C245pPu8/fo4W/wg= ) +$TTL 3600 ; 1 hour + NSEC inacksk3.example. CNAME RRSIG NSEC + RRSIG NSEC 7 3 3600 ( + 20180105030702 20171206030233 17570 inacksk3.example. + l4KfYcCXDjvKdy+l1PnWkKFgR4QI2fdcDFbIqQd6QPxO + mdsqIn2qWLpGTuXxhzQRR+yof7EHuUxXAmUDqo3d6rJl + VW3YzsHFmQpL0vU9E/RWcK/+lCak7IUo3O8OaCrekktF + ++vPFmNWdDIMmFwCID8cwW3DU8TC2hga/jO0KMU= ) diff --git a/bin/tests/system/autosign/ns3/inacksk3.example.db.in b/bin/tests/system/autosign/ns3/inacksk3.example.db.in new file mode 100644 index 0000000000..8a7f25cee8 --- /dev/null 
+++ b/bin/tests/system/autosign/ns3/inacksk3.example.db.in @@ -0,0 +1,21 @@ +; Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index 5fa09c76a8..192f3705ba 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -274,6 +274,15 @@ ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || d $KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP +# +# A zone that has a published inactive key that is autosigned. +# +setup inacksk2.example +cp $infile $zonefile +ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -Pnow -A now+3600 -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}$TP + # # A zone that has a published inactive key that is autosigned. # 
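Review bot: The header comment added above `setup inacksk2.example` is word-for-word the one of the inaczsk2.example block that follows it, so it no longer says which key is inactive; this zone has a published-but-inactive KSK (`-Pnow -A now+3600 -fk`) and an active ZSK. I would write it as `# A zone that has a published inactive KSK and an active ZSK, and is autosigned.`. The same copy-paste appears in the next hunk for inacksk3.example, whose comment claims "a inactive ZSK" although the inactive key there is the first KSK generated (`-P now -A now+3600 -fk`); `# A zone that starts with an active KSK + ZSK and an inactive KSK.` would match the commands. As a minor style point, `-Pnow` on the ksk line is the only place in these hunks that omits the space every other `-P now` uses.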
@@ -283,6 +292,16 @@ ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out $KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP +# +# A zone that starts with a active KSK + ZSK and a inactive ZSK. +# +setup inacksk3.example +cp $infile $zonefile +$KEYGEN -a NSEC3RSASHA1 -3 -q -r $RANDFILE -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -a NSEC3RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}$TP + # # A zone that starts with a active KSK + ZSK and a inactive ZSK. # diff --git a/bin/tests/system/autosign/ns3/named.conf b/bin/tests/system/autosign/ns3/named.conf index 7ca8823b3c..8bbd2f23fb 100644 --- a/bin/tests/system/autosign/ns3/named.conf +++ b/bin/tests/system/autosign/ns3/named.conf @@ -249,6 +249,22 @@ zone "kskonly.example" { auto-dnssec maintain; }; +zone "inacksk2.example" { + type master; + file "inacksk2.example.db"; + allow-update { any; }; + dnssec-dnskey-kskonly yes; + auto-dnssec maintain; +}; + +zone "inacksk3.example" { + type master; + file "inacksk3.example.db"; + allow-update { any; }; + dnssec-dnskey-kskonly yes; + auto-dnssec maintain; +}; + zone "inaczsk2.example" { type master; file "inaczsk2.example.db"; diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index dee2c65158..8e8d2bbaf0 100755 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh 
@@ -72,7 +72,8 @@ do $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1 grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1 done - for z in bar. example. inaczsk2.example. inaczsk3.example + for z in bar. example. inacksk2.example. inacksk3.example \ + inaczsk2.example. inaczsk3.example do $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1 grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1 @@ -86,6 +87,43 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; else echo "I:done"; fi status=`expr $status + $ret` +# +# Check that DNSKEY is initially signed with a KSK and not a ZSK. +# +echo "I:check that zone with active and inactive KSK and active ZSK is properly" +echo "I: resigned after the active KSK is deleted - stage 1: Verify that DNSKEY" +echo "I: is initially signed with a KSK and not a ZSK. ($n)" +ret=0 + +$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n + +zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | + $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' ` +grep "DNSKEY 7 2 " dig.out.ns3.test$n > /dev/null || ret=1 + +pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} " +grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1 + +count=`awk 'BEGIN { count = 0 } + $4 == "RRSIG" && $5 == "DNSKEY" { count++ } + END {print count}' dig.out.ns3.test$n` +test $count -eq 1 || ret=1 + +count=`awk 'BEGIN { count = 0 } + $4 == "DNSKEY" { count++ } + END {print count}' dig.out.ns3.test$n` +test $count -eq 3 || ret=1 + +awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }' +id=`awk "${awk}" dig.out.ns3.test$n` + +$SETTIME -D now+5 ns3/Kinacksk3.example.+007+${id} +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys inacksk3.example + +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + # # Check that zone is initially signed with a ZSK and not a KSK. # 
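Review bot: The negative check `grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1` in the stage-1 block is vacuous when `zskid` comes back empty: the pattern then holds a double space that can never match, so the stage passes without having verified anything, and the awk | $DSFROMKEY | awk pipeline inside the backticks fails silently. Add `[ -n "$zskid" ] || ret=1` right after the assignment, and the same guard before the `kskid`/`zskid` negative checks in the inacksk2.example hunk later in this file and in the inline/tests.sh inactiveksk hunk. The `$SETTIME -D now+5 ...+007+${id}` and `$RNDC ... loadkeys` lines that set up the stage-2 check carry no `|| ret=1`, so a failed key deletion (for example an empty `id`) would only surface much later as an unexplained stage-2 failure. The `$DIG ... axfr` line likewise drops the `|| ret=1` that the dig calls in the loop above it use.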
@@ -1258,10 +1296,57 @@ if [ "$lret" != 0 ]; then ret=$lret; fi if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:check that zone with inactive KSK and active ZSK is properly autosigned ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n + +zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | + $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' ` +pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} " +grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1 + +kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | + $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' ` +pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${kskid} " +grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1 + +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:check that zone with inactive ZSK and active KSK is properly autosigned ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.out -grep "SOA 7 2" dig.out.ns3.out > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n +grep "SOA 7 2" dig.out.ns3.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +# +# Check that DNSKEY is now signed with the ZSK. +# +echo "I:check that zone with active and inactive KSK and active ZSK is properly" +echo "I: resigned after the active KSK is deleted - stage 2: Verify that DNSKEY" +echo "I: is now signed with the ZSK. 
($n)" +ret=0 + +$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n + +zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | + $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' ` +pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} " +grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1 + +count=`awk 'BEGIN { count = 0 } + $4 == "RRSIG" && $5 == "DNSKEY" { count++ } + END {print count}' dig.out.ns3.test$n` +test $count -eq 1 || ret=1 + +count=`awk 'BEGIN { count = 0 } + $4 == "DNSKEY" { count++ } + END {print count}' dig.out.ns3.test$n` +test $count -eq 2 || ret=1 + n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh index 86f43bb70a..44ee6e8973 100644 --- a/bin/tests/system/inline/clean.sh +++ b/bin/tests/system/inline/clean.sh @@ -15,6 +15,8 @@ rm -f ns1/root.db.signed rm -f ns2/bits.db rm -f ns2/bits.db.jnl rm -f ns1/signer.out +rm -f ns2/inactiveksk.db +rm -f ns2/inactiveksk.db.jnl rm -f ns2/inactivezsk.db rm -f ns2/inactivezsk.db.jnl rm -f ns2/retransfer.db @@ -46,6 +48,10 @@ rm -f ns3/expired.db rm -f ns3/expired.db.jnl rm -f ns3/expired.db.signed rm -f ns3/expired.db.signed.jnl +rm -f ns3/inactiveksk.bk +rm -f ns3/inactiveksk.bk.jnl +rm -f ns3/inactiveksk.bk.signed +rm -f ns3/inactiveksk.bk.signed.jnl rm -f ns3/inactivezsk.bk rm -f ns3/inactivezsk.bk.jnl rm -f ns3/inactivezsk.bk.signed diff --git a/bin/tests/system/inline/ns1/root.db.in b/bin/tests/system/inline/ns1/root.db.in index 009773aa92..ac0a5ff51b 100644 --- a/bin/tests/system/inline/ns1/root.db.in +++ b/bin/tests/system/inline/ns1/root.db.in @@ -49,5 +49,8 @@ ns3.externalkey. A 10.53.0.3 retransfer3. NS ns3.retransfer. ns3.retransfer3. A 10.53.0.3 +inactiveksk. NS ns3.inactiveksk. +ns3.inactiveksk. A 10.53.0.3 + inactivezsk. NS ns3.inactivezsk. ns3.inactivezsk. A 10.53.0.3 
diff --git a/bin/tests/system/inline/ns2/named.conf b/bin/tests/system/inline/ns2/named.conf index d236fc72d6..b63d8ead6a 100644 --- a/bin/tests/system/inline/ns2/named.conf +++ b/bin/tests/system/inline/ns2/named.conf @@ -54,6 +54,12 @@ zone "nsec3-loop" { notify no; }; +zone "inactiveksk" { + type master; + file "inactiveksk.db"; + allow-update { any; }; +}; + zone "inactivezsk" { type master; file "inactivezsk.db"; diff --git a/bin/tests/system/inline/ns3/named.conf b/bin/tests/system/inline/ns3/named.conf index 85e4a0411a..052fbe21ac 100644 --- a/bin/tests/system/inline/ns3/named.conf +++ b/bin/tests/system/inline/ns3/named.conf @@ -113,6 +113,15 @@ zone "retransfer3" { file "retransfer3.bk"; }; +zone "inactiveksk" { + type slave; + masters { 10.53.0.2; }; + inline-signing yes; + auto-dnssec maintain; + dnssec-dnskey-kskonly yes; + file "inactiveksk.bk"; +}; + zone "inactivezsk" { type slave; masters { 10.53.0.2; }; diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh index d64daa04a5..0981712ec2 100755 --- a/bin/tests/system/inline/ns3/sign.sh +++ b/bin/tests/system/inline/ns3/sign.sh @@ -75,6 +75,15 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone` $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +zone=inactiveksk +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -P now -A now+3600 -f KSK $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone` +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + zone=inactivezsk rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh index b590860704..fd3badc59e 100644 
--- a/bin/tests/system/inline/setup.sh +++ b/bin/tests/system/inline/setup.sh @@ -16,6 +16,7 @@ rm -f ns1/root.db.signed touch ns2/trusted.conf cp ns2/bits.db.in ns2/bits.db +cp ns2/bits.db.in ns2/inactiveksk.db cp ns2/bits.db.in ns2/inactivezsk.db cp ns2/bits.db.in ns2/retransfer.db cp ns2/bits.db.in ns2/retransfer3.db diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh index 6b4042f3f3..f5b4de7cac 100755 --- a/bin/tests/system/inline/tests.sh +++ b/bin/tests/system/inline/tests.sh 
@@ -1051,5 +1051,38 @@ grep "TXT 8 2" dig.out.ns3.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:testing that inline signing works with inactive KSK and active ZSK ($n)" +ret=0 + +$DIG $DIGOPTS @10.53.0.3 -p 5300 axfr inactiveksk > dig.out.ns3.test$n + +# +# check that DNSKEY is signed with ZSK for algorithm 7 +# +awk='$4 == "DNSKEY" && $5 == 256 && $7 == 7 { print }' +zskid=`awk "${awk}" dig.out.ns3.test$n | + $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' ` +grep "DNSKEY 7 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1 +awk='$4 == "DNSKEY" && $5 == 257 && $7 == 7 { print }' +kskid=`awk "${awk}" dig.out.ns3.test$n | + $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' ` +grep "DNSKEY 7 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1 + +# +# check that DNSKEY is signed with KSK for algorithm 8 +# +awk='$4 == "DNSKEY" && $5 == 256 && $7 == 8 { print }' +zskid=`awk "${awk}" dig.out.ns3.test$n | + $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' ` +grep "DNSKEY 8 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1 +awk='$4 == "DNSKEY" && $5 == 257 && $7 == 8 { print }' +kskid=`awk "${awk}" dig.out.ns3.test$n | + $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' ` +grep "DNSKEY 8 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" [ $status -eq 0 ] || exit 1