mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 22:15:20 +00:00
Code Issues Releases Wiki Activity

4840. [test] Add tests to cover fallback to using ZSK on inactive

Browse Source 
KSK. [RT #46787]
This commit is contained in:
Mark Andrews
2017-12-06 20:26:43 +11:00
parent 7308316d92
commit 32d09cd7e0
15 changed files with 379 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -1,3 +1,6 @@
4840. [test] Add tests to cover fallback to using ZSK on inactive
KSK. [RT #46787]
4839. [bug] zone.c:zone_sign was not properly determining 4839. [bug] zone.c:zone_sign was not properly determining
if there were active KSK and ZSK keys for if there were active KSK and ZSK keys for
a algorithm when update-check-ksk is true a algorithm when update-check-ksk is true

1
bin/tests/system/autosign/clean.sh
View File

@@ -28,6 +28,7 @@ rm -f ns2/private.secure.example.db ns2/bar.db
rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
rm -f ns3/*.nzf rm -f ns3/*.nzf
rm -f ns3/autonsec3.example.db rm -f ns3/autonsec3.example.db
rm -f ns3/inacksk2.example.db
rm -f ns3/inaczsk2.example.db rm -f ns3/inaczsk2.example.db
rm -f ns3/inaczsk3.example.db rm -f ns3/inaczsk3.example.db
rm -f ns3/kg.out ns3/s.out ns3/st.out rm -f ns3/kg.out ns3/s.out ns3/st.out

21
bin/tests/system/autosign/ns3/inacksk2.example.db.in Normal file
View File

@@ -0,0 +1,21 @@
; Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
x CNAME a

143
bin/tests/system/autosign/ns3/inacksk3.example.db Normal file
View File

@@ -0,0 +1,143 @@
$ORIGIN .
$TTL 300 ; 5 minutes
inacksk3.example IN SOA mname1. . (
6 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
RRSIG SOA 7 2 300 (
20180105040253 20171206030253 17570 inacksk3.example.
QptO/kcVg8pxOQNW11fUYTTXqzc8CjiXAVBSi1szdibP
xGY37+9F1NaQijAA/L1WOGuO446EXbCD4lVUqJyrP6PY
08Uo8YKO/OMP6/m8WztEBzTVaYEyINgz+tF7HzBt0/I6
Tn1Fh8uj4uKA3qhXGO7ssUmRcdi1fZB2h3hphUU= )
NS ns.inacksk3.example.
RRSIG NS 7 2 300 (
20180105034827 20171206030233 17570 inacksk3.example.
bM2qP+npbdkpkFvf6r7Mnt36FePrVDtdepetnDLVBtfP
lSRCkg8XUWC2MzR0wCbVEeH111PlySZUVywNMXECfFFX
1/mc6F+nEI1sPaXdU6vTrymJW+MENdn5KV/1Ve1+i38a
w6h5FeRUoNe9w3ItKmJmxeOKQ4mK7wA/bbcncwo= )
$TTL 3600 ; 1 hour
NSEC a.inacksk3.example. NS SOA RRSIG NSEC DNSKEY TYPE65534
RRSIG NSEC 7 2 3600 (
20180105034827 20171206030233 17570 inacksk3.example.
swiYw7bMGxEJJzu7KWFUTpMH7cCFdDTy+FVhVFrScjOG
OCObJzYQ7lhmXxuH8Eu161nE6mIKAXpjcehSj3h6litO
qow/8BErFwMnMjTbdZUFKZ9nW4TLBRji/bOgkfIppR0K
aUxWHMCtQiNquwgPC+rKwE40yQw1KlgDP5tt55Y= )
$TTL 300 ; 5 minutes
DNSKEY 257 3 7 (
AwEAAaG9OVHHQEw4I8QRRWXHDZG1eiAbPiPspACwXyxE
eVICN0UcY5l4jO09YfiUxdRN8RSSwVcW3aVT71saO30b
mrY4SOcERnNRPfU3F2J0riv9UISE4HDR5tvypQ+R6R/r
vIcmu178qUCCKroGvVb7iYJuphhdEMPFE6nyAbk5euhq
vE3O3Rb1niMoDJhuapi/oioDR1X4Cfkj27DSa4UoE8Hg
QfCRir20jx9RJ7IjDaXX9KhB8dJOAb0HM49PacRU3Ep5
Vsvwc2+MSU/9n+KxvLSaOZuHmFknOEwftaMzble12VQj
D0BfUWOEQ7VPneija6Pnt3iM1z6V6J1b+nJ1SMc=
) ; KSK; alg = NSEC3RSASHA1 ; key id = 7761
DNSKEY 256 3 7 (
AwEAAcRfrYZNp3gdpEG+DLouFLrih+lPp/fByO+IfUwx
yOsBVzrCaXk7wtI8Czt6RB/CVBj//DHnTQ60xP9sNIB3
9aaqaXfz+Qi/+65dVME8sE+IwphZI2tI1lJCN9rMYs+/
zngHdbWqYGGl4kdmRWnYeEupmoGy9N5oavsZOXQ5aGyZ
) ; ZSK; alg = NSEC3RSASHA1 ; key id = 17570
RRSIG DNSKEY 7 2 300 (
20180105040253 20171206030253 17570 inacksk3.example.
TjaNk52XyZJTtBT+7UizX6To6KVPQO4/q0fQ2f1YOY53
XbWIqW1ZEu7dtM/E9MRh7lRBJxD1slKwzWgK9qrCHQUT
zdyaupE865KAO8CJKpEa5uyEoByI4K9smsmwt9JOqJrF
E/nqYmg/DIvxSWqvnZCQLy+pxR9Q04Cu0dvNW1o= )
$TTL 0 ; 0 seconds
TYPE65534 \# 5 ( 071E510000 )
TYPE65534 \# 5 ( 0744A20001 )
RRSIG TYPE65534 7 2 0 (
20180105035556 20171206030253 17570 inacksk3.example.
Te0JxpcV+HTzJRfIxMDermiHxrezqRaHXuqPZC3OPpWV
uJVXZLcEUXsdotW9YetIwe+P2BYWx9SkX6zm96EwENqF
Ma12Ne7gZixOfW7V4CTlSmp8rmj6aWxudhP2QzZm7zU7
VEyId+oYlMUmDbMdtBV6MKdFbogZ1eoMfN602Sg= )
$ORIGIN inacksk3.example.
$TTL 300 ; 5 minutes
a A 10.0.0.1
RRSIG A 7 3 300 (
20180105034827 20171206030233 17570 inacksk3.example.
Ias4wKqOvivZdxsQwIDgtbMfw1DITPJlAGNfGRFkYUMC
+gVZy9KtvEXN8+omy4DwfObokPr2NgFsj3XNJTTss+RW
0Aljxku5HjiLO4OfWjLgNgfvjnDC+q/VcCuqJJrpON61
KDAQuMJ7T28uPngdx5yXWAk0e365CXS9vmS4pWc= )
$TTL 3600 ; 1 hour
NSEC b.inacksk3.example. A RRSIG NSEC
RRSIG NSEC 7 3 3600 (
20180105034827 20171206030233 17570 inacksk3.example.
i+KCoLtBQb1EqC2e2OVz1MSLNGU3xLeYkQtdl5Y6hgpB
wyMI7/16mQwNak5bvIm7/lX7viVcavuFVs/ae9a0hxqg
NHYv6UeHg8Txi0j1CQr5Fozmif3zSBsB3tO9IvQLpF1c
KQIe6VqNJKuzMvnF06DpL9qnsiC60+1KcCtDNeU= )
$TTL 300 ; 5 minutes
b A 10.0.0.2
RRSIG A 7 3 300 (
20180105034827 20171206030233 17570 inacksk3.example.
deawm0L4aD7k79cnqslJ4pSBk+MYSdv1iUEnlPy6pSrG
+kHt44gc/XjlO/FAPrinUuH/tiFtQk9CvU1jcGvdvIOL
gtzVOrzWoOVJzwYS4IwFtcoviLUPK8stoFrsU+w5bUH/
t7mrDa3Lal3smsfvfW4qvCjDkYk4vyRw42AW7P0= )
$TTL 3600 ; 1 hour
NSEC d.inacksk3.example. A RRSIG NSEC
RRSIG NSEC 7 3 3600 (
20180105034827 20171206030233 17570 inacksk3.example.
pfOlptbgbK6Lx9wGJ5IyGzupu7vcwRoPJyyx3fjLwt9B
+hu+emnJTn0chLMEygs1A73+gw2JebwRwPpHWd4dP8lg
WsF4obvAKy8lWxKPiVP6w5VBDDNPq8lKaTUeu3a7wLYO
IsAiGO3FBqh5hDLS0KKDJydA+zEl5ckDGgwOwm8= )
$TTL 300 ; 5 minutes
d A 10.0.0.4
RRSIG A 7 3 300 (
20180105030702 20171206030233 17570 inacksk3.example.
qPALj6QLsAxU4aV4KXYIPANHA0SjJtd/e08nPyfs+wIC
Z8OhHanTsf5jJuMO15bcbzJ0/4gIYv4gWdR+RuVLy3EY
JomX0PeZe13LupitSAx+JoeG7PMus2H3Oux4pUaAoUpQ
Wrs/nL/sgA8IUgJZMac5GoAnLU5YtwqidEne1HI= )
$TTL 3600 ; 1 hour
NSEC ns.inacksk3.example. A RRSIG NSEC
RRSIG NSEC 7 3 3600 (
20180105030702 20171206030233 17570 inacksk3.example.
XxbkRkob3CgJBV++MMvCLinETtUIUdi4Uy1gXB/zPloa
muSHcFuYKqygmDYGQ/VTan06CHSgZoGVOfPQ2KhX8Oks
OV7rqKr8pJo3gseHgjh7xLyhvzZJqgT+y30i+BQRCMzT
XOF0hcxOxBiTNgRojSPcrorMtbl+AE53RxIQCms= )
$TTL 300 ; 5 minutes
ns A 10.53.0.3
RRSIG A 7 3 300 (
20180105030702 20171206030233 17570 inacksk3.example.
t8MnYJIoiCza5jbNZWCrc2Q3zIJ+RiefjzKqPg8d+MzL
tRU5miy9W+B7LrWrql6+XwFzoFlcwsGoZq2Ht0PiHK7w
qgO63ojvhIcO5E5St80KD5oyhVHpsQ4td6+5GhJCkGl1
3o4vLKyebrp7Zq9y954zk43/Xl2FqDc22HX5f7o= )
$TTL 3600 ; 1 hour
NSEC x.inacksk3.example. A RRSIG NSEC
RRSIG NSEC 7 3 3600 (
20180105030702 20171206030233 17570 inacksk3.example.
PKB66godfxMCZvf6E6BAizHXc9+K21KoMJJQp0lek2IC
BkmgdTH/INvS/cH81S1un8NCW6vhucr79+ntwxYGwNJB
0KQoIVNHIKg+tiiJquTvvDV1PfPFEDps59BzsN7vZnXS
iTxrncJj1dqG9EG0NcpYpsOf7WG7Yo8GrNkgZ7Q= )
$TTL 300 ; 5 minutes
x CNAME a
RRSIG CNAME 7 3 300 (
20180105030702 20171206030233 17570 inacksk3.example.
o42+o7Li+ZQYbltwYjnP2A0sSoDrBugPYhL+V2XfchUS
bANJntJu3GxGdEUJ52eunx4EL25wCR0yjCj8xQaQp3Pf
mTeB8+pkvlnekLTxQy8ZxFUvWFKBRz5ZkhzJoHLP+GPi
OfpU4XnGVrbly+ZFkfiTre+C245pPu8/fo4W/wg= )
$TTL 3600 ; 1 hour
NSEC inacksk3.example. CNAME RRSIG NSEC
RRSIG NSEC 7 3 3600 (
20180105030702 20171206030233 17570 inacksk3.example.
l4KfYcCXDjvKdy+l1PnWkKFgR4QI2fdcDFbIqQd6QPxO
mdsqIn2qWLpGTuXxhzQRR+yof7EHuUxXAmUDqo3d6rJl
VW3YzsHFmQpL0vU9E/RWcK/+lCak7IUo3O8OaCrekktF
++vPFmNWdDIMmFwCID8cwW3DU8TC2hga/jO0KMU= )

21
bin/tests/system/autosign/ns3/inacksk3.example.db.in Normal file
View File

@@ -0,0 +1,21 @@
; Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
x CNAME a

19
bin/tests/system/autosign/ns3/keygen.sh
View File

@@ -274,6 +274,15 @@ ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || d
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
# A zone that has a published inactive key that is autosigned.
#
setup inacksk2.example
cp $infile $zonefile
ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -Pnow -A now+3600 -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
# #
# A zone that has a published inactive key that is autosigned. # A zone that has a published inactive key that is autosigned.
# #
@@ -283,6 +292,16 @@ ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out $KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
# A zone that starts with a active KSK + ZSK and a inactive ZSK.
#
setup inacksk3.example
cp $infile $zonefile
$KEYGEN -a NSEC3RSASHA1 -3 -q -r $RANDFILE -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
# #
# A zone that starts with a active KSK + ZSK and a inactive ZSK. # A zone that starts with a active KSK + ZSK and a inactive ZSK.
# #

16
bin/tests/system/autosign/ns3/named.conf
View File

@@ -249,6 +249,22 @@ zone "kskonly.example" {
auto-dnssec maintain; auto-dnssec maintain;
}; };
zone "inacksk2.example" {
type master;
file "inacksk2.example.db";
allow-update { any; };
dnssec-dnskey-kskonly yes;
auto-dnssec maintain;
};
zone "inacksk3.example" {
type master;
file "inacksk3.example.db";
allow-update { any; };
dnssec-dnskey-kskonly yes;
auto-dnssec maintain;
};
zone "inaczsk2.example" { zone "inaczsk2.example" {
type master; type master;
file "inaczsk2.example.db"; file "inaczsk2.example.db";

91
bin/tests/system/autosign/tests.sh
View File

@@ -72,7 +72,8 @@ do
$DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1 $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1 grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
done done
for z in bar. example. inaczsk2.example. inaczsk3.example for z in bar. example. inacksk2.example. inacksk3.example \
inaczsk2.example. inaczsk3.example
do do
$DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1 grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
@@ -86,6 +87,43 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; else echo "I:done"; fi if [ $ret != 0 ]; then echo "I:failed"; else echo "I:done"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
#
# Check that DNSKEY is initially signed with a KSK and not a ZSK.
#
echo "I:check that zone with active and inactive KSK and active ZSK is properly"
echo "I: resigned after the active KSK is deleted - stage 1: Verify that DNSKEY"
echo "I: is initially signed with a KSK and not a ZSK. ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
$DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' `
grep "DNSKEY 7 2 " dig.out.ns3.test$n > /dev/null || ret=1
pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
count=`awk 'BEGIN { count = 0 }
$4 == "RRSIG" && $5 == "DNSKEY" { count++ }
END {print count}' dig.out.ns3.test$n`
test $count -eq 1 || ret=1
count=`awk 'BEGIN { count = 0 }
$4 == "DNSKEY" { count++ }
END {print count}' dig.out.ns3.test$n`
test $count -eq 3 || ret=1
awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }'
id=`awk "${awk}" dig.out.ns3.test$n`
$SETTIME -D now+5 ns3/Kinacksk3.example.+007+${id}
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys inacksk3.example
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
# #
# Check that zone is initially signed with a ZSK and not a KSK. # Check that zone is initially signed with a ZSK and not a KSK.
# #
@@ -1258,10 +1296,57 @@ if [ "$lret" != 0 ]; then ret=$lret; fi
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
echo "I:check that zone with inactive KSK and active ZSK is properly autosigned ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n
zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
$DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' `
pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
$DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' `
pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${kskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check that zone with inactive ZSK and active KSK is properly autosigned ($n)" echo "I:check that zone with inactive ZSK and active KSK is properly autosigned ($n)"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.out $DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n
grep "SOA 7 2" dig.out.ns3.out > /dev/null || ret=1 grep "SOA 7 2" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
#
# Check that DNSKEY is now signed with the ZSK.
#
echo "I:check that zone with active and inactive KSK and active ZSK is properly"
echo "I: resigned after the active KSK is deleted - stage 2: Verify that DNSKEY"
echo "I: is now signed with the ZSK. ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
$DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' `
pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
count=`awk 'BEGIN { count = 0 }
$4 == "RRSIG" && $5 == "DNSKEY" { count++ }
END {print count}' dig.out.ns3.test$n`
test $count -eq 1 || ret=1
count=`awk 'BEGIN { count = 0 }
$4 == "DNSKEY" { count++ }
END {print count}' dig.out.ns3.test$n`
test $count -eq 2 || ret=1
n=`expr $n + 1` n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`

6
bin/tests/system/inline/clean.sh
View File

@@ -15,6 +15,8 @@ rm -f ns1/root.db.signed
rm -f ns2/bits.db rm -f ns2/bits.db
rm -f ns2/bits.db.jnl rm -f ns2/bits.db.jnl
rm -f ns1/signer.out rm -f ns1/signer.out
rm -f ns2/inactiveksk.db
rm -f ns2/inactiveksk.db.jnl
rm -f ns2/inactivezsk.db rm -f ns2/inactivezsk.db
rm -f ns2/inactivezsk.db.jnl rm -f ns2/inactivezsk.db.jnl
rm -f ns2/retransfer.db rm -f ns2/retransfer.db
@@ -46,6 +48,10 @@ rm -f ns3/expired.db
rm -f ns3/expired.db.jnl rm -f ns3/expired.db.jnl
rm -f ns3/expired.db.signed rm -f ns3/expired.db.signed
rm -f ns3/expired.db.signed.jnl rm -f ns3/expired.db.signed.jnl
rm -f ns3/inactiveksk.bk
rm -f ns3/inactiveksk.bk.jnl
rm -f ns3/inactiveksk.bk.signed
rm -f ns3/inactiveksk.bk.signed.jnl
rm -f ns3/inactivezsk.bk rm -f ns3/inactivezsk.bk
rm -f ns3/inactivezsk.bk.jnl rm -f ns3/inactivezsk.bk.jnl
rm -f ns3/inactivezsk.bk.signed rm -f ns3/inactivezsk.bk.signed

3
bin/tests/system/inline/ns1/root.db.in
View File

@@ -49,5 +49,8 @@ ns3.externalkey. A 10.53.0.3
retransfer3. NS ns3.retransfer. retransfer3. NS ns3.retransfer.
ns3.retransfer3. A 10.53.0.3 ns3.retransfer3. A 10.53.0.3
inactiveksk. NS ns3.inactiveksk.
ns3.inactiveksk. A 10.53.0.3
inactivezsk. NS ns3.inactivezsk. inactivezsk. NS ns3.inactivezsk.
ns3.inactivezsk. A 10.53.0.3 ns3.inactivezsk. A 10.53.0.3

6
bin/tests/system/inline/ns2/named.conf
View File

@@ -54,6 +54,12 @@ zone "nsec3-loop" {
notify no; notify no;
}; };
zone "inactiveksk" {
type master;
file "inactiveksk.db";
allow-update { any; };
};
zone "inactivezsk" { zone "inactivezsk" {
type master; type master;
file "inactivezsk.db"; file "inactivezsk.db";

9
bin/tests/system/inline/ns3/named.conf
View File

@@ -113,6 +113,15 @@ zone "retransfer3" {
file "retransfer3.bk"; file "retransfer3.bk";
}; };
zone "inactiveksk" {
type slave;
masters { 10.53.0.2; };
inline-signing yes;
auto-dnssec maintain;
dnssec-dnskey-kskonly yes;
file "inactiveksk.bk";
};
zone "inactivezsk" { zone "inactivezsk" {
type slave; type slave;
masters { 10.53.0.2; }; masters { 10.53.0.2; };

9
bin/tests/system/inline/ns3/sign.sh
View File

@@ -75,6 +75,15 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone` keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
zone=inactiveksk
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -P now -A now+3600 -f KSK $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone`
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
zone=inactivezsk zone=inactivezsk
rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private rm -f K${zone}.+*+*.private

1
bin/tests/system/inline/setup.sh
View File

@@ -16,6 +16,7 @@ rm -f ns1/root.db.signed
touch ns2/trusted.conf touch ns2/trusted.conf
cp ns2/bits.db.in ns2/bits.db cp ns2/bits.db.in ns2/bits.db
cp ns2/bits.db.in ns2/inactiveksk.db
cp ns2/bits.db.in ns2/inactivezsk.db cp ns2/bits.db.in ns2/inactivezsk.db
cp ns2/bits.db.in ns2/retransfer.db cp ns2/bits.db.in ns2/retransfer.db
cp ns2/bits.db.in ns2/retransfer3.db cp ns2/bits.db.in ns2/retransfer3.db

33
bin/tests/system/inline/tests.sh
View File

@@ -1051,5 +1051,38 @@ grep "TXT 8 2" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:testing that inline signing works with inactive KSK and active ZSK ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 axfr inactiveksk > dig.out.ns3.test$n
#
# check that DNSKEY is signed with ZSK for algorithm 7
#
awk='$4 == "DNSKEY" && $5 == 256 && $7 == 7 { print }'
zskid=`awk "${awk}" dig.out.ns3.test$n |
$DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' `
grep "DNSKEY 7 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1
awk='$4 == "DNSKEY" && $5 == 257 && $7 == 7 { print }'
kskid=`awk "${awk}" dig.out.ns3.test$n |
$DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' `
grep "DNSKEY 7 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
#
# check that DNSKEY is signed with KSK for algorithm 8
#
awk='$4 == "DNSKEY" && $5 == 256 && $7 == 8 { print }'
zskid=`awk "${awk}" dig.out.ns3.test$n |
$DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' `
grep "DNSKEY 8 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1
awk='$4 == "DNSKEY" && $5 == 257 && $7 == 8 { print }'
kskid=`awk "${awk}" dig.out.ns3.test$n |
$DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' `
grep "DNSKEY 8 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status" echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1 [ $status -eq 0 ] || exit 1