diff --git a/bin/tests/system/ksr/ns1/setup.sh b/bin/tests/system/ksr/ns1/setup.sh index ee3a8b738b..c17c43de2e 100644 --- a/bin/tests/system/ksr/ns1/setup.sh +++ b/bin/tests/system/ksr/ns1/setup.sh @@ -20,6 +20,10 @@ mkdir offline # Zone files cp template.db.in common.test.db +cp template.db.in past.test.db +cp template.db.in future.test.db +cp template.db.in last-bundle.test.db +cp template.db.in in-the-middle.test.db # Create KSK for the various policies. create_ksk() { @@ -35,5 +39,9 @@ create_ksk() { done } create_ksk common.test common +create_ksk past.test common +create_ksk future.test common +create_ksk last-bundle.test common +create_ksk in-the-middle.test common create_ksk unlimited.test unlimited create_ksk two-tone.test two-tone diff --git a/bin/tests/system/ksr/tests.sh b/bin/tests/system/ksr/tests.sh index a8c8068095..4fb9f9fac5 100644 --- a/bin/tests/system/ksr/tests.sh +++ b/bin/tests/system/ksr/tests.sh @@ -544,6 +544,420 @@ ksr common -K ns1 -i $now -e +2y -K ns1/offline -f ksr.request.expect sign commo start=$(cat ns1/$zsk1.state | grep "Generated" | awk '{print $2}') end=$(addtime $start 63072000) # two years check_skr "common.test" "ns1/offline" "ksr.sign.out.$n" $start $end 4 || ret=1 +# Save response for skr import operation. +cp ksr.sign.out.$n ns1/common.test.skr +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +# Add zone: common +n=$((n + 1)) +echo_i "add zone 'common.test' ($n)" +ret=0 +$RNDCCMD 10.53.0.1 addzone 'common.test { type primary; file "common.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +# Import skr: common +n=$((n + 1)) +echo_i "import ksr to zone 'common.test' ($n)" +ret=0 +sleep 2 +$RNDCCMD 10.53.0.1 skr -import common.test.skr common.test 2>&1 | sed 's/^/I:ns1 /' || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +# Test that common.test is signed and uses the right DNSKEY and RRSIG records. +n=$((n + 1)) +echo_i "test zone 'common.test' is correctly signed ($n)" +ret=0 + +set_zone "common.test" +set_policy "common" "4" "3600" +set_server "ns1" "10.53.0.1" +# Only ZSKs +set_keyrole "KEY1" "zsk" +set_keylifetime "KEY1" "16070400" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "no" +set_zonesigning "KEY1" "yes" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" + +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "16070400" +set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "no" +set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY2" "STATE_DNSKEY" "hidden" +set_keystate "KEY2" "STATE_ZRRSIG" "hidden" + +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "16070400" +set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "no" +set_keystate "KEY3" "GOAL" "hidden" +set_keystate "KEY3" "STATE_DNSKEY" "hidden" +set_keystate "KEY3" "STATE_ZRRSIG" "hidden" + +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "16070400" +set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "no" +set_keystate "KEY4" "GOAL" "hidden" +set_keystate "KEY4" "STATE_DNSKEY" "hidden" +set_keystate "KEY4" "STATE_ZRRSIG" "hidden" + +MAXDEPTH=1 +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_subdomain +dnssec_verify + +# For checking the apex, we need to store the expected KSK metadata. +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +set_policy "common" "1" "3600" +set_server "ns1/offline" "10.53.0.1" +set_keyrole "KEY2" "ksk" +set_keylifetime "KEY2" "0" +set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" +check_keys "keep" + +DIR="ns1" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY2" "STATE_DS" "omnipresent" +check_apex + +# Check that key id's match expected keys +n=$((n + 1)) +zsk1=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id) +key1=$(key_get "KEY1" BASEFILE) +echo_i "check that published zsk $zsk1 matches first key $key1 in bundle ($n)" +ret=0 +[ "ns1/$zsk1" = "$key1" ] || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +ksk=$(cat common.test.ksk1.id) +key2=$(key_get "KEY2" BASEFILE) +echo_i "check that published ksk $ksk matches ksk $key2 ($n)" +ret=0 +[ "ns1/offline/$ksk" = "$key2" ] || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +# Key generation: last-bundle +n=$((n + 1)) +echo_i "generate keys for testing an SKR that is in the last bundle ($n)" +ret=0 +ksr common -K ns1 -i -1y -e +1d keygen last-bundle.test >ksr.keygen.out.$n 2>&1 || ret=1 +num=$(cat ksr.keygen.out.$n | wc -l) +[ $num -eq 2 ] || ret=1 +set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400 +ksr_check_keys last-bundle.test ns1 -31536000 || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) +# Create request: last-bundle +n=$((n + 1)) +echo_i "create ksr for last bundle test ($n)" +ret=0 +ksr common -K ns1 -i -1y -e +1d request last-bundle.test >ksr.request.out.$n 2>&1 || ret=1 +cp ksr.request.out.$n last-bundle.test.ksr +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) +# Sign request: last-bundle +n=$((n + 1)) +echo_i "create skr for last bundle test ($n)" +ret=0 +ksr common -i -1y -e +1d -K ns1/offline -f last-bundle.test.ksr sign last-bundle.test >ksr.sign.out.$n 2>&1 || ret=1 +cp ksr.sign.out.$n ns1/last-bundle.test.skr +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) +# Add zone: last-bundle +n=$((n + 1)) +echo_i "add zone 'last-bundle.test' ($n)" +ret=0 +$RNDCCMD 10.53.0.1 addzone 'last-bundle.test { type primary; file "last-bundle.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) +# Import skr: last-bundle +n=$((n + 1)) +echo_i "import ksr to zone 'last-bundle.test' ($n)" +ret=0 +sleep 2 +$RNDCCMD 10.53.0.1 skr -import last-bundle.test.skr last-bundle.test 2>&1 | sed 's/^/I:ns1 /' || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +# Test that last-bundle.test is signed and uses the right DNSKEY and RRSIG records. +n=$((n + 1)) +echo_i "test zone 'last-bundle.test' is correctly signed ($n)" +ret=0 + +set_zone "last-bundle.test" +set_policy "common" "2" "3600" +set_server "ns1" "10.53.0.1" +# Only ZSKs +key_clear "KEY1" +set_keyrole "KEY1" "zsk" +set_keylifetime "KEY1" "16070400" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "no" +set_zonesigning "KEY1" "yes" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" + +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "16070400" +set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "no" +set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY2" "STATE_DNSKEY" "hidden" +set_keystate "KEY2" "STATE_ZRRSIG" "hidden" + +MAXDEPTH=1 +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_subdomain +dnssec_verify + +# For checking the apex, we need to store the expected KSK metadata. +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +set_policy "common" "1" "3600" +set_server "ns1/offline" "10.53.0.1" +set_keyrole "KEY2" "ksk" +set_keylifetime "KEY2" "0" +set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" +check_keys "keep" + +DIR="ns1" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY2" "STATE_DS" "omnipresent" +check_apex + +# Check that key id's match expected keys +n=$((n + 1)) +zsk2=$(cat last-bundle.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id) +key1=$(key_get "KEY1" BASEFILE) +echo_i "check that published zsk $zsk2 matches first key $key1 in bundle ($n)" +ret=0 +[ "ns1/$zsk2" = "$key1" ] || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +ksk=$(cat last-bundle.test.ksk1.id) +key2=$(key_get "KEY2" BASEFILE) +echo_i "check that published ksk $ksk matches ksk $key2 ($n)" +ret=0 +[ "ns1/offline/$ksk" = "$key2" ] || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that last bundle warning is logged ($n)" +wait_for_log 3 "zone last-bundle.test/IN (signed): zone_rekey: last bundle in skr, please import new skr file" ns1/named.run || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +# Key generation: in-the-middle +n=$((n + 1)) +echo_i "generate keys for testing an SKR that is in the middle ($n)" +ret=0 +ksr common -K ns1 -i -1y -e +1y keygen in-the-middle.test >ksr.keygen.out.$n 2>&1 || ret=1 +num=$(cat ksr.keygen.out.$n | wc -l) +[ $num -eq 4 ] || ret=1 +set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400 +ksr_check_keys in-the-middle.test ns1 -31536000 || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) +# Create request: in-the-middle +n=$((n + 1)) +echo_i "create ksr for in the middle test ($n)" +ret=0 +ksr common -K ns1 -i -1y -e +1y request in-the-middle.test >ksr.request.out.$n 2>&1 || ret=1 +cp ksr.request.out.$n in-the-middle.test.ksr +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) +# Sign request: in-the-middle +n=$((n + 1)) +echo_i "create skr for in the middle test ($n)" +ret=0 +ksr common -i -1y -e +1y -K ns1/offline -f in-the-middle.test.ksr sign in-the-middle.test >ksr.sign.out.$n 2>&1 || ret=1 +cp ksr.sign.out.$n ns1/in-the-middle.test.skr +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) +# Add zone: in-the-middle +n=$((n + 1)) +echo_i "add zone 'in-the-middle.test' ($n)" +ret=0 +$RNDCCMD 10.53.0.1 addzone 'in-the-middle.test { type primary; file "in-the-middle.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) +# Import skr: in-the-middle +n=$((n + 1)) +echo_i "import ksr to zone 'in-the-middle.test' ($n)" +ret=0 +sleep 2 +$RNDCCMD 10.53.0.1 skr -import in-the-middle.test.skr in-the-middle.test 2>&1 | sed 's/^/I:ns1 /' || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +# Test that in-the-middle.test is signed and uses the right DNSKEY and RRSIG records. +n=$((n + 1)) +echo_i "test zone 'in-the-middle.test' is correctly signed ($n)" +ret=0 + +set_zone "in-the-middle.test" +set_policy "common" "4" "3600" +set_server "ns1" "10.53.0.1" +# Only ZSKs +key_clear "KEY1" +set_keyrole "KEY1" "zsk" +set_keylifetime "KEY1" "16070400" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "no" +set_zonesigning "KEY1" "yes" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" + +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "16070400" +set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "no" +set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY2" "STATE_DNSKEY" "hidden" +set_keystate "KEY2" "STATE_ZRRSIG" "hidden" + +key_clear "KEY3" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "16070400" +set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "no" +set_keystate "KEY3" "GOAL" "hidden" +set_keystate "KEY3" "STATE_DNSKEY" "hidden" +set_keystate "KEY3" "STATE_ZRRSIG" "hidden" + +key_clear "KEY4" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "16070400" +set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "no" +set_keystate "KEY4" "GOAL" "hidden" +set_keystate "KEY4" "STATE_DNSKEY" "hidden" +set_keystate "KEY4" "STATE_ZRRSIG" "hidden" + +MAXDEPTH=1 +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_subdomain +dnssec_verify + +# For checking the apex, we need to store the expected KSK metadata. +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +set_policy "common" "1" "3600" +set_server "ns1/offline" "10.53.0.1" +set_keyrole "KEY2" "ksk" +set_keylifetime "KEY2" "0" +set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" +check_keys "keep" + +DIR="ns1" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY2" "STATE_DS" "omnipresent" +check_apex + +# Check that key id's match expected keys +n=$((n + 1)) +zsk2=$(cat in-the-middle.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id) +key1=$(key_get "KEY1" BASEFILE) +echo_i "check that published zsk $zsk2 matches first key $key1 in bundle ($n)" +ret=0 +[ "ns1/$zsk2" = "$key1" ] || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +ksk=$(cat in-the-middle.test.ksk1.id) +key2=$(key_get "KEY2" BASEFILE) +echo_i "check that published ksk $ksk matches ksk $key2 ($n)" +ret=0 +[ "ns1/offline/$ksk" = "$key2" ] || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that no last bundle warning is logged ($n)" +grep "zone $zone/IN (signed): zone_rekey failure: no available SKR bundle" ns1/named.run && ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +# Test error conditions +check_rekey_logs_error() { + zone=$1 + inc=$2 + exp=$3 + offset=$4 + + # Key generation + ksr common -K ns1 -i $inc -e $exp keygen $zone >ksr.keygen.out.$n 2>&1 || return 1 + num=$(cat ksr.keygen.out.$n | wc -l) + [ $num -eq 2 ] || return 1 + set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400 + ksr_check_keys $zone ns1 $offset || return 1 + # Create request + ksr common -K ns1 -i $inc -e $exp request $zone >ksr.request.out.$n 2>&1 || return 1 + cp ksr.request.out.$n $zone.ksr + # Sign request + ksr common -K ns1/offline -i $inc -e $exp -f $zone.ksr sign $zone >ksr.sign.out.$n 2>&1 || return 1 + cp ksr.sign.out.$n ns1/$zone.skr + # Import skr + $RNDCCMD 10.53.0.1 skr -import $zone.skr $zone 2>&1 | sed 's/^/I:ns1 /' || return 1 + # Test that rekey logs error + wait_for_log 3 "zone $zone/IN (signed): zone_rekey failure: no available SKR bundle" ns1/named.run || return 1 +} + +n=$((n + 1)) +echo_i "check that an SKR that is too old logs error ($n)" +$RNDCCMD 10.53.0.1 addzone 'past.test { type primary; file "past.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1 +check_rekey_logs_error "past.test" -2y -1y -63072000 || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that an SKR that is too new logs error ($n)" +$RNDCCMD 10.53.0.1 addzone 'future.test { type primary; file "future.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1 +check_rekey_logs_error "future.test" +1mo +1y 2592000 || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status + ret))