mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 14:07:59 +00:00
Code Issues Releases Wiki Activity

Adjust system test to expect CDS and CDNSKEY

Browse Source 
Requires storing the KSK keyfile identifier to calculate the expected
CDS and CDNSKEY.
This commit is contained in:
Matthijs Mekking 2024-03-01 14:51:11 +01:00
parent 83da52d6e4
commit cdf0fd2e5e
2 changed files with 89 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
bin/tests/system/ksr/setup.sh
View File

@ -29,6 +29,7 @@ create_ksk() {
num=0 num=0
for ksk in $KSK; do for ksk in $KSK; do
num=$(($num + 1)) num=$(($num + 1))
echo $ksk >"${1}.ksk${num}.id"
cat "${ksk}.key" | grep -v ";.*" >"$1.ksk$num" cat "${ksk}.key" | grep -v ";.*" >"$1.ksk$num"
cp "${ksk}.key" offline/ cp "${ksk}.key" offline/
cp "${ksk}.private" offline/ cp "${ksk}.private" offline/

118
bin/tests/system/ksr/tests.sh
View File

@ -251,6 +251,8 @@ check_ksr() {
start=$3 start=$3
end=$4 end=$4
numzsks=$5 numzsks=$5
cds=$($DSFROMKEY -T 3600 -a SHA-256 -C -w $(cat "${zone}.ksk1.id"))
cdnskey=$(awk '{sub(/DNSKEY/,"CDNSKEY")}1' <${zone}.ksk1)
echo_i "check ksr: zone $1 file $2 from $3 to $4 num-zsk $5" echo_i "check ksr: zone $1 file $2 from $3 to $4 num-zsk $5"
@ -272,7 +274,11 @@ check_ksr() {
# ;; SignedKeyResponse (header) # ;; SignedKeyResponse (header)
# ;; DNSKEY 257 (ksk) # ;; DNSKEY 257 (ksk)
# ;; one or two (during rollover) DNSKEY 256 (zsk1, zsk2) # ;; one or two (during rollover) DNSKEY 256 (zsk1, zsk2)
# ;; RRSIG (rrsig) # ;; RRSIG(DNSKEY) (rrsig-dnskey)
# ;; CDNSKEY (cdnskey)
# ;; RRSIG(CDNSKEY) (rrsig-cdnskey)
# ;; CDS (cds)
# ;; RRSIG(CDS) (rrsig-cds)
err=0 err=0
lineno=$((lineno + 1)) lineno=$((lineno + 1))
@ -283,27 +289,47 @@ check_ksr() {
if [ "$expect" = "header" ]; then if [ "$expect" = "header" ]; then
expected=";; SignedKeyResponse 1.0 $inception" expected=";; SignedKeyResponse 1.0 $inception"
echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1 echo $line | grep "$expected" >/dev/null || err=1
next_inception=$(addtime $inception 777600) next_inception=$(addtime $inception 777600)
expect="ksk" expect="ksk"
elif [ "$expect" = "ksk" ]; then elif [ "$expect" = "ksk" ]; then
expected="$(cat ${zone}.ksk1)" expected="$(cat ${zone}.ksk1)"
echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1 echo $line | grep "$expected" >/dev/null || err=1
expect="zsk1" expect="zsk1"
elif [ "$expect" = "cdnskey" ]; then
expected="$cdnskey"
echo $line | grep "$expected" >/dev/null || err=1
expect="rrsig-cdnskey"
elif [ "$expect" = "cds" ]; then
expected="$cds"
echo $line | grep "$expected" >/dev/null || err=1
expect="rrsig-cds"
elif [ "$expect" = "zsk1" ]; then elif [ "$expect" = "zsk1" ]; then
expected="$(cat $key1)" expected="$(cat $key1)"
echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1 echo $line | grep "$expected" >/dev/null || err=1
expect="rrsig" expect="rrsig-dnskey"
[ "$rollover" -eq 1 ] && expect="zsk2" [ "$rollover" -eq 1 ] && expect="zsk2"
elif [ "$expect" = "zsk2" ]; then elif [ "$expect" = "zsk2" ]; then
expected="$(cat $key2)" expected="$(cat $key2)"
echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1 echo $line | grep "$expected" >/dev/null || err=1
expect="rrsig" expect="rrsig-dnskey"
elif [ "$expect" = "rrsig" ]; then elif [ "$expect" = "rrsig-dnskey" ]; then
expiration=$(addtime $inception 1209600) # signature-validity 14 days exp=$(addtime $inception 1209600) # signature-validity 14 days
inception=$(addtime $inception -3600) # adjust for one hour clock skew inc=$(addtime $inception -3600) # adjust for one hour clock skew
expected="${zone}. 3600 IN RRSIG DNSKEY 13 2 3600 $expiration $inception" expected="${zone}. 3600 IN RRSIG DNSKEY 13 2 3600 $exp $inc"
echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1 echo $line | grep "$expected" >/dev/null || err=1
expect="cdnskey"
elif [ "$expect" = "rrsig-cdnskey" ]; then
exp=$(addtime $inception 1209600) # signature-validity 14 days
inc=$(addtime $inception -3600) # adjust for one hour clock skew
expected="${zone}. 3600 IN RRSIG CDNSKEY 13 2 3600 $exp $inc"
echo $line | grep "$expected" >/dev/null || err=1
expect="cds"
elif [ "$expect" = "rrsig-cds" ]; then
exp=$(addtime $inception 1209600) # signature-validity 14 days
inc=$(addtime $inception -3600) # adjust for one hour clock skew
expected="${zone}. 3600 IN RRSIG CDS 13 2 3600 $exp $inc"
echo $line | grep "$expected" >/dev/null || err=1
inception=$next_inception inception=$next_inception
expect="header" expect="header"
@ -630,33 +656,65 @@ cp ksr.request.expect.$n ksr.request.expect
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret)) status=$((status + ret))
num_occurrences() {
count="$1"
file="$2"
line="$3"
exclude="$4"
if [ -z "$exclude" ]; then
lines=$(cat "$file" | while read line; do echo $line; done | grep "$line" | wc -l)
echo_i "$lines occurrences: $1 $2 $3"
else
lines=$(cat "$file" | while read line; do echo $line; done | grep -v "$exclude" | grep "$line" | wc -l)
echo_i "$lines occurrences: $1 $2 $3 (exclude $4)"
fi
test "$lines" -eq "$count" || return 1
}
# Sign request: two-tone # Sign request: two-tone
n=$((n + 1)) n=$((n + 1))
echo_i "check that 'dnssec-ksr sign' creates correct SKR with multiple algorithms ($n)" echo_i "check that 'dnssec-ksr sign' creates correct SKR with multiple algorithms ($n)"
ret=0 ret=0
ksr two-tone -i $created -e +6mo -K offline -f ksr.request.expect sign two-tone.test >ksr.sign.out.$n 2>&1 || ret=1 ksr two-tone -i $created -e +6mo -K offline -f ksr.request.expect sign two-tone.test >ksr.sign.out.$n 2>&1 || ret=1
test "$ret" -eq 0 || echo_i "failed"
# Weak testing: # Weak testing:
zone="two-tone.test" zone="two-tone.test"
# expect 24 headers (including the footer) # expect 24 headers (including the footer)
lines=$(grep ";; SignedKeyResponse 1.0" ksr.sign.out.$n | wc -l) num_occurrences 24 ksr.sign.out.$n ";; SignedKeyResponse 1.0" || ret=1
test "$lines" -eq 24 || ret=1 # expect 23 KSKs and its signatures (for each header one)
# expect 23 KSKs (for each header one) num_occurrences 23 ksr.sign.out.$n "DNSKEY 257 3 8" "CDNSKEY" || ret=1 # exclude CDNSKEY lines
lines=$(grep "DNSKEY.*257 3 8" ksr.sign.out.$n | wc -l) test "$ret" -eq 0 || echo_i "2 failed"
test "$lines" -eq 23 || ret=1 num_occurrences 23 ksr.sign.out.$n "DNSKEY 257 3 13" "CDNSKEY" || ret=1 # exclude CDNSKEY lines
lines=$(grep "DNSKEY.*257 3 13" ksr.sign.out.$n | wc -l) test "$ret" -eq 0 || echo_i "3 failed"
test "$lines" -eq 23 || ret=1 num_occurrences 23 ksr.sign.out.$n "RRSIG DNSKEY 8" "CDNSKEY" || ret=1 # exclude CDNSKEY lines
# and thus 23 signatures test "$ret" -eq 0 || echo_i "4 failed"
lines=$(grep "RRSIG.*DNSKEY 8" ksr.sign.out.$n | wc -l) num_occurrences 23 ksr.sign.out.$n "RRSIG DNSKEY 13" "CDNSKEY" || ret=1 # exclude CDNSKEY lines
test "$lines" -eq 23 || ret=1 test "$ret" -eq 0 || echo_i "5 failed"
lines=$(grep "RRSIG.*DNSKEY 13" ksr.sign.out.$n | wc -l) # ... 23 CDNSKEY records and its signatures
test "$lines" -eq 23 || ret=1 num_occurrences 23 ksr.sign.out.$n "CDNSKEY 257 3 8" || ret=1
test "$ret" -eq 0 || echo_i "6 failed"
num_occurrences 23 ksr.sign.out.$n "CDNSKEY 257 3 13" || ret=1
test "$ret" -eq 0 || echo_i "7 failed"
num_occurrences 23 ksr.sign.out.$n "RRSIG CDNSKEY 8" || ret=1
test "$ret" -eq 0 || echo_i "8 failed"
num_occurrences 23 ksr.sign.out.$n "RRSIG CDNSKEY 13" || ret=1
test "$ret" -eq 0 || echo_i "9 failed"
# ... 23 CDS records and its signatures
num_occurrences 23 ksr.sign.out.$n "CDS 8 2" || ret=1
test "$ret" -eq 0 || echo_i "10 failed"
num_occurrences 23 ksr.sign.out.$n "CDS 13 2" || ret=1
test "$ret" -eq 0 || echo_i "11 failed"
num_occurrences 23 ksr.sign.out.$n "RRSIG CDS 8" || ret=1
test "$ret" -eq 0 || echo_i "12 failed"
num_occurrences 23 ksr.sign.out.$n "RRSIG CDS 13" || ret=1
test "$ret" -eq 0 || echo_i "13 failed"
# expect 25 ZSK (two more for double keys during the rollover) # expect 25 ZSK (two more for double keys during the rollover)
lines=$(grep "DNSKEY.*256 3 8" ksr.sign.out.$n | wc -l) num_occurrences 25 ksr.sign.out.$n "DNSKEY 256 3 8" || ret=1
test "$lines" -eq 25 || ret=1 test "$ret" -eq 0 || echo_i "14 failed"
lines=$(grep "DNSKEY.*256 3 13" ksr.sign.out.$n | wc -l) num_occurrences 25 ksr.sign.out.$n "DNSKEY 256 3 13" || ret=1
test "$lines" -eq 25 || ret=1 test "$ret" -eq 0 || echo_i "15 failed"
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret)) status=$((status + ret))
echo_i "exit status: $status" echo_i "exit status: $status"