mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-30 22:15:20 +00:00
Update dnssec system test
The dnssec system test has some tests that use auto-dnssec. Update these tests to make use of dnssec-policy. Remove any 'rndc signing -nsec3param' commands because with dnssec-policy you set the NSEC3 parameters in the configuration. Remove now duplicate tests that checked if CDS and CDNSKEY RRsets are signed with KSK only (the dnssec-dnskey-kskonly option worked in combination with auto-dnssec). Also remove the publish-inactive.example test case because such use cases are no longer supported (only with manual signing). The auto-nsec and auto-nsec3 zones need to use an alternative algorithm because duplicate lines in dnssec-policy/keys are ignored.
This commit is contained in:
Matthijs Mekking
@@ -13,7 +13,7 @@
|
||||
|
||||
set -e
|
||||
|
||||
rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/signedkey-* ./*/*.signed
|
||||
rm -f ./K* ./*/K* ./*/keyset-* ./*/dsset-* ./*/signedkey-* ./*/*.signed
|
||||
rm -f ./*/example.bk
|
||||
rm -f ./*/named.conf
|
||||
rm -f ./*/named.memstats
|
||||
@@ -40,18 +40,17 @@ rm -f ./ns1/root.db ./ns2/example.db ./ns2/managed.db ./ns2/trusted.db
|
||||
rm -f ./ns1/trusted.keys
|
||||
rm -f ./ns2/algroll.db
|
||||
rm -f ./ns2/badparam.db ./ns2/badparam.db.bad
|
||||
rm -f ./ns2/cdnskey-kskonly.secure.db
|
||||
rm -f ./ns2/cdnskey-kskonly.secure.id
|
||||
rm -f ./ns2/cdnskey-update.secure.db
|
||||
rm -f ./ns2/cdnskey-update.secure.id
|
||||
rm -f ./ns2/cdnskey-x.secure.db
|
||||
rm -f ./ns2/cdnskey.secure.db
|
||||
rm -f ./ns2/cds-auto.secure.db ./ns2/cds-auto.secure.db.jnl
|
||||
rm -f ./ns2/cds-kskonly.secure.db
|
||||
rm -f ./ns2/cds-kskonly.secure.id
|
||||
rm -f ./ns2/cds-update.secure.db ./ns2/cds-update.secure.db.jnl
|
||||
rm -f ./ns2/cds-update.secure.id
|
||||
rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db
|
||||
rm -f ./ns2/in-addr.arpa.db
|
||||
rm -f ./ns2/nsec3chain-test.db
|
||||
rm -f ./ns2/settime.out.*
|
||||
rm -f ./ns2/single-nsec3.db
|
||||
rm -f ./ns2/too-many-iterations.db
|
||||
rm -f ./ns2/updatecheck-kskonly.secure.*
|
||||
@@ -82,7 +81,6 @@ rm -f ./ns3/occluded.example.db
|
||||
rm -f ./ns3/optout-unknown.example.db ./ns3/optout.example.db
|
||||
rm -f ./ns3/optout.nsec3.example.db
|
||||
rm -f ./ns3/optout.optout.example.db
|
||||
rm -f ./ns3/publish-inactive.example.db
|
||||
rm -f ./ns3/revkey.example.db
|
||||
rm -f ./ns3/rsasha1-1024.example.tmp
|
||||
rm -f ./ns3/rsasha1.example.tmp
|
||||
|
||||
@@ -1,14 +0,0 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; SPDX-License-Identifier: MPL-2.0
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 3600
|
||||
@ SOA ns2.example. . 1 3600 1200 86400 1200
|
||||
@ NS ns2.example.
|
||||
@@ -1,14 +0,0 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; SPDX-License-Identifier: MPL-2.0
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 3600
|
||||
@ SOA ns2.example. . 1 3600 1200 86400 1200
|
||||
@ NS ns2.example.
|
||||
@@ -37,6 +37,35 @@ controls {
|
||||
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
};
|
||||
|
||||
dnssec-policy "dnssec" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
};
|
||||
|
||||
dnssec-policy "kskonly" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
signatures-validity 10d;
|
||||
signatures-validity-dnskey 40d;
|
||||
};
|
||||
|
||||
dnssec-policy "not-enough-hours-in-day" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
/* validity 500 days, resign in 449 days */
|
||||
signatures-validity-dnskey 500d;
|
||||
signatures-validity 500d;
|
||||
signatures-refresh 449d;
|
||||
};
|
||||
|
||||
zone "." {
|
||||
type hint;
|
||||
file "../../common/root.hint";
|
||||
@@ -119,23 +148,14 @@ zone "cds-x.secure" {
|
||||
|
||||
zone "cds-update.secure" {
|
||||
type primary;
|
||||
dnssec-dnskey-kskonly no;
|
||||
file "cds-update.secure.db.signed";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "cds-kskonly.secure" {
|
||||
type primary;
|
||||
dnssec-dnskey-kskonly yes;
|
||||
file "cds-kskonly.secure.db.signed";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "cds-auto.secure" {
|
||||
type primary;
|
||||
dnssec-dnskey-kskonly no;
|
||||
file "cds-auto.secure.db.signed";
|
||||
auto-dnssec maintain;
|
||||
dnssec-policy dnssec;
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
@@ -151,35 +171,21 @@ zone "cdnskey-x.secure" {
|
||||
|
||||
zone "cdnskey-update.secure" {
|
||||
type primary;
|
||||
dnssec-dnskey-kskonly no;
|
||||
file "cdnskey-update.secure.db.signed";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "cdnskey-kskonly.secure" {
|
||||
type primary;
|
||||
dnssec-dnskey-kskonly yes;
|
||||
file "cdnskey-kskonly.secure.db.signed";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "cdnskey-auto.secure" {
|
||||
type primary;
|
||||
dnssec-dnskey-kskonly no;
|
||||
file "cdnskey-auto.secure.db.signed";
|
||||
auto-dnssec maintain;
|
||||
dnssec-policy dnssec;
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "updatecheck-kskonly.secure" {
|
||||
type primary;
|
||||
auto-dnssec maintain;
|
||||
key-directory ".";
|
||||
dnssec-dnskey-kskonly yes;
|
||||
update-check-ksk yes;
|
||||
sig-validity-interval 10;
|
||||
dnskey-sig-validity 40;
|
||||
file "updatecheck-kskonly.secure.db.signed";
|
||||
dnssec-policy kskonly;
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
@@ -191,9 +197,7 @@ zone "corp" {
|
||||
zone "hours-vs-days" {
|
||||
type primary;
|
||||
file "hours-vs-days.db.signed";
|
||||
auto-dnssec maintain;
|
||||
/* validity 500 days, resign in 499 days */
|
||||
sig-validity-interval 500 499;
|
||||
dnssec-policy not-enough-hours-in-day;
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
|
||||
@@ -233,15 +233,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
|
||||
zone=cds-kskonly.secure
|
||||
infile=cds-kskonly.secure.db.in
|
||||
zonefile=cds-kskonly.secure.db
|
||||
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
keyfile_to_key_id "$key1" > cds-kskonly.secure.id
|
||||
keyfile_to_key_id "$key1" > cds-update.secure.id
|
||||
|
||||
zone=cds-auto.secure
|
||||
infile=cds-auto.secure.db.in
|
||||
@@ -277,15 +269,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
|
||||
zone=cdnskey-kskonly.secure
|
||||
infile=cdnskey-kskonly.secure.db.in
|
||||
zonefile=cdnskey-kskonly.secure.db
|
||||
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id
|
||||
keyfile_to_key_id "$key1" > cdnskey-update.secure.id
|
||||
|
||||
zone=cdnskey-auto.secure
|
||||
infile=cdnskey-auto.secure.db.in
|
||||
@@ -305,11 +289,11 @@ keyfile_to_key_id "$key1" > $zone.ksk.id
|
||||
keyfile_to_key_id "$key2" > $zone.zsk.id
|
||||
echo "${key1}" > $zone.ksk.key
|
||||
echo "${key2}" > $zone.zsk.key
|
||||
# Add CDS and CDNSKEY records
|
||||
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey"
|
||||
"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
|
||||
cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile"
|
||||
# Don't sign, let auto-dnssec maintain do it.
|
||||
# Make sure dnssec-policy adds CDS and CDNSKEY records
|
||||
$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -r OMNIPRESENT now -d RUMOURED now $key1 > settime.out.$zone.ksk 2>&1
|
||||
$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -z OMNIPRESENT now $key2 > settime.out.$zone.zsk 2>&1
|
||||
# Don't sign, let dnssec-policy maintain do it.
|
||||
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
|
||||
mv $zonefile "$zonefile.signed"
|
||||
|
||||
zone=hours-vs-days
|
||||
|
||||
@@ -37,6 +37,42 @@ controls {
|
||||
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
};
|
||||
|
||||
dnssec-policy "dnssec" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
};
|
||||
|
||||
dnssec-policy "nsec3" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
nsec3param iterations 0 optout no salt-length 0;
|
||||
};
|
||||
|
||||
dnssec-policy "autonsec" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
ksk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
|
||||
};
|
||||
};
|
||||
|
||||
dnssec-policy "autonsec3" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
ksk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
|
||||
};
|
||||
|
||||
nsec3param iterations 0 optout no salt-length 0;
|
||||
};
|
||||
|
||||
zone "." {
|
||||
type hint;
|
||||
file "../../common/root.hint";
|
||||
@@ -209,21 +245,21 @@ zone "expired.example" {
|
||||
|
||||
zone "update-nsec3.example" {
|
||||
type primary;
|
||||
auto-dnssec maintain;
|
||||
dnssec-policy nsec3;
|
||||
allow-update { any; };
|
||||
file "update-nsec3.example.db.signed";
|
||||
};
|
||||
|
||||
zone "auto-nsec.example" {
|
||||
type primary;
|
||||
auto-dnssec maintain;
|
||||
dnssec-policy autonsec;
|
||||
allow-update { !0.0.0.0; };
|
||||
file "auto-nsec.example.db.signed";
|
||||
};
|
||||
|
||||
zone "auto-nsec3.example" {
|
||||
type primary;
|
||||
auto-dnssec maintain;
|
||||
dnssec-policy autonsec3;
|
||||
allow-update { !0.0.0.0; };
|
||||
file "auto-nsec3.example.db.signed";
|
||||
};
|
||||
@@ -286,15 +322,7 @@ zone "inline.example" {
|
||||
type primary;
|
||||
file "inline.example.db";
|
||||
inline-signing yes;
|
||||
auto-dnssec maintain;
|
||||
};
|
||||
|
||||
zone "publish-inactive.example" {
|
||||
type primary;
|
||||
file "publish-inactive.example.db";
|
||||
auto-dnssec maintain;
|
||||
dnssec-dnskey-kskonly no;
|
||||
update-policy local;
|
||||
dnssec-policy dnssec;
|
||||
};
|
||||
|
||||
zone "future.example" {
|
||||
@@ -389,6 +417,28 @@ zone "rsasha1-1024.example" {
|
||||
file "rsasha1-1024.example.db";
|
||||
};
|
||||
|
||||
dnssec-policy "siginterval1" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
signatures-validity 1d;
|
||||
signatures-refresh 21h;
|
||||
signatures-validity-dnskey 90d;
|
||||
};
|
||||
|
||||
dnssec-policy "siginterval2" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
signatures-validity 35d;
|
||||
signatures-refresh 28d;
|
||||
signatures-validity-dnskey 90d;
|
||||
};
|
||||
|
||||
include "siginterval.conf";
|
||||
|
||||
include "trusted.conf";
|
||||
|
||||
@@ -14,8 +14,6 @@
|
||||
zone "siginterval.example" {
|
||||
type primary;
|
||||
allow-update { any; };
|
||||
sig-validity-interval 1 23;
|
||||
dnskey-sig-validity 90;
|
||||
auto-dnssec maintain;
|
||||
dnssec-policy siginterval1;
|
||||
file "siginterval.example.db";
|
||||
};
|
||||
|
||||
@@ -14,8 +14,6 @@
|
||||
zone "siginterval.example" {
|
||||
type primary;
|
||||
allow-update { any; };
|
||||
sig-validity-interval 35 28;
|
||||
dnskey-sig-validity 90;
|
||||
auto-dnssec maintain;
|
||||
dnssec-policy siginterval2;
|
||||
file "siginterval.example.db";
|
||||
};
|
||||
|
||||
@@ -419,7 +419,7 @@ cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
|
||||
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# A NSEC signed zone that will have auto-dnssec enabled and
|
||||
# A NSEC signed zone that will have dnssec-policy enabled and
|
||||
# extra keys not in the initial signed zone.
|
||||
#
|
||||
zone=auto-nsec.example.
|
||||
@@ -428,13 +428,13 @@ zonefile=auto-nsec.example.db
|
||||
|
||||
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
|
||||
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
|
||||
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
|
||||
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
|
||||
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null
|
||||
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" > /dev/null
|
||||
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
|
||||
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# A NSEC3 signed zone that will have auto-dnssec enabled and
|
||||
# A NSEC3 signed zone that will have dnssec-policy enabled and
|
||||
# extra keys not in the initial signed zone.
|
||||
#
|
||||
zone=auto-nsec3.example.
|
||||
@@ -443,8 +443,8 @@ zonefile=auto-nsec3.example.db
|
||||
|
||||
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
|
||||
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
|
||||
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
|
||||
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
|
||||
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null
|
||||
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" > /dev/null
|
||||
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
|
||||
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
@@ -569,20 +569,6 @@ zone=inline.example.
|
||||
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
|
||||
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
|
||||
|
||||
#
|
||||
# publish a new key while deactivating another key at the same time.
|
||||
#
|
||||
zone=publish-inactive.example
|
||||
infile=publish-inactive.example.db.in
|
||||
zonefile=publish-inactive.example.db
|
||||
now=$(date -u +%Y%m%d%H%M%S)
|
||||
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
|
||||
kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
|
||||
kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
|
||||
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
|
||||
cp "$infile" "$zonefile"
|
||||
"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# A zone which will change its sig-validity-interval
|
||||
#
|
||||
|
||||
@@ -2763,7 +2763,6 @@ status=$((status+ret))
|
||||
echo_i "checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)"
|
||||
ret=0
|
||||
(
|
||||
cd ns3 || exit 1
|
||||
kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example)
|
||||
(
|
||||
echo zone update-nsec3.example
|
||||
@@ -2780,7 +2779,7 @@ n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)"
|
||||
echo_i "checking that the NSEC record is properly generated when DNSKEY are added by dnssec-policy ($n)"
|
||||
ret=0
|
||||
dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
|
||||
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
@@ -2790,7 +2789,7 @@ n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)"
|
||||
echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added by dnssec-policy ($n)"
|
||||
ret=0
|
||||
dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
|
||||
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
@@ -2842,121 +2841,6 @@ n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that 'rndc signing -nsec3param' without additional arguments is handled ($n)"
|
||||
ret=0
|
||||
rndccmd 10.53.0.3 signing -nsec3param > /dev/null 2>&1 && ret=1
|
||||
rndccmd 10.53.0.3 status > /dev/null || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that 'rndc signing -nsec3param none' without zone is handled ($n)"
|
||||
ret=0
|
||||
rndccmd 10.53.0.3 signing -nsec3param none > /dev/null 2>&1 && ret=1
|
||||
rndccmd 10.53.0.3 status > /dev/null || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)"
|
||||
ret=0
|
||||
rndccmd 10.53.0.3 signing -nsec3param 1 > /dev/null 2>&1 && ret=1
|
||||
rndccmd 10.53.0.3 status > /dev/null || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)"
|
||||
ret=0
|
||||
rndccmd 10.53.0.3 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1
|
||||
rndccmd 10.53.0.3 status > /dev/null || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)"
|
||||
ret=0
|
||||
rndccmd 10.53.0.3 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1
|
||||
rndccmd 10.53.0.3 status > /dev/null || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)"
|
||||
ret=0
|
||||
rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1
|
||||
rndccmd 10.53.0.3 status > /dev/null || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that 'rndc signing -nsec3param' works with salt ($n)"
|
||||
ret=0
|
||||
rndccmd 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1
|
||||
rndccmd 10.53.0.3 status > /dev/null || ret=1
|
||||
for i in 1 2 3 4 5 6 7 8 9 10 ; do
|
||||
salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
|
||||
if [ "$salt" = "FFFF" ]; then
|
||||
break;
|
||||
fi
|
||||
echo_i "sleeping ...."
|
||||
sleep 1
|
||||
done;
|
||||
[ "$salt" = "FFFF" ] || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that 'rndc signing -nsec3param' works without salt ($n)"
|
||||
ret=0
|
||||
rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1
|
||||
rndccmd 10.53.0.3 status > /dev/null || ret=1
|
||||
for i in 1 2 3 4 5 6 7 8 9 10 ; do
|
||||
salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
|
||||
if [ "$salt" = "-" ]; then
|
||||
break;
|
||||
fi
|
||||
echo_i "sleeping ...."
|
||||
sleep 1
|
||||
done;
|
||||
[ "$salt" = "-" ] || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)"
|
||||
ret=0
|
||||
rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
|
||||
rndccmd 10.53.0.3 status > /dev/null || ret=1
|
||||
for i in 1 2 3 4 5 6 7 8 9 10 ; do
|
||||
salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
|
||||
[ -n "$salt" ] && [ "$salt" != "-" ] && break
|
||||
echo_i "sleeping ...."
|
||||
sleep 1
|
||||
done;
|
||||
[ "$salt" != "-" ] || ret=1
|
||||
[ "${#salt}" -eq 16 ] || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)"
|
||||
ret=0
|
||||
oldsalt=$salt
|
||||
rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
|
||||
rndccmd 10.53.0.3 status > /dev/null || ret=1
|
||||
for i in 1 2 3 4 5 6 7 8 9 10 ; do
|
||||
salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
|
||||
[ -n "$salt" ] && [ "$salt" != "$oldsalt" ] && break
|
||||
echo_i "sleeping ...."
|
||||
sleep 1
|
||||
done;
|
||||
[ "$salt" != "$oldsalt" ] || ret=1
|
||||
[ "${#salt}" -eq 16 ] || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check rndc signing -list output ($n)"
|
||||
ret=0
|
||||
{ rndccmd 10.53.0.3 signing -list dynamic.example > signing.out.dynamic.example; } 2>&1
|
||||
@@ -3398,26 +3282,7 @@ n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)"
|
||||
ret=0
|
||||
cnt=0
|
||||
while :
|
||||
do
|
||||
dig_with_opts publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n
|
||||
keys=$(awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l)
|
||||
test "$keys" -gt 2 && break
|
||||
cnt=$((cnt+1))
|
||||
test "$cnt" -gt 120 && break
|
||||
sleep 1
|
||||
done
|
||||
test "$keys" -gt 2 || ret=1
|
||||
sigs=$(grep -c RRSIG dig.out.ns3.test$n || true)
|
||||
n=$((n+1))
|
||||
test "$sigs" -eq 2 || ret=1
|
||||
if test "$ret" -ne 0 ; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that increasing the sig-validity-interval resigning triggers re-signing ($n)"
|
||||
echo_i "check that increasing the signatures-validity resigning triggers re-signing ($n)"
|
||||
ret=0
|
||||
before=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA)
|
||||
cp ns3/siginterval2.conf ns3/siginterval.conf
|
||||
@@ -3434,7 +3299,7 @@ if test "$before" = "$after" ; then echo_i "failed"; ret=1; fi
|
||||
status=$((status+ret))
|
||||
|
||||
if [ -x "$PYTHON" ]; then
|
||||
echo_i "check dnskey-sig-validity sets longer expiry for DNSKEY ($n)"
|
||||
echo_i "check signatures-validity-dnskey sets longer expiry for DNSKEY ($n)"
|
||||
ret=0
|
||||
rndccmd 10.53.0.3 sign siginterval.example 2>&1 | sed 's/^/ns3 /' | cat_i
|
||||
# convert expiry date to a comma-separated list of integers python can
|
||||
@@ -3641,11 +3506,11 @@ n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that CDS records are signed using KSK by with dnssec-auto ($n)"
|
||||
echo_i "check that CDS records are signed using KSK by with dnssec-policy ($n)"
|
||||
ret=0
|
||||
dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure > dig.out.test$n
|
||||
lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 2 || ret=1
|
||||
test "$lines" -eq 1 || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
@@ -3668,8 +3533,9 @@ n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that CDS records are signed using KSK when added by nsupdate ($n)"
|
||||
echo_i "check that CDS records are signed only using KSK when added by nsupdate ($n)"
|
||||
ret=0
|
||||
keyid=$(cat ns2/cds-update.secure.id)
|
||||
(
|
||||
echo zone cds-update.secure
|
||||
echo server 10.53.0.2 "$PORT"
|
||||
@@ -3683,30 +3549,6 @@ echo send
|
||||
) | $NSUPDATE
|
||||
dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
|
||||
lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 2 || ret=1
|
||||
lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 2 || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that CDS records are signed only using KSK when added by"
|
||||
echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
|
||||
ret=0
|
||||
keyid=$(cat ns2/cds-kskonly.secure.id)
|
||||
(
|
||||
echo zone cds-kskonly.secure
|
||||
echo server 10.53.0.2 "$PORT"
|
||||
echo update delete cds-kskonly.secure CDS
|
||||
echo send
|
||||
dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure |
|
||||
grep "DNSKEY.257" |
|
||||
$DSFROMKEY -12 -C -f - -T 1 cds-kskonly.secure |
|
||||
sed "s/^/update add /"
|
||||
echo send
|
||||
) | $NSUPDATE
|
||||
dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n
|
||||
lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 1 || ret=1
|
||||
lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 1 || ret=1
|
||||
@@ -3716,18 +3558,17 @@ n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that CDS deletion records are signed only using KSK when added by"
|
||||
echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
|
||||
echo_i "check that CDS deletion records are signed only using KSK when added by nsupdate ($n)"
|
||||
ret=0
|
||||
keyid=$(cat ns2/cds-kskonly.secure.id)
|
||||
keyid=$(cat ns2/cds-update.secure.id)
|
||||
(
|
||||
echo zone cds-kskonly.secure
|
||||
echo zone cds-update.secure
|
||||
echo server 10.53.0.2 "$PORT"
|
||||
echo update delete cds-kskonly.secure CDS
|
||||
echo update add cds-kskonly.secure 0 CDS 0 0 0 00
|
||||
echo update delete cds-update.secure CDS
|
||||
echo update add cds-update.secure 0 CDS 0 0 0 00
|
||||
echo send
|
||||
) | $NSUPDATE
|
||||
dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n
|
||||
dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
|
||||
lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 1 || ret=1
|
||||
lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l)
|
||||
@@ -3771,7 +3612,7 @@ echo send
|
||||
) | $NSUPDATE
|
||||
dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
|
||||
lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 2 || ret=1
|
||||
test "$lines" -eq 1 || ret=1
|
||||
lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 4 || ret=1
|
||||
n=$((n+1))
|
||||
@@ -3820,7 +3661,7 @@ echo_i "check that CDNSKEY records are signed using KSK by with dnssec-auto ($n)
|
||||
ret=0
|
||||
dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure > dig.out.test$n
|
||||
lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 2 || ret=1
|
||||
test "$lines" -eq 1 || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
@@ -3892,8 +3733,9 @@ n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that CDNSKEY records are signed using KSK when added by nsupdate ($n)"
|
||||
echo_i "check that CDNSKEY records are signed using KSK only when added by nsupdate ($n)"
|
||||
ret=0
|
||||
keyid=$(cat ns2/cdnskey-update.secure.id)
|
||||
(
|
||||
echo zone cdnskey-update.secure
|
||||
echo server 10.53.0.2 "$PORT"
|
||||
@@ -3904,27 +3746,6 @@ echo send
|
||||
) | $NSUPDATE
|
||||
dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
|
||||
lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 2 || ret=1
|
||||
lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 1 || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that CDNSKEY records are signed only using KSK when added by"
|
||||
echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
|
||||
ret=0
|
||||
keyid=$(cat ns2/cdnskey-kskonly.secure.id)
|
||||
(
|
||||
echo zone cdnskey-kskonly.secure
|
||||
echo server 10.53.0.2 "$PORT"
|
||||
echo update delete cdnskey-kskonly.secure CDNSKEY
|
||||
dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure |
|
||||
sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
|
||||
echo send
|
||||
) | $NSUPDATE
|
||||
dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n
|
||||
lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 1 || ret=1
|
||||
lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 1 || ret=1
|
||||
@@ -3934,29 +3755,8 @@ n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that CDNSKEY deletion records are signed only using KSK when added by"
|
||||
echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
|
||||
ret=0
|
||||
keyid=$(cat ns2/cdnskey-kskonly.secure.id)
|
||||
(
|
||||
echo zone cdnskey-kskonly.secure
|
||||
echo server 10.53.0.2 "$PORT"
|
||||
echo update delete cdnskey-kskonly.secure CDNSKEY
|
||||
echo update add cdnskey-kskonly.secure 0 CDNSKEY 0 3 0 AA==
|
||||
echo send
|
||||
) | $NSUPDATE
|
||||
dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n
|
||||
lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 1 || ret=1
|
||||
lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 1 || ret=1
|
||||
lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 1 || ret=1
|
||||
lines=$(awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' dig.out.test$n | wc -l)
|
||||
test "${lines:-10}" -eq 1 || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
echo_i "status: $status"
|
||||
exit $status
|
||||
|
||||
echo_i "checking initialization with a revoked managed key ($n)"
|
||||
ret=0
|
||||
@@ -3983,7 +3783,7 @@ echo send
|
||||
) | $NSUPDATE
|
||||
dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
|
||||
lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 2 || ret=1
|
||||
test "$lines" -eq 1 || ret=1
|
||||
lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
|
||||
test "$lines" -eq 2 || ret=1
|
||||
n=$((n+1))
|
||||
@@ -4312,7 +4112,7 @@ get_keys_which_signed() {
|
||||
# Basic checks to make sure everything is fine before the KSK is made offline.
|
||||
for qtype in "DNSKEY" "CDNSKEY" "CDS"
|
||||
do
|
||||
echo_i "checking $qtype RRset is signed with KSK only (update-check-ksk, dnssec-ksk-only) ($n)"
|
||||
echo_i "checking $qtype RRset is signed with KSK only ($n)"
|
||||
ret=0
|
||||
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
|
||||
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
|
||||
@@ -4324,7 +4124,7 @@ do
|
||||
status=$((status+ret))
|
||||
done
|
||||
|
||||
echo_i "checking SOA RRset is signed with ZSK only (update-check-ksk and dnssec-ksk-only) ($n)"
|
||||
echo_i "checking SOA RRset is signed with ZSK only ($n)"
|
||||
ret=0
|
||||
dig_with_opts $SECTIONS @10.53.0.2 soa $zone > dig.out.test$n
|
||||
lines=$(get_keys_which_signed "SOA" dig.out.test$n | wc -l)
|
||||
@@ -4339,10 +4139,9 @@ status=$((status+ret))
|
||||
zsk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
|
||||
keyfile_to_key_id "$zsk2" > ns2/$zone.zsk.id2
|
||||
ZSK_ID2=$(cat ns2/$zone.zsk.id2)
|
||||
|
||||
echo_i "load new ZSK $ZSK_ID2 for $zone ($n)"
|
||||
ret=0
|
||||
dnssec_loadkeys_on 2 $zone || ret=1
|
||||
echo_i "prepublish new ZSK $ZSK_ID2 for $zone ($n)"
|
||||
rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID $zone 2>&1 | sed 's/^/ns2 /' | cat_i
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
@@ -4351,7 +4150,7 @@ status=$((status+ret))
|
||||
echo_i "make ZSK $ZSK_ID inactive and make new ZSK $ZSK_ID2 active for zone $zone ($n)"
|
||||
ret=0
|
||||
$SETTIME -I now -K ns2 $ZSK > /dev/null
|
||||
$SETTIME -A now -K ns2 $zsk2 > /dev/null
|
||||
$SETTIME -s -k OMNIPRESENT now -A now -K ns2 $zsk2 > /dev/null
|
||||
dnssec_loadkeys_on 2 $zone || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
@@ -4374,7 +4173,7 @@ echo send
|
||||
# Redo the tests now that the zone is updated and the KSK is offline.
|
||||
for qtype in "DNSKEY" "CDNSKEY" "CDS"
|
||||
do
|
||||
echo_i "checking $qtype RRset is signed with KSK only, KSK offline (update-check-ksk, dnssec-ksk-only) ($n)"
|
||||
echo_i "checking $qtype RRset is signed with KSK only, KSK offline ($n)"
|
||||
ret=0
|
||||
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
|
||||
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
|
||||
@@ -4389,7 +4188,7 @@ done
|
||||
|
||||
for qtype in "SOA" "TXT"
|
||||
do
|
||||
echo_i "checking $qtype RRset is signed with ZSK only, KSK offline (update-check-ksk and dnssec-ksk-only) ($n)"
|
||||
echo_i "checking $qtype RRset is signed with new ZSK $ZSK_ID2 only, KSK offline ($n)"
|
||||
ret=0
|
||||
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
|
||||
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
|
||||
@@ -4414,10 +4213,10 @@ ZSK_ID3=$(cat ns2/$zone.zsk.id3)
|
||||
|
||||
# Schedule the new ZSK (ZSK3) to become active.
|
||||
echo_i "delete old ZSK $ZSK_ID schedule ZSK $ZSK_ID2 inactive and new ZSK $ZSK_ID3 active for zone $zone ($n)"
|
||||
$SETTIME -D now -K ns2 $ZSK > /dev/null
|
||||
$SETTIME -s -k UNRETENTIVE -z HIDDEN -D now -K ns2 $ZSK > /dev/null
|
||||
$SETTIME -I +3600 -K ns2 $zsk2 > /dev/null
|
||||
$SETTIME -A +3600 -K ns2 $zsk3 > /dev/null
|
||||
dnssec_loadkeys_on 2 $zone || ret=1
|
||||
rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID2 $zone 2>&1 | sed 's/^/ns2 /' | cat_i
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
@@ -4439,7 +4238,7 @@ echo send
|
||||
# Redo the tests now that the ZSK roll has deleted the old key.
|
||||
for qtype in "DNSKEY" "CDNSKEY" "CDS"
|
||||
do
|
||||
echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted (update-check-ksk, dnssec-ksk-only) ($n)"
|
||||
echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted ($n)"
|
||||
ret=0
|
||||
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
|
||||
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
|
||||
@@ -4455,7 +4254,7 @@ done
|
||||
|
||||
for qtype in "SOA" "TXT"
|
||||
do
|
||||
echo_i "checking $qtype RRset is signed with ZSK only, old ZSK deleted (update-check-ksk and dnssec-ksk-only) ($n)"
|
||||
echo_i "checking $qtype RRset is signed with ZSK $ZSK_ID2 only, old ZSK deleted ($n)"
|
||||
ret=0
|
||||
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
|
||||
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
|
||||
@@ -4471,8 +4270,9 @@ done
|
||||
|
||||
# Make the new ZSK (ZSK3) active.
|
||||
echo_i "make new ZSK $ZSK_ID3 active for zone $zone ($n)"
|
||||
$SETTIME -I +1 -K ns2 $zsk2 > /dev/null
|
||||
$SETTIME -A +1 -K ns2 $zsk3 > /dev/null
|
||||
$SETTIME -I now -K ns2 $zsk2 > /dev/null
|
||||
$SETTIME -s -k OMNIPRESENT now -A now -K ns2 $zsk3 > /dev/null
|
||||
|
||||
dnssec_loadkeys_on 2 $zone || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
@@ -4506,7 +4306,7 @@ status=$((status+ret))
|
||||
# Redo the tests one more time.
|
||||
for qtype in "DNSKEY" "CDNSKEY" "CDS"
|
||||
do
|
||||
echo_i "checking $qtype RRset is signed with KSK only, new ZSK active (update-check-ksk, dnssec-ksk-only) ($n)"
|
||||
echo_i "checking $qtype RRset is signed with KSK only, new ZSK active ($n)"
|
||||
ret=0
|
||||
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
|
||||
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
|
||||
@@ -4522,7 +4322,7 @@ done
|
||||
|
||||
for qtype in "SOA" "TXT"
|
||||
do
|
||||
echo_i "checking $qtype RRset is signed with ZSK only, new ZSK active (update-check-ksk and dnssec-ksk-only) ($n)"
|
||||
echo_i "checking $qtype RRset is signed with new ZSK $ZSK_ID3 only, new ZSK active ($n)"
|
||||
ret=0
|
||||
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
|
||||
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
|
||||
|
||||
Reference in New Issue
Block a user