diff --git a/CHANGES b/CHANGES index 675ba7b777..68b533980b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2841. [func] Added "smartsign" and improved "autosign" and + "dnssec" regression tests. [RT #20865] + 2840. [bug] Change 2836 was not complete. [RT #20883] 2839. [bug] Temporary fixed pkcs11-destroy usage check. diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh index 303b4b479c..832715de53 100644 --- a/bin/tests/system/autosign/clean.sh +++ b/bin/tests/system/autosign/clean.sh @@ -14,24 +14,31 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $ +# $Id: clean.sh,v 1.4 2010/01/18 19:19:30 each Exp $ rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk -rm -f inact.key del.key unpub.key standby.key rev.key -rm -f ns1/root.db ns2/example.db ns3/secure.example.db -rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db -rm -f ns2/private.secure.example.db +rm -f active.key inact.key del.key unpub.key standby.key rev.key +rm -f nopriv.key vanishing.key +rm -f nsupdate.out rm -f */core rm -f */example.bk +rm -f */named.memstats rm -f dig.out.* rm -f random.data -rm -f ns2/dlv.db -rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db -rm -f ns3/optout-unknown.example.db ns3/optout.example.db -rm -f */named.memstats +rm -f ns1/root.db +rm -f ns2/example.db +rm -f ns2/private.secure.example.db ns2/bar.db +rm -f ns3/nsec.example.db +rm -f ns3/nsec3.example.db rm -f ns3/nsec3.nsec3.example.db rm -f ns3/nsec3.optout.example.db +rm -f ns3/nsec3-to-nsec.example.db +rm -f ns3/oldsigs.example.db +rm -f ns3/optout.example.db rm -f ns3/optout.nsec3.example.db rm -f ns3/optout.optout.example.db +rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db +rm -f ns3/secure.example.db rm -f ns3/secure.nsec3.example.db rm -f ns3/secure.optout.example.db +rm -f ns3/secure-to-insecure.example.db 
diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh
index 4dae4d7fb0..043f6dcf39 100644
--- a/bin/tests/system/autosign/ns1/keygen.sh
+++ b/bin/tests/system/autosign/ns1/keygen.sh
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: keygen.sh,v 1.4 2009/12/19 17:30:31 each Exp $
+# $Id: keygen.sh,v 1.5 2010/01/18 19:19:30 each Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -29,11 +29,14 @@ infile=root.db.in
 
 cat $infile ../ns2/dsset-example. > $zonefile
 
-$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
+zskact=`$KEYGEN -3 -q -r $RANDFILE $zone`
+zskvanish=`$KEYGEN -3 -q -r $RANDFILE $zone`
 zskdel=`$KEYGEN -3 -q -r $RANDFILE -D now $zone`
 zskinact=`$KEYGEN -3 -q -r $RANDFILE -I now $zone`
 zskunpub=`$KEYGEN -3 -q -r $RANDFILE -G $zone`
 zsksby=`$KEYGEN -3 -q -r $RANDFILE -A none $zone`
+zsknopriv=`$KEYGEN -3 -q -r $RANDFILE $zone`
+rm $zsknopriv.private
 ksksby=`$KEYGEN -3 -q -r $RANDFILE -P now -A now+15s -fk $zone`
 kskrev=`$KEYGEN -3 -q -r $RANDFILE -R now+15s -fk $zone`
 
@@ -62,8 +65,11 @@ EOF
 ' > trusted.conf
 cp trusted.conf ../ns5/trusted.conf
 
+echo $zskact > ../active.key
+echo $zskvanish > ../vanishing.key
 echo $zskdel > ../del.key
 echo $zskinact > ../inact.key
 echo $zskunpub > ../unpub.key
+echo $zsknopriv > ../nopriv.key
 echo $zsksby > ../standby.key
 echo $kskrev > ../rev.key
diff --git a/bin/tests/system/autosign/ns1/root.db.in b/bin/tests/system/autosign/ns1/root.db.in
index a1a19c4d60..faafbd561e 100644
--- a/bin/tests/system/autosign/ns1/root.db.in
+++ b/bin/tests/system/autosign/ns1/root.db.in
@@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+; $Id: root.db.in,v 1.4 2010/01/18 19:19:30 each Exp $
 
 $TTL 30
 . IN SOA a.root.servers.nil. each.isc.org. (
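Review bot: `rm $zsknopriv.private` in the new key block of the @@ -29 hunk runs unguarded and uncommented: if that `$KEYGEN` call fails, `zsknopriv` is empty, the `rm` fails on the literal name `.private`, and `echo $zsknopriv > ../nopriv.key` in the @@ -62 hunk writes an empty key name, so the breakage only surfaces later in tests.sh. Suggest `test -n "$zsknopriv" || exit 1` ahead of the rm, and a one-line comment stating why the private half is discarded (the variable name suggests a key that is meant to exist only as a public key) so the next reader does not mistake the rm for cleanup. The same unguarded pattern applies to the other backtick captures, but this is the only one whose output is acted on immediately.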
@@ -26,4 +26,5 @@ $TTL 30 a.root-servers.nil. A 10.53.0.1 example. NS ns2.example. +bar. NS ns2.example. ns2.example. A 10.53.0.2 diff --git a/bin/tests/system/autosign/ns2/bar.db.in b/bin/tests/system/autosign/ns2/bar.db.in new file mode 100644 index 0000000000..009d1d1a93 --- /dev/null +++ b/bin/tests/system/autosign/ns2/bar.db.in 
@@ -0,0 +1,85 @@ +; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: bar.db.in,v 1.2 2010/01/18 19:19:31 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 + +; Used for testing ANY queries +foo TXT "testing" +foo A 10.0.1.0 + +; Used for testing CNAME queries +cname1 CNAME cname1-target +cname1-target TXT "testing cname" + +cname2 CNAME cname2-target +cname2-target TXT "testing cname" + +; Used for testing DNAME queries +dname1 DNAME dname1-target +foo.dname1-target TXT "testing dname" + +dname2 DNAME dname2-target +foo.dname2-target TXT "testing dname" + +; A secure subdomain +secure NS ns.secure +ns.secure A 10.53.0.3 + +; An insecure subdomain +insecure NS ns.insecure +ns.insecure A 10.53.0.3 + +; A insecure subdomain +mustbesecure NS ns.mustbesecure +ns.mustbesecure A 10.53.0.3 + +z A 10.0.0.26 + +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 + +optout NS ns.optout +ns.optout A 10.53.0.3 + +nsec3-unknown NS ns.nsec3-unknown +ns.nsec3-unknown A 10.53.0.3 + +optout-unknown NS ns.optout-unknown 
+ns.optout-unknown A 10.53.0.3 + +multiple NS ns.multiple +ns.multiple A 10.53.0.3 + +rsasha256 NS ns.rsasha256 +ns.rsasha256 A 10.53.0.3 + +rsasha512 NS ns.rsasha512 +ns.rsasha512 A 10.53.0.3 diff --git a/bin/tests/system/autosign/ns2/example.db.in b/bin/tests/system/autosign/ns2/example.db.in index 88f113f02b..001427f9c0 100644 --- a/bin/tests/system/autosign/ns2/example.db.in +++ b/bin/tests/system/autosign/ns2/example.db.in @@ -12,7 +12,7 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $ +; $Id: example.db.in,v 1.4 2010/01/18 19:19:31 each Exp $ $TTL 300 ; 5 minutes @ IN SOA mname1. . ( @@ -83,3 +83,9 @@ ns.rsasha256 A 10.53.0.3 rsasha512 NS ns.rsasha512 ns.rsasha512 A 10.53.0.3 + +nsec3-to-nsec NS ns.nsec3-to-nsec +ns.nsec3-to-nsec A 10.53.0.3 + +oldsigs NS ns.oldsigs +ns.oldsigs A 10.53.0.3 diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh index 77a2d655b9..74fa26facc 100644 --- a/bin/tests/system/autosign/ns2/keygen.sh +++ b/bin/tests/system/autosign/ns2/keygen.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: keygen.sh,v 1.4 2009/12/19 17:30:31 each Exp $ +# $Id: keygen.sh,v 1.5 2010/01/18 19:19:31 each Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -24,7 +24,7 @@ RANDFILE=../random.data # Have the child generate subdomain keys and pass DS sets to us. ( cd ../ns3 && sh keygen.sh ) -for subdomain in secure nsec3 optout rsasha256 rsasha512 +for subdomain in secure nsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs do cp ../ns3/dsset-$subdomain.example. . done 
@@ -46,3 +46,12 @@ infile="${zonefile}.in" cp $infile $zonefile $KEYGEN -3 -q -r $RANDFILE -fk $zone > /dev/null $KEYGEN -3 -q -r $RANDFILE $zone > /dev/null + +# Extract saved keys for the revoke-to-duplicate-key test +zone=bar +zonefile="${zone}.db" +infile="${zonefile}.in" +cat $infile > $zonefile +sh revkeys.shar > /dev/null +$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null +$DSFROMKEY Kbar.+005+30804.key > dsset-bar. diff --git a/bin/tests/system/autosign/ns2/named.conf b/bin/tests/system/autosign/ns2/named.conf index de79f6b039..d5944d0ffd 100644 --- a/bin/tests/system/autosign/ns2/named.conf +++ b/bin/tests/system/autosign/ns2/named.conf @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.3 2009/11/30 23:48:02 tbox Exp $ */ +/* $Id: named.conf,v 1.4 2010/01/18 19:19:31 each Exp $ */ // NS2 @@ -35,12 +35,12 @@ options { }; key rndc_key { - secret "1234abcd8765"; - algorithm hmac-md5; + secret "1234abcd8765"; + algorithm hmac-md5; }; controls { - inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; + inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; }; zone "." { 
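Review bot: `sh revkeys.shar > /dev/null` ignores the archive's exit status, and the following `$DSFROMKEY Kbar.+005+30804.key > dsset-bar.` hard-codes a key tag that exists only if the extraction succeeded; the archive exits 1 without extracting when its lock directory is already present, in which case this script carries on and leaves an empty `dsset-bar.` that fails much later in tests.sh. Suggest `sh revkeys.shar > /dev/null || exit 1`, or at least an `I:` diagnostic, so setup reports the real cause. A sentence in the comment above the block explaining why a fixed key pair is archived instead of generated would also help — the "revoke-to-duplicate-key" wording suggests the two key tags must collide in a specific way, which a reader otherwise has to reverse-engineer from the shar contents.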
@@ -51,46 +51,56 @@ zone "." { zone "example" { type master; file "example.db"; - allow-query { any; }; - allow-transfer { any; }; + allow-query { any; }; + allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; + auto-dnssec maintain; +}; + +zone "bar" { + type master; + file "bar.db"; + allow-query { any; }; + allow-transfer { any; }; + allow-update { any; }; + auto-dnssec maintain; + dnssec-dnskey-kskonly yes; }; zone "private.secure.example" { type master; file "private.secure.example.db"; - allow-query { any; }; - allow-transfer { any; }; + allow-query { any; }; + allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; + auto-dnssec maintain; }; zone "insecure.secure.example" { type master; file "insecure.secure.example.db"; - allow-query { any; }; - allow-transfer { any; }; + allow-query { any; }; + allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; + auto-dnssec maintain; }; zone "child.nsec3.example" { type master; file "child.nsec3.example.db"; - allow-query { any; }; - allow-transfer { any; }; + allow-query { any; }; + allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; + auto-dnssec maintain; }; zone "child.optout.example" { type master; file "child.optout.example.db"; - allow-query { any; }; - allow-transfer { any; }; + allow-query { any; }; + allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; + auto-dnssec maintain; }; include "trusted.conf"; diff --git a/bin/tests/system/autosign/ns2/revkeys.shar b/bin/tests/system/autosign/ns2/revkeys.shar new file mode 100644 index 0000000000..beb6d472d2 --- /dev/null +++ b/bin/tests/system/autosign/ns2/revkeys.shar 
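Review bot: Most of this hunk is a tab-to-space re-indentation of `allow-query`, `allow-transfer` and `auto-dnssec maintain;` in five existing zones, which buries the one functional change, the new `zone "bar"` block; the same mix appears in the @@ -35 hunk of this file and in the ns3/named.conf hunks. Splitting the whitespace cleanup into its own commit would make the zone addition reviewable at a glance. The new zone is also the only one here with `dnssec-dnskey-kskonly yes;`; a short comment tying it to the bar key setup in ns2/keygen.sh would save the reader a cross-reference.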
@@ -0,0 +1,231 @@ +#!/bin/sh +# This is a shell archive (produced by GNU sharutils 4.6.3). +# To extract the files from this archive, save it to some FILE, remove +# everything before the `#!/bin/sh' line above, then type `sh FILE'. +# +lock_dir=_sh31052 +# Made on 2010-01-08 23:17 PST by . +# Source directory was `/home/each/isc/bind9/bin/tests/system/autosign/ns2/keys'. +# +# Existing files will *not* be overwritten, unless `-c' is specified. +# +# This shar contains: +# length mode name +# ------ ---------- ------------------------------------------ +# 538 -rw-r--r-- Kbar.+005+30676.key +# 1774 -rw-r--r-- Kbar.+005+30676.private +# 538 -rw-r--r-- Kbar.+005+30804.key +# 1774 -rw-r--r-- Kbar.+005+30804.private +# +MD5SUM=${MD5SUM-md5sum} +f=`${MD5SUM} --version | egrep '^md5sum .*(core|text)utils'` +test -n "${f}" && md5check=true || md5check=false +${md5check} || \ + echo 'Note: not verifying md5sums. Consider installing GNU coreutils.' +save_IFS="${IFS}" +IFS="${IFS}:" +gettext_dir=FAILED +locale_dir=FAILED +first_param="$1" +for dir in $PATH +do + if test "$gettext_dir" = FAILED && test -f $dir/gettext \ + && ($dir/gettext --version >/dev/null 2>&1) + then + case `$dir/gettext --version 2>&1 | sed 1q` in + *GNU*) gettext_dir=$dir ;; + esac + fi + if test "$locale_dir" = FAILED && test -f $dir/shar \ + && ($dir/shar --print-text-domain-dir >/dev/null 2>&1) + then + locale_dir=`$dir/shar --print-text-domain-dir` + fi +done +IFS="$save_IFS" +if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED +then + echo=echo +else + TEXTDOMAINDIR=$locale_dir + export TEXTDOMAINDIR + TEXTDOMAIN=sharutils + export TEXTDOMAIN + echo="$gettext_dir/gettext -s" +fi +if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null +then if (echo -n test; echo 1,2,3) | grep n >/dev/null + then shar_n= shar_c=' +' + else shar_n=-n shar_c= ; fi +else shar_n= shar_c='\c' ; fi +f=shar-touch.$$ +st1=200112312359.59 +st2=123123592001.59 +st2tr=123123592001.5 # old SysV 14-char limit 
+st3=1231235901 + +if touch -am -t ${st1} ${f} >/dev/null 2>&1 && \ + test ! -f ${st1} && test -f ${f}; then + shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"' + +elif touch -am ${st2} ${f} >/dev/null 2>&1 && \ + test ! -f ${st2} && test ! -f ${st2tr} && test -f ${f}; then + shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"' + +elif touch -am ${st3} ${f} >/dev/null 2>&1 && \ + test ! -f ${st3} && test -f ${f}; then + shar_touch='touch -am $3$4$5$6$2 "$8"' + +else + shar_touch=: + echo + ${echo} 'WARNING: not restoring timestamps. Consider getting and' + ${echo} 'installing GNU `touch'\'', distributed in GNU coreutils...' + echo +fi +rm -f ${st1} ${st2} ${st2tr} ${st3} ${f} +# +if test ! -d ${lock_dir} +then : ; else ${echo} 'lock directory '${lock_dir}' exists' + exit 1 +fi +if mkdir ${lock_dir} +then ${echo} 'x - created lock directory `'${lock_dir}\''.' +else ${echo} 'x - failed to create lock directory `'${lock_dir}\''.' + exit 1 +fi +# ============= Kbar.+005+30676.key ============== +if test -f 'Kbar.+005+30676.key' && test "$first_param" != -c; then + ${echo} 'x -SKIPPING Kbar.+005+30676.key (file already exists)' +else +${echo} 'x - extracting Kbar.+005+30676.key (text)' + sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30676.key' && +; This is a key-signing key, keyid 30676, for bar. +; Created: Sat Dec 26 03:13:10 2009 +; Publish: Sat Dec 26 03:13:10 2009 +; Activate: Sat Dec 26 03:13:10 2009 +bar. IN DNSKEY 257 3 5 AwEAAc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU= +SHAR_EOF + (set 20 10 01 08 23 14 29 'Kbar.+005+30676.key'; eval "$shar_touch") && + chmod 0644 'Kbar.+005+30676.key' +if test $? 
-ne 0 +then ${echo} 'restore of Kbar.+005+30676.key failed' +fi + if ${md5check} + then ( + ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30676.key: MD5 check failed' + ) << SHAR_EOF +9c89adb7c9e6d5e2fd34f694b8752c95 Kbar.+005+30676.key +SHAR_EOF + else +test `LC_ALL=C wc -c < 'Kbar.+005+30676.key'` -ne 538 && \ + ${echo} 'restoration warning: size of Kbar.+005+30676.key is not 538' + fi +fi +# ============= Kbar.+005+30676.private ============== +if test -f 'Kbar.+005+30676.private' && test "$first_param" != -c; then + ${echo} 'x -SKIPPING Kbar.+005+30676.private (file already exists)' +else +${echo} 'x - extracting Kbar.+005+30676.private (text)' + sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30676.private' && +Private-key-format: v1.3 +Algorithm: 5 (RSASHA1) +Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q== +PublicExponent: AQAB +PrivateExponent: BcfjYsFCjuH1x4ucdbW09ncOv8ppJXbiJkt9AoP0hFOT2c5wrJ1hNOGnrdvYd2CMBlpUOR+w5BxDP+cF78Q97ogXpcjjTwj+5PuqJLg4+qx8thvacrAkdXIKEsgMytjD2d4/ksQmeBiQ7zgiGyCHC7CYzvxnzXEKlgl4FuzLRy4SH1YiSTxKfw1ANKKHxmw8Xvav9ljubrzNdBEQNs6eJNkC6c3aGqiPFyTWGa90s6t1mwTXSxFqBUR1WlbfyYfuiAK2CAvFHeNo7VuC934ri7ceEq8jeOSuY0IqDq2pA3gVWVOyR4NFLXJWeDA3pjqi109t/WGg9IGydD/hsleP4Q== +Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0= +Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk= +Exponent1: 
NLeXHRUrJ0fdCSRIt1iwRDeEoPn5OA7GEUtgCcp5i3eSjhb0ZxTaQc/l+NHJCW4vwApWSi9cRy99LUpbResKM1ZGN8EE9rDStqgnQnDXztFTWcDKm+e8VNhGtPtHuARDbqNnJRK3Y+Gz0iAGc8Mpo14qE9IEcoeHXKKVUf+x3BE= +Exponent2: dKCbJB+SdM/u5IXH+TZyGKkMSLIMATKfucfqV6vs+86rv5Yb0zUEvPNqPNAQe0+LoMF2L7YWblY+71wumHXgOaobAP3u8W2pVGUjuTOtfRPU8x1QAwfV9vye87oTINaxFXkBuNtITuBXNiY2bfprpw9WB4zXxuWpiruPjQsumiE= +Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8= +Created: 20091226021310 +Publish: 20091226021310 +Activate: 20091226021310 +SHAR_EOF + (set 20 10 01 08 23 14 29 'Kbar.+005+30676.private'; eval "$shar_touch") && + chmod 0644 'Kbar.+005+30676.private' +if test $? -ne 0 +then ${echo} 'restore of Kbar.+005+30676.private failed' +fi + if ${md5check} + then ( + ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30676.private: MD5 check failed' + ) << SHAR_EOF +c85dfac0b5c0cf2972878a65717af9ea Kbar.+005+30676.private +SHAR_EOF + else +test `LC_ALL=C wc -c < 'Kbar.+005+30676.private'` -ne 1774 && \ + ${echo} 'restoration warning: size of Kbar.+005+30676.private is not 1774' + fi +fi +# ============= Kbar.+005+30804.key ============== +if test -f 'Kbar.+005+30804.key' && test "$first_param" != -c; then + ${echo} 'x -SKIPPING Kbar.+005+30804.key (file already exists)' +else +${echo} 'x - extracting Kbar.+005+30804.key (text)' + sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30804.key' && +; This is a key-signing key, keyid 30804, for bar. +; Created: Sat Dec 26 03:13:10 2009 +; Publish: Sat Dec 26 03:13:10 2009 +; Activate: Sat Dec 26 03:13:10 2009 +bar. 
IN DNSKEY 257 3 5 AwEAgc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU= +SHAR_EOF + (set 20 10 01 08 23 14 29 'Kbar.+005+30804.key'; eval "$shar_touch") && + chmod 0644 'Kbar.+005+30804.key' +if test $? -ne 0 +then ${echo} 'restore of Kbar.+005+30804.key failed' +fi + if ${md5check} + then ( + ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30804.key: MD5 check failed' + ) << SHAR_EOF +825116de64b44b14893cb3b8a48475bc Kbar.+005+30804.key +SHAR_EOF + else +test `LC_ALL=C wc -c < 'Kbar.+005+30804.key'` -ne 538 && \ + ${echo} 'restoration warning: size of Kbar.+005+30804.key is not 538' + fi +fi +# ============= Kbar.+005+30804.private ============== +if test -f 'Kbar.+005+30804.private' && test "$first_param" != -c; then + ${echo} 'x -SKIPPING Kbar.+005+30804.private (file already exists)' +else +${echo} 'x - extracting Kbar.+005+30804.private (text)' + sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30804.private' && +Private-key-format: v1.3 +Algorithm: 5 (RSASHA1) +Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q== +PublicExponent: AQCB +PrivateExponent: 
I5TcRq2sbSi1u5a+jL6VVBBu3nyY7p3NXeD1WYYYD66b8RWbgJdTtsZxgixD5sKKrW/xT68d3FUsIjs36w7yp5+g99q7lJ3v35VcMuLXbaKitS/LJdTZF/GIWwRs+DHdt+chh0QeNLzclq8ZfBeTAycFxwC7zVDLsqqcL6/JHiJhHT+dNEqj6/AIOgSYJzVeBI34LtZLW94IKf4dHLzREnLK6+64PFjpwjOG12O9klKfwHRIRN9WUsDG4AuzDSABH+qo2Zc6uJusC/D6HADbiG7tXmLYL6IxanWTbTrx4Hfp01fF+JQCuyOCRmN47X/nCumvDXKMn9Ve5+OlYi0vAQ== +Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0= +Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk= +Exponent1: JDLRyjRz53hTP7H2oaKgQYADs/UDswN2lwWpuag0wsPwQmeRAZZY2TiISPSu+3Mvh4XJ6r5UHQd5FbAN1v2mG4aYgWwoYwoxyvdTLcnQXciX2z+7877GcEyKHPno4fYXRqhVH4i1QjKaQl8dw9LFvzbVvGvvwsHGwQeqPprw7hk= +Exponent2: vbnob7AZKqKhiVdEcnnhbeZBGcaKkTpE+RAkUL7spNQDiTPvJgo5fcTk/h6G7ijAXK0j62ZHZ3RS7RnaRa+KhO7usPcYMFiJ/VdAyRlIivhyi+WNQ2x4vSygwDy2VV9elljFeNe4dV1Cb+ssE8kAmbP52JjJD6MkhvVLd0u/jMk= +Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8= +Created: 20091226021310 +Publish: 20091226021310 +Activate: 20091226021310 +SHAR_EOF + (set 20 10 01 08 23 14 29 'Kbar.+005+30804.private'; eval "$shar_touch") && + chmod 0644 'Kbar.+005+30804.private' +if test $? -ne 0 +then ${echo} 'restore of Kbar.+005+30804.private failed' +fi + if ${md5check} + then ( + ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30804.private: MD5 check failed' + ) << SHAR_EOF +580cfb43bac6ed945896b464923676e7 Kbar.+005+30804.private +SHAR_EOF + else +test `LC_ALL=C wc -c < 'Kbar.+005+30804.private'` -ne 1774 && \ + ${echo} 'restoration warning: size of Kbar.+005+30804.private is not 1774' + fi +fi +if rm -fr ${lock_dir} +then ${echo} 'x - removed lock directory `'${lock_dir}\''.' 
+else ${echo} 'x - failed to remove lock directory `'${lock_dir}\''.' + exit 1 +fi +exit 0 diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index 37d1fcd442..69c7eee72d 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: keygen.sh,v 1.4 2009/12/19 17:30:31 each Exp $ +# $Id: keygen.sh,v 1.5 2010/01/18 19:19:31 each Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh 
@@ -138,3 +138,47 @@ cp $infile $zonefile
 ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone`
 $KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > /dev/null
 $DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# NSEC-only zone.
+#
+zone=nsec.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
+$KEYGEN -q -r $RANDFILE $zone > /dev/null
+$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# Signature refresh test zone. Signatures are set to expire long
+# in the past; they should be updated by autosign.
+#
+zone=oldsigs.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
+$KEYGEN -q -r $RANDFILE $zone > /dev/null
+$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > /dev/null 2>&1
+
+#
+# NSEC3->NSEC transition test zone.
+#
+zone=nsec3-to-nsec.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone`
+$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > /dev/null
+$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null 2>&1
+
+#
+# secure-to-insecure transition test zone.
+#
+zone=secure-to-insecure.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
+$KEYGEN -q -r $RANDFILE $zone > /dev/null
+$SIGNER -S -o $zone -f $zonefile $infile > /dev/null 2>&1
diff --git a/bin/tests/system/autosign/ns3/named.conf b/bin/tests/system/autosign/ns3/named.conf
index ea07c276a2..a60cef82a7 100644
--- a/bin/tests/system/autosign/ns3/named.conf
+++ b/bin/tests/system/autosign/ns3/named.conf
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.3 2009/11/30 23:48:02 tbox Exp $ */
+/* $Id: named.conf,v 1.4 2010/01/18 19:19:31 each Exp $ */
 
 // NS3
 
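Review bot: In the `oldsigs.example`, `nsec3-to-nsec.example` and `secure-to-insecure.example` blocks `ksk` is captured but never used, and no `dsset-${zone}.` is written with `$DSFROMKEY` the way the `nsec.example` block does it, even though ns2/keygen.sh now copies `../ns3/dsset-nsec3-to-nsec.example.` and `../ns3/dsset-oldsigs.example.`. If `$SIGNER` is being relied on to write those dsset files, say so in the block comments and drop the dead `ksk=` captures; otherwise the `$DSFROMKEY` lines are missing. Separately, all three `$SIGNER` invocations discard stdout and stderr and ignore the exit status, so a signing failure surfaces only as an unrelated failure in tests.sh; `$SIGNER -S -o $zone -f $zonefile $infile > /dev/null 2>&1 || echo "I:signing $zone failed"` would name the real cause. The last block also omits the `cp $infile $zonefile` the other three do — harmless since `-f $zonefile` writes the file, but worth making consistent one way or the other.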
@@ -35,12 +35,12 @@ options { }; key rndc_key { - secret "1234abcd8765"; - algorithm hmac-md5; + secret "1234abcd8765"; + algorithm hmac-md5; }; controls { - inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; + inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; }; zone "." { @@ -54,11 +54,17 @@ zone "example" { file "example.bk"; }; +zone "bar" { + type slave; + masters { 10.53.0.2; }; + file "bar.bk"; +}; + zone "secure.example" { type master; file "secure.example.db"; allow-update { any; }; - auto-dnssec maintain; + auto-dnssec maintain; }; zone "insecure.example" { 
@@ -70,77 +76,98 @@ zone "nsec3.example" { type master; file "nsec3.example.db"; allow-update { any; }; - auto-dnssec maintain; + auto-dnssec maintain; }; zone "optout.nsec3.example" { type master; file "optout.nsec3.example.db"; allow-update { any; }; - auto-dnssec maintain; + auto-dnssec maintain; }; zone "nsec3.nsec3.example" { type master; file "nsec3.nsec3.example.db"; allow-update { any; }; - auto-dnssec maintain; + auto-dnssec maintain; }; zone "secure.nsec3.example" { type master; file "secure.nsec3.example.db"; allow-update { any; }; - auto-dnssec maintain; + auto-dnssec maintain; }; zone "optout.example" { type master; file "optout.example.db"; allow-update { any; }; - auto-dnssec maintain; + auto-dnssec maintain; }; zone "secure.optout.example" { type master; file "secure.optout.example.db"; allow-update { any; }; - auto-dnssec maintain; + auto-dnssec maintain; }; zone "nsec3.optout.example" { type master; file "nsec3.optout.example.db"; allow-update { any; }; - auto-dnssec maintain; + auto-dnssec maintain; }; zone "optout.optout.example" { type master; file "optout.optout.example.db"; allow-update { any; }; - auto-dnssec maintain; -}; - -zone "multiple.example" { - type master; - file "multiple.example.db"; - allow-update { any; }; - auto-dnssec maintain; + auto-dnssec maintain; }; zone "rsasha256.example" { type master; file "rsasha256.example.db"; allow-update { any; }; - auto-dnssec maintain; + auto-dnssec maintain; }; zone "rsasha512.example" { type master; file "rsasha512.example.db"; - allow-update { any; }; - auto-dnssec maintain; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "nsec.example" { + type master; + file "nsec.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "nsec3-to-nsec.example" { + type master; + file "nsec3-to-nsec.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "secure-to-insecure.example" { + type master; + file "secure-to-insecure.example.db"; + allow-update { 
any; }; + dnssec-secure-to-insecure yes; +}; + +zone "oldsigs.example" { + type master; + file "oldsigs.example.db"; + allow-update { any; }; + auto-dnssec maintain; }; include "trusted.conf"; diff --git a/bin/tests/system/autosign/ns3/nsec.example.db.in b/bin/tests/system/autosign/ns3/nsec.example.db.in new file mode 100644 index 0000000000..f6b8801609 --- /dev/null +++ b/bin/tests/system/autosign/ns3/nsec.example.db.in @@ -0,0 +1,31 @@ +; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: nsec.example.db.in,v 1.2 2010/01/18 19:19:31 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a diff --git a/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in b/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in new file mode 100644 index 0000000000..fd1b5044a8 --- /dev/null +++ b/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in 
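Review bot: `zone "secure-to-insecure.example"` is the only new zone in this hunk without `auto-dnssec maintain;`, carrying `dnssec-secure-to-insecure yes;` instead, while `nsec.example`, `nsec3-to-nsec.example` and `oldsigs.example` all get `auto-dnssec maintain;`. If that is intended, a one-line comment such as `// deliberately no auto-dnssec maintain; see the secure-to-insecure test in tests.sh` would stop a later cleanup from "fixing" it; if it is an oversight, this zone will not be maintained the way the others are. The removal of `zone "multiple.example"` is consistent with the clean.sh change and the rename of its zone file elsewhere in this commit.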
@@ -0,0 +1,31 @@ +; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: nsec3-to-nsec.example.db.in,v 1.2 2010/01/18 19:19:31 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a diff --git a/bin/tests/system/autosign/ns3/oldsigs.example.db.in b/bin/tests/system/autosign/ns3/oldsigs.example.db.in new file mode 100644 index 0000000000..7369aabef4 --- /dev/null +++ b/bin/tests/system/autosign/ns3/oldsigs.example.db.in 
@@ -0,0 +1,31 @@ +; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: oldsigs.example.db.in,v 1.2 2010/01/18 19:19:31 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a diff --git a/bin/tests/system/autosign/ns3/multiple.example.db.in b/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in similarity index 89% rename from bin/tests/system/autosign/ns3/multiple.example.db.in rename to bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in index 08a803bdf8..e301942828 100644 --- a/bin/tests/system/autosign/ns3/multiple.example.db.in +++ b/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in @@ -12,7 +12,7 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: multiple.example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $ +; $Id: secure-to-insecure.example.db.in,v 1.2 2010/01/18 19:19:31 each Exp $ $TTL 300 ; 5 minutes @ IN SOA mname1. . ( 
@@ -29,6 +29,3 @@ a A 10.0.0.1 b A 10.0.0.2 d A 10.0.0.4 z A 10.0.0.26 -a.a.a.a A 10.0.0.3 -*.e A 10.0.0.6 -child NS ns2.example. diff --git a/bin/tests/system/autosign/prereq.sh b/bin/tests/system/autosign/prereq.sh index 4ce0b55054..1c377ce8df 100644 --- a/bin/tests/system/autosign/prereq.sh +++ b/bin/tests/system/autosign/prereq.sh @@ -14,7 +14,10 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: prereq.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $ +# $Id: prereq.sh,v 1.4 2010/01/18 19:19:30 each Exp $ + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh ../../../tools/genrandom 400 random.data diff --git a/bin/tests/system/autosign/setup.sh b/bin/tests/system/autosign/setup.sh index d4c95462d9..3e1c3f75a6 100644 --- a/bin/tests/system/autosign/setup.sh +++ b/bin/tests/system/autosign/setup.sh @@ -14,12 +14,14 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: setup.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $ +# $Id: setup.sh,v 1.4 2010/01/18 19:19:30 each Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh . ./clean.sh +echo "I:generating keys and preparing zones" + ../../../tools/genrandom 400 random.data cd ns1 && sh keygen.sh diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index c05460601d..655654ac8d 100644 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.5 2009/12/19 17:30:31 each Exp $ +# $Id: tests.sh,v 1.6 2010/01/18 19:19:30 each Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh 
@@ -25,8 +25,37 @@ n=0 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300" +echo "I:waiting 30 seconds for autosign changes to take effect" +sleep 30 + +echo "I:checking that zone transfer worked ($n)" +ret=0 +$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking NSEC->NSEC3 conversion prerequisites ($n)" +ret=0 +# this command should result in an empty file: +$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking NSEC3->NSEC conversion prerequisites ($n)" +ret=0 +$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:converting zones from nsec to nsec3" -$NSUPDATE > /dev/null < /dev/null 2>&1 < nsupdate.out 2>&1 < /dev/null 2>&1 << END || status=1 +server 10.53.0.3 5300 +zone nsec3-to-nsec.example. +update delete nsec3-to-nsec.example. 
NSEC3PARAM +send +END + +echo "I:waiting for change to take effect" +sleep 3 # Send rndc freeze command to ns1, ns2 and ns3, to force the dynamically # signed zones to be dumped to their zone files echo "I:dumping zone files" $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 freeze 2>&1 | sed 's/^/I:ns1 /' +$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 thaw 2>&1 | sed 's/^/I:ns1 /' $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 freeze 2>&1 | sed 's/^/I:ns2 /' +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 thaw 2>&1 | sed 's/^/I:ns2 /' $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze 2>&1 | sed 's/^/I:ns3 /' +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw 2>&1 | sed 's/^/I:ns3 /' -# Check the example. domain - -echo "I:checking that zone transfer worked ($n)" +echo "I:checking expired signatures were updated ($n)" ret=0 -$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking NSEC->NSEC3 conversion succeeded ($n)" +ret=0 +$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.ok.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.nsec3.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)" +ret=0 +grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking NSEC3->NSEC conversion succeeded ($n)" +ret=0 +# this command should result in an empty file: +$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` @@ -501,6 +585,25 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:checking insertion of public-only key ($n)" +ret=0 +id=`sed 's/^K.+007+0*//' < nopriv.key` +file="ns1/`cat nopriv.key`.key" +keydata=`grep DNSKEY $file` +$NSUPDATE > /dev/null 2>&1 < dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:checking key deletion ($n)" ret=0 id=`sed 's/^K.+007+0*//' < del.key` 
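Review bot: The new checks at the top of this hunk depend on fixed delays (`sleep 30` before the zone-transfer check, `sleep 3` after the NSEC3PARAM update) rather than on the condition being waited for, so a slow host turns a correct run into a spurious `I:failed` and a fast one wastes time. Polling the server state with a bounded retry count, using the same `$DIG`/`grep` pair the "NSEC3->NSEC conversion prerequisites" check already uses, would tie the outcome to the zone's state instead of wall-clock time. The nsupdate here-documents in this hunk did not survive rendering (the visible text jumps from `2>&1 <` to the next redirection), so only the visible lines are reviewed here.
```shell
echo "I:waiting for autosign changes to take effect"
for try in 1 2 3 4 5 6 7 8 9 10; do
	$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.wait
	grep "NSEC3PARAM" dig.out.wait > /dev/null && break
	sleep 3
done
# … unchanged: zone transfer and conversion prerequisite checks …
```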
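Review bot: The public-only-key check asserts only that no RRSIG carries the key tag `$id` (`grep 'RRSIG.*'" $id "'\. ' ... && ret=1`), which also holds trivially if the `$NSUPDATE` insertion was refused or the key never reached the DNSKEY RRset, so the scenario can pass without being exercised. A positive presence check would make the negative assertion meaningful, in the form this commit already uses later in the file: `$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1` followed by `grep '; key id =.*'"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1`. The nsupdate here-document and the dig arguments between them were lost in rendering, so this is based on the visible lines only.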
@@ -510,6 +613,82 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:checking secure-to-insecure transition ($n)" +$NSUPDATE > /dev/null 2>&1 < dig.out.ns3.test$n || ret=1 +egrep 'RRSIG.*'" $newid "'\. ' dig.out.ns3.test$n > /dev/null && ret=1 +egrep '(DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:preparing to test key change corner cases" +echo "I:removing a private key file" +file="ns1/`cat vanishing.key`.private" +rm -f $file + +echo "I:preparing ZSK roll" +newid=`sed 's/^K.+007+0*//' < standby.key` +file="ns1/`cat standby.key`.key" +$SETTIME -A now $file > /dev/null +oldid=`sed 's/^K.+007+0*//' < active.key` +file="ns1/`cat active.key`.key" +$SETTIME -I now -D now+10 $file > /dev/null + +$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 sign . 2>&1 | sed 's/^/I:ns1 /' + +echo "I:revoking key to duplicated key ID" +$SETTIME -R now ns2/Kbar.+005+30676.key > /dev/null + +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 sign bar. 2>&1 | sed 's/^/I:ns2 /' + +echo "I:waiting for changes to take effect" +sleep 5 + +echo "I:checking former standby key is now active ($n)" +ret=0 +$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:waiting for former active key to be removed" +sleep 10 + +echo "I:checking key was removed ($n)" +ret=0 +$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep '; key id =.*'"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking private key file removal caused no immediate harm ($n)" +ret=0 +id=`sed 's/^K.+007+0*//' < vanishing.key` +$DIG $DIGOPTS dnskey . 
@10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking revoked key with duplicate key ID (failure expected) ($n)" +lret=0 +id=30676 +$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || lret=1 +grep '; key id =.*'"$id"'$' dig.out.ns2.test$n || lret=1 +$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || lret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || lret=1 +n=`expr $n + 1` +if [ $lret != 0 ]; then echo "I:failed"; fi + echo "I:exit status: $status" exit $status diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 8cbaf373ab..6819c5ca34 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: conf.sh.in,v 1.43 2009/11/30 21:00:47 each Exp $ +# $Id: conf.sh.in,v 1.44 2010/01/18 19:19:30 each Exp $ # # Common configuration data for system tests, to be sourced into @@ -49,8 +49,8 @@ CHECKCONF=$TOP/bin/check/named-checkconf # v6synth SUBDIRS="acl autosign cacheclean checkconf checknames dnssec forward glue ixfr limits lwresd masterfile masterformat metadata notify nsupdate pending - resolver rrsetorder sortlist stub tkey unknown upforwd views xfer xferquota - zonechecks" + resolver rrsetorder sortlist smartsign stub tkey unknown upforwd views + xfer xferquota zonechecks" # PERL will be an empty string if no perl interpreter was found. PERL=@PERL@ diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in index 0544cc5e50..cb44dd9e5d 100644 --- a/bin/tests/system/dnssec/ns2/example.db.in +++ b/bin/tests/system/dnssec/ns2/example.db.in 
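Review bot: In the secure-to-insecure check, `egrep 'RRSIG.*'" $newid "'\. ' dig.out.ns3.test$n > /dev/null && ret=1` references `$newid` before its only visible assignment (`newid=`sed 's/^K.+007+0*//' < standby.key`` under "preparing ZSK roll", later in the same hunk); unless it is set in a part of the hunk lost in rendering, the pattern contains an empty key tag, can never match, and that `&& ret=1` is ineffective. A zone that has gone insecure should carry no signatures at all, so `egrep 'RRSIG' dig.out.ns3.test$n > /dev/null && ret=1` checks the intended property without depending on a key tag. Separately, `grep '; key id =.*'"$id"'$' dig.out.ns2.test$n || lret=1` in the duplicate-key-ID check lacks the `> /dev/null` every other grep in this file uses, so its matches leak into the test output.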
@@ -13,7 +13,7 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: example.db.in,v 1.22 2009/12/30 08:02:22 jinmei Exp $ +; $Id: example.db.in,v 1.23 2010/01/18 19:19:31 each Exp $ $TTL 300 ; 5 minutes @ IN SOA mname1. . ( @@ -104,3 +104,6 @@ ns.rsasha256 A 10.53.0.3 rsasha512 NS ns.rsasha512 ns.rsasha512 A 10.53.0.3 + +kskonly NS ns.kskonly +ns.kskonly A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index 49d7c18b8d..a16db21c70 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: sign.sh,v 1.36 2009/12/30 08:02:22 jinmei Exp $ +# $Id: sign.sh,v 1.37 2010/01/18 19:19:31 each Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -31,7 +31,7 @@ zonefile=example.db ( cd ../ns3 && sh sign.sh ) for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \ - optout-unknown multiple rsasha256 rsasha512 + optout-unknown multiple rsasha256 rsasha512 kskonly do cp ../ns3/dsset-$subdomain.example. . done diff --git a/bin/tests/system/dnssec/ns3/kskonly.example.db.in b/bin/tests/system/dnssec/ns3/kskonly.example.db.in new file mode 100644 index 0000000000..c847680b28 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/kskonly.example.db.in 
@@ -0,0 +1,31 @@ +; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: kskonly.example.db.in,v 1.2 2010/01/18 19:19:31 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf index c3f7d10de9..6c5cac3e9c 100644 --- a/bin/tests/system/dnssec/ns3/named.conf +++ b/bin/tests/system/dnssec/ns3/named.conf @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.35 2009/10/27 23:47:44 tbox Exp $ */ +/* $Id: named.conf,v 1.36 2010/01/18 19:19:31 each Exp $ */ // NS3 @@ -166,4 +166,9 @@ zone "rsasha512.example" { file "rsasha512.example.db.signed"; }; +zone "kskonly.example" { + type master; + file "kskonly.example.db.signed"; +}; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index faab14a769..3e8027d0df 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh 
@@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: sign.sh,v 1.30 2009/10/28 00:27:10 marka Exp $ +# $Id: sign.sh,v 1.31 2010/01/18 19:19:31 each Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -30,7 +30,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 zone=bogus.example. infile=bogus.example.db.in @@ -40,7 +40,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 zone=dynamic.example. infile=dynamic.example.db.in @@ -51,7 +51,7 @@ keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone` cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 zone=keyless.example. infile=keyless.example.db.in @@ -61,7 +61,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 # Change the signer field of the a.b.keyless.example SIG A # to point to a provably nonexistent KEY record. @@ -81,7 +81,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 # # NSEC3/NSEC3 test zone 
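Review bot: The `2>&1` appended to every `$SIGNER` line (here and in the following hunks of this file, through the RSASHA512 and kskonly zones) discards the signer's only diagnostic output, and none of these lines checks the exit status, so a signing failure during setup would surface only later as an unrelated validation failure in tests.sh. Unless the script runs under `sh -e` (its shebang is outside these hunks), each line should at least fail loudly, e.g. `$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 || { echo "I:signing $zone failed" >&2; exit 1; }`. Capturing stderr to a per-zone file instead of `/dev/null` would keep the diagnostics available without cluttering the run.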
@@ -94,7 +94,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` cat $infile $keyname.key >$zonefile -$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 # # OPTOUT/NSEC3 test zone @@ -107,7 +107,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` cat $infile $keyname.key >$zonefile -$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 # # A nsec3 zone (non-optout). @@ -120,7 +120,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` cat $infile $keyname.key >$zonefile -$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 # # OPTOUT/NSEC test zone @@ -133,7 +133,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 # # OPTOUT/NSEC3 test zone @@ -146,7 +146,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` cat $infile $keyname.key >$zonefile -$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 # # OPTOUT/OPTOUT test zone @@ -159,7 +159,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` cat $infile $keyname.key >$zonefile -$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 # # A optout nsec3 zone. 
@@ -172,7 +172,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` cat $infile $keyname.key >$zonefile -$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 # # A nsec3 zone (non-optout) with unknown hash algorithm. @@ -185,7 +185,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` cat $infile $keyname.key >$zonefile -$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 # # A optout nsec3 zone. @@ -198,7 +198,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` cat $infile $keyname.key >$zonefile -$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 # # A multiple parameter nsec3 zone. @@ -211,17 +211,17 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 mv $zonefile.signed $zonefile -$SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 mv $zonefile.signed $zonefile -$SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 mv $zonefile.signed $zonefile -$SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 mv $zonefile.signed $zonefile -$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 mv $zonefile.signed $zonefile -$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 # # A RSASHA256 zone. 
@@ -234,7 +234,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone` cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 # # A RSASHA512 zone. @@ -247,4 +247,16 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA512 -b 1024 -n zone $zone` cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# A zone with the DNSKEY set only signed by the KSK +# +zone=kskonly.example. +infile=kskonly.example.db.in +zonefile=kskonly.example.db + +kskname=`$KEYGEN -q -r $RANDFILE -fk $zone` +zskname=`$KEYGEN -q -r $RANDFILE $zone` +cat $infile $kskname.key $zskname.key >$zonefile +$SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 18be2daf13..eb5ed1dcbe 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.56 2009/12/30 08:02:22 jinmei Exp $ +# $Id: tests.sh,v 1.57 2010/01/18 19:19:31 each Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh 
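Review bot: The kskonly.example keys are generated without `-a`/`-b`, whereas every other zone in this file pins its algorithm and size (e.g. `-a RSASHA256 -b 768` in the hunk just above), so what this zone exercises depends on the key generator's defaults and changes silently when those defaults change. Pinning them, e.g. `kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -fk $zone`` and `zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 $zone``, keeps the fixture stable and matches the file's style. The header comment could also name the option that produces the KSK-only DNSKEY signature: `# A zone with the DNSKEY set only signed by the KSK (signer -x)`.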
@@ -38,6 +38,26 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +# test AD bit: +# - dig +adflag asks for authentication (ad in response) +echo "I:checking AD bit asking for validation ($n)" +ret=0 +$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking for AD in authoritative answer ($n)" +ret=0 +$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:checking positive validation NSEC ($n)" ret=0 $DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 @@ -662,6 +682,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:checking positive validation with KSK-only DNSKEY signature ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:checking cd bit on a query that should fail ($n)" ret=0 $DIG $DIGOPTS a.bogus.example. soa @10.53.0.4 \ diff --git a/bin/tests/system/pending/ns2/example.com.db.in b/bin/tests/system/pending/ns2/example.com.db.in index 9cdb2fd9a9..fce1429dd8 100644 --- a/bin/tests/system/pending/ns2/example.com.db.in 
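Review bot: The "AD in authoritative answer" check is a pure negative assertion (`grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1`), and dig exits 0 on SERVFAIL or REFUSED, so a broken ns2 still passes it as long as no `ad` flag appears. Adding `grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1` before the flag check, the same pattern the autosign tests in this commit use, makes the check confirm that an authoritative answer was actually received and that it carries no AD bit.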
+++ b/bin/tests/system/pending/ns2/example.com.db.in @@ -12,7 +12,7 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: example.com.db.in,v 1.2 2009/12/30 08:02:22 jinmei Exp $ +; $Id: example.com.db.in,v 1.3 2010/01/18 19:19:31 each Exp $ $TTL 30 @ IN SOA mname1. . ( @@ -29,3 +29,4 @@ mail A 192.0.2.2 AAAA 2001:db8::2 pending-ok A 192.0.2.2 pending-ng A 192.0.2.102 +removed A 10.9.8.7 diff --git a/bin/tests/system/pending/ns2/sign.sh b/bin/tests/system/pending/ns2/sign.sh index d65bd8f296..af42d386cf 100644 --- a/bin/tests/system/pending/ns2/sign.sh +++ b/bin/tests/system/pending/ns2/sign.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: sign.sh,v 1.6 2010/01/07 23:48:53 tbox Exp $ +# $Id: sign.sh,v 1.7 2010/01/18 19:19:31 each Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -26,10 +26,16 @@ for domain in example example.com; do infile=${domain}.db.in zonefile=${domain}.db - keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` - keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -f KSK -n zone $zone` + keyname1=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` + keyname2=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -f KSK -n zone $zone` - cat $infile $keyname1.key $keyname2.key >$zonefile + cat $infile $keyname1.key $keyname2.key > $zonefile - $SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + $SIGNER -3 bebe -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 done + +# remove "removed" record from example.com, causing the server to +# send an apparently-invalid NXDOMAIN +sed '/^removed/d' example.com.db.signed > example.com.db.new +rm -f example.com.db.signed +mv example.com.db.new example.com.db.signed diff --git a/bin/tests/system/pending/tests.sh b/bin/tests/system/pending/tests.sh index d99cb8e70d..baf973a592 100644 --- a/bin/tests/system/pending/tests.sh 
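Review bot: `sed '/^removed/d'` deletes only lines whose owner name starts at column 0; if the signer writes the record's RRSIG on indented continuation lines, as its default output layout does, those lines survive and are attributed to the preceding owner name when the zone is loaded, so the fixture is malformed in a different way than the "name removed from data but still covered by the NSEC3 chain" scenario the comment describes. Deleting the RRSIG lines that follow the record as well (through the next line that begins a new owner) would produce exactly the intended inconsistency. The comment should also state the expected effect the pending tests check for, e.g. `# the NSEC3 chain still covers "removed", so the NXDOMAIN proof is bogus and the resolver must SERVFAIL rather than cache it`.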
+++ b/bin/tests/system/pending/tests.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.6 2010/01/07 23:48:53 tbox Exp $ +# $Id: tests.sh,v 1.7 2010/01/18 19:19:31 each Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh @@ -179,5 +179,26 @@ test "$ans" = "$expect" || ret=1 test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'" status=`expr $status + $ret` +# +# Make sure the resolver doesn't cache bogus NXDOMAIN +# +echo I:Trying to Prime bogus NXDOMAIN +ret=0 +expect="SERVFAIL" +ans=`$DIG +tcp -p 5300 @10.53.0.4 removed.example.com. A` || ret=1 +ans=`echo $ans | sed 's/^.*status: \([A-Z][A-Z]*\).*$/\1/'` +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'" +status=`expr $status + $ret` + +echo I:Confirming the bogus NXDOMAIN was not cached +ret=0 +expect="SERVFAIL" +ans=`$DIG +tcp -p 5300 @10.53.0.4 removed.example.com. A` || ret=1 +ans=`echo $ans | sed 's/^.*status: \([A-Z][A-Z]*\).*$/\1/'` +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'" +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/bin/tests/system/smartsign/child.db b/bin/tests/system/smartsign/child.db new file mode 100644 index 0000000000..76bdd602cd --- /dev/null +++ b/bin/tests/system/smartsign/child.db @@ -0,0 +1,13 @@ +$ORIGIN . +$TTL 60 ; 1 minute +child.parent.nil IN SOA ns.child.parent.nil. hostmaster.parent.nil. ( + 1 ; serial + 2000 ; refresh (33 minutes 20 seconds) + 2000 ; retry (33 minutes 20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns.child.parent.nil. +$ORIGIN child.parent.nil. +$TTL 300 ; 5 minutes +ns A 10.53.0.3 diff --git a/bin/tests/system/smartsign/clean.sh b/bin/tests/system/smartsign/clean.sh new file mode 100644 index 0000000000..b451a4c61c --- /dev/null 
+++ b/bin/tests/system/smartsign/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Copyright (C) 2004, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000-2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2 2010/01/18 19:19:31 each Exp $
+
+rm -f K* dsset-* *.signed random.data dnskey.sigs other.sigs dsset.out
diff --git a/bin/tests/system/smartsign/parent.db b/bin/tests/system/smartsign/parent.db
new file mode 100644
index 0000000000..060c0454f5
--- /dev/null
+++ b/bin/tests/system/smartsign/parent.db
@@ -0,0 +1,20 @@
+$ORIGIN .
+$TTL 300 ; 5 minutes
+parent.nil IN SOA ns1.parent.nil. hostmaster.parent.nil. (
+ 1 ; serial
+ 2000 ; refresh (33 minutes 20 seconds)
+ 2000 ; retry (33 minutes 20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns1.parent.nil.
+ NS ns2.parent.nil.
+$ORIGIN parent.nil.
+$TTL 3600 ; 1 hour
+a A 1.1.1.1
+$TTL 300 ; 5 minutes
+ns1 A 10.53.0.1
+ns2 A 10.53.0.2
+
+child NS ns.child
+ns.child A 10.53.0.3
diff --git a/bin/tests/system/smartsign/prereq.sh b/bin/tests/system/smartsign/prereq.sh
new file mode 100644
index 0000000000..ba19799b49
--- /dev/null
+++ b/bin/tests/system/smartsign/prereq.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+#
+# Copyright (C) 2004, 2006, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000-2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: prereq.sh,v 1.2 2010/01/18 19:19:31 each Exp $
+
+../../../tools/genrandom 400 random.data
+
+if $KEYGEN -q -r random.data foo > /dev/null 2>&1
+then
+ rm -f Kfoo*
+else
+ echo "I:This test requires that --with-openssl was used." >&2
+ exit 1
+fi
diff --git a/bin/tests/system/smartsign/setup.sh b/bin/tests/system/smartsign/setup.sh
new file mode 100644
index 0000000000..c9f00a2334
--- /dev/null
+++ b/bin/tests/system/smartsign/setup.sh
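Review bot: `$KEYGEN` is used on the `if` line but nothing in this file sources conf.sh, unlike autosign/prereq.sh, which this same commit fixes by adding `SYSTEMTESTTOP=..` and `. $SYSTEMTESTTOP/conf.sh`; unless the caller exports KEYGEN, the variable expands to nothing, the command becomes `-q -r random.data foo`, and the `else` branch skips the whole test with the misleading "requires --with-openssl" message. Adding the same two lines after the `$Id` comment would make the prerequisite check test what it claims to.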
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+#
+# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000, 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2 2010/01/18 19:19:31 each Exp $
+
+sh clean.sh
+../../../tools/genrandom 400 random.data
diff --git a/bin/tests/system/smartsign/tests.sh b/bin/tests/system/smartsign/tests.sh
new file mode 100644
index 0000000000..311fa7617c
--- /dev/null
+++ b/bin/tests/system/smartsign/tests.sh
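Review bot: The `-e` in `#!/bin/sh -e` only takes effect when the file is executed directly; if the harness invokes it as `sh setup.sh`, the way this commit's autosign setup.sh runs `sh keygen.sh`, the option is silently dropped and a failing `sh clean.sh` or `genrandom` goes unnoticed. Keeping `#!/bin/sh` and adding `set -e` on its own line after the header applies in both invocation modes.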
@@ -0,0 +1,167 @@
+#!/bin/sh
+#
+# Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000-2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2 2010/01/18 19:19:31 each Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+RANDFILE=./random.data
+
+pzone=parent.nil
+pfile=parent.db
+
+czone=child.parent.nil
+cfile=child.db
+
+echo I:generating keys
+# active zsk
+czsk1=`$KEYGEN -q -r $RANDFILE $czone`
+
+# not yet published or active
+czsk2=`$KEYGEN -q -r $RANDFILE -P none -A none $czone`
+
+# published but not active
+czsk3=`$KEYGEN -q -r $RANDFILE -A none $czone`
+
+# inactive
+czsk4=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone`
+
+# active ksk
+cksk1=`$KEYGEN -q -r $RANDFILE -fk $czone`
+
+# published but not YET active; will be active in 20 seconds
+cksk2=`$KEYGEN -q -r $RANDFILE -fk $czone`
+$SETTIME -A now+20s $cksk2 > /dev/null
+
+echo I:revoking key
+# revoking key changes its ID
+cksk3=`$KEYGEN -q -r $RANDFILE -fk $czone`
+cksk4=`$REVOKE $cksk3`
+
+echo I:signing child zone
+czoneout=`$SIGNER -Sg -r $RANDFILE -o $czone $cfile 2>&1`
+
+echo I:generating keys
+pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
+pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone`
+
+echo I:signing parent zone
+pzoneout=`$SIGNER -Sg -r $RANDFILE -o $pzone $pfile 2>&1`
+
+czactive=`echo $czsk1 | sed 's/^K.*+005+0*//'`
+czgenerated=`echo $czsk2 | sed 's/^K.*+005+0*//'`
+czpublished=`echo $czsk3 | sed 's/^K.*+005+0*//'`
+czinactive=`echo $czsk4 | sed 's/^K.*+005+0*//'`
+ckactive=`echo $cksk1 | sed 's/^K.*+005+0*//'`
+ckpublished=`echo $cksk2 | sed 's/^K.*+005+0*//'`
+ckprerevoke=`echo $cksk3 | sed 's/^K.*+005+0*//'`
+ckrevoked=`echo $cksk4 | sed 's/.*+005+0*\([0-9]*\)\.private$/\1/'`
+
+pzid=`echo $pzsk | sed 's/^K.*+005+0*//'`
+pkid=`echo $pksk | sed 's/^K.*+005+0*//'`
+
+echo "I:checking dnssec-signzone output matches expectations"
+ret=0
+echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
+echo "$pzoneout" | grep 'ZSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
+echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1
+echo "$czoneout" | grep 'ZSKs: 1 active, 2 stand-by, 0 revoked' > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking parent zone DNSKEY set"
+ret=0
+grep "key id = $pzid" $pfile.signed > /dev/null || ret=1
+grep "key id = $pkid" $pfile.signed > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking parent zone DS records"
+ret=0
+awk '$2 == "DS" {print $3}' $pfile.signed > dsset.out
+grep "$ckactive" dsset.out > /dev/null || ret=1
+grep "$ckpublished" dsset.out > /dev/null || ret=1
+# revoked key should not be there, hence the &&
+grep "$ckprerevoke" dsset.out > /dev/null && ret=1
+grep "$ckrevoked" dsset.out > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking child zone DNSKEY set"
+ret=0
+grep "key id = $ckactive" $cfile.signed > /dev/null || ret=1
+grep "key id = $ckpublished" $cfile.signed > /dev/null || ret=1
+grep "key id = $ckrevoked" $cfile.signed > /dev/null || ret=1
+grep "key id = $czactive" $cfile.signed > /dev/null || ret=1
+grep "key id = $czpublished" $cfile.signed > /dev/null || ret=1
+grep "key id = $czinactive" $cfile.signed > /dev/null || ret=1
+# should not be there, hence the &&
+grep "key id = $ckprerevoke" $cfile.signed > /dev/null && ret=1
+grep "key id = $czgenerated" $cfile.signed > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking child zone signatures"
+ret=0
+# check DNSKEY signatures first
+awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $2 }' $cfile.signed > dnskey.sigs
+grep "$ckactive" dnskey.sigs > /dev/null || ret=1
+grep "$ckrevoked" dnskey.sigs > /dev/null || ret=1
+grep "$czactive" dnskey.sigs > /dev/null || ret=1
+# should not be there:
+grep "$ckprerevoke" dnskey.sigs > /dev/null && ret=1
+grep "$ckpublished" dnskey.sigs > /dev/null && ret=1
+grep "$czpublished" dnskey.sigs > /dev/null && ret=1
+grep "$czinactive" dnskey.sigs > /dev/null && ret=1
+grep "$czgenerated" dnskey.sigs > /dev/null && ret=1
+# now check other signatures first
+awk '$2 == "RRSIG" && $3 != "DNSKEY" { getline; print $2 }' $cfile.signed | sort -un > other.sigs
+# should not be there:
+grep "$ckactive" other.sigs > /dev/null && ret=1
+grep "$ckpublished" other.sigs > /dev/null && ret=1
+grep "$ckprerevoke" other.sigs > /dev/null && ret=1
+grep "$ckrevoked" other.sigs > /dev/null && ret=1
+grep "$czpublished" other.sigs > /dev/null && ret=1
+grep "$czinactive" other.sigs > /dev/null && ret=1
+grep "$czgenerated" other.sigs > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:waiting 20 seconds for key activation"
+sleep 20
+echo "I:re-signing child zone"
+czoneout2=`$SIGNER -Sg -r $RANDFILE -o $czone -f $cfile.new $cfile.signed 2>&1`
+mv $cfile.new $cfile.signed
+
+echo "I:checking dnssec-signzone output matches expectations"
+ret=0
+echo "$czoneout2" | grep 'KSKs: 2 active, 0 stand-by, 1 revoked' > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking child zone signatures again"
+ret=0
+awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $2 }' $cfile.signed > dnskey.sigs
+grep "$ckpublished" dnskey.sigs > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+exit $status
diff --git a/util/copyrights b/util/copyrights
index 9748d11c1d..fd3e129842 100644
--- a/util/copyrights
+++ b/util/copyrights
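Review bot: The key-tag extraction hard-codes the algorithm number in `sed 's/^K.*+005+0*//'` (ten places, plus the `ckrevoked` pattern), so the test is silently tied to dnssec-keygen's current RSASHA1 default; once that default changes the substitution becomes a no-op, every `|| ret=1` check fails with no hint why, and every "should not be there" `&& ret=1` check passes vacuously because the full filename never matches. A pattern that does not name the algorithm, `sed 's/^K.*+0*//'`, yields the tag for any algorithm, and the revoked-key line can use `sed 's/.*+0*\([0-9]*\)\.private$/\1/'`. Separately, `grep "key id = $ckactive" $cfile.signed` matches on a prefix, so a tag that is a leading substring of another key's tag (12 vs 1234, say) gives a false pass; `grep -w` or a `$` anchor on the pattern closes that. The hunk is complete, so these remarks cover the whole script.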
@@ -550,19 +550,23 @@
 ./bin/tests/system/autosign/ns2/keygen.sh SH 2009
 ./bin/tests/system/autosign/ns2/named.conf CONF-C 2009
 ./bin/tests/system/autosign/ns2/private.secure.example.db.in ZONE 2009
+./bin/tests/system/autosign/ns2/revkeys.shar X 2010
 ./bin/tests/system/autosign/ns3/.cvsignore X 2009
 ./bin/tests/system/autosign/ns3/insecure.example.db ZONE 2009
 ./bin/tests/system/autosign/ns3/keygen.sh SH 2009
-./bin/tests/system/autosign/ns3/multiple.example.db.in ZONE 2009
 ./bin/tests/system/autosign/ns3/named.conf CONF-C 2009
+./bin/tests/system/autosign/ns3/nsec.example.db.in ZONE 2010
+./bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in ZONE 2010
 ./bin/tests/system/autosign/ns3/nsec3.example.db.in ZONE 2009
 ./bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in ZONE 2009
 ./bin/tests/system/autosign/ns3/nsec3.optout.example.db.in ZONE 2009
+./bin/tests/system/autosign/ns3/oldsigs.example.db.in ZONE 2010
 ./bin/tests/system/autosign/ns3/optout.example.db.in ZONE 2009
 ./bin/tests/system/autosign/ns3/optout.nsec3.example.db.in ZONE 2009
 ./bin/tests/system/autosign/ns3/optout.optout.example.db.in ZONE 2009
 ./bin/tests/system/autosign/ns3/rsasha256.example.db.in ZONE 2009
 ./bin/tests/system/autosign/ns3/rsasha512.example.db.in ZONE 2009
+./bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in ZONE 2010
 ./bin/tests/system/autosign/ns3/secure.example.db.in ZONE 2009
 ./bin/tests/system/autosign/ns3/secure.nsec3.example.db.in ZONE 2009
 ./bin/tests/system/autosign/ns3/secure.optout.example.db.in ZONE 2009
@@ -666,6 +670,7 @@
 ./bin/tests/system/dnssec/ns3/insecure.nsec3.example.db ZONE 2008
 ./bin/tests/system/dnssec/ns3/insecure.optout.example.db ZONE 2008
 ./bin/tests/system/dnssec/ns3/keyless.example.db.in ZONE 2001,2002,2004,2007
+./bin/tests/system/dnssec/ns3/kskonly.example.db.in ZONE 2010
 ./bin/tests/system/dnssec/ns3/multiple.example.db.in ZONE 2006,2008
 ./bin/tests/system/dnssec/ns3/named.conf CONF-C 2000,2001,2002,2004,2006,2007,2008,2009
 ./bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in ZONE 2006,2008