
2841. [func] Added "smartsign" and improved "autosign" and

"dnssec" regression tests. [RT #20865]
This commit is contained in:
Evan Hunt 2010-01-18 19:19:31 +00:00
parent f78fe6d8a9
commit e11a0c114c
35 changed files with 1199 additions and 113 deletions


@ -1,3 +1,6 @@
2841. [func] Added "smartsign" and improved "autosign" and
"dnssec" regression tests. [RT #20865]
2840. [bug] Change 2836 was not complete. [RT #20883]
2839. [bug] Temporary fixed pkcs11-destroy usage check.


@ -14,24 +14,31 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $
# $Id: clean.sh,v 1.4 2010/01/18 19:19:30 each Exp $
rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
rm -f inact.key del.key unpub.key standby.key rev.key
rm -f ns1/root.db ns2/example.db ns3/secure.example.db
rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
rm -f ns2/private.secure.example.db
rm -f active.key inact.key del.key unpub.key standby.key rev.key
rm -f nopriv.key vanishing.key
rm -f nsupdate.out
rm -f */core
rm -f */example.bk
rm -f */named.memstats
rm -f dig.out.*
rm -f random.data
rm -f ns2/dlv.db
rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db
rm -f ns3/optout-unknown.example.db ns3/optout.example.db
rm -f */named.memstats
rm -f ns1/root.db
rm -f ns2/example.db
rm -f ns2/private.secure.example.db ns2/bar.db
rm -f ns3/nsec.example.db
rm -f ns3/nsec3.example.db
rm -f ns3/nsec3.nsec3.example.db
rm -f ns3/nsec3.optout.example.db
rm -f ns3/nsec3-to-nsec.example.db
rm -f ns3/oldsigs.example.db
rm -f ns3/optout.example.db
rm -f ns3/optout.nsec3.example.db
rm -f ns3/optout.optout.example.db
rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
rm -f ns3/secure.example.db
rm -f ns3/secure.nsec3.example.db
rm -f ns3/secure.optout.example.db
rm -f ns3/secure-to-insecure.example.db
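Review bot: Nothing in this cleanup removes the lock directory that ns2/revkeys.shar creates, so an interrupted or failed extraction leaves `ns2/_sh31052` behind and the next run of ns2/keygen.sh stops at the archive's "lock directory exists" check. Add `rm -rf ns2/_sh31052` (or a pattern covering sharutils lock directories) beside the `ns2/bar.db` line. `rm -f */named.memstats` also appears twice in this hunk; if both copies are on the new side, one is redundant.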


@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: keygen.sh,v 1.4 2009/12/19 17:30:31 each Exp $
# $Id: keygen.sh,v 1.5 2010/01/18 19:19:30 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@ -29,11 +29,14 @@ infile=root.db.in
cat $infile ../ns2/dsset-example. > $zonefile
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
zskact=`$KEYGEN -3 -q -r $RANDFILE $zone`
zskvanish=`$KEYGEN -3 -q -r $RANDFILE $zone`
zskdel=`$KEYGEN -3 -q -r $RANDFILE -D now $zone`
zskinact=`$KEYGEN -3 -q -r $RANDFILE -I now $zone`
zskunpub=`$KEYGEN -3 -q -r $RANDFILE -G $zone`
zsksby=`$KEYGEN -3 -q -r $RANDFILE -A none $zone`
zsknopriv=`$KEYGEN -3 -q -r $RANDFILE $zone`
rm $zsknopriv.private
ksksby=`$KEYGEN -3 -q -r $RANDFILE -P now -A now+15s -fk $zone`
kskrev=`$KEYGEN -3 -q -r $RANDFILE -R now+15s -fk $zone`
@ -62,8 +65,11 @@ EOF
' > trusted.conf
cp trusted.conf ../ns5/trusted.conf
echo $zskact > ../active.key
echo $zskvanish > ../vanishing.key
echo $zskdel > ../del.key
echo $zskinact > ../inact.key
echo $zskunpub > ../unpub.key
echo $zsknopriv > ../nopriv.key
echo $zsksby > ../standby.key
echo $kskrev > ../rev.key
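Review bot: `rm $zsknopriv.private` acts on whatever the preceding backtick capture produced, so if `$KEYGEN` fails and `zsknopriv` is empty the script tries to remove a file literally named `.private`, then writes an empty `nopriv.key` and carries on. Guarding the expansion, `rm "${zsknopriv:?keygen failed}.private"`, makes the failure surface here instead of as an unexplained failure in the later test. Every key variable in this hunk is captured the same unchecked way, but this is the only one followed by a destructive command.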


@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: root.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
; $Id: root.db.in,v 1.4 2010/01/18 19:19:30 each Exp $
$TTL 30
. IN SOA a.root.servers.nil. each.isc.org. (
@ -26,4 +26,5 @@ $TTL 30
a.root-servers.nil. A 10.53.0.1
example. NS ns2.example.
bar. NS ns2.example.
ns2.example. A 10.53.0.2


@ -0,0 +1,85 @@
; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: bar.db.in,v 1.2 2010/01/18 19:19:31 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
NS ns3
ns2 A 10.53.0.2
ns3 A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
; Used for testing ANY queries
foo TXT "testing"
foo A 10.0.1.0
; Used for testing CNAME queries
cname1 CNAME cname1-target
cname1-target TXT "testing cname"
cname2 CNAME cname2-target
cname2-target TXT "testing cname"
; Used for testing DNAME queries
dname1 DNAME dname1-target
foo.dname1-target TXT "testing dname"
dname2 DNAME dname2-target
foo.dname2-target TXT "testing dname"
; A secure subdomain
secure NS ns.secure
ns.secure A 10.53.0.3
; An insecure subdomain
insecure NS ns.insecure
ns.insecure A 10.53.0.3
; A insecure subdomain
mustbesecure NS ns.mustbesecure
ns.mustbesecure A 10.53.0.3
z A 10.0.0.26
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
nsec3-unknown NS ns.nsec3-unknown
ns.nsec3-unknown A 10.53.0.3
optout-unknown NS ns.optout-unknown
ns.optout-unknown A 10.53.0.3
multiple NS ns.multiple
ns.multiple A 10.53.0.3
rsasha256 NS ns.rsasha256
ns.rsasha256 A 10.53.0.3
rsasha512 NS ns.rsasha512
ns.rsasha512 A 10.53.0.3


@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
; $Id: example.db.in,v 1.4 2010/01/18 19:19:31 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
@ -83,3 +83,9 @@ ns.rsasha256 A 10.53.0.3
rsasha512 NS ns.rsasha512
ns.rsasha512 A 10.53.0.3
nsec3-to-nsec NS ns.nsec3-to-nsec
ns.nsec3-to-nsec A 10.53.0.3
oldsigs NS ns.oldsigs
ns.oldsigs A 10.53.0.3


@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: keygen.sh,v 1.4 2009/12/19 17:30:31 each Exp $
# $Id: keygen.sh,v 1.5 2010/01/18 19:19:31 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@ -24,7 +24,7 @@ RANDFILE=../random.data
# Have the child generate subdomain keys and pass DS sets to us.
( cd ../ns3 && sh keygen.sh )
for subdomain in secure nsec3 optout rsasha256 rsasha512
for subdomain in secure nsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs
do
cp ../ns3/dsset-$subdomain.example. .
done
@ -46,3 +46,12 @@ infile="${zonefile}.in"
cp $infile $zonefile
$KEYGEN -3 -q -r $RANDFILE -fk $zone > /dev/null
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
# Extract saved keys for the revoke-to-duplicate-key test
zone=bar
zonefile="${zone}.db"
infile="${zonefile}.in"
cat $infile > $zonefile
sh revkeys.shar > /dev/null
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
$DSFROMKEY Kbar.+005+30804.key > dsset-bar.
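Review bot: The exit status of `sh revkeys.shar > /dev/null` is ignored, so when the archive refuses to extract (it exits 1 if its lock directory already exists or cannot be created) the script continues and the following `$DSFROMKEY Kbar.+005+30804.key` fails with an unrelated "no such file" error; change it to `sh revkeys.shar > /dev/null || exit 1`. Note that the archive reports individual file-restore failures without changing its exit status, so that check only covers the lock-directory case. The comment above should also explain why these keys are pre-generated rather than created with `$KEYGEN`: the two fixture key ids differ by exactly 128 (30676 and 30804), presumably the key-tag shift produced by setting the REVOKE flag, so revoking the first key collides with the second, and that cannot be obtained reliably from fresh generation. It would be worth adding that the archived `.private` files are fixed, test-only RSA keys.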


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.3 2009/11/30 23:48:02 tbox Exp $ */
/* $Id: named.conf,v 1.4 2010/01/18 19:19:31 each Exp $ */
// NS2
@ -35,12 +35,12 @@ options {
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
zone "." {
@ -51,46 +51,56 @@ zone "." {
zone "example" {
type master;
file "example.db";
allow-query { any; };
allow-transfer { any; };
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
auto-dnssec maintain;
auto-dnssec maintain;
};
zone "bar" {
type master;
file "bar.db";
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
auto-dnssec maintain;
dnssec-dnskey-kskonly yes;
};
zone "private.secure.example" {
type master;
file "private.secure.example.db";
allow-query { any; };
allow-transfer { any; };
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
auto-dnssec maintain;
auto-dnssec maintain;
};
zone "insecure.secure.example" {
type master;
file "insecure.secure.example.db";
allow-query { any; };
allow-transfer { any; };
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
auto-dnssec maintain;
auto-dnssec maintain;
};
zone "child.nsec3.example" {
type master;
file "child.nsec3.example.db";
allow-query { any; };
allow-transfer { any; };
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
auto-dnssec maintain;
auto-dnssec maintain;
};
zone "child.optout.example" {
type master;
file "child.optout.example.db";
allow-query { any; };
allow-transfer { any; };
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
auto-dnssec maintain;
auto-dnssec maintain;
};
include "trusted.conf";
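Review bot: The hunk re-indents the existing `key`, `controls` and `zone` statements in the same change that adds the one functional block, `zone "bar"`, so the rendering shows most lines twice and the real addition is hard to pick out; the same mix occurs in ns3/named.conf. Whitespace-only reformatting belongs in its own commit, or at least outside the hunk that adds the zone. A one-line comment above `zone "bar"` naming the test it serves (the revoke-to-duplicate-key case that ns2/keygen.sh sets up) would also explain why it alone carries `dnssec-dnskey-kskonly yes;`.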


@ -0,0 +1,231 @@
#!/bin/sh
# This is a shell archive (produced by GNU sharutils 4.6.3).
# To extract the files from this archive, save it to some FILE, remove
# everything before the `#!/bin/sh' line above, then type `sh FILE'.
#
lock_dir=_sh31052
# Made on 2010-01-08 23:17 PST by <each@pisces>.
# Source directory was `/home/each/isc/bind9/bin/tests/system/autosign/ns2/keys'.
#
# Existing files will *not* be overwritten, unless `-c' is specified.
#
# This shar contains:
# length mode name
# ------ ---------- ------------------------------------------
# 538 -rw-r--r-- Kbar.+005+30676.key
# 1774 -rw-r--r-- Kbar.+005+30676.private
# 538 -rw-r--r-- Kbar.+005+30804.key
# 1774 -rw-r--r-- Kbar.+005+30804.private
#
MD5SUM=${MD5SUM-md5sum}
f=`${MD5SUM} --version | egrep '^md5sum .*(core|text)utils'`
test -n "${f}" && md5check=true || md5check=false
${md5check} || \
echo 'Note: not verifying md5sums. Consider installing GNU coreutils.'
save_IFS="${IFS}"
IFS="${IFS}:"
gettext_dir=FAILED
locale_dir=FAILED
first_param="$1"
for dir in $PATH
do
if test "$gettext_dir" = FAILED && test -f $dir/gettext \
&& ($dir/gettext --version >/dev/null 2>&1)
then
case `$dir/gettext --version 2>&1 | sed 1q` in
*GNU*) gettext_dir=$dir ;;
esac
fi
if test "$locale_dir" = FAILED && test -f $dir/shar \
&& ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
then
locale_dir=`$dir/shar --print-text-domain-dir`
fi
done
IFS="$save_IFS"
if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
then
echo=echo
else
TEXTDOMAINDIR=$locale_dir
export TEXTDOMAINDIR
TEXTDOMAIN=sharutils
export TEXTDOMAIN
echo="$gettext_dir/gettext -s"
fi
if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null
then if (echo -n test; echo 1,2,3) | grep n >/dev/null
then shar_n= shar_c='
'
else shar_n=-n shar_c= ; fi
else shar_n= shar_c='\c' ; fi
f=shar-touch.$$
st1=200112312359.59
st2=123123592001.59
st2tr=123123592001.5 # old SysV 14-char limit
st3=1231235901
if touch -am -t ${st1} ${f} >/dev/null 2>&1 && \
test ! -f ${st1} && test -f ${f}; then
shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
elif touch -am ${st2} ${f} >/dev/null 2>&1 && \
test ! -f ${st2} && test ! -f ${st2tr} && test -f ${f}; then
shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
elif touch -am ${st3} ${f} >/dev/null 2>&1 && \
test ! -f ${st3} && test -f ${f}; then
shar_touch='touch -am $3$4$5$6$2 "$8"'
else
shar_touch=:
echo
${echo} 'WARNING: not restoring timestamps. Consider getting and'
${echo} 'installing GNU `touch'\'', distributed in GNU coreutils...'
echo
fi
rm -f ${st1} ${st2} ${st2tr} ${st3} ${f}
#
if test ! -d ${lock_dir}
then : ; else ${echo} 'lock directory '${lock_dir}' exists'
exit 1
fi
if mkdir ${lock_dir}
then ${echo} 'x - created lock directory `'${lock_dir}\''.'
else ${echo} 'x - failed to create lock directory `'${lock_dir}\''.'
exit 1
fi
# ============= Kbar.+005+30676.key ==============
if test -f 'Kbar.+005+30676.key' && test "$first_param" != -c; then
${echo} 'x -SKIPPING Kbar.+005+30676.key (file already exists)'
else
${echo} 'x - extracting Kbar.+005+30676.key (text)'
sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30676.key' &&
; This is a key-signing key, keyid 30676, for bar.
; Created: Sat Dec 26 03:13:10 2009
; Publish: Sat Dec 26 03:13:10 2009
; Activate: Sat Dec 26 03:13:10 2009
bar. IN DNSKEY 257 3 5 AwEAAc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
SHAR_EOF
(set 20 10 01 08 23 14 29 'Kbar.+005+30676.key'; eval "$shar_touch") &&
chmod 0644 'Kbar.+005+30676.key'
if test $? -ne 0
then ${echo} 'restore of Kbar.+005+30676.key failed'
fi
if ${md5check}
then (
${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30676.key: MD5 check failed'
) << SHAR_EOF
9c89adb7c9e6d5e2fd34f694b8752c95 Kbar.+005+30676.key
SHAR_EOF
else
test `LC_ALL=C wc -c < 'Kbar.+005+30676.key'` -ne 538 && \
${echo} 'restoration warning: size of Kbar.+005+30676.key is not 538'
fi
fi
# ============= Kbar.+005+30676.private ==============
if test -f 'Kbar.+005+30676.private' && test "$first_param" != -c; then
${echo} 'x -SKIPPING Kbar.+005+30676.private (file already exists)'
else
${echo} 'x - extracting Kbar.+005+30676.private (text)'
sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30676.private' &&
Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
PublicExponent: AQAB
PrivateExponent: BcfjYsFCjuH1x4ucdbW09ncOv8ppJXbiJkt9AoP0hFOT2c5wrJ1hNOGnrdvYd2CMBlpUOR+w5BxDP+cF78Q97ogXpcjjTwj+5PuqJLg4+qx8thvacrAkdXIKEsgMytjD2d4/ksQmeBiQ7zgiGyCHC7CYzvxnzXEKlgl4FuzLRy4SH1YiSTxKfw1ANKKHxmw8Xvav9ljubrzNdBEQNs6eJNkC6c3aGqiPFyTWGa90s6t1mwTXSxFqBUR1WlbfyYfuiAK2CAvFHeNo7VuC934ri7ceEq8jeOSuY0IqDq2pA3gVWVOyR4NFLXJWeDA3pjqi109t/WGg9IGydD/hsleP4Q==
Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
Exponent1: NLeXHRUrJ0fdCSRIt1iwRDeEoPn5OA7GEUtgCcp5i3eSjhb0ZxTaQc/l+NHJCW4vwApWSi9cRy99LUpbResKM1ZGN8EE9rDStqgnQnDXztFTWcDKm+e8VNhGtPtHuARDbqNnJRK3Y+Gz0iAGc8Mpo14qE9IEcoeHXKKVUf+x3BE=
Exponent2: dKCbJB+SdM/u5IXH+TZyGKkMSLIMATKfucfqV6vs+86rv5Yb0zUEvPNqPNAQe0+LoMF2L7YWblY+71wumHXgOaobAP3u8W2pVGUjuTOtfRPU8x1QAwfV9vye87oTINaxFXkBuNtITuBXNiY2bfprpw9WB4zXxuWpiruPjQsumiE=
Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
Created: 20091226021310
Publish: 20091226021310
Activate: 20091226021310
SHAR_EOF
(set 20 10 01 08 23 14 29 'Kbar.+005+30676.private'; eval "$shar_touch") &&
chmod 0644 'Kbar.+005+30676.private'
if test $? -ne 0
then ${echo} 'restore of Kbar.+005+30676.private failed'
fi
if ${md5check}
then (
${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30676.private: MD5 check failed'
) << SHAR_EOF
c85dfac0b5c0cf2972878a65717af9ea Kbar.+005+30676.private
SHAR_EOF
else
test `LC_ALL=C wc -c < 'Kbar.+005+30676.private'` -ne 1774 && \
${echo} 'restoration warning: size of Kbar.+005+30676.private is not 1774'
fi
fi
# ============= Kbar.+005+30804.key ==============
if test -f 'Kbar.+005+30804.key' && test "$first_param" != -c; then
${echo} 'x -SKIPPING Kbar.+005+30804.key (file already exists)'
else
${echo} 'x - extracting Kbar.+005+30804.key (text)'
sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30804.key' &&
; This is a key-signing key, keyid 30804, for bar.
; Created: Sat Dec 26 03:13:10 2009
; Publish: Sat Dec 26 03:13:10 2009
; Activate: Sat Dec 26 03:13:10 2009
bar. IN DNSKEY 257 3 5 AwEAgc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
SHAR_EOF
(set 20 10 01 08 23 14 29 'Kbar.+005+30804.key'; eval "$shar_touch") &&
chmod 0644 'Kbar.+005+30804.key'
if test $? -ne 0
then ${echo} 'restore of Kbar.+005+30804.key failed'
fi
if ${md5check}
then (
${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30804.key: MD5 check failed'
) << SHAR_EOF
825116de64b44b14893cb3b8a48475bc Kbar.+005+30804.key
SHAR_EOF
else
test `LC_ALL=C wc -c < 'Kbar.+005+30804.key'` -ne 538 && \
${echo} 'restoration warning: size of Kbar.+005+30804.key is not 538'
fi
fi
# ============= Kbar.+005+30804.private ==============
if test -f 'Kbar.+005+30804.private' && test "$first_param" != -c; then
${echo} 'x -SKIPPING Kbar.+005+30804.private (file already exists)'
else
${echo} 'x - extracting Kbar.+005+30804.private (text)'
sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30804.private' &&
Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
PublicExponent: AQCB
PrivateExponent: I5TcRq2sbSi1u5a+jL6VVBBu3nyY7p3NXeD1WYYYD66b8RWbgJdTtsZxgixD5sKKrW/xT68d3FUsIjs36w7yp5+g99q7lJ3v35VcMuLXbaKitS/LJdTZF/GIWwRs+DHdt+chh0QeNLzclq8ZfBeTAycFxwC7zVDLsqqcL6/JHiJhHT+dNEqj6/AIOgSYJzVeBI34LtZLW94IKf4dHLzREnLK6+64PFjpwjOG12O9klKfwHRIRN9WUsDG4AuzDSABH+qo2Zc6uJusC/D6HADbiG7tXmLYL6IxanWTbTrx4Hfp01fF+JQCuyOCRmN47X/nCumvDXKMn9Ve5+OlYi0vAQ==
Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
Exponent1: JDLRyjRz53hTP7H2oaKgQYADs/UDswN2lwWpuag0wsPwQmeRAZZY2TiISPSu+3Mvh4XJ6r5UHQd5FbAN1v2mG4aYgWwoYwoxyvdTLcnQXciX2z+7877GcEyKHPno4fYXRqhVH4i1QjKaQl8dw9LFvzbVvGvvwsHGwQeqPprw7hk=
Exponent2: vbnob7AZKqKhiVdEcnnhbeZBGcaKkTpE+RAkUL7spNQDiTPvJgo5fcTk/h6G7ijAXK0j62ZHZ3RS7RnaRa+KhO7usPcYMFiJ/VdAyRlIivhyi+WNQ2x4vSygwDy2VV9elljFeNe4dV1Cb+ssE8kAmbP52JjJD6MkhvVLd0u/jMk=
Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
Created: 20091226021310
Publish: 20091226021310
Activate: 20091226021310
SHAR_EOF
(set 20 10 01 08 23 14 29 'Kbar.+005+30804.private'; eval "$shar_touch") &&
chmod 0644 'Kbar.+005+30804.private'
if test $? -ne 0
then ${echo} 'restore of Kbar.+005+30804.private failed'
fi
if ${md5check}
then (
${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30804.private: MD5 check failed'
) << SHAR_EOF
580cfb43bac6ed945896b464923676e7 Kbar.+005+30804.private
SHAR_EOF
else
test `LC_ALL=C wc -c < 'Kbar.+005+30804.private'` -ne 1774 && \
${echo} 'restoration warning: size of Kbar.+005+30804.private is not 1774'
fi
fi
if rm -fr ${lock_dir}
then ${echo} 'x - removed lock directory `'${lock_dir}\''.'
else ${echo} 'x - failed to remove lock directory `'${lock_dir}\''.'
exit 1
fi
exit 0


@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: keygen.sh,v 1.4 2009/12/19 17:30:31 each Exp $
# $Id: keygen.sh,v 1.5 2010/01/18 19:19:31 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@ -138,3 +138,47 @@ cp $infile $zonefile
ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone`
$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > /dev/null
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# NSEC-only zone.
#
zone=nsec.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp $infile $zonefile
ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
$KEYGEN -q -r $RANDFILE $zone > /dev/null
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# Signature refresh test zone. Signatures are set to expire long
# in the past; they should be updated by autosign.
#
zone=oldsigs.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp $infile $zonefile
ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
$KEYGEN -q -r $RANDFILE $zone > /dev/null
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > /dev/null 2>&1
#
# NSEC3->NSEC transition test zone.
#
zone=nsec3-to-nsec.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp $infile $zonefile
ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone`
$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > /dev/null
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null 2>&1
#
# secure-to-insecure transition test zone.
#
zone=secure-to-insecure.example
zonefile="${zone}.db"
infile="${zonefile}.in"
ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
$KEYGEN -q -r $RANDFILE $zone > /dev/null
$SIGNER -S -o $zone -f $zonefile $infile > /dev/null 2>&1
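Review bot: In the oldsigs.example, nsec3-to-nsec.example and secure-to-insecure.example blocks the `ksk` variable is captured but never used, unlike nsec.example where it feeds `$DSFROMKEY`; either drop the capture in favour of `$KEYGEN ... > /dev/null` as on the ZSK lines, or use it. Each new `$SIGNER ... > /dev/null 2>&1` also discards both the diagnostics and the exit status, so a signing failure leaves no zone file and only shows up later as an unexplained test failure; append `|| { echo "I:signing $zone failed"; exit 1; }` to each. The secure-to-insecure.example block skips the `cp $infile $zonefile` the other blocks perform before signing; if the signer writes `$zonefile` from `$infile` anyway, the copy elsewhere is redundant, otherwise this block is missing it — a comment should say which.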


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.3 2009/11/30 23:48:02 tbox Exp $ */
/* $Id: named.conf,v 1.4 2010/01/18 19:19:31 each Exp $ */
// NS3
@ -35,12 +35,12 @@ options {
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
};
zone "." {
@ -54,11 +54,17 @@ zone "example" {
file "example.bk";
};
zone "bar" {
type slave;
masters { 10.53.0.2; };
file "bar.bk";
};
zone "secure.example" {
type master;
file "secure.example.db";
allow-update { any; };
auto-dnssec maintain;
auto-dnssec maintain;
};
zone "insecure.example" {
@ -70,77 +76,98 @@ zone "nsec3.example" {
type master;
file "nsec3.example.db";
allow-update { any; };
auto-dnssec maintain;
auto-dnssec maintain;
};
zone "optout.nsec3.example" {
type master;
file "optout.nsec3.example.db";
allow-update { any; };
auto-dnssec maintain;
auto-dnssec maintain;
};
zone "nsec3.nsec3.example" {
type master;
file "nsec3.nsec3.example.db";
allow-update { any; };
auto-dnssec maintain;
auto-dnssec maintain;
};
zone "secure.nsec3.example" {
type master;
file "secure.nsec3.example.db";
allow-update { any; };
auto-dnssec maintain;
auto-dnssec maintain;
};
zone "optout.example" {
type master;
file "optout.example.db";
allow-update { any; };
auto-dnssec maintain;
auto-dnssec maintain;
};
zone "secure.optout.example" {
type master;
file "secure.optout.example.db";
allow-update { any; };
auto-dnssec maintain;
auto-dnssec maintain;
};
zone "nsec3.optout.example" {
type master;
file "nsec3.optout.example.db";
allow-update { any; };
auto-dnssec maintain;
auto-dnssec maintain;
};
zone "optout.optout.example" {
type master;
file "optout.optout.example.db";
allow-update { any; };
auto-dnssec maintain;
};
zone "multiple.example" {
type master;
file "multiple.example.db";
allow-update { any; };
auto-dnssec maintain;
auto-dnssec maintain;
};
zone "rsasha256.example" {
type master;
file "rsasha256.example.db";
allow-update { any; };
auto-dnssec maintain;
auto-dnssec maintain;
};
zone "rsasha512.example" {
type master;
file "rsasha512.example.db";
allow-update { any; };
auto-dnssec maintain;
allow-update { any; };
auto-dnssec maintain;
};
zone "nsec.example" {
type master;
file "nsec.example.db";
allow-update { any; };
auto-dnssec maintain;
};
zone "nsec3-to-nsec.example" {
type master;
file "nsec3-to-nsec.example.db";
allow-update { any; };
auto-dnssec maintain;
};
zone "secure-to-insecure.example" {
type master;
file "secure-to-insecure.example.db";
allow-update { any; };
dnssec-secure-to-insecure yes;
};
zone "oldsigs.example" {
type master;
file "oldsigs.example.db";
allow-update { any; };
auto-dnssec maintain;
};
include "trusted.conf";
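Review bot: `zone "secure-to-insecure.example"` is the only new master zone without `auto-dnssec maintain;`, carrying `dnssec-secure-to-insecure yes;` instead. If that is deliberate because the zone is meant to shed its signatures rather than maintain them, a one-line comment saying so would stop a later reader "fixing" it; if not, the option should be added as in the neighbouring zones. The new `bar` slave pulls from 10.53.0.2, whose master zone allows transfers to `any`, so that pairing is consistent.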


@ -0,0 +1,31 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: nsec.example.db.in,v 1.2 2010/01/18 19:19:31 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
x CNAME a


@ -0,0 +1,31 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: nsec3-to-nsec.example.db.in,v 1.2 2010/01/18 19:19:31 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
x CNAME a


@ -0,0 +1,31 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: oldsigs.example.db.in,v 1.2 2010/01/18 19:19:31 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
x CNAME a


@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: multiple.example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
; $Id: secure-to-insecure.example.db.in,v 1.2 2010/01/18 19:19:31 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
@ -29,6 +29,3 @@ a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.e A 10.0.0.6
child NS ns2.example.


@ -14,7 +14,10 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: prereq.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $
# $Id: prereq.sh,v 1.4 2010/01/18 19:19:30 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
../../../tools/genrandom 400 random.data
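Review bot: `../../../tools/genrandom 400 random.data` now appears in both prereq.sh and setup.sh, and setup.sh sources clean.sh, which deletes `random.data` before setup.sh regenerates it, so the file produced here is discarded unless prereq.sh needs it for a check of its own (none is visible in this hunk). If the call here only verifies that the genrandom tool exists and runs, say so in a comment, e.g. `# check that genrandom works; setup.sh regenerates the file`; otherwise drop one of the two invocations. Since it is this script's last command, its exit status is what prereq.sh returns, which is the behaviour a prerequisite check wants.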


@ -14,12 +14,14 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: setup.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $
# $Id: setup.sh,v 1.4 2010/01/18 19:19:30 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
. ./clean.sh
echo "I:generating keys and preparing zones"
../../../tools/genrandom 400 random.data
cd ns1 && sh keygen.sh


@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.5 2009/12/19 17:30:31 each Exp $
# $Id: tests.sh,v 1.6 2010/01/18 19:19:30 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@ -25,8 +25,37 @@ n=0
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
echo "I:waiting 30 seconds for autosign changes to take effect"
sleep 30
echo "I:checking that zone transfer worked ($n)"
ret=0
$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking NSEC->NSEC3 conversion prerequisites ($n)"
ret=0
# this command should result in an empty file:
$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking NSEC3->NSEC conversion prerequisites ($n)"
ret=0
$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:converting zones from nsec to nsec3"
$NSUPDATE > /dev/null <<END || status=1
$NSUPDATE > /dev/null 2>&1 <<END || status=1
server 10.53.0.3 5300
zone nsec3.nsec3.example.
update add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
@ -48,23 +77,78 @@ update add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
END
echo "I:waiting 30 seconds for key changes to take effect"
sleep 30
# try to convert nsec.example; this should fail due to non-NSEC key
$NSUPDATE > nsupdate.out 2>&1 <<END
server 10.53.0.3 5300
zone nsec.example.
update add nsec.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
END
echo "I:waiting for changes to take effect"
sleep 3
echo "I:converting zone from nsec3 to nsec"
$NSUPDATE > /dev/null 2>&1 << END || status=1
server 10.53.0.3 5300
zone nsec3-to-nsec.example.
update delete nsec3-to-nsec.example. NSEC3PARAM
send
END
echo "I:waiting for change to take effect"
sleep 3
# Send rndc freeze command to ns1, ns2 and ns3, to force the dynamically
# signed zones to be dumped to their zone files
echo "I:dumping zone files"
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 freeze 2>&1 | sed 's/^/I:ns1 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 thaw 2>&1 | sed 's/^/I:ns1 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 freeze 2>&1 | sed 's/^/I:ns2 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 thaw 2>&1 | sed 's/^/I:ns2 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze 2>&1 | sed 's/^/I:ns3 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw 2>&1 | sed 's/^/I:ns3 /'
# Check the example. domain
echo "I:checking that zone transfer worked ($n)"
echo "I:checking expired signatures were updated ($n)"
ret=0
$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking NSEC->NSEC3 conversion succeeded ($n)"
ret=0
$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
grep "status: NOERROR" dig.out.ns3.ok.test$n > /dev/null || ret=1
$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
ret=0
grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking NSEC3->NSEC conversion succeeded ($n)"
ret=0
# this command should result in an empty file:
$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
@ -501,6 +585,25 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking insertion of public-only key ($n)"
ret=0
id=`sed 's/^K.+007+0*//' < nopriv.key`
file="ns1/`cat nopriv.key`.key"
keydata=`grep DNSKEY $file`
$NSUPDATE > /dev/null 2>&1 <<END || status=1
server 10.53.0.1 5300
zone .
ttl 3600
update add $keydata
send
END
sleep 1
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking key deletion ($n)"
ret=0
id=`sed 's/^K.+007+0*//' < del.key`
@ -510,6 +613,82 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking secure-to-insecure transition ($n)"
$NSUPDATE > /dev/null 2>&1 <<END || status=1
server 10.53.0.3 5300
zone secure-to-insecure.example
update delete secure-to-insecure.example dnskey
send
END
sleep 2
$DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
egrep 'RRSIG.*'" $newid "'\. ' dig.out.ns3.test$n > /dev/null && ret=1
egrep '(DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:preparing to test key change corner cases"
echo "I:removing a private key file"
file="ns1/`cat vanishing.key`.private"
rm -f $file
echo "I:preparing ZSK roll"
newid=`sed 's/^K.+007+0*//' < standby.key`
file="ns1/`cat standby.key`.key"
$SETTIME -A now $file > /dev/null
oldid=`sed 's/^K.+007+0*//' < active.key`
file="ns1/`cat active.key`.key"
$SETTIME -I now -D now+10 $file > /dev/null
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 sign . 2>&1 | sed 's/^/I:ns1 /'
echo "I:revoking key to duplicated key ID"
$SETTIME -R now ns2/Kbar.+005+30676.key > /dev/null
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 sign bar. 2>&1 | sed 's/^/I:ns2 /'
echo "I:waiting for changes to take effect"
sleep 5
echo "I:checking former standby key is now active ($n)"
ret=0
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:waiting for former active key to be removed"
sleep 10
echo "I:checking key was removed ($n)"
ret=0
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id =.*'"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking private key file removal caused no immediate harm ($n)"
ret=0
id=`sed 's/^K.+007+0*//' < vanishing.key`
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking revoked key with duplicate key ID (failure expected) ($n)"
lret=0
id=30676
$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || lret=1
grep '; key id =.*'"$id"'$' dig.out.ns2.test$n || lret=1
$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || lret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || lret=1
n=`expr $n + 1`
if [ $lret != 0 ]; then echo "I:failed"; fi
echo "I:exit status: $status"
exit $status
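Review bot: In the secure-to-insecure check (the `@ -510` hunk), `ret` is not reset before the test, so a failure recorded by the preceding key-deletion check is reported a second time here and added to `status` twice; add `ret=0` after the echo, as every other check in the file does. The same block greps for `$newid`, which is only assigned further down in the "preparing ZSK roll" step; unless it is set earlier in the file outside this hunk, the pattern degenerates to `RRSIG.*  \. `, which no RRSIG line is likely to match, and the `egrep ... && ret=1` line asserts nothing — either move the `newid=` assignment above this check or test against the zone's own key id. The final `lret` block is labelled "failure expected" and is correctly kept out of `$status`, but a one-line comment saying why (`# known limitation: revoked key with duplicate key ID; not counted in status`) would stop a later reader from "fixing" it.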


@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: conf.sh.in,v 1.43 2009/11/30 21:00:47 each Exp $
# $Id: conf.sh.in,v 1.44 2010/01/18 19:19:30 each Exp $
#
# Common configuration data for system tests, to be sourced into
@ -49,8 +49,8 @@ CHECKCONF=$TOP/bin/check/named-checkconf
# v6synth
SUBDIRS="acl autosign cacheclean checkconf checknames dnssec forward glue ixfr
limits lwresd masterfile masterformat metadata notify nsupdate pending
resolver rrsetorder sortlist stub tkey unknown upforwd views xfer xferquota
zonechecks"
resolver rrsetorder sortlist smartsign stub tkey unknown upforwd views
xfer xferquota zonechecks"
# PERL will be an empty string if no perl interpreter was found.
PERL=@PERL@


@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: example.db.in,v 1.22 2009/12/30 08:02:22 jinmei Exp $
; $Id: example.db.in,v 1.23 2010/01/18 19:19:31 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
@ -104,3 +104,6 @@ ns.rsasha256 A 10.53.0.3
rsasha512 NS ns.rsasha512
ns.rsasha512 A 10.53.0.3
kskonly NS ns.kskonly
ns.kskonly A 10.53.0.3


@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.36 2009/12/30 08:02:22 jinmei Exp $
# $Id: sign.sh,v 1.37 2010/01/18 19:19:31 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@ -31,7 +31,7 @@ zonefile=example.db
( cd ../ns3 && sh sign.sh )
for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
optout-unknown multiple rsasha256 rsasha512
optout-unknown multiple rsasha256 rsasha512 kskonly
do
cp ../ns3/dsset-$subdomain.example. .
done


@ -0,0 +1,31 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: kskonly.example.db.in,v 1.2 2010/01/18 19:19:31 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
x CNAME a


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.35 2009/10/27 23:47:44 tbox Exp $ */
/* $Id: named.conf,v 1.36 2010/01/18 19:19:31 each Exp $ */
// NS3
@ -166,4 +166,9 @@ zone "rsasha512.example" {
file "rsasha512.example.db.signed";
};
zone "kskonly.example" {
type master;
file "kskonly.example.db.signed";
};
include "trusted.conf";


@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.30 2009/10/28 00:27:10 marka Exp $
# $Id: sign.sh,v 1.31 2010/01/18 19:19:31 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@ -30,7 +30,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
zone=bogus.example.
infile=bogus.example.db.in
@ -40,7 +40,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
zone=dynamic.example.
infile=dynamic.example.db.in
@ -51,7 +51,7 @@ keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
zone=keyless.example.
infile=keyless.example.db.in
@ -61,7 +61,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
# Change the signer field of the a.b.keyless.example SIG A
# to point to a provably nonexistent KEY record.
@ -81,7 +81,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# NSEC3/NSEC3 test zone
@ -94,7 +94,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# OPTOUT/NSEC3 test zone
@ -107,7 +107,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A nsec3 zone (non-optout).
@ -120,7 +120,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# OPTOUT/NSEC test zone
@ -133,7 +133,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# OPTOUT/NSEC3 test zone
@ -146,7 +146,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# OPTOUT/OPTOUT test zone
@ -159,7 +159,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A optout nsec3 zone.
@ -172,7 +172,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A nsec3 zone (non-optout) with unknown hash algorithm.
@ -185,7 +185,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A optout nsec3 zone.
@ -198,7 +198,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A multiple parameter nsec3 zone.
@ -211,17 +211,17 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
mv $zonefile.signed $zonefile
$SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
mv $zonefile.signed $zonefile
$SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
mv $zonefile.signed $zonefile
$SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
mv $zonefile.signed $zonefile
$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
mv $zonefile.signed $zonefile
$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A RSASHA256 zone.
@ -234,7 +234,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A RSASHA512 zone.
@ -247,4 +247,16 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA512 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A zone with the DNSKEY set only signed by the KSK
#
zone=kskonly.example.
infile=kskonly.example.db.in
zonefile=kskonly.example.db
kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
zskname=`$KEYGEN -q -r $RANDFILE $zone`
cat $infile $kskname.key $zskname.key >$zonefile
$SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
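Review bot: The kskonly block at the end of the file (`zone=kskonly.example.` onward) never checks that the two `$KEYGEN` calls succeeded, and since every `$SIGNER` line touched by these hunks now folds stderr into `/dev/null` as well, a failed key generation or signing run leaves no diagnostic at all — the problem would only surface later in tests.sh as an unrelated-looking validation failure. The shebang and any `set -e` are outside these hunks, so I cannot tell whether a non-zero exit aborts the script. Consider keeping the signer output somewhere inspectable, e.g. `$SIGNER -x -r $RANDFILE -o $zone $zonefile > signer.kskonly.out 2>&1 || echo "I:signing $zone failed" >&2`, and note in the comment that, unlike the other zones which pass `-a`/`-b` explicitly, this block relies on `$KEYGEN`'s default algorithm and key size.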


@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.56 2009/12/30 08:02:22 jinmei Exp $
# $Id: tests.sh,v 1.57 2010/01/18 19:19:31 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@ -38,6 +38,26 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
# test AD bit:
# - dig +adflag asks for authentication (ad in response)
echo "I:checking AD bit asking for validation ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking for AD in authoritative answer ($n)"
ret=0
$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking positive validation NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
@ -662,6 +682,16 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking positive validation with KSK-only DNSKEY signature ($n)"
ret=0
$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking cd bit on a query that should fail ($n)"
ret=0
$DIG $DIGOPTS a.bogus.example. soa @10.53.0.4 \
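Review bot: The "checking for AD in authoritative answer" check asserts the opposite of what its label suggests — the `grep "flags:.*ad.*QUERY" ... && ret=1` line fails the test when AD *is* present in ns2's answer. A comment makes the intent explicit: `# ns2 is authoritative for example. and performs no validation, so AD must not be set in its answer`. The AD-bit and kskonly checks also presume that 10.53.0.4 is a validating resolver trusting the zone; that is configured outside these hunks, so a one-line comment such as `# ns4 validates; AD here means the chain through the KSK-only DNSKEY signature verified` would help the next reader.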


@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: example.com.db.in,v 1.2 2009/12/30 08:02:22 jinmei Exp $
; $Id: example.com.db.in,v 1.3 2010/01/18 19:19:31 each Exp $
$TTL 30
@ IN SOA mname1. . (
@ -29,3 +29,4 @@ mail A 192.0.2.2
AAAA 2001:db8::2
pending-ok A 192.0.2.2
pending-ng A 192.0.2.102
removed A 10.9.8.7


@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.6 2010/01/07 23:48:53 tbox Exp $
# $Id: sign.sh,v 1.7 2010/01/18 19:19:31 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@ -26,10 +26,16 @@ for domain in example example.com; do
infile=${domain}.db.in
zonefile=${domain}.db
keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -f KSK -n zone $zone`
keyname1=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
keyname2=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -f KSK -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
$SIGNER -3 bebe -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
done
# remove "removed" record from example.com, causing the server to
# send an apparently-invalid NXDOMAIN
sed '/^removed/d' example.com.db.signed > example.com.db.new
rm -f example.com.db.signed
mv example.com.db.new example.com.db.signed
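Review bot: `sed '/^removed/d'` deletes only lines whose owner name starts at column 0; if dnssec-signzone writes the RRSIG for that A RRset on following lines that begin with whitespace (owner omitted), those lines survive and are re-attached to whichever owner precedes `removed` in the signed file. The SERVFAIL expectation in tests.sh is presumably still met, but the stray signature makes the fixture misleading; worth confirming by inspecting `example.com.db.signed` and, if so, dropping the RRSIG together with the A record (e.g. an awk range that skips from the `removed` line until the next line with a non-blank owner). The `rm -f example.com.db.signed` before the `mv` is redundant, since `mv` overwrites the target.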


@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.6 2010/01/07 23:48:53 tbox Exp $
# $Id: tests.sh,v 1.7 2010/01/18 19:19:31 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@ -179,5 +179,26 @@ test "$ans" = "$expect" || ret=1
test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
status=`expr $status + $ret`
#
# Make sure the resolver doesn't cache bogus NXDOMAIN
#
echo I:Trying to Prime bogus NXDOMAIN
ret=0
expect="SERVFAIL"
ans=`$DIG +tcp -p 5300 @10.53.0.4 removed.example.com. A` || ret=1
ans=`echo $ans | sed 's/^.*status: \([A-Z][A-Z]*\).*$/\1/'`
test "$ans" = "$expect" || ret=1
test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
status=`expr $status + $ret`
echo I:Confirming the bogus NXDOMAIN was not cached
ret=0
expect="SERVFAIL"
ans=`$DIG +tcp -p 5300 @10.53.0.4 removed.example.com. A` || ret=1
ans=`echo $ans | sed 's/^.*status: \([A-Z][A-Z]*\).*$/\1/'`
test "$ans" = "$expect" || ret=1
test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status
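Review bot: Both new checks expect SERVFAIL, so they cannot distinguish "the resolver rejected the bogus NXDOMAIN and did not cache it" from "the resolver or ns2 is unreachable", which also yields SERVFAIL twice. Unless an earlier check in this file already resolves a valid name through 10.53.0.4 immediately before this block, a positive control such as `ans=`$DIG +tcp -p 5300 @10.53.0.4 pending-ok.example.com. A`` with `expect="NOERROR"` ahead of the priming query would tighten the test. The `echo $ans | sed ...` lines copy the unquoted `$ans` from the existing checks above; `printf '%s\n' "$ans" | sed ...` keeps dig's output from being word-split and glob-expanded before the status is extracted.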


@ -0,0 +1,13 @@
$ORIGIN .
$TTL 60 ; 1 minute
child.parent.nil IN SOA ns.child.parent.nil. hostmaster.parent.nil. (
1 ; serial
2000 ; refresh (33 minutes 20 seconds)
2000 ; retry (33 minutes 20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns.child.parent.nil.
$ORIGIN child.parent.nil.
$TTL 300 ; 5 minutes
ns A 10.53.0.3


@ -0,0 +1,20 @@
#!/bin/sh
#
# Copyright (C) 2004, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.2 2010/01/18 19:19:31 each Exp $
rm -f K* dsset-* *.signed random.data dnskey.sigs other.sigs dsset.out


@ -0,0 +1,20 @@
$ORIGIN .
$TTL 300 ; 5 minutes
parent.nil IN SOA ns1.parent.nil. hostmaster.parent.nil. (
1 ; serial
2000 ; refresh (33 minutes 20 seconds)
2000 ; retry (33 minutes 20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns1.parent.nil.
NS ns2.parent.nil.
$ORIGIN parent.nil.
$TTL 3600 ; 1 hour
a A 1.1.1.1
$TTL 300 ; 5 minutes
ns1 A 10.53.0.1
ns2 A 10.53.0.2
child NS ns.child
ns.child A 10.53.0.3


@ -0,0 +1,28 @@
#!/bin/sh
#
# Copyright (C) 2004, 2006, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: prereq.sh,v 1.2 2010/01/18 19:19:31 each Exp $
../../../tools/genrandom 400 random.data
if $KEYGEN -q -r random.data foo > /dev/null 2>&1
then
rm -f Kfoo*
else
echo "I:This test requires that --with-openssl was used." >&2
exit 1
fi
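Review bot: `$KEYGEN` is used here without sourcing `conf.sh` first, whereas the smartsign setup.sh and tests.sh in this same commit both start with `SYSTEMTESTTOP=..` and `. $SYSTEMTESTTOP/conf.sh`; unless the harness exports KEYGEN into prereq.sh's environment, the variable is empty, the command becomes `-q -r random.data foo`, the `else` branch runs, and the whole test is skipped with the misleading "--with-openssl" message. Add the same two lines at the top, before the genrandom call, so a skipped test really does mean a missing OpenSSL build.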


@ -0,0 +1,21 @@
#!/bin/sh -e
#
# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: setup.sh,v 1.2 2010/01/18 19:19:31 each Exp $
sh clean.sh
../../../tools/genrandom 400 random.data
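Review bot: `-e` is given on the shebang line, which only takes effect when the script is executed directly; if the harness runs it as `sh setup.sh`, the option is silently lost and a failed genrandom goes unnoticed. Prefer a plain `#!/bin/sh` followed by `set -e` as the first command, which behaves the same either way; the other new smartsign scripts do not use `-e` at all, so it is worth settling the convention consistently across them.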


@ -0,0 +1,167 @@
#!/bin/sh
#
# Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.2 2010/01/18 19:19:31 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
status=0
RANDFILE=./random.data
pzone=parent.nil
pfile=parent.db
czone=child.parent.nil
cfile=child.db
echo I:generating keys
# active zsk
czsk1=`$KEYGEN -q -r $RANDFILE $czone`
# not yet published or active
czsk2=`$KEYGEN -q -r $RANDFILE -P none -A none $czone`
# published but not active
czsk3=`$KEYGEN -q -r $RANDFILE -A none $czone`
# inactive
czsk4=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone`
# active ksk
cksk1=`$KEYGEN -q -r $RANDFILE -fk $czone`
# published but not YET active; will be active in 20 seconds
cksk2=`$KEYGEN -q -r $RANDFILE -fk $czone`
$SETTIME -A now+20s $cksk2 > /dev/null
echo I:revoking key
# revoking key changes its ID
cksk3=`$KEYGEN -q -r $RANDFILE -fk $czone`
cksk4=`$REVOKE $cksk3`
echo I:signing child zone
czoneout=`$SIGNER -Sg -r $RANDFILE -o $czone $cfile 2>&1`
echo I:generating keys
pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone`
echo I:signing parent zone
pzoneout=`$SIGNER -Sg -r $RANDFILE -o $pzone $pfile 2>&1`
czactive=`echo $czsk1 | sed 's/^K.*+005+0*//'`
czgenerated=`echo $czsk2 | sed 's/^K.*+005+0*//'`
czpublished=`echo $czsk3 | sed 's/^K.*+005+0*//'`
czinactive=`echo $czsk4 | sed 's/^K.*+005+0*//'`
ckactive=`echo $cksk1 | sed 's/^K.*+005+0*//'`
ckpublished=`echo $cksk2 | sed 's/^K.*+005+0*//'`
ckprerevoke=`echo $cksk3 | sed 's/^K.*+005+0*//'`
ckrevoked=`echo $cksk4 | sed 's/.*+005+0*\([0-9]*\)\.private$/\1/'`
pzid=`echo $pzsk | sed 's/^K.*+005+0*//'`
pkid=`echo $pksk | sed 's/^K.*+005+0*//'`
echo "I:checking dnssec-signzone output matches expectations"
ret=0
echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
echo "$pzoneout" | grep 'ZSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1
echo "$czoneout" | grep 'ZSKs: 1 active, 2 stand-by, 0 revoked' > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking parent zone DNSKEY set"
ret=0
grep "key id = $pzid" $pfile.signed > /dev/null || ret=1
grep "key id = $pkid" $pfile.signed > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking parent zone DS records"
ret=0
awk '$2 == "DS" {print $3}' $pfile.signed > dsset.out
grep "$ckactive" dsset.out > /dev/null || ret=1
grep "$ckpublished" dsset.out > /dev/null || ret=1
# revoked key should not be there, hence the &&
grep "$ckprerevoke" dsset.out > /dev/null && ret=1
grep "$ckrevoked" dsset.out > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking child zone DNSKEY set"
ret=0
grep "key id = $ckactive" $cfile.signed > /dev/null || ret=1
grep "key id = $ckpublished" $cfile.signed > /dev/null || ret=1
grep "key id = $ckrevoked" $cfile.signed > /dev/null || ret=1
grep "key id = $czactive" $cfile.signed > /dev/null || ret=1
grep "key id = $czpublished" $cfile.signed > /dev/null || ret=1
grep "key id = $czinactive" $cfile.signed > /dev/null || ret=1
# should not be there, hence the &&
grep "key id = $ckprerevoke" $cfile.signed > /dev/null && ret=1
grep "key id = $czgenerated" $cfile.signed > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking child zone signatures"
ret=0
# check DNSKEY signatures first
awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $2 }' $cfile.signed > dnskey.sigs
grep "$ckactive" dnskey.sigs > /dev/null || ret=1
grep "$ckrevoked" dnskey.sigs > /dev/null || ret=1
grep "$czactive" dnskey.sigs > /dev/null || ret=1
# should not be there:
grep "$ckprerevoke" dnskey.sigs > /dev/null && ret=1
grep "$ckpublished" dnskey.sigs > /dev/null && ret=1
grep "$czpublished" dnskey.sigs > /dev/null && ret=1
grep "$czinactive" dnskey.sigs > /dev/null && ret=1
grep "$czgenerated" dnskey.sigs > /dev/null && ret=1
# now check other signatures first
awk '$2 == "RRSIG" && $3 != "DNSKEY" { getline; print $2 }' $cfile.signed | sort -un > other.sigs
# should not be there:
grep "$ckactive" other.sigs > /dev/null && ret=1
grep "$ckpublished" other.sigs > /dev/null && ret=1
grep "$ckprerevoke" other.sigs > /dev/null && ret=1
grep "$ckrevoked" other.sigs > /dev/null && ret=1
grep "$czpublished" other.sigs > /dev/null && ret=1
grep "$czinactive" other.sigs > /dev/null && ret=1
grep "$czgenerated" other.sigs > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:waiting 20 seconds for key activation"
sleep 20
echo "I:re-signing child zone"
czoneout2=`$SIGNER -Sg -r $RANDFILE -o $czone -f $cfile.new $cfile.signed 2>&1`
mv $cfile.new $cfile.signed
echo "I:checking dnssec-signzone output matches expectations"
ret=0
echo "$czoneout2" | grep 'KSKs: 2 active, 0 stand-by, 1 revoked' > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking child zone signatures again"
ret=0
awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $2 }' $cfile.signed > dnskey.sigs
grep "$ckpublished" dnskey.sigs > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status
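Review bot: Every key-id check in this script uses an unanchored `grep "$id" file`, so a key tag that is a substring of another (e.g. 1234 inside 51234, after the `sed` strips leading zeros) can turn a must-not-be-present check (`&& ret=1`) into a false failure or a must-be-present check into a false pass; dsset.out, dnskey.sigs and other.sigs hold one tag per line, so `grep -x "$ckactive" dsset.out > /dev/null || ret=1` (whole-line match) is the safe form, and the `key id = $id` greps against the signed zone files should be anchored with a trailing `$` for the same reason. A second vacuity risk is that neither the `$KEYGEN` results nor the extracted ids are checked for being non-empty, and `grep ""` matches every line, so an empty `$czactive` makes all the positive checks pass trivially; a single guard after the id extraction, e.g. `for v in "$czactive" "$czgenerated" "$czpublished" "$czinactive" "$ckactive" "$ckpublished" "$ckprerevoke" "$ckrevoked" "$pzid" "$pkid"; do [ -n "$v" ] || { echo "I:empty key id"; status=1; }; done`, closes that hole. The `+005+` hard-coded in the ten `sed` patterns also ties the test to RSASHA1 being `$KEYGEN`'s default algorithm; a comment saying so (`# assumes dnssec-keygen defaults to algorithm 5 (RSASHA1)`) would save the next person a puzzling failure when the default changes.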


@ -550,19 +550,23 @@
./bin/tests/system/autosign/ns2/keygen.sh SH 2009
./bin/tests/system/autosign/ns2/named.conf CONF-C 2009
./bin/tests/system/autosign/ns2/private.secure.example.db.in ZONE 2009
./bin/tests/system/autosign/ns2/revkeys.shar X 2010
./bin/tests/system/autosign/ns3/.cvsignore X 2009
./bin/tests/system/autosign/ns3/insecure.example.db ZONE 2009
./bin/tests/system/autosign/ns3/keygen.sh SH 2009
./bin/tests/system/autosign/ns3/multiple.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/named.conf CONF-C 2009
./bin/tests/system/autosign/ns3/nsec.example.db.in ZONE 2010
./bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in ZONE 2010
./bin/tests/system/autosign/ns3/nsec3.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/nsec3.optout.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/oldsigs.example.db.in ZONE 2010
./bin/tests/system/autosign/ns3/optout.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/optout.nsec3.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/optout.optout.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/rsasha256.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/rsasha512.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in ZONE 2010
./bin/tests/system/autosign/ns3/secure.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/secure.nsec3.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/secure.optout.example.db.in ZONE 2009
@ -666,6 +670,7 @@
./bin/tests/system/dnssec/ns3/insecure.nsec3.example.db ZONE 2008
./bin/tests/system/dnssec/ns3/insecure.optout.example.db ZONE 2008
./bin/tests/system/dnssec/ns3/keyless.example.db.in ZONE 2001,2002,2004,2007
./bin/tests/system/dnssec/ns3/kskonly.example.db.in ZONE 2010
./bin/tests/system/dnssec/ns3/multiple.example.db.in ZONE 2006,2008
./bin/tests/system/dnssec/ns3/named.conf CONF-C 2000,2001,2002,2004,2006,2007,2008,2009
./bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in ZONE 2006,2008
