diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh index 79f3774439..0344ade978 100644 --- a/bin/tests/system/inline/clean.sh +++ b/bin/tests/system/inline/clean.sh @@ -24,4 +24,4 @@ rm -rf ./*/*.jbk \ ./*/*.db ./*/*.db.signed ./*/*.db.jnl ./*/*.db.signed.jnl \ ./*.out ./*.out* ./*/*.out ./*/*.out* \ ./*/*.bk ./*/*.bk.jnl ./*/*.bk.signed ./*/*.bk.signed.jnl \ - ns3/a-file ns3/removedkeys + ns3/a-file ns3/removedkeys ns3/delayedkeys.conf diff --git a/bin/tests/system/inline/ns1/root.db.in b/bin/tests/system/inline/ns1/root.db.in index abc7370e39..7747688370 100644 --- a/bin/tests/system/inline/ns1/root.db.in +++ b/bin/tests/system/inline/ns1/root.db.in @@ -48,12 +48,3 @@ ns3.nsec3. A 10.53.0.3 externalkey. NS ns3.externalkey. ns3.externalkey. A 10.53.0.3 - -retransfer3. NS ns3.retransfer. -ns3.retransfer3. A 10.53.0.3 - -inactiveksk. NS ns3.inactiveksk. -ns3.inactiveksk. A 10.53.0.3 - -inactivezsk. NS ns3.inactivezsk. -ns3.inactivezsk. A 10.53.0.3 diff --git a/bin/tests/system/inline/ns2/named.conf.in b/bin/tests/system/inline/ns2/named.conf.in index 38e6e90fbf..25fc893ebf 100644 --- a/bin/tests/system/inline/ns2/named.conf.in +++ b/bin/tests/system/inline/ns2/named.conf.in @@ -47,32 +47,12 @@ zone "retransfer" { notify no; }; -zone "retransfer3" { - type primary; - file "retransfer3.db"; - allow-update { any; }; - allow-transfer { none; }; // changed dynamically by tests.sh - notify no; -}; - zone "nsec3-loop" { type primary; file "nsec3-loop.db"; notify no; }; -zone "inactiveksk" { - type primary; - file "inactiveksk.db"; - allow-update { any; }; -}; - -zone "inactivezsk" { - type primary; - file "inactivezsk.db"; - allow-update { any; }; -}; - zone "nokeys" { type primary; file "nokeys.db"; diff --git a/bin/tests/system/inline/ns3/delayedkeys.conf.1 b/bin/tests/system/inline/ns3/delayedkeys.conf.1 new file mode 100644 index 0000000000..72ed2aa317 --- /dev/null +++ b/bin/tests/system/inline/ns3/delayedkeys.conf.1 
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "delayedkeys" {
+ type primary;
+ file "delayedkeys.db";
+ inline-signing yes;
+ dnssec-policy insecure;
+};
diff --git a/bin/tests/system/inline/ns3/delayedkeys.conf.2 b/bin/tests/system/inline/ns3/delayedkeys.conf.2
new file mode 100644
index 0000000000..fa7cbcd8b3
--- /dev/null
+++ b/bin/tests/system/inline/ns3/delayedkeys.conf.2
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "delayedkeys" {
+ type primary;
+ file "delayedkeys.db";
+ inline-signing yes;
+ dnssec-policy inline;
+};
diff --git a/bin/tests/system/inline/ns3/named.conf.in b/bin/tests/system/inline/ns3/named.conf.in
index 6b3b3cd5bc..836d915f15 100644
--- a/bin/tests/system/inline/ns3/named.conf.in
+++ b/bin/tests/system/inline/ns3/named.conf.in
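Review bot: Neither delayedkeys.conf.1 nor delayedkeys.conf.2 says why a primary zone with `inline-signing yes` starts out under the built-in `insecure` policy, nor that setup.sh copies `.1` into place as `delayedkeys.conf` and tests.sh later overwrites it with `.2` and runs `rndc reconfig`; a reader who finds `dnssec-policy insecure` in a signing test will take it for a mistake. A short header comment in `.1` would settle it, e.g. `// Stage 1 of the "delayedkeys" test: installed by setup.sh and replaced by delayedkeys.conf.2 from tests.sh. "insecure" stands in for "signing keys not available yet".`, and `.2` should carry the matching note that the `inline` policy it names is defined in ns3/named.conf.in, the file that includes this one. Whether the zone is actually served without DNSSEC records while `.1` is active is not visible in this diff, so state it as the intent rather than as a guarantee.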
@@ -35,11 +35,35 @@ options {
 dnssec-validation no;
 };
 
+dnssec-policy "inline" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "nsec3" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+ nsec3param iterations 0 optout no salt-length 0;
+};
+
+dnssec-policy "external" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ ksk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
+ };
+};
+
 zone "bits" {
 type secondary;
 primaries { 10.53.0.2; };
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 allow-update-forwarding { any; };
 file "bits.bk";
 sig-signing-signatures 1; // force incremental processing
@@ -51,7 +75,7 @@ zone "noixfr" {
 type secondary;
 primaries { 10.53.0.4; };
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 allow-update-forwarding { any; };
 file "noixfr.bk";
 };
@@ -59,7 +83,7 @@ zone "noixfr" {
 zone "primary" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "primary.db";
 notify explicit;
 also-notify {
@@ -70,7 +94,7 @@ zone "primary" {
 zone "dynamic" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 allow-update { any; };
 file "dynamic.db";
 };
@@ -78,7 +102,7 @@ zone "dynamic" {
 zone "updated" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 allow-update { none; };
 file "updated.db";
 };
@@ -86,7 +110,7 @@ zone "updated" {
 zone "expired" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 allow-update { any; };
 file "expired.db";
 };
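Review bot: The three new `dnssec-policy` blocks give every key `lifetime unlimited` and `key-directory` without a word on why; for a production policy an unlimited lifetime means no automatic rollover ever happens, which is exactly the thing a reader copying from a test named after inline signing should not take away. A comment on the first block would carry the intent, e.g. `// Test-only policies: the keys live in the key directory (sign.sh pre-generates them for several zones) and must not roll during the run, hence "lifetime unlimited". Not a template for production.` — phrased as intent, since which zones get pre-generated keys is only partly visible in the sign.sh hunks below. The `external` policy's two-algorithm key set is coupled by convention alone to the `$alg` loop in ns3/sign.sh and to the `dnskeys -eq 4` expectation in tests.sh; a one-line `// Must match the algorithm loop in sign.sh` next to it would keep those three from drifting apart.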
@@ -95,14 +119,14 @@ zone "retransfer" {
 type secondary;
 primaries { 10.53.0.2; };
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "retransfer.bk";
 };
 
 zone "nsec3" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy nsec3;
 allow-update { any; };
 file "nsec3.db";
 };
@@ -110,56 +134,23 @@ zone "nsec3" {
 zone "externalkey" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
- dnssec-dnskey-kskonly no;
+ dnssec-policy external;
 allow-update { any; };
 file "externalkey.db";
 };
 
-zone "retransfer3" {
- type secondary;
- primaries { 10.53.0.2; };
- inline-signing yes;
- auto-dnssec maintain;
- file "retransfer3.bk";
-};
-
-zone "inactiveksk" {
- type secondary;
- primaries { 10.53.0.2; };
- inline-signing yes;
- auto-dnssec maintain;
- dnssec-dnskey-kskonly yes;
- file "inactiveksk.bk";
-};
-
-zone "inactivezsk" {
- type secondary;
- primaries { 10.53.0.2; };
- inline-signing yes;
- auto-dnssec maintain;
- file "inactivezsk.bk";
-};
-
 zone "nokeys" {
 type secondary;
 primaries { 10.53.0.2; };
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy insecure;
 file "nokeys.bk";
 };
 
-zone "delayedkeys" {
- type primary;
- inline-signing yes;
- auto-dnssec maintain;
- file "delayedkeys.db";
-};
-
 zone "removedkeys-primary" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 allow-update { any; };
 also-notify { 10.53.0.2; };
 file "removedkeys-primary.db";
@@ -169,7 +160,7 @@ zone "removedkeys-secondary" {
 type secondary;
 primaries { 10.53.0.2; };
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "removedkeys-secondary.bk";
 };
@@ -177,5 +168,7 @@ zone "unsupported" {
 type primary;
 file "unsupported.db";
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 };
+
+include "delayedkeys.conf";
diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh
index f17a8ad1a3..e9b8ded98b 100755
--- a/bin/tests/system/inline/ns3/sign.sh
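Review bot: The trailing `include "delayedkeys.conf";` pulls in a file that is not in the tree: setup.sh creates it from delayedkeys.conf.1 and tests.sh overwrites it with delayedkeys.conf.2 mid-run, and the `.2` variant names the `inline` policy defined at the top of this file. Nothing at the include site records that, so someone reading ns3/named.conf.in on its own will go looking for a missing file; add `// Created by setup.sh from delayedkeys.conf.1 and replaced with delayedkeys.conf.2 by tests.sh (see the "delayedkeys" test).` above the include. The `nokeys` zone in the same hunk also deserves a one-liner: it keeps `inline-signing yes` while taking `dnssec-policy insecure`, presumably to model a signer with no usable keys, but as written it reads as if the zone were meant to be unsigned.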
+++ b/bin/tests/system/inline/ns3/sign.sh @@ -49,10 +49,12 @@ $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db zone=updated rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) -keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db -$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null +zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$SETTIME -s -g OMNIPRESENT -k RUMOURED now -z RUMOURED now "$zsk" > settime.out.updated.1 2>&1 +$SETTIME -s -g OMNIPRESENT -k RUMOURED now -r RUMOURED now -d HIDDEN now "$ksk" > settime.out.updated.2 2>&1 +$DSFROMKEY -T 1200 $ksk >> ../ns1/root.db +$SIGNER -S -x -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null cp primary2.db.in updated.db # signatures are expired and should be regenerated on startup 
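Review bot: The second `$SETTIME` line sets the `updated` KSK's DS state to `-d HIDDEN now`, while the very next line publishes that key's DS in `../ns1/root.db` via `$DSFROMKEY`, so the key state file and the parent zone disagree about whether the DS exists. If the test deliberately models a DS that the parent has but the signer does not yet know about, a one-line comment saying so would stop the next reader from "correcting" it; if not, `-d OMNIPRESENT now` is the state that matches the appended DS. Neither `$SETTIME` call is checked: their output goes to `settime.out.updated.[12]` and the script carries on, so a failure here would only surface later as a confusing signing result — appending `|| exit 1` to both lines makes it fail fast (the surrounding key-generation lines are equally unchecked, so this may be deliberate style, but the state changes are what this hunk newly depends on).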
@@ -77,31 +79,6 @@ rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db -zone=retransfer3 -rm -f K${zone}.+*+*.key -rm -f K${zone}.+*+*.private -keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) -keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db - -zone=inactiveksk -rm -f K${zone}.+*+*.key -rm -f K${zone}.+*+*.private -keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) -keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 -f KSK $zone) -keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone) -keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db - -zone=inactivezsk -rm -f K${zone}.+*+*.key -rm -f K${zone}.+*+*.private -keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 $zone) -keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone) -keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db - zone=delayedkeys rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private @@ -136,6 +113,7 @@ do done zone=externalkey +zonefile=${zone}.db rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private @@ -147,13 +125,10 @@ do k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone) $DSFROMKEY -T 1200 $k4 >> ../ns1/root.db - # Convert k1 and k2 in to External Keys. + cat $k1.key $k2.key >> $zonefile + + rm -f $k1.key rm -f $k1.private - mv $k1.key a-file - $IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1 || - ( echo_i "importkey failed: $alg" ) + rm -f $k2.key rm -f $k2.private - mv $k2.key a-file - $IMPORTKEY -f a-file $zone > /dev/null 2>&1 || - ( echo_i "importkey failed: $alg" ) done 
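Review bot: The last hunk stops creating `ns3/a-file` (the `mv $k1.key a-file` / `$IMPORTKEY` lines are gone), yet clean.sh still lists `ns3/a-file` on its `rm -rf` line; harmless, but stale, so drop it there or note why it stays. The replacement `cat $k1.key $k2.key >> $zonefile` has no error check, so a missing `.key` file leaves externalkey.db without the external DNSKEYs and the `rm -f` lines that follow then remove the evidence — `cat "$k1.key" "$k2.key" >> "$zonefile" || echo_i "external key append failed: $alg"` keeps the diagnostic the old `importkey failed` branch had. The old code also gave k1 a scheduled deletion (`-P now -D now+3600`), which a bare DNSKEY record in the zone file cannot carry; if that case is still meant to be covered, it needs a comment or a replacement. The `for alg` loop this body belongs to begins outside the hunk.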
diff --git a/bin/tests/system/inline/ns5/named.conf.post b/bin/tests/system/inline/ns5/named.conf.post index f454b353a2..a85d7606e7 100644 --- a/bin/tests/system/inline/ns5/named.conf.post +++ b/bin/tests/system/inline/ns5/named.conf.post @@ -33,10 +33,17 @@ options { servfail-ttl 0; }; +dnssec-policy "inline" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + zone "bits" { type secondary; primaries { 10.53.0.2; }; file "bits.bk"; - auto-dnssec maintain; + dnssec-policy inline; inline-signing yes; }; diff --git a/bin/tests/system/inline/ns7/named.conf.in b/bin/tests/system/inline/ns7/named.conf.in index 3a0cf86f56..68ae04c209 100644 --- a/bin/tests/system/inline/ns7/named.conf.in +++ b/bin/tests/system/inline/ns7/named.conf.in @@ -48,3 +48,13 @@ options { sig-signing-nodes 100; sig-signing-signatures 10; }; + +dnssec-policy "nsec3" { + keys { + ksk key-directory lifetime unlimited algorithm RSASHA256 2048; + zsk key-directory lifetime unlimited algorithm RSASHA256 2048; + zsk key-directory lifetime unlimited algorithm RSASHA256 1024; + }; + + nsec3param iterations 0 optout no salt-length 0; +}; diff --git a/bin/tests/system/inline/ns7/sign.sh b/bin/tests/system/inline/ns7/sign.sh index 8ab8288bca..d89c8a81a9 100755 --- a/bin/tests/system/inline/ns7/sign.sh +++ b/bin/tests/system/inline/ns7/sign.sh @@ -19,6 +19,6 @@ zone=nsec3-loop rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) -keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) -keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +keyname=$($KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone) +keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone) +keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone -f KSK $zone) 
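Review bot: The `nsec3` policy added to ns7/named.conf.in pins one ZSK to `RSASHA256 1024`, which is below the 2048-bit floor that current guidance (for example NIST SP 800-57) sets for RSA signing keys; in a test fixture that is acceptable only if it is deliberate, and the three sizes must stay in lockstep with the three `$KEYGEN -b` calls in the ns7/sign.sh hunk that follows, which nothing enforces. A comment on the policy would protect both points, e.g. `// Key algorithm and sizes must match ns7/sign.sh. The 1024-bit ZSK is intentional for this test (presumably to reproduce the nsec3-loop conditions described below), not a recommendation.` — replacing the parenthetical with the real reason, which the diff does not show.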
diff --git a/bin/tests/system/inline/ns8/named.conf.in b/bin/tests/system/inline/ns8/named.conf.in index 47bb99151b..81e3142a20 100644 --- a/bin/tests/system/inline/ns8/named.conf.in +++ b/bin/tests/system/inline/ns8/named.conf.in 
@@ -36,128 +36,135 @@ options { dnssec-validation no; }; +dnssec-policy "inline" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + zone "example01.com" { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example01.com.db"; }; zone "example02.com" { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example02.com.db"; }; zone "example03.com" { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example03.com.db"; }; zone "example04.com" { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example04.com.db"; }; zone "example05.com" { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example05.com.db"; }; zone "example06.com" { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example06.com.db"; }; zone "example07.com" { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example07.com.db"; }; zone "example08.com" { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example08.com.db"; }; zone "example09.com" { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example09.com.db"; }; zone "example10.com" { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example10.com.db"; }; zone "example11.com" { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example11.com.db"; }; zone "example12.com" { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example12.com.db"; }; zone "example13.com" { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example13.com.db"; }; zone "example14.com" { type 
primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example14.com.db"; }; zone "example15.com" { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example15.com.db"; }; zone "example16.com" { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example16.com.db"; }; zone example { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "example.db"; }; zone "unsigned-serial-test" { type primary; inline-signing yes; - auto-dnssec maintain; + dnssec-policy inline; file "unsigned-serial-test.db"; }; diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh index 84233c801a..edfa98a1f6 100644 --- a/bin/tests/system/inline/setup.sh +++ b/bin/tests/system/inline/setup.sh @@ -18,12 +18,9 @@ cp ns1/root.db.in ns1/root.db touch ns2/trusted.conf cp ns2/nsec3-loop.db.in ns2/nsec3-loop.db cp ns2/bits.db.in ns2/bits.db -cp ns2/bits.db.in ns2/inactiveksk.db -cp ns2/bits.db.in ns2/inactivezsk.db cp ns2/bits.db.in ns2/nokeys.db cp ns2/bits.db.in ns2/removedkeys-secondary.db cp ns2/bits.db.in ns2/retransfer.db -cp ns2/bits.db.in ns2/retransfer3.db cp ns3/primary.db.in ns3/primary.db cp ns3/primary.db.in ns3/dynamic.db @@ -44,6 +41,7 @@ cp ns4/noixfr.db.in ns4/noixfr.db copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf +cp ns3/delayedkeys.conf.1 ns3/delayedkeys.conf copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.pre ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh index e9c455472a..9acb0d7dbb 100755 --- a/bin/tests/system/inline/tests.sh +++ b/bin/tests/system/inline/tests.sh 
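Review bot: setup.sh installs the stage-1 config with a bare `cp ns3/delayedkeys.conf.1 ns3/delayedkeys.conf`, while every neighbouring named.conf goes through `copy_setports`; that works today only because delayedkeys.conf.[12] contain no `@PORT@`/`@DEFAULT_ALGORITHM@` placeholders, and tests.sh repeats the same bare `cp` when it swaps in `.2`. Using `copy_setports ns3/delayedkeys.conf.1 ns3/delayedkeys.conf` here (and in tests.sh) keeps the included file on the same path as the file that includes it, so adding a placeholder to it later cannot silently produce an unsubstituted config that named then rejects at reconfig.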
@@ -36,8 +36,7 @@ status=0 n=0 ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1 || ret=1 - +# Make sure nsec3 zone is NSEC3 signed. for i in 1 2 3 4 5 6 7 8 9 0 do nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.) || ret=1 @@ -65,15 +64,12 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking that the zone is signed on initial transfer ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1 - keys=$(grep '^Done signing' signing.out.test$n | wc -l) - [ $keys = 2 ] || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 -done +zone_is_signed() { + $DIG $DIGOPTS @10.53.0.3 bits. AXFR > dig.out.ns3.test$n || return 1 + $VERIFY -z -o bits. dig.out.ns3.test$n > verify.out.bits.test$n || return 1 + return 0 +} +retry_quiet 10 zone_is_signed || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -93,7 +89,7 @@ $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1 keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n) for key in $keys; do $RNDCCMD 10.53.0.3 signing -clear ${key} bits > /dev/null || ret=1 - break; # We only want to remove 1 record for now. + break; # We only want to remove 1 record for now. done 2>&1 |sed 's/^/ns3 /' | cat_i for i in 1 2 3 4 5 6 7 8 9 10 @@ -113,6 +109,7 @@ n=$((n + 1)) echo_i "checking private type was properly signed ($n)" ret=0 $DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n || ret=1 +# One private type record, one signature grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1 grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 
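Review bot: `zone_is_signed` passes `-z` to `$VERIFY`, which tells dnssec-verify to ignore the KSK flag and so drops the check that the DNSKEY RRset is signed by a KSK-flagged key and everything else by a ZSK; the `inline` policy on ns3 has a distinct KSK and ZSK, so without `-z` the helper would verify exactly the key roles the policy is meant to produce. If `-z` is needed (for example because the zone can still be mid-transition when the first AXFR succeeds), a one-line comment should say so. The helper also redirects only stdout to `verify.out.bits.test$n`; as far as I recall dnssec-verify explains a failed verification on stderr, so `> verify.out.bits.test$n 2>&1` is what you want to read once `retry_quiet` gives up. It relies on the caller's `$n` rather than taking the test number as an argument, which is fine for this script but worth a comment since `retry_quiet` calls it repeatedly.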
@@ -122,7 +119,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking removal of remaining private type record via 'rndc signing -clear all' ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 signing -clear all bits > signing.out.test$n.clear || ret=1 for i in 1 2 3 4 5 6 7 8 9 10 do @@ -434,8 +431,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking primary zone that was updated while offline is correct ($n)" ret=0 -$DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA >dig.out.ns2.soa.test$n || ret=1 -serial=$(awk '{print $3}' dig.out.ns2.soa.test$n) +$DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA >dig.out.ns3.soa.test$n || ret=1 +serial=$(awk '{print $3}' dig.out.ns3.soa.test$n) # serial should have changed [ "$serial" = "2000042407" ] && ret=1 # e.updated should exist and should be signed @@ -446,7 +443,7 @@ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 # of primary2.db, and should show a minimal diff: no more than 8 added # records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records # (SOA/RRSIG, NSEC/RRSIG). -$JOURNALPRINT ns3/updated.db.signed.jnl >journalprint.out.test$n || ret=1 +$JOURNALPRINT ns3/updated.db.signed.jnl > journalprint.out.test$n || ret=1 serial=$(awk '/Source serial =/ {print $4}' journalprint.out.test$n) [ "$serial" = "2000042408" ] || ret=1 diffsize=$(wc -l < journalprint.out.test$n) 
@@ -791,65 +788,6 @@ done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n + 1)) -echo_i "check 'rndc signing -nsec3param' requests are queued for zones which are not loaded ($n)" -ret=0 -# The "retransfer3" zone is configured with "allow-transfer { none; };" on ns2, -# which means it should not yet be available on ns3. -$DIG $DIGOPTS @10.53.0.3 retransfer3 SOA > dig.out.ns3.pre.test$n || ret=1 -grep "status: SERVFAIL" dig.out.ns3.pre.test$n > /dev/null || ret=1 -# Switch the zone to NSEC3. An "NSEC3 -> NSEC -> NSEC3" sequence is used purely -# to test that multiple queued "rndc signing -nsec3param" requests are handled -# properly. -$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 signing -nsec3param none retransfer3 > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1 -# Reconfigure ns2 to allow outgoing transfers for the "retransfer3" zone. -sed "s|\(allow-transfer { none; };.*\)|// \1|;" ns2/named.conf > ns2/named.conf.new -mv ns2/named.conf.new ns2/named.conf -$RNDCCMD 10.53.0.2 reconfig || ret=1 -# Request ns3 to retransfer the "retransfer3" zone. -$RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1 -# Check whether "retransfer3" uses NSEC3 as requested. 
-for i in 0 1 2 3 4 5 6 7 8 9 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i || ret=1 - grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || ret=1 - grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || ret=1 - test $ret -eq 0 && break - sleep 1 -done -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -n=$((n + 1)) -echo_i "check rndc retransfer of a inline nsec3 secondary retains nsec3 ($n)" -ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1 -for i in 0 1 2 3 4 5 6 7 8 9 -do - ans=0 - $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n || ret=1 - grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1 - grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1 - [ $ans = 0 ] && break - sleep 1 -done -$RNDCCMD 10.53.0.3 retransfer retransfer3 2>&1 || ret=1 -for i in 0 1 2 3 4 5 6 7 8 9 -do - ans=0 - $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n || ret=1 - grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1 - grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1 - [ $ans = 0 ] && break - sleep 1 -done -[ $ans = 1 ] && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - # NOTE: The test below should be considered fragile. More details can be found # in the comment inside ns7/named.conf. n=$((n + 1)) @@ -858,7 +796,7 @@ ret=0 zone=nsec3-loop # Add secondary zone using rndc $RNDCCMD 10.53.0.7 addzone $zone \ - '{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };' || ret=1 + '{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; dnssec-policy default; };' || ret=1 # Wait until secondary zone is fully signed using NSEC for i in 1 2 3 4 5 6 7 8 9 0 do 
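Review bot: The `addzone` on ns7 now attaches `dnssec-policy default` to nsec3-loop, but ns7/sign.sh pre-generates RSASHA256 keys for that zone (1024- and 2048-bit ZSKs, 2048-bit KSK) to match the `nsec3` policy added to ns7/named.conf.in; the built-in `default` policy, as far as I know, wants a single ECDSAP256SHA256 CSK, so named presumably generates a fresh CSK here and the later `modzone ... dnssec-policy nsec3` becomes an algorithm rollover rather than the plain NSEC-to-NSEC3 switch that the replaced `rndc signing -nsec3param` performed. If the intent is only an NSEC-signed zone first, an `nsec` policy in ns7/named.conf.in with the same three RSASHA256 keys and no `nsec3param` line keeps the key set stable, e.g. `'{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; dnssec-policy nsec; };'`. The comment above this test already calls it fragile, so whichever behaviour is intended deserves a sentence there.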
@@ -869,15 +807,18 @@ do sleep 1 done # Switch secondary zone to NSEC3 -$RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.7 modzone $zone \ + '{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; dnssec-policy nsec3; };' || ret=1 # Wait until secondary zone is fully signed using NSEC3 for i in 1 2 3 4 5 6 7 8 9 0 do ret=1 - nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone) || ret=1 - test "$nsec3param" = "1 0 2 12345678" && ret=0 && break + $DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone > dig.out.ns7.test$n + nsec3param=$(cat dig.out.ns7.test$n) + test "$nsec3param" = "1 0 0 -" && ret=0 && break sleep 1 done + # Attempt to retransfer the secondary zone from primary $RNDCCMD 10.53.0.7 retransfer $zone || ret=1 # Check whether the signer managed to fully sign the retransferred zone by @@ -1013,7 +954,7 @@ $RNDCCMD 10.53.0.2 addzone test-$zone \ $DIG $DIGOPTS @10.53.0.2 test-$zone SOA > dig.out.ns2.$zone.test$n || ret=1 grep "status: NOERROR," dig.out.ns2.$zone.test$n > /dev/null || { ret=1; cat dig.out.ns2.$zone.test$n; } $RNDCCMD 10.53.0.3 addzone test-$zone \ - '{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };' || ret=1 + '{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; dnssec-policy default; allow-transfer { any; }; };' || ret=1 $RNDCCMD 10.53.0.3 delzone test-$zone > /dev/null 2>&1 || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -1036,8 +977,8 @@ do dnskeys=$(grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l) rrsigs=$(grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l) - test ${dnskeys:-0} -eq 3 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; } - test ${rrsigs:-0} -eq 2 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; } + test ${dnskeys:-0} -eq 4 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; } + test ${rrsigs:-0} -eq 1 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; } done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
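Review bot: The new expectation `rrsigs -eq 1` per algorithm checks how many RRSIGs cover the DNSKEY RRset, not which key produced the one that is there; with four DNSKEYs per algorithm now in the set (the policy's KSK and ZSK plus the two key files sign.sh appends to externalkey.db), a signature made by the ZSK or by one of the external keys would pass just as well. Extracting the key tag of a flag-257 DNSKEY for `$alg` with `$DSFROMKEY -2 -f - externalkey`, the way the deleted inactiveksk check did, and matching it in the `RRSIG DNSKEY $alg` line would pin the intended signer. The `for alg` loop this check belongs to starts outside the hunk.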
@@ -1133,70 +1074,6 @@ retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n + 1)) -echo_i "testing that inline signing works with inactive ZSK and active KSK ($n)" -ret=0 - -$DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.pre.test$n || ret=1 -soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n) - -$NSUPDATE << EOF || ret=1 -server 10.53.0.2 ${PORT} -update add added.inactivezsk 0 IN TXT added record -send -EOF - -for i in 1 2 3 4 5 6 7 8 9 10 -do - $DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.post.test$n || ret=1 - soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n) - test ${soa1:-0} -ne ${soa2:-0} && break - sleep 1 -done -test ${soa1:-0} -ne ${soa2:-0} || ret=1 - -$DIG $DIGOPTS @10.53.0.3 txt added.inactivezsk > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1 -grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1 -grep "TXT ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1 -grep "TXT ${ALTERNATIVE_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1 - -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -n=$((n + 1)) -echo_i "testing that inline signing works with inactive KSK and active ZSK ($n)" -ret=0 - -$DIG $DIGOPTS @10.53.0.3 axfr inactiveksk > dig.out.ns3.test$n || ret=1 - -# -# check that DNSKEY is signed with ZSK for default algorithm -# -awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }' -zskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' ) -grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1 -awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }' -kskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' ) 
-grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1 - -# -# check that DNSKEY is signed with KSK for alternative algorithm -# -awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }' -zskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' ) -grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1 -awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }' -kskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' ) -grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1 - -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - # Wait until an update to the raw part of a given inline signed zone is fully # processed. As waiting for a fixed amount of time is suboptimal and there is # no single message that would signify both a successful modification and an 
@@ -1368,12 +1245,16 @@ ensure_sigs_only_in_journal() { n=$((n + 1)) echo_i "checking that records added from a journal are scheduled to be resigned ($n)" ret=0 +zone="delayedkeys" # Signing keys for the "delayedkeys" zone are not yet accessible. Thus, the # zone file for the signed version of the zone will contain no DNSSEC records. # Move keys into place now and load them, which will cause DNSSEC records to # only be present in the journal for the signed version of the zone. mv Kdelayedkeys* ns3/ -$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1 +cp ns3/delayedkeys.conf.2 ns3/delayedkeys.conf +$RNDCCMD 10.53.0.3 reconfig > /dev/null 2>&1 || ret=1 + +#$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1 # Wait until the zone is signed. check_done_signing () ( $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1 || true
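Review bot: The hunk leaves a commented-out `#$RNDCCMD 10.53.0.3 loadkeys delayedkeys ...` line behind with no explanation; either delete it or turn it into a comment stating why `reconfig` replaced `loadkeys` (if the reason is that the zone must also move from the `insecure` policy to `inline`, which `loadkeys` alone cannot do, say exactly that). The replacement `$RNDCCMD 10.53.0.3 reconfig > /dev/null 2>&1 || ret=1` discards the output the old line kept in `rndc.out.ns3.pre.test$n`, so a reconfig rejected because of a problem in the freshly copied delayedkeys.conf.2 leaves nothing to diagnose; keep `> rndc.out.ns3.pre.test$n 2>&1` on the new line. The `cp ns3/delayedkeys.conf.2 ns3/delayedkeys.conf` is a bare copy where setup.sh uses `copy_setports` for the other configs, which only works while that file has no placeholders. `check_done_signing` continues past the end of the hunk.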