From f4eb3ba459a95f196ce815f3e0cd2844c1a6a623 Mon Sep 17 00:00:00 2001 
From: Matthijs Mekking Date: Mon, 19 Jun 2023 16:21:11 +0200 Subject: [PATCH] Change inline system test The inline system test tests 'auto-dnssec' in conjunction with 'inline-signing'. Change the tests to make use of 'dnssec-policy'. Remove some tests that no longer make sense: - The 'retransfer3.' zone tests changing the parameters with 'rndc signing -nsec3param'. This command is going away and NSEC3 parameters now need to be configured with nsec3param within 'dnssec-policy'. - The 'inactivezsk.' and 'inactiveksk.' zones test whether the ZSK takes over signing if the KSK is inactive, or vice versa. This fallback mode no longer makes sense when using a DNSSEC policy. Some tests need to be adapted more than just changing 'auto-dnssec' to 'dnssec-policy': - The 'delayedkeys.' zone first needs to be configured as insecure, then we can change it to start signing. Previously, no existing keys means that you cannot sign the zone, with 'dnssec-policy' new keys will be created. - The 'updated.' zone needs to have key states in a specific state so that the minimal journal check still works (otherwise CDS/ CDNSKEY and related records will be in the journal too). - External keys are now added to the unsigned zone and no longer are maintained with key files. Adjust the 'externalkey.' zone accordingly. - The 'nsec3-loop.' zone requires three signing keys. Since 'dnssec-policy' will ignore duplicates in the 'keys' section, create RSASHA256 keys with different role and/or key length. Finally, the 'externalkey.' zone checks for an expected number of DNSKEY and RRSIG records in the response. This used to be 3 DNSKEY and 2 RRSIG records. Due to logic behavior changes (key timing metadata is no longer authoritative), these expected values are changed to 4 DNSKEY records (two signing keys and two external keys per algorithm) and 1 RRSIG record (one active KSK per signing algorithm). 
---
 bin/tests/system/inline/clean.sh | 2 +-
 bin/tests/system/inline/ns1/root.db.in | 9 -
 bin/tests/system/inline/ns2/named.conf.in | 20 --
 .../system/inline/ns3/delayedkeys.conf.1 | 19 ++
 .../system/inline/ns3/delayedkeys.conf.2 | 19 ++
 bin/tests/system/inline/ns3/named.conf.in | 85 ++++-----
 bin/tests/system/inline/ns3/sign.sh | 47 ++---
 bin/tests/system/inline/ns5/named.conf.post | 9 +-
 bin/tests/system/inline/ns7/named.conf.in | 10 +
 bin/tests/system/inline/ns7/sign.sh | 6 +-
 bin/tests/system/inline/ns8/named.conf.in | 43 +++--
 bin/tests/system/inline/setup.sh | 4 +-
 bin/tests/system/inline/tests.sh | 175 +++---------------
 13 files changed, 164 insertions(+), 284 deletions(-)
 create mode 100644 bin/tests/system/inline/ns3/delayedkeys.conf.1
 create mode 100644 bin/tests/system/inline/ns3/delayedkeys.conf.2
diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh
index 79f3774439..0344ade978 100644
--- a/bin/tests/system/inline/clean.sh
+++ b/bin/tests/system/inline/clean.sh
@@ -24,4 +24,4 @@ rm -rf ./*/*.jbk \
 ./*/*.db ./*/*.db.signed ./*/*.db.jnl ./*/*.db.signed.jnl \
 ./*.out ./*.out* ./*/*.out ./*/*.out* \
 ./*/*.bk ./*/*.bk.jnl ./*/*.bk.signed ./*/*.bk.signed.jnl \
- ns3/a-file ns3/removedkeys
+ ns3/a-file ns3/removedkeys ns3/delayedkeys.conf
diff --git a/bin/tests/system/inline/ns1/root.db.in b/bin/tests/system/inline/ns1/root.db.in
index abc7370e39..7747688370 100644
--- a/bin/tests/system/inline/ns1/root.db.in
+++ b/bin/tests/system/inline/ns1/root.db.in
@@ -48,12 +48,3 @@ ns3.nsec3. A 10.53.0.3
 externalkey. NS ns3.externalkey.
 ns3.externalkey. A 10.53.0.3
-
-retransfer3. NS ns3.retransfer.
-ns3.retransfer3. A 10.53.0.3
-
-inactiveksk. NS ns3.inactiveksk.
-ns3.inactiveksk. A 10.53.0.3
-
-inactivezsk. NS ns3.inactivezsk.
-ns3.inactivezsk. A 10.53.0.3
diff --git a/bin/tests/system/inline/ns2/named.conf.in b/bin/tests/system/inline/ns2/named.conf.in
index 38e6e90fbf..25fc893ebf 100644
--- a/bin/tests/system/inline/ns2/named.conf.in
+++ b/bin/tests/system/inline/ns2/named.conf.in
@@ -47,32 +47,12 @@ zone "retransfer" {
 notify no;
 };
-zone "retransfer3" {
- type primary;
- file "retransfer3.db";
- allow-update { any; };
- allow-transfer { none; }; // changed dynamically by tests.sh
- notify no;
-};
-
 zone "nsec3-loop" {
 type primary;
 file "nsec3-loop.db";
 notify no;
 };
-zone "inactiveksk" {
- type primary;
- file "inactiveksk.db";
- allow-update { any; };
-};
-
-zone "inactivezsk" {
- type primary;
- file "inactivezsk.db";
- allow-update { any; };
-};
-
 zone "nokeys" {
 type primary;
 file "nokeys.db";
diff --git a/bin/tests/system/inline/ns3/delayedkeys.conf.1 b/bin/tests/system/inline/ns3/delayedkeys.conf.1
new file mode 100644
index 0000000000..72ed2aa317
--- /dev/null
+++ b/bin/tests/system/inline/ns3/delayedkeys.conf.1
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "delayedkeys" {
+ type primary;
+ file "delayedkeys.db";
+ inline-signing yes;
+ dnssec-policy insecure;
+};
diff --git a/bin/tests/system/inline/ns3/delayedkeys.conf.2 b/bin/tests/system/inline/ns3/delayedkeys.conf.2
new file mode 100644
index 0000000000..fa7cbcd8b3
--- /dev/null
+++ b/bin/tests/system/inline/ns3/delayedkeys.conf.2
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "delayedkeys" {
+ type primary;
+ file "delayedkeys.db";
+ inline-signing yes;
+ dnssec-policy inline;
+};
diff --git a/bin/tests/system/inline/ns3/named.conf.in b/bin/tests/system/inline/ns3/named.conf.in
index 6b3b3cd5bc..836d915f15 100644
--- a/bin/tests/system/inline/ns3/named.conf.in
+++ b/bin/tests/system/inline/ns3/named.conf.in
@@ -35,11 +35,35 @@ options {
 dnssec-validation no;
 };
+dnssec-policy "inline" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "nsec3" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+ nsec3param iterations 0 optout no salt-length 0;
+};
+
+dnssec-policy "external" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ ksk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
+ };
+};
+
 zone "bits" {
 type secondary;
 primaries { 10.53.0.2; };
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 allow-update-forwarding { any; };
 file "bits.bk";
 sig-signing-signatures 1; // force incremental processing
@@ -51,7 +75,7 @@ zone "noixfr" {
 type secondary;
 primaries { 10.53.0.4; };
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 allow-update-forwarding { any; };
 file "noixfr.bk";
 };
@@ -59,7 +83,7 @@ zone "noixfr" {
 zone "primary" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "primary.db";
 notify explicit;
 also-notify {
@@ -70,7 +94,7 @@ zone "primary" {
 zone "dynamic" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 allow-update { any; };
 file "dynamic.db";
 };
@@ -78,7 +102,7 @@ zone "dynamic" {
 zone "updated" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 allow-update { none; };
 file "updated.db";
 };
@@ -86,7 +110,7 @@ zone "updated" {
 zone "expired" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 allow-update { any; };
 file "expired.db";
 };
@@ -95,14 +119,14 @@ zone "retransfer" {
 type secondary;
 primaries { 10.53.0.2; };
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "retransfer.bk";
 };
 zone "nsec3" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy nsec3;
 allow-update { any; };
 file "nsec3.db";
 };
@@ -110,56 +134,23 @@ zone "nsec3" {
 zone "externalkey" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
- dnssec-dnskey-kskonly no;
+ dnssec-policy external;
 allow-update { any; };
 file "externalkey.db";
 };
-zone "retransfer3" {
- type secondary;
- primaries { 10.53.0.2; };
- inline-signing yes;
- auto-dnssec maintain;
- file "retransfer3.bk";
-};
-
-zone "inactiveksk" {
- type secondary;
- primaries { 10.53.0.2; };
- inline-signing yes;
- auto-dnssec maintain;
- dnssec-dnskey-kskonly yes;
- file "inactiveksk.bk";
-};
-
-zone "inactivezsk" {
- type secondary;
- primaries { 10.53.0.2; };
- inline-signing yes;
- auto-dnssec maintain;
- file "inactivezsk.bk";
-};
-
 zone "nokeys" {
 type secondary;
 primaries { 10.53.0.2; };
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy insecure;
 file "nokeys.bk";
 };
-zone "delayedkeys" {
- type primary;
- inline-signing yes;
- auto-dnssec maintain;
- file "delayedkeys.db";
-};
-
 zone "removedkeys-primary" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 allow-update { any; };
 also-notify { 10.53.0.2; };
 file "removedkeys-primary.db";
@@ -169,7 +160,7 @@ zone "removedkeys-secondary" {
 type secondary;
 primaries { 10.53.0.2; };
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "removedkeys-secondary.bk";
 };
@@ -177,5 +168,7 @@ zone "unsupported" {
 type primary;
 file "unsupported.db";
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 };
+
+include "delayedkeys.conf";
diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh
index f17a8ad1a3..e9b8ded98b 100755
--- a/bin/tests/system/inline/ns3/sign.sh
+++ b/bin/tests/system/inline/ns3/sign.sh
@@ -49,10 +49,12 @@ $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 zone=updated
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
-$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$SETTIME -s -g OMNIPRESENT -k RUMOURED now -z RUMOURED now "$zsk" > settime.out.updated.1 2>&1
+$SETTIME -s -g OMNIPRESENT -k RUMOURED now -r RUMOURED now -d HIDDEN now "$ksk" > settime.out.updated.2 2>&1
+$DSFROMKEY -T 1200 $ksk >> ../ns1/root.db
+$SIGNER -S -x -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null
 cp primary2.db.in updated.db
 # signatures are expired and should be regenerated on startup
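Review bot: The two new `$SETTIME -s -g OMNIPRESENT ...` lines pin explicit key states for the `updated` zone's ZSK and KSK, but nothing in sign.sh says why, and the reason is non-obvious: per the commit message the minimal-journal check on `updated.db.signed.jnl` in tests.sh only holds if named does not have to publish CDS/CDNSKEY or move key states on startup. Suggest a comment above them, e.g. `# Pre-set key states (DNSKEY/ZSK signatures rumoured, DS hidden) so that named neither publishes CDS/CDNSKEY nor transitions states at startup; tests.sh checks that the signed journal only holds the minimal update.` Their output is captured in settime.out.updated.{1,2} but the exit status is not checked, which is consistent with how $KEYGEN is treated elsewhere in this file, so I would only mention it in the comment rather than change it.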
@@ -77,31 +79,6 @@ rm -f K${zone}.+*+*.private
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
-zone=retransfer3
-rm -f K${zone}.+*+*.key
-rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
-
-zone=inactiveksk
-rm -f K${zone}.+*+*.key
-rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 -f KSK $zone)
-keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
-
-zone=inactivezsk
-rm -f K${zone}.+*+*.key
-rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
-
 zone=delayedkeys
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
@@ -136,6 +113,7 @@ do
 done
 zone=externalkey
+zonefile=${zone}.db
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
@@ -147,13 +125,10 @@ do
 k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone)
 $DSFROMKEY -T 1200 $k4 >> ../ns1/root.db
- # Convert k1 and k2 in to External Keys.
+ cat $k1.key $k2.key >> $zonefile
+
+ rm -f $k1.key
 rm -f $k1.private
- mv $k1.key a-file
- $IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1 ||
- ( echo_i "importkey failed: $alg" )
+ rm -f $k2.key
 rm -f $k2.private
- mv $k2.key a-file
- $IMPORTKEY -f a-file $zone > /dev/null 2>&1 ||
- ( echo_i "importkey failed: $alg" )
 done
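Review bot: The `cat $k1.key $k2.key >> $zonefile` / `rm -f` sequence in the externalkey loop drops the old `# Convert k1 and k2 in to External Keys.` comment without replacing it, so the reader no longer learns that k1 and k2 are meant to be keys named must publish but can never sign with. Suggest restoring a comment in front of the `cat`: `# Turn k1 and k2 into external keys: publish only their DNSKEY records via the unsigned zone file and discard the private halves so named can never sign with them.` Worth adding in the same comment that the `.key` files also carry `;`-prefixed metadata lines, which end up in externalkey.db; the zone parser treats them as comments, but anyone reading the generated zone file will wonder where they came from. The old flow additionally scheduled k1 for deletion (`-D now+3600`); both keys are now published indefinitely, which is what the new 4-DNSKEY expectation in tests.sh relies on, so that is a deliberate change rather than an omission.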
diff --git a/bin/tests/system/inline/ns5/named.conf.post b/bin/tests/system/inline/ns5/named.conf.post
index f454b353a2..a85d7606e7 100644
--- a/bin/tests/system/inline/ns5/named.conf.post
+++ b/bin/tests/system/inline/ns5/named.conf.post
@@ -33,10 +33,17 @@ options {
 servfail-ttl 0;
 };
+dnssec-policy "inline" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
 zone "bits" {
 type secondary;
 primaries { 10.53.0.2; };
 file "bits.bk";
- auto-dnssec maintain;
+ dnssec-policy inline;
 inline-signing yes;
 };
diff --git a/bin/tests/system/inline/ns7/named.conf.in b/bin/tests/system/inline/ns7/named.conf.in
index 3a0cf86f56..68ae04c209 100644
--- a/bin/tests/system/inline/ns7/named.conf.in
+++ b/bin/tests/system/inline/ns7/named.conf.in
@@ -48,3 +48,13 @@ options {
 sig-signing-nodes 100;
 sig-signing-signatures 10;
 };
+
+dnssec-policy "nsec3" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm RSASHA256 2048;
+ zsk key-directory lifetime unlimited algorithm RSASHA256 2048;
+ zsk key-directory lifetime unlimited algorithm RSASHA256 1024;
+ };
+
+ nsec3param iterations 0 optout no salt-length 0;
+};
diff --git a/bin/tests/system/inline/ns7/sign.sh b/bin/tests/system/inline/ns7/sign.sh
index 8ab8288bca..d89c8a81a9 100755
--- a/bin/tests/system/inline/ns7/sign.sh
+++ b/bin/tests/system/inline/ns7/sign.sh
@@ -19,6 +19,6 @@ zone=nsec3-loop
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone)
+keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
+keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone -f KSK $zone)
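Review bot: The `dnssec-policy "inline"` block added here is a verbatim copy of the one added to ns3/named.conf.in and ns8/named.conf.in (same two `key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@` entries), so there are now three definitions that have to be kept in step by hand. Since these files are already passed through copy_setports in setup.sh (ns3 visibly so; ns5 and ns8 presumably), one shared snippet processed the same way and pulled in with `include` would remove the drift risk; a one-line comment such as `// keep in sync with ns3/named.conf.in and ns8/named.conf.in` is the minimum if the copies are kept. Not blocking.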
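Review bot: The third entry in the ns7 `nsec3` policy, `zsk key-directory lifetime unlimited algorithm RSASHA256 1024;`, reads like a mistake next to the two 2048-bit keys, and nothing in the file explains it; the commit message says it exists only because `dnssec-policy` ignores duplicate `keys` entries and the loop scenario needs three distinct signing keys. Suggest a comment above the `keys` block: `// Three distinct signing keys are needed to reproduce the NSEC3 loop; duplicate entries are collapsed, so the third key differs in role and size. The 1024-bit ZSK is a test artefact, not a recommended size.` The matching `-b 1024`/`-b 2048` lines in ns7/sign.sh would benefit from a one-line pointer to that comment, since the two must stay in step or named will generate keys of its own.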
diff --git a/bin/tests/system/inline/ns8/named.conf.in b/bin/tests/system/inline/ns8/named.conf.in
index 47bb99151b..81e3142a20 100644
--- a/bin/tests/system/inline/ns8/named.conf.in
+++ b/bin/tests/system/inline/ns8/named.conf.in
@@ -36,128 +36,135 @@ options {
 dnssec-validation no;
 };
+dnssec-policy "inline" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
 zone "example01.com" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example01.com.db";
 };
 zone "example02.com" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example02.com.db";
 };
 zone "example03.com" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example03.com.db";
 };
 zone "example04.com" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example04.com.db";
 };
 zone "example05.com" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example05.com.db";
 };
 zone "example06.com" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example06.com.db";
 };
 zone "example07.com" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example07.com.db";
 };
 zone "example08.com" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example08.com.db";
 };
 zone "example09.com" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example09.com.db";
 };
 zone "example10.com" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example10.com.db";
 };
 zone "example11.com" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example11.com.db";
 };
 zone "example12.com" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example12.com.db";
 };
 zone "example13.com" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example13.com.db";
 };
 zone "example14.com" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example14.com.db";
 };
 zone "example15.com" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example15.com.db";
 };
 zone "example16.com" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example16.com.db";
 };
 zone example {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "example.db";
 };
 zone "unsigned-serial-test" {
 type primary;
 inline-signing yes;
- auto-dnssec maintain;
+ dnssec-policy inline;
 file "unsigned-serial-test.db";
 };
diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh
index 84233c801a..edfa98a1f6 100644
--- a/bin/tests/system/inline/setup.sh
+++ b/bin/tests/system/inline/setup.sh
@@ -18,12 +18,9 @@ cp ns1/root.db.in ns1/root.db
 touch ns2/trusted.conf
 cp ns2/nsec3-loop.db.in ns2/nsec3-loop.db
 cp ns2/bits.db.in ns2/bits.db
-cp ns2/bits.db.in ns2/inactiveksk.db
-cp ns2/bits.db.in ns2/inactivezsk.db
 cp ns2/bits.db.in ns2/nokeys.db
 cp ns2/bits.db.in ns2/removedkeys-secondary.db
 cp ns2/bits.db.in ns2/retransfer.db
-cp ns2/bits.db.in ns2/retransfer3.db
 cp ns3/primary.db.in ns3/primary.db
 cp ns3/primary.db.in ns3/dynamic.db
@@ -44,6 +41,7 @@ cp ns4/noixfr.db.in ns4/noixfr.db
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
+cp ns3/delayedkeys.conf.1 ns3/delayedkeys.conf
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.pre ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
index e9c455472a..9acb0d7dbb 100755
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -36,8 +36,7 @@ status=0
 n=0
 ret=0
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1 || ret=1
-
+# Make sure nsec3 zone is NSEC3 signed.
 for i in 1 2 3 4 5 6 7 8 9 0
 do
 nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.) || ret=1
@@ -65,15 +64,12 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that the zone is signed on initial transfer ($n)"
 ret=0
-for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
-do
- ret=0
- $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1
- keys=$(grep '^Done signing' signing.out.test$n | wc -l)
- [ $keys = 2 ] || ret=1
- if [ $ret = 0 ]; then break; fi
- sleep 1
-done
+zone_is_signed() {
+ $DIG $DIGOPTS @10.53.0.3 bits. AXFR > dig.out.ns3.test$n || return 1
+ $VERIFY -z -o bits. dig.out.ns3.test$n > verify.out.bits.test$n || return 1
+ return 0
+}
+retry_quiet 10 zone_is_signed || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -93,7 +89,7 @@ $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1
 keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
 for key in $keys; do
 $RNDCCMD 10.53.0.3 signing -clear ${key} bits > /dev/null || ret=1
- break; # We only want to remove 1 record for now.
+ break; # We only want to remove 1 record for now.
 done 2>&1 |sed 's/^/ns3 /' | cat_i
 for i in 1 2 3 4 5 6 7 8 9 10
@@ -113,6 +109,7 @@ n=$((n + 1))
 echo_i "checking private type was properly signed ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n || ret=1
+# One private type record, one signature
 grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
 grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
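Review bot: `zone_is_signed` in the @@ -65,15 hunk is a file-scope function with a generic name that hard-codes `bits.`, `10.53.0.3` and the `$n` of this test step; if a later step reuses it, it silently verifies the wrong zone and overwrites this step's output files. Taking the zone as an argument keeps the helper honest: `zone_is_signed() { $DIG $DIGOPTS @10.53.0.3 "$1" AXFR > "dig.out.ns3.test$n" || return 1; $VERIFY -z -o "$1" "dig.out.ns3.test$n" > "verify.out.$1.test$n"; }` called as `retry_quiet 10 zone_is_signed bits. || ret=1`; the trailing `return 0` is redundant once the last command's status is the function's status. The replacement check itself is an improvement over counting 'Done signing' lines, since dnssec-verify validates the transferred zone against its DNSKEY RRset instead of trusting the signer's own progress report, and that is worth saying in a one-line comment above the function.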
@@ -122,7 +119,7 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking removal of remaining private type record via 'rndc signing -clear all' ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1
+$RNDCCMD 10.53.0.3 signing -clear all bits > signing.out.test$n.clear || ret=1
 for i in 1 2 3 4 5 6 7 8 9 10
 do
@@ -434,8 +431,8 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking primary zone that was updated while offline is correct ($n)"
 ret=0
-$DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA >dig.out.ns2.soa.test$n || ret=1
-serial=$(awk '{print $3}' dig.out.ns2.soa.test$n)
+$DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA >dig.out.ns3.soa.test$n || ret=1
+serial=$(awk '{print $3}' dig.out.ns3.soa.test$n)
 # serial should have changed
 [ "$serial" = "2000042407" ] && ret=1
 # e.updated should exist and should be signed
@@ -446,7 +443,7 @@ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
 # of primary2.db, and should show a minimal diff: no more than 8 added
 # records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records
 # (SOA/RRSIG, NSEC/RRSIG).
-$JOURNALPRINT ns3/updated.db.signed.jnl >journalprint.out.test$n || ret=1
+$JOURNALPRINT ns3/updated.db.signed.jnl > journalprint.out.test$n || ret=1
 serial=$(awk '/Source serial =/ {print $4}' journalprint.out.test$n)
 [ "$serial" = "2000042408" ] || ret=1
 diffsize=$(wc -l < journalprint.out.test$n)
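Review bot: In the @@ -122,7 hunk the output of `rndc signing -clear all bits` is now written to `signing.out.test$n.clear`, but nothing in the hunk reads that file, and the retry loop that follows still decides the result on its own. If the file is only meant as a debugging aid when the step fails, a comment such as `# output kept for post-mortem inspection` would tell the next reader it is intentional; otherwise the old `> /dev/null` was clearer. If it is consumed later outside this hunk, ignore this.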
@@ -791,65 +788,6 @@ done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n + 1))
-echo_i "check 'rndc signing -nsec3param' requests are queued for zones which are not loaded ($n)"
-ret=0
-# The "retransfer3" zone is configured with "allow-transfer { none; };" on ns2,
-# which means it should not yet be available on ns3.
-$DIG $DIGOPTS @10.53.0.3 retransfer3 SOA > dig.out.ns3.pre.test$n || ret=1
-grep "status: SERVFAIL" dig.out.ns3.pre.test$n > /dev/null || ret=1
-# Switch the zone to NSEC3. An "NSEC3 -> NSEC -> NSEC3" sequence is used purely
-# to test that multiple queued "rndc signing -nsec3param" requests are handled
-# properly.
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
-$RNDCCMD 10.53.0.3 signing -nsec3param none retransfer3 > /dev/null 2>&1 || ret=1
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
-# Reconfigure ns2 to allow outgoing transfers for the "retransfer3" zone.
-sed "s|\(allow-transfer { none; };.*\)|// \1|;" ns2/named.conf > ns2/named.conf.new
-mv ns2/named.conf.new ns2/named.conf
-$RNDCCMD 10.53.0.2 reconfig || ret=1
-# Request ns3 to retransfer the "retransfer3" zone.
-$RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1
-# Check whether "retransfer3" uses NSEC3 as requested.
-for i in 0 1 2 3 4 5 6 7 8 9
-do
- ret=0
- $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i || ret=1
- grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
- grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
- test $ret -eq 0 && break
- sleep 1
-done
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-n=$((n + 1))
-echo_i "check rndc retransfer of a inline nsec3 secondary retains nsec3 ($n)"
-ret=0
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
-for i in 0 1 2 3 4 5 6 7 8 9
-do
- ans=0
- $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n || ret=1
- grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1
- grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1
- [ $ans = 0 ] && break
- sleep 1
-done
-$RNDCCMD 10.53.0.3 retransfer retransfer3 2>&1 || ret=1
-for i in 0 1 2 3 4 5 6 7 8 9
-do
- ans=0
- $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n || ret=1
- grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1
- grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1
- [ $ans = 0 ] && break
- sleep 1
-done
-[ $ans = 1 ] && ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
 # NOTE: The test below should be considered fragile. More details can be found
 # in the comment inside ns7/named.conf.
 n=$((n + 1))
@@ -858,7 +796,7 @@ ret=0
 zone=nsec3-loop
 # Add secondary zone using rndc
 $RNDCCMD 10.53.0.7 addzone $zone \
- '{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };' || ret=1
+ '{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; dnssec-policy default; };' || ret=1
 # Wait until secondary zone is fully signed using NSEC
 for i in 1 2 3 4 5 6 7 8 9 0
 do
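Review bot: The nsec3-loop zone is added with `dnssec-policy default;` while ns7/sign.sh pre-generates three RSASHA256 keys (1024/2048-bit) that match only the `nsec3` policy defined in ns7/named.conf.in. As far as I can tell, the built-in default policy will not adopt keys of a different algorithm, so named is likely to generate its own key for the initial NSEC signing, and the later `modzone` to `dnssec-policy nsec3` (next hunk) then combines the NSEC-to-NSEC3 switch with an algorithm rollover, which is more than the test's existing 'fragile' NOTE describes. If that is intended, say so in the comment above the addzone line; if not, defining a second ns7 policy with the same three RSASHA256 key entries but no `nsec3param`, and using it here as `dnssec-policy nsec;` in the addzone string, would keep the pre-generated keys in use throughout and make the modzone a pure NSEC-to-NSEC3 change. Please confirm against the keymgr's actual matching behaviour before changing anything.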
@@ -869,15 +807,18 @@ do
 sleep 1
 done
 # Switch secondary zone to NSEC3
-$RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 modzone $zone \
+ '{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; dnssec-policy nsec3; };' || ret=1
 # Wait until secondary zone is fully signed using NSEC3
 for i in 1 2 3 4 5 6 7 8 9 0
 do
 ret=1
- nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone) || ret=1
- test "$nsec3param" = "1 0 2 12345678" && ret=0 && break
+ $DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone > dig.out.ns7.test$n
+ nsec3param=$(cat dig.out.ns7.test$n)
+ test "$nsec3param" = "1 0 0 -" && ret=0 && break
 sleep 1
 done
+
 # Attempt to retransfer the secondary zone from primary
 $RNDCCMD 10.53.0.7 retransfer $zone || ret=1
 # Check whether the signer managed to fully sign the retransferred zone by
@@ -1013,7 +954,7 @@ $RNDCCMD 10.53.0.2 addzone test-$zone \
 $DIG $DIGOPTS @10.53.0.2 test-$zone SOA > dig.out.ns2.$zone.test$n || ret=1
 grep "status: NOERROR," dig.out.ns2.$zone.test$n > /dev/null || { ret=1; cat dig.out.ns2.$zone.test$n; }
 $RNDCCMD 10.53.0.3 addzone test-$zone \
- '{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };' || ret=1
+ '{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; dnssec-policy default; allow-transfer { any; }; };' || ret=1
 $RNDCCMD 10.53.0.3 delzone test-$zone > /dev/null 2>&1 || ret=1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
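Review bot: In the NSEC3 wait loop the rewritten `$DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone > dig.out.ns7.test$n` no longer carries `|| ret=1`, unlike the line it replaces and the surrounding dig calls in this file. The outcome is the same because `ret=1` is set at the top of every iteration, but an unreachable server now produces an empty dig.out.ns7.test$n that is indistinguishable from an empty NSEC3PARAM answer, so a genuine dig failure only shows up as a timeout after ten retries. Keep the `|| ret=1` on the dig line for consistency; it costs nothing. The expected `"1 0 0 -"` matches the `nsec3param iterations 0 optout no salt-length 0` in the ns7 `nsec3` policy, so the value change is correct.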
@@ -1036,8 +977,8 @@ do
 dnskeys=$(grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l)
 rrsigs=$(grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l)
- test ${dnskeys:-0} -eq 3 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; }
- test ${rrsigs:-0} -eq 2 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; }
+ test ${dnskeys:-0} -eq 4 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; }
+ test ${rrsigs:-0} -eq 1 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; }
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
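Review bot: The expected per-algorithm counts change from 3 DNSKEY / 2 RRSIG to 4 / 1 with no comment, so a reader has to dig up this commit to understand why the externalkey zone now answers with one fewer signature; the explanation only lives in the commit message. Suggest a comment above the two `test` lines: `# Per algorithm: 4 DNSKEYs (policy KSK + ZSK plus the two external keys) and 1 RRSIG over the DNSKEY RRset, made by the active KSK only.` That also documents the security-relevant property being asserted, namely that the external keys are published but never used to sign.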
@@ -1133,70 +1074,6 @@ retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n + 1))
-echo_i "testing that inline signing works with inactive ZSK and active KSK ($n)"
-ret=0
-
-$DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.pre.test$n || ret=1
-soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n)
-
-$NSUPDATE << EOF || ret=1
-server 10.53.0.2 ${PORT}
-update add added.inactivezsk 0 IN TXT added record
-send
-EOF
-
-for i in 1 2 3 4 5 6 7 8 9 10
-do
- $DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.post.test$n || ret=1
- soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n)
- test ${soa1:-0} -ne ${soa2:-0} && break
- sleep 1
-done
-test ${soa1:-0} -ne ${soa2:-0} || ret=1
-
-$DIG $DIGOPTS @10.53.0.3 txt added.inactivezsk > dig.out.ns3.test$n || ret=1
-grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
-grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
-grep "TXT ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
-grep "TXT ${ALTERNATIVE_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
-
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-n=$((n + 1))
-echo_i "testing that inline signing works with inactive KSK and active ZSK ($n)"
-ret=0
-
-$DIG $DIGOPTS @10.53.0.3 axfr inactiveksk > dig.out.ns3.test$n || ret=1
-
-#
-# check that DNSKEY is signed with ZSK for default algorithm
-#
-awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }'
-zskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
- $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' )
-grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1
-awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }'
-kskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
- $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' )
-grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
-
-#
-# check that DNSKEY is signed with KSK for alternative algorithm
-#
-awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }'
-zskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
- $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' )
-grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1
-awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }'
-kskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
- $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' )
-grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
-
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
 # Wait until an update to the raw part of a given inline signed zone is fully
 # processed. As waiting for a fixed amount of time is suboptimal and there is
 # no single message that would signify both a successful modification and an
@@ -1368,12 +1245,16 @@ ensure_sigs_only_in_journal() {
 n=$((n + 1))
 echo_i "checking that records added from a journal are scheduled to be resigned ($n)"
 ret=0
+zone="delayedkeys"
 # Signing keys for the "delayedkeys" zone are not yet accessible. Thus, the
 # zone file for the signed version of the zone will contain no DNSSEC records.
 # Move keys into place now and load them, which will cause DNSSEC records to
 # only be present in the journal for the signed version of the zone.
 mv Kdelayedkeys* ns3/
-$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1
+cp ns3/delayedkeys.conf.2 ns3/delayedkeys.conf
+$RNDCCMD 10.53.0.3 reconfig > /dev/null 2>&1 || ret=1
+
+#$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1
 # Wait until the zone is signed.
 check_done_signing () (
 $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1 || true