
Update autosign test

Update the autosign system test with new expected behavior.

The 'nozsk.example' zone should have its expired zone signatures
deleted and replaced with signatures generated with the KSK.

The 'inaczsk.example' zone should have its expired zone signatures
deleted and replaced with signatures generated with the KSK.

In both scenarios, signatures are deleted, not retained, so the
"retaining signatures" warning should not be logged.

Furthermore, this commit fixes a test bug where the 'awk' command
always returned 0.

Finally, this commit adds a test case for an offline KSK, for the zone
'noksk.example'. In this case the expired signatures should be retained
(despite the zone being bogus, but resigning the DNSKEY RRset with the
ZSK won't help here).
Matthijs Mekking 2021-12-07 14:11:06 +01:00
parent beeefe35c4
commit fbd559ad0d
5 changed files with 78 additions and 18 deletions


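--- a/clean.sh
+++ b/clean.sh
@@ -22,7 +22,7 @@ rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
 rm -f dig.out.*
 rm -f digcomp.out.test*
 rm -f digcomp.out.test*
-rm -f missingzsk.key inactivezsk.key
+rm -f noksk-ksk.key nozsk-ksk.key nozsk-zsk.key inaczsk-zsk.key inaczsk-ksk.key
 rm -f nopriv.key vanishing.key del1.key del2.key
 rm -f ns*/managed-keys.bind*
 rm -f ns*/named.lock
@@ -43,6 +43,7 @@ rm -f ns3/jitter.nsec3.example.db
 rm -f ns3/kg.out ns3/s.out ns3/st.out
 rm -f ns3/kskonly.example.db
 rm -f ns3/named.ns3.prev
+rm -f ns3/noksk.example.db
 rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
 rm -f ns3/nsec.example.db
 rm -f ns3/nsec3-to-nsec.example.db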


@ -249,15 +249,27 @@ echo $ksk > ../delayksk.key
zsk=`$KEYGEN -G -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out zsk=`$KEYGEN -G -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
echo $zsk > ../delayzsk.key echo $zsk > ../delayzsk.key
#
# A zone with signatures that are already expired, and the private KSK
# is missing.
#
setup noksk.example
ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $ksk > ../noksk-ksk.key
rm -f ${ksk}.private
# #
# A zone with signatures that are already expired, and the private ZSK # A zone with signatures that are already expired, and the private ZSK
# is missing. # is missing.
# #
setup nozsk.example setup nozsk.example
$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
zsk=`$KEYGEN -q -a RSASHA1 -3 $zone` zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $zsk > ../missingzsk.key echo $ksk > ../nozsk-ksk.key
echo $zsk > ../nozsk-zsk.key
rm -f ${zsk}.private rm -f ${zsk}.private
# #
@ -265,10 +277,11 @@ rm -f ${zsk}.private
# is inactive. # is inactive.
# #
setup inaczsk.example setup inaczsk.example
$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
zsk=`$KEYGEN -q -a RSASHA1 -3 $zone` zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $zsk > ../inactivezsk.key echo $ksk > ../inaczsk-ksk.key
echo $zsk > ../inaczsk-zsk.key
$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
# #
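Review bot: The comment above the new noksk.example block states only the precondition (signatures already expired, private KSK missing) and not what the test expects named to do with it, which is what the later journal and log assertions depend on; the commit message explains that the signatures are retained and the zone ends up bogus. I would extend the comment to `# is missing. named cannot re-sign the DNSKEY RRset with an offline KSK, so` / `# the expired signatures are expected to be retained (the zone goes bogus).` The block is otherwise a copy of the nozsk.example block below with `${ksk}.private` removed instead of `${zsk}.private`, which matches the file's existing one-block-per-scenario style. Note that `$zone` and `$zonefile` are set by `setup`, which is defined outside this hunk.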


@ -249,6 +249,13 @@ zone "inaczsk.example" {
auto-dnssec maintain; auto-dnssec maintain;
}; };
zone "noksk.example" {
type primary;
file "noksk.example.db";
allow-update { any; };
auto-dnssec maintain;
};
zone "sync.example" { zone "sync.example" {
type primary; type primary;
file "sync.example.db"; file "sync.example.db";


@ -0,0 +1,24 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
x CNAME a


@ -164,7 +164,7 @@ do
grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1 grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
done done
for z in bar. example. inacksk2.example. inacksk3.example \ for z in bar. example. inacksk2.example. inacksk3.example \
inaczsk2.example. inaczsk3.example inaczsk2.example. inaczsk3.example noksk.example nozsk.example
do do
$DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1 grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
@ -371,36 +371,51 @@ END
echo_i "waiting for change to take effect" echo_i "waiting for change to take effect"
sleep 3 sleep 3
echo_i "checking that expired RRSIGs from missing key are not deleted ($n)" missing=$(keyfile_to_key_id "$(cat noksk-ksk.key)")
echo_i "checking that expired RRSIGs from missing KSK $missing are not deleted ($n)"
ret=0
$JOURNALPRINT ns3/noksk.example.db.jnl | \
awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {error=1}} END {exit error}' id=$missing || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
missing=$(keyfile_to_key_id "$(cat nozsk-zsk.key)")
ksk=$(keyfile_to_key_id "$(cat nozsk-ksk.key)")
echo_i "checking that expired RRSIGs from missing ZSK $missing are replaced ($n)"
ret=0 ret=0
missing=$(keyfile_to_key_id "$(cat missingzsk.key)")
$JOURNALPRINT ns3/nozsk.example.db.jnl | \ $JOURNALPRINT ns3/nozsk.example.db.jnl | \
awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$missing || ret=1 awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$missing || ret=1
$JOURNALPRINT ns3/nozsk.example.db.jnl | \
awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1
n=`expr $n + 1` n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
echo_i "checking that expired RRSIGs from inactive key are not deleted ($n)" inactive=$(keyfile_to_key_id "$(cat inaczsk-zsk.key)")
ksk=$(keyfile_to_key_id "$(cat inaczsk-ksk.key)")
echo_i "checking that expired RRSIGs from inactive ZSK $inactive are replaced ($n)"
ret=0 ret=0
inactive=$(keyfile_to_key_id "$(cat inactivezsk.key)")
$JOURNALPRINT ns3/inaczsk.example.db.jnl | \ $JOURNALPRINT ns3/inaczsk.example.db.jnl | \
awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$inactive || ret=1 awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$inactive || ret=1
$JOURNALPRINT ns3/inaczsk.example.db.jnl | \
awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1
n=`expr $n + 1` n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
echo_i "checking that non-replaceable RRSIGs are logged only once (missing private key) ($n)" echo_i "checking that replaced RRSIGs are not logged (missing ZSK private key) ($n)"
ret=0 ret=0
loglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l` loglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l`
[ "$loglines" -eq 1 ] || ret=1 [ "$loglines" -eq 0 ] || ret=1
n=`expr $n + 1` n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
echo_i "checking that non-replaceable RRSIGs are logged only once (inactive private key) ($n)" echo_i "checking that replaced RRSIGs are not logged (inactive ZSK private key) ($n)"
ret=0 ret=0
loglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run | wc -l` loglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run | wc -l`
[ "$loglines" -eq 1 ] || ret=1 [ "$loglines" -eq 0 ] || ret=1
n=`expr $n + 1` n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
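Review bot: The new noksk.example check at the top of the second hunk can pass vacuously: the exit status of `$JOURNALPRINT ns3/noksk.example.db.jnl` is hidden by the pipe, and with no input awk's END block reaches `exit error` with `error` unset, which exits 0, so a missing or empty journal is indistinguishable from "signatures retained". The nozsk and inaczsk cases each get a positive assertion (an `add` of a KSK-signed RRSIG) plus a log-line check, but nothing positive is asserted for noksk. If named still emits the "retaining signatures" warning for the missing KSK as the old ZSK tests expected, adding `loglines=$(grep -c "Key noksk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run)` and `[ "$loglines" -eq 1 ] || ret=1` before `$missing` is reassigned for nozsk would pin that behaviour; please confirm the exact message text against the nozsk/inaczsk grep patterns. For consistency with the other awk programs in this hunk, `END {exit error?1:0}` would also make the unset-variable case explicit.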