mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-22 01:59:26 +00:00
ef7aba7072
The OpenSSL 1.x Engines support has been deprecated in the OpenSSL 3.x and is going to be removed. Remove the OpenSSL Engine support in favor of OpenSSL Providers.
421 lines
13 KiB
Bash
421 lines
13 KiB
Bash
#!/bin/sh
|
|
#
|
|
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
#
|
|
# SPDX-License-Identifier: MPL-2.0
|
|
#
|
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
#
|
|
# See the COPYRIGHT file distributed with this work for additional
|
|
# information regarding copyright ownership.
|
|
|
|
set -e
|
|
|
|
# shellcheck source=conf.sh
|
|
. ../conf.sh
|
|
|
|
PWD=$(pwd)
|
|
|
|
status=0
|
|
ret=0
|
|
n=0
|
|
|
|
dig_with_opts() {
|
|
$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
|
|
}
|
|
|
|
check_keys() {
|
|
_zone=$1
|
|
_expect=$2
|
|
_ret=0
|
|
_status=0
|
|
_count=$(ls K*.key | grep "K${_zone}" | wc -l)
|
|
|
|
test "$_count" -eq "$_expect" || _ret=1
|
|
test "$_ret" -eq 0 || echo_i "failed (expected $_expect keys, got $_count)"
|
|
_status=$((_status + _ret))
|
|
|
|
_ret=0
|
|
_count=$(cat K${_zone}*.private | grep Label | wc -l)
|
|
test "$_count" -eq "$_expect" || _ret=1
|
|
test "$_ret" -eq 0 || echo_i "failed (expected Label metadata in key files)"
|
|
_status=$((_status + _ret))
|
|
|
|
return $_status
|
|
}
|
|
|
|
# Perform tests inside ns1 dir
|
|
cd ns1
|
|
|
|
for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
|
|
ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC
|
|
# ed25519:EC:edwards25519 ed448:EC:edwards448
|
|
alg=$(echo "$algtypebits" | cut -f 1 -d :)
|
|
type=$(echo "$algtypebits" | cut -f 2 -d :)
|
|
bits=$(echo "$algtypebits" | cut -f 3 -d :)
|
|
zone="${alg}.example"
|
|
zonefile="zone.${zone}.db.signed"
|
|
|
|
if [ ! -f $zonefile ]; then
|
|
echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile}"
|
|
continue
|
|
fi
|
|
|
|
# Basic checks if setup was successful.
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test key generation was successful for $zone ($n)"
|
|
check_keys $zone 4 || ret=1
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test zone signing was successful for $zone ($n)"
|
|
$VERIFY -z -o $zone "${zonefile}" >verify.out.$zone.$n 2>&1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)"
|
|
status=$((status + ret))
|
|
|
|
# Test inline signing with keys stored in engine.
|
|
zskid1=$(cat "${zone}.zskid1")
|
|
zskid2=$(cat "${zone}.zskid2")
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test inline signing for $zone ($n)"
|
|
dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || ret=1
|
|
awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || ret=1
|
|
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
|
|
test $numsigs -eq 1 || ret=1
|
|
grep -w "$zskid1" dig.out.keyids.$zone.$n >/dev/null || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Dynamically update $zone, add new zsk ($n)"
|
|
zsk2=$(grep -v ';' K${zone}.*.zsk2)
|
|
cat >"update.cmd.zsk.$zone.$n" <<EOF
|
|
server 10.53.0.1 $PORT
|
|
ttl 300
|
|
zone $zone
|
|
update add $zsk2
|
|
send
|
|
EOF
|
|
|
|
$NSUPDATE -v >"update.log.zsk.$zone.$n" <"update.cmd.zsk.$zone.$n" || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (update failed)"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test DNSKEY response for $zone after inline signing ($n)"
|
|
_dig_dnskey() {
|
|
dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1
|
|
count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
|
|
test $count -eq 3
|
|
}
|
|
retry_quiet 10 _dig_dnskey || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test SOA response for $zone after inline signing ($n)"
|
|
_dig_soa() {
|
|
dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || return 1
|
|
awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1
|
|
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
|
|
test $numsigs -eq 2 || return 1
|
|
grep -w "$zskid1" dig.out.keyids.$zone.$n >/dev/null || return 1
|
|
grep -w "$zskid2" dig.out.keyids.$zone.$n >/dev/null || return 1
|
|
return 0
|
|
}
|
|
retry_quiet 10 _dig_soa || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)"
|
|
status=$((status + ret))
|
|
|
|
# Test inline signing with keys stored in engine (key signing).
|
|
kskid1=$(cat "${zone}.kskid1")
|
|
kskid2=$(cat "${zone}.kskid2")
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Dynamically update $zone, add new ksk ($n)"
|
|
ksk2=$(grep -v ';' K${zone}.*.ksk2)
|
|
cat >"update.cmd.ksk.$zone.$n" <<EOF
|
|
server 10.53.0.1 $PORT
|
|
ttl 300
|
|
zone $zone
|
|
update add $ksk2
|
|
send
|
|
EOF
|
|
|
|
$NSUPDATE -v >"update.log.ksk.$zone.$n" <"update.cmd.ksk.$zone.$n" || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (update failed)"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)"
|
|
_dig_dnskey_ksk() {
|
|
dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1
|
|
count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
|
|
test $count -eq 4 || return 1
|
|
awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n >dig.out.keyids.$zone.$n || return 1
|
|
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
|
|
test $numsigs -eq 2 || return 1
|
|
grep -w "$kskid1" dig.out.keyids.$zone.$n >/dev/null || return 1
|
|
grep -w "$kskid2" dig.out.keyids.$zone.$n >/dev/null || return 1
|
|
return 0
|
|
}
|
|
retry_quiet 10 _dig_dnskey_ksk || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)"
|
|
status=$((status + ret))
|
|
|
|
# Check dnssec-policy interaction.
|
|
|
|
# Basic checks if setup was successful (dnssec-policy).
|
|
zone="${alg}.kasp"
|
|
n=$((n + 1))
|
|
ret=0
|
|
ret=0
|
|
echo_i "Test key generation was successful for $zone ($n)"
|
|
check_keys $zone 2 || ret=1
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test DNSKEY response for $zone ($n)"
|
|
_dig_policy_dnskey() {
|
|
dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1
|
|
count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
|
|
test $count -eq 2
|
|
}
|
|
retry_quiet 2 _dig_policy_dnskey || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (expected 2 DNSKEY records)"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test SOA response for $zone ($n)"
|
|
_dig_policy_soa() {
|
|
dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || return 1
|
|
awk '$4 == "RRSIG" && $5 == "SOA" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1
|
|
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
|
|
test $numsigs -eq 1 || return 1
|
|
return 0
|
|
}
|
|
retry_quiet 2 _dig_policy_soa || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (expected a SOA RRSIG record)"
|
|
|
|
zone="$alg.\"\:\;\?\&\[\]\@\!\$\*\+\,\|\=\.\(\)foo.weird"
|
|
keyfile="${alg}.%22%3A%3B%3F%26%5B%5D%40%21%24%2A%2B%2C%7C%3D%2E%28%29foo.weird"
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test key generation was successful for $zone ($n)"
|
|
check_keys $keyfile 2 || ret=1
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test DNSKEY response for $zone ($n)"
|
|
retry_quiet 2 _dig_policy_dnskey || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (expected 2 DNSKEY records)"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test SOA response for $zone ($n)"
|
|
retry_quiet 2 _dig_policy_soa || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (expected a SOA RRSIG record)"
|
|
status=$((status + ret))
|
|
|
|
# Check a dnssec-policy that uses multiple key-stores.
|
|
zone="${alg}.split"
|
|
echo_i "Test key generation was successful for $zone ($n)"
|
|
# Check KSK.
|
|
check_keys $zone 1 || ret=1
|
|
# Check ZSK.
|
|
count=$(ls keys/K*.key | grep "K${_zone}" | wc -l)
|
|
test "$count" -eq 1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (expected 1 key, got $count)"
|
|
status=$((status + ret))
|
|
ret=0
|
|
count=$(cat keys/K${zone}*.private | grep Engine | wc -l)
|
|
test "$count" -eq 0 || ret=1
|
|
count=$(cat keys/K${zone}*.private | grep Label | wc -l)
|
|
test "$count" -eq 0 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (unexpected Engine and Label in key files)"
|
|
status=$((status + ret))
|
|
|
|
# Check dnssec-keygen with dnssec-policy and key-store.
|
|
zone="${alg}.keygen"
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test dnssec-keygen for $zone ($n)"
|
|
$KEYGEN -k $alg -l named.conf $zone >keygen.out.$zone.$n 2>/dev/null || ret=1
|
|
check_keys $zone 2 || ret=1
|
|
status=$((status + ret))
|
|
|
|
done
|
|
|
|
# Go back to main test dir.
|
|
cd ..
|
|
|
|
# Perform tests inside ns2 dir
|
|
cd ns2
|
|
|
|
algtypebits="ecdsap256sha256:EC:prime256v1"
|
|
alg=$(echo "$algtypebits" | cut -f 1 -d :)
|
|
type=$(echo "$algtypebits" | cut -f 2 -d :)
|
|
bits=$(echo "$algtypebits" | cut -f 3 -d :)
|
|
zone="${alg}.views"
|
|
zonefile1="zone.$alg.views.view1.db.signed"
|
|
zonefile2="zone.$alg.views.view2.db.signed"
|
|
|
|
skip=0
|
|
if [ ! -f $zonefile1 ]; then
|
|
echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile1}"
|
|
skip=1
|
|
fi
|
|
|
|
if [ ! -f $zonefile2 ]; then
|
|
echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile2}"
|
|
skip=1
|
|
fi
|
|
|
|
if [ $skip -eq 0 ]; then
|
|
# Basic checks if setup was successful.
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test key generation was successful for $zone ($n)"
|
|
check_keys $zone 4 || ret=1
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test zone signing was successful for $zone in view1 ($n)"
|
|
$VERIFY -z -o $zone "${zonefile1}" >verify.out.$zone.view1.$n 2>&1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test zone signing was successful for $zone in view2 ($n)"
|
|
$VERIFY -z -o $zone "${zonefile2}" >verify.out.$zone.view2.$n 2>&1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)"
|
|
status=$((status + ret))
|
|
|
|
# Test dnssec-policy signing with keys stored in engine.
|
|
zone="${alg}.same-policy.views"
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test key generation was successful for $zone ($n)"
|
|
check_keys $zone 1 || ret=1
|
|
status=$((status + ret))
|
|
|
|
_dig_inview() {
|
|
_qtype="$1"
|
|
_alg="$2"
|
|
_tsig="$DEFAULT_HMAC:$3:$4"
|
|
dig_with_opts "$zone" @10.53.0.2 $_qtype -y "$_tsig" >dig.out.$zone.$n || return 1
|
|
awk -v cov="$_qtype" '$4 == "RRSIG" && $5 == cov { print $6 }' dig.out.$zone.$n >dig.out.alg.$zone.$n || return 1
|
|
numsigs=$(cat dig.out.alg.$zone.$n | wc -l)
|
|
test $numsigs -eq 1 || return 1
|
|
grep -w "$_alg" dig.out.alg.$zone.$n >/dev/null || return 1
|
|
}
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test SOA is signed for $zone in view1 ($n)"
|
|
VIEW1="YPfMoAk6h+3iN8MDRQC004iSNHY="
|
|
retry_quiet 4 _dig_inview SOA 13 keyforview1 $VIEW1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed)"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test DNSKEY is signed for $zone in view1 ($n)"
|
|
retry_quiet 4 _dig_inview DNSKEY 13 keyforview1 $VIEW1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (DNSKEY RRset not signed)"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test SOA is signed for $zone in view2 ($n)"
|
|
VIEW2="4xILSZQnuO1UKubXHkYUsvBRPu8="
|
|
retry_quiet 4 _dig_inview SOA 13 keyforview2 $VIEW2 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed)"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test DNSKEY is signed for $zone in view2 ($n)"
|
|
retry_quiet 4 _dig_inview DNSKEY 13 keyforview2 $VIEW2 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (DNSKEY RRset not signed)"
|
|
status=$((status + ret))
|
|
|
|
# Now test zone in different views using a different dnssec-policy.
|
|
zone="zone-with.different-policy.views"
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test key generation was successful for $zone in view1 ($n)"
|
|
# view1
|
|
check_keys $zone 1 || ret=1
|
|
status=$((status + ret))
|
|
# view2
|
|
echo_i "Test key generation was successful for $zone in view2 ($n)"
|
|
count=$(ls keys/K*.key | grep "K${zone}" | wc -l)
|
|
test "$count" -eq 1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (expected 1 key, got $count)"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test SOA is signed for $zone in view1 ($n)"
|
|
VIEW1="YPfMoAk6h+3iN8MDRQC004iSNHY="
|
|
retry_quiet 4 _dig_inview SOA 13 keyforview1 $VIEW1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed)"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test DNSKEY is signed for $zone in view1 ($n)"
|
|
retry_quiet 4 _dig_inview DNSKEY 13 keyforview1 $VIEW1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (DNSKEY RRset not signed)"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test SOA is signed for $zone in view2 ($n)"
|
|
VIEW2="4xILSZQnuO1UKubXHkYUsvBRPu8="
|
|
retry_quiet 4 _dig_inview SOA 8 keyforview2 $VIEW2 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed)"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Test DNSKEY is signed for $zone in view2 ($n)"
|
|
retry_quiet 4 _dig_inview DNSKEY 8 keyforview2 $VIEW2 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed (DNSKEY RRset not signed)"
|
|
status=$((status + ret))
|
|
fi
|
|
|
|
# Go back to main test dir.
|
|
cd ..
|
|
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "Checking for assertion failure in pk11_numbits()"
|
|
$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt
|
|
dig_with_opts @10.53.0.1 version.bind. CH TXT >dig.out.pk11_numbits || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
|
|
echo_i "exit status: $status"
|
|
[ $status -eq 0 ] || exit 1
|