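#!/bin/sh
#
# Copyright (C) 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# $Id$

# System test: sign a parent and a child zone with $SIGNER -S (key selection
# driven by key timing metadata) and verify which keys were published and
# which keys produced signatures, before and after a timed key roll.
#
# Each check echoes an "I:..." line, sets ret=1 on failure and is accounted
# for by finish(); the exit status is the number of failed checks.
# $SIGNER and $SETTIME come from conf.sh and are expanded unquoted on
# purpose, since they may carry command-line options.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

RANDFILE=./random.data
pzone=parent.nil pfile=parent.db
czone=child.parent.nil cfile=child.db
status=0
n=0

# keyid FILE
#   Print the numeric key id of the keygen-style key name
#   ("K<czone>.+005+NNNNN") stored in FILE, leading zeros stripped, so it
#   can be compared against the ids printed in the signed zone.
keyid() {
        sed 's/^K'"${czone}"'.+005+0*\([0-9]\)/\1/' < "$1"
}

# extract_sigs SIGNEDZONE
#   Print "<type> <keyid>" for every RRSIG in SIGNEDZONE whose signer name
#   matches the child zone. The key id sits on the RRSIG's continuation
#   line, hence the getline.
extract_sigs() {
        awk '$2 ~ /RRSIG/ {
                type = $3;
                getline;
                id = $2;
                if ($3 ~ /'"${czone}"'/) {
                        print type, id
                }
        }' < "$1"
}

# extract_keys SIGNEDZONE
#   Print "<flags> <keyid>" for every DNSKEY in SIGNEDZONE; the key id is
#   taken from the "key id = N" comment that follows the record.
extract_keys() {
        awk '$2 ~ /DNSKEY/ {
                flags = $3;
                while ($0 !~ /key id =/)
                        getline;
                id = $6;
                print flags, id;
        }' < "$1"
}

# finish
#   Close out the current check: bump the check counter, report a failure
#   when ret is non-zero and fold ret into the overall status.
finish() {
        n=$((n + 1))
        if [ "$ret" != 0 ]; then echo "I:failed"; fi
        status=$((status + ret))
}

echo "I:setting key timers"
# The rolling (standby) KSK becomes active 15 seconds from now; the re-sign
# below waits 20 seconds so that it has happened by then.
$SETTIME -A now+15s "$(cat rolling.key)" > /dev/null

inact=$(keyid inact.key)
ksk=$(keyid ksk.key)
pending=$(keyid pending.key)
postrev=$(keyid postrev.key)
prerev=$(keyid prerev.key)
rolling=$(keyid rolling.key)
standby=$(keyid standby.key)
zsk=$(keyid zsk.key)

../../../tools/genrandom 400 $RANDFILE

echo "I:signing zones"
$SIGNER -Sg -o $czone $cfile > /dev/null 2>&1
$SIGNER -Sg -o $pzone $pfile > /dev/null 2>&1

extract_sigs "${cfile}.signed" > sigs
extract_keys "${cfile}.signed" > keys

echo "I:checking that KSK signed DNSKEY only ($n)"
ret=0
grep "DNSKEY $ksk"'$' sigs > /dev/null || ret=1
grep "SOA $ksk"'$' sigs > /dev/null && ret=1
finish

echo "I:checking that ZSK signed ($n)"
ret=0
grep "SOA $zsk"'$' sigs > /dev/null || ret=1
finish

echo "I:checking that standby ZSK did not sign ($n)"
ret=0
grep " $standby"'$' sigs > /dev/null && ret=1
finish

echo "I:checking that inactive key did not sign ($n)"
ret=0
grep " $inact"'$' sigs > /dev/null && ret=1
finish

echo "I:checking that pending key was not published ($n)"
ret=0
grep " $pending"'$' keys > /dev/null && ret=1
finish

echo "I:checking that standby KSK did not sign but is delegated ($n)"
ret=0
grep " $rolling"'$' sigs > /dev/null && ret=1
grep " $rolling"'$' keys > /dev/null || ret=1
egrep "DS[ ]*$rolling[ ]" ${pfile}.signed > /dev/null || ret=1
finish

echo "I:checking that key was revoked ($n)"
ret=0
grep " $prerev"'$' keys > /dev/null && ret=1
grep " $postrev"'$' keys > /dev/null || ret=1
finish

echo "I:checking that revoked key self-signed ($n)"
ret=0
grep "DNSKEY $postrev"'$' sigs > /dev/null || ret=1
grep "SOA $postrev"'$' sigs > /dev/null && ret=1
finish

echo "I:waiting 20 seconds for key changes to occur"
sleep 20

echo "I:re-signing zone"
$SIGNER -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null 2>&1

# The re-signed zone is written to ${cfile}.new; rebuild sigs/keys from it,
# otherwise the check below would run against the signatures of the first
# signing pass and could not observe the roll.
extract_sigs "${cfile}.new" > sigs
extract_keys "${cfile}.new" > keys

echo "I:checking that standby KSK is now active ($n)"
ret=0
# Once active, the formerly-standby KSK is expected to sign the DNSKEY RRset,
# so its absence from sigs is the failure case.
grep "DNSKEY $rolling"'$' sigs > /dev/null || ret=1
finish

echo "I:checking update of an old-style key"
ret=0
# printing metadata should not work with an old-style key
$SETTIME -pall "$(cat oldstyle.key)" > /dev/null 2>&1 && ret=1
$SETTIME -f "$(cat oldstyle.key)" > /dev/null 2>&1 || ret=1
# but now it should
$SETTIME -pall "$(cat oldstyle.key)" > /dev/null 2>&1 || ret=1
finish

echo "I:exit status: $status"
exit $status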