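#!/bin/sh -e

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test driver: runs $CDS (plus two $PERL helper scripts) against
# the fixture files in this directory and checks, for every test case,
# the exit status, stdout and stderr of the command.
# echo_i, echo_d, cat_d, $CDS and $PERL are not defined here; they are
# expected to be provided by ../conf.sh.
#
# A test case is described by shell variables assigned just before the
# call to testcase:
#   name - label printed for the case
#   err  - extended regex that must match somewhere in stderr; when
#          unset, stderr must be empty
#   out  - file that stdout must be byte-identical to; when unset,
#          stdout is compared against the fixture file "empty"
# testcase unsets name, err and out again once the case has run.

set -e

. ../conf.sh

status=0 # number of failed checks; non-zero at the end fails the run
n=0      # test case counter; also names the out.$n / err.$n capture files

# Record one failed check.
fail() {
  echo_i "failed"
  status=$((status + 1))
}

# Run "$@" with stdout/stderr captured to out.$n / err.$n and print the
# command's exit status on stdout.  The subshell is the left operand of
# "|| true", so set -e is suppressed inside it and "echo $?" runs even
# when the command fails; runcmd itself therefore always returns 0.
runcmd() {
  (
    "$@" 1>out.$n 2>err.$n
    echo $?
  ) || true
}

# Run one test case.
#   $1    - expected exit status
#   $2... - command to run
# Reads name, err and out (see the header comment), counts a failure for
# each of stdout, stderr and exit status that does not match, and
# unsets name, err and out afterwards so they cannot leak into the next
# case.
testcase() {
  n=$((n + 1))
  echo_i "$name ($n)"
  expect=$1
  shift
  result=$(runcmd "$@")
  check_stdout
  check_stderr
  if [ "$expect" -ne "$result" ]; then
    echo_d "exit status does not match $expect"
    fail
  fi
  unset name err out
}

# Check err.$n: when $err is set it must match as an extended regex,
# otherwise the file must be empty.  On mismatch the captured stderr is
# dumped through cat_d and the check is counted as failed.
check_stderr() {
  if [ -n "${err:=}" ]; then
    grep -E -- "$err" err.$n >/dev/null && return 0
    echo_d "stderr did not match '$err'"
  else
    [ -s err.$n ] || return 0
  fi
  cat_d <err.$n
  fail
}

# Check out.$n against the file named by $out (default: "empty").  On
# mismatch both the wanted and the actual output are dumped through
# cat_d and the check is counted as failed.
check_stdout() {
  # Resolve the default once, so the diagnostic dump below compares the
  # same file the diff did; with $out unset, cat "" would fail and (set -e
  # being active in the pipeline subshell) cut the dump short.
  want=${out:-empty}
  diff out.$n "$want" >/dev/null && return
  echo_d "stdout did not match '$want'"
  (
    echo "wanted"
    cat "$want"
    echo "got"
    cat out.$n
  ) | cat_d
  fail
}

Z=cds.test

# Argument handling and fixture loading errors.

name='usage'
err='Usage'
testcase 1 $CDS

name='need a DS file'
err='DS pathname'
testcase 1 $CDS $Z

name='name of dsset in directory'
err="./dsset-$Z.: file not found"
testcase 1 $CDS -d . $Z

name='load a file'
err='could not find DS records'
testcase 1 $CDS -d empty $Z

name='load DS records'
err='path to file containing child data must be specified'
testcase 1 $CDS -d DS.1 $Z

name='missing DNSKEY'
err='could not find signed DNSKEY RRset'
testcase 1 $CDS -f db.null -d DS.1 $Z

# Signature validity.  The later cases pass "-s -7200", which (judging by
# the "old sigs are allowed" case) moves the validation time back so the
# fixture signatures are accepted -- confirm against the $CDS usage text.

name='sigs too old'
err='could not validate child DNSKEY RRset'
testcase 1 $CDS -f sig.null -d DS.1 $Z

name='sigs too old, verbosely'
err='skip RRSIG by key [0-9]+: too old'
testcase 1 $CDS -v1 -f sig.null -d DS.1 $Z

name='old sigs are allowed'
err='found RRSIG by key'
out=DS.1
testcase 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z

name='no CDS/CDNSKEY records'
out=DS.1
testcase 0 $CDS -s -7200 -f sig.null -d DS.1 $Z

name='no child records, verbosely'
err='has neither CDS nor CDNSKEY records'
out=DS.1
testcase 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z

name='unsigned CDS'
err='missing RRSIG CDS records'
testcase 1 $CDS -f brk.unsigned-cds -d DS.1 $Z

# This run is not a testcase itself: it is expected to succeed (set -e
# aborts the script otherwise) and its stderr is examined by checktime.pl.
name='correct signature inception time'
$CDS -v3 -s -7200 -f sig.cds.1 -d DS.1 $Z 1>xout 2>xerr
testcase 0 $PERL checktime.pl 3600 xerr

# In-place mode (-i.bak): output file, backup file and their mtimes.

name='in-place reads modification time'
testcase 0 $CDS -a1 -a2 -f sig.cds.1 -i.bak -d DS.inplace $Z

name='in-place output correct modification time'
testcase 0 $PERL checkmtime.pl 3600 DS.inplace

name='in-place backup correct modification time'
testcase 0 $PERL checkmtime.pl 7200 DS.inplace.bak

name='in-place correct output'
testcase 0 diff DS.1 DS.inplace

name='in-place backup unmodified'
testcase 0 diff DS.1 DS.inplace.bak

# Damaged DS / RRSIG / CDS fixtures.

name='one mangled DS'
err='found RRSIG by key'
out=DS.1
testcase 0 $CDS -v1 -a1 -a2 -s -7200 -f sig.cds.1 -d DS.broke1 $Z

name='other mangled DS'
err='found RRSIG by key'
out=DS.1
testcase 0 $CDS -v1 -a1 -a2 -s -7200 -f sig.cds.1 -d DS.broke2 $Z

name='both mangled DS'
err='could not validate child DNSKEY RRset'
testcase 1 $CDS -v1 -a1 -a2 -s -7200 -f sig.cds.1 -d DS.broke12 $Z

name='mangle RRSIG CDS by ZSK'
err='found RRSIG by key'
out=DS.1
testcase 0 $CDS -v1 -a1 -a2 -s -7200 -f brk.rrsig.cds.zsk -d DS.1 $Z

name='mangle RRSIG CDS by KSK'
err='could not validate child CDS RRset'
testcase 1 $CDS -v1 -s -7200 -f brk.rrsig.cds.ksk -d DS.1 $Z

name='mangle CDS 1'
err='could not validate child DNSKEY RRset with new DS records'
testcase 1 $CDS -a1 -a2 -s -7200 -f sig.cds-mangled -d DS.1 $Z

name='inconsistent digests'
err='do not cover each key with the same set of digest types'
testcase 1 $CDS -a1 -a2 -s -7200 -f sig.bad-digests -d DS.1 $Z

name='inconsistent algorithms'
err='missing signature for algorithm'
testcase 1 $CDS -s -7200 -f sig.bad-algos -d DS.1 $Z

# DS set changes: add, remove, swap, with and without -u update output.

name='add DS records'
out=DS.both
$CDS -a1 -a2 -s -7200 -f sig.cds.both -d DS.1 $Z >DS.out
# sort to allow for numerical vs lexical order of key tags
testcase 0 sort DS.out

name='update add'
out=UP.add2
testcase 0 $CDS -a1 -a2 -u -s -7200 -f sig.cds.both -d DS.1 $Z

name='remove DS records'
out=DS.2
testcase 0 $CDS -a1 -a2 -s -7200 -f sig.cds.2 -d DS.both $Z

name='update del'
out=UP.del1
testcase 0 $CDS -a1 -a2 -u -s -7200 -f sig.cds.2 -d DS.both $Z

name='swap DS records'
out=DS.2
testcase 0 $CDS -a1 -a2 -s -7200 -f sig.cds.2 -d DS.1 $Z

name='update swap'
out=UP.swap
testcase 0 $CDS -a1 -a2 -u -s -7200 -f sig.cds.2 -d DS.1 $Z

# TTL selection: -T versus the TTL carried in the dsset file.

name='TTL from -T'
out=DS.ttl2
testcase 0 $CDS -a1 -a2 -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z

name='update TTL from -T'
out=UP.swapttl
testcase 0 $CDS -a1 -a2 -u -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z

name='update TTL from dsset'
out=UP.swapttl
testcase 0 $CDS -a1 -a2 -u -s -7200 -f sig.cds.2 -d DS.ttl1 $Z

name='TTL from -T overrides dsset'
out=DS.ttlong2
testcase 0 $CDS -a1 -a2 -T 7200 -s -7200 -f sig.cds.2 -d DS.ttl1 $Z

name='stable DS record order (changes)'
out=DS.1
testcase 0 $CDS -a1 -a2 -s -7200 -f sig.cds.rev1 -d DS.2 $Z

# CDNSKEY handling and digest algorithm selection (-a, -D).

name='CDNSKEY default algorithm'
out=DS.2-2
testcase 0 $CDS -s -7200 -f sig.cdnskey.2 -d DS.1 $Z

name='CDNSKEY SHA1'
out=DS.2-1
testcase 0 $CDS -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z

name='CDNSKEY two algorithms'
out=DS.2
testcase 0 $CDS -a SHA1 -a SHA256 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z

name='CDNSKEY two algorithms, reversed'
out=DS.2
testcase 0 $CDS -a SHA256 -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z

name='CDNSKEY and CDS'
out=DS.2
testcase 0 $CDS -a1 -a2 -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z

name='prefer CDNSKEY'
out=DS.2-2
testcase 0 $CDS -D -s -7200 -f sig.cds1.cdnskey2 -d DS.1 $Z

name='CDS subset default (SHA-256)'
out=DS.2-2
testcase 0 $CDS -s -7200 -f sig.cds.2 -d DS.1 $Z

name='CDS subset replace SHA1 with SHA2'
out=DS.2-2
testcase 0 $CDS -s -7200 -f sig.cds.cdnskey.2.sha1 -d DS.1 $Z

name='CDS subset mismatch'
err='do not match any -a digest types'
testcase 1 $CDS -s -7200 -f sig.cds.2.sha1 -d DS.1 $Z

name='CDS algorithm unavailable, use CDNSKEY'
err='using CDNSKEY instead'
out=DS.2-2
testcase 0 $CDS -v1 -a SHA256 -s -7200 -f sig.cds.cdnskey.2.sha1 -d DS.1 $Z

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1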