1#!/bin/sh
2#
3# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
4#
5# SPDX-License-Identifier: MPL-2.0
6#
7# This Source Code Form is subject to the terms of the Mozilla Public
8# License, v. 2.0. If a copy of the MPL was not distributed with this
9# file, you can obtain one at https://mozilla.org/MPL/2.0/.
10#
11# See the COPYRIGHT file distributed with this work for additional
12# information regarding copyright ownership.
13
14set -e
15
16# shellcheck source=conf.sh
17. ../conf.sh
18
19PWD=$(pwd)
20
21status=0
22ret=0
23n=0
24
25dig_with_opts() (
26  $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
27)
28
29# Perform tests inside ns1 dir
30cd ns1
31
32for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
33  ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC
34  # ed25519:EC:edwards25519 ed448:EC:edwards448
35  alg=$(echo "$algtypebits" | cut -f 1 -d :)
36  type=$(echo "$algtypebits" | cut -f 2 -d :)
37  bits=$(echo "$algtypebits" | cut -f 3 -d :)
38  zone="${alg}.example"
39  zonefile="zone.${zone}.db.signed"
40
41  if [ ! -f $zonefile ]; then
42    echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile}"
43    continue
44  fi
45
46  # Basic checks if setup was successful.
47  n=$((n + 1))
48  ret=0
49  echo_i "Test key generation was successful for $zone ($n)"
50  count=$(ls K*.key | grep "K${zone}" | wc -l)
51  test "$count" -eq 4 || ret=1
52  test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)"
53  status=$((status + ret))
54
55  n=$((n + 1))
56  ret=0
57  echo_i "Test zone signing was successful for $zone ($n)"
58  $VERIFY -z -o $zone "${zonefile}" >verify.out.$zone.$n 2>&1 || ret=1
59  test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)"
60  status=$((status + ret))
61
62  # Test inline signing with keys stored in engine.
63  zskid1=$(cat "${zone}.zskid1")
64  zskid2=$(cat "${zone}.zskid2")
65
66  n=$((n + 1))
67  ret=0
68  echo_i "Test inline signing for $zone ($n)"
69  dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || ret=1
70  awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1
71  numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
72  test $numsigs -eq 1 || return 1
73  grep -w "$zskid1" dig.out.keyids.$zone.$n >/dev/null || return 1
74  test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)"
75  status=$((status + ret))
76
77  n=$((n + 1))
78  ret=0
79  echo_i "Dynamically update $zone, add new zsk ($n)"
80  zsk2=$(grep -v ';' K${zone}.*.zsk2)
81  cat >"update.cmd.zsk.$zone.$n" <<EOF
82server 10.53.0.1 $PORT
83ttl 300
84zone $zone
85update add $zsk2
86send
87EOF
88
89  $NSUPDATE -v >"update.log.zsk.$zone.$n" <"update.cmd.zsk.$zone.$n" || ret=1
90  test "$ret" -eq 0 || echo_i "failed (update failed)"
91  status=$((status + ret))
92
93  n=$((n + 1))
94  ret=0
95  echo_i "Test DNSKEY response for $zone after inline signing ($n)"
96  _dig_dnskey() (
97    dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1
98    count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
99    test $count -eq 3
100  )
101  retry_quiet 10 _dig_dnskey || ret=1
102  test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)"
103  status=$((status + ret))
104
105  n=$((n + 1))
106  ret=0
107  echo_i "Test SOA response for $zone after inline signing ($n)"
108  _dig_soa() (
109    dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || return 1
110    awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1
111    numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
112    test $numsigs -eq 2 || return 1
113    grep -w "$zskid1" dig.out.keyids.$zone.$n >/dev/null || return 1
114    grep -w "$zskid2" dig.out.keyids.$zone.$n >/dev/null || return 1
115    return 0
116  )
117  retry_quiet 10 _dig_soa || ret=1
118  test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)"
119  status=$((status + ret))
120
121  # Test inline signing with keys stored in engine (key signing).
122  kskid1=$(cat "${zone}.kskid1")
123  kskid2=$(cat "${zone}.kskid2")
124
125  n=$((n + 1))
126  ret=0
127  echo_i "Dynamically update $zone, add new ksk ($n)"
128  ksk2=$(grep -v ';' K${zone}.*.ksk2)
129  cat >"update.cmd.ksk.$zone.$n" <<EOF
130server 10.53.0.1 $PORT
131ttl 300
132zone $zone
133update add $ksk2
134send
135EOF
136
137  $NSUPDATE -v >"update.log.ksk.$zone.$n" <"update.cmd.ksk.$zone.$n" || ret=1
138  test "$ret" -eq 0 || echo_i "failed (update failed)"
139  status=$((status + ret))
140
141  n=$((n + 1))
142  ret=0
143  echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)"
144  _dig_dnskey_ksk() (
145    dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1
146    count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
147    test $count -eq 4 || return 1
148    awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n >dig.out.keyids.$zone.$n || return 1
149    numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
150    test $numsigs -eq 2 || return 1
151    grep -w "$kskid1" dig.out.keyids.$zone.$n >/dev/null || return 1
152    grep -w "$kskid2" dig.out.keyids.$zone.$n >/dev/null || return 1
153    return 0
154  )
155  retry_quiet 10 _dig_dnskey_ksk || ret=1
156  test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)"
157  status=$((status + ret))
158
159done
160
161# Go back to main test dir.
162cd ..
163
164n=$((n + 1))
165ret=0
166echo_i "Checking for assertion failure in pk11_numbits()"
167$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt
168dig_with_opts @10.53.0.1 version.bind. CH TXT >dig.out.pk11_numbits || ret=1
169test "$ret" -eq 0 || echo_i "failed"
170status=$((status + ret))
171
172echo_i "exit status: $status"
173[ $status -eq 0 ] || exit 1
174