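#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test for DNSSEC signing with keys stored in a crypto engine.
#
# For every algorithm that has a signed zone file in ns1/ the script checks
# that four key files exist, that the signed zone verifies, and that the
# server at 10.53.0.1 signs the SOA and DNSKEY RRsets with the expected key
# ids before and after a second ZSK and a second KSK are added by dynamic
# update.  It then replays a stored packet at the server and confirms that
# the server still answers a query afterwards.
#
# Every check sets ret=1 on failure and adds it to status; the script exits
# non-zero if any check failed.  echo_i and retry_quiet are expected to come
# from ../conf.sh, as are DIG, VERIFY, NSUPDATE, PERL and PORT.

set -e

# shellcheck source=conf.sh
. ../conf.sh

# Kept from the original; PWD is not referenced again in this script.
PWD=$(pwd)

status=0
ret=0
n=0

# Run dig over TCP against the test port with DNSSEC records requested and
# the additional section, search list, statistics and command echo turned
# off.  Arguments are passed through to dig unchanged.
dig_with_opts() (
  $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
)

# Perform tests inside ns1 dir
cd ns1

# Edwards curves are not yet supported by OpenSC
# ed25519:EC:edwards25519 ed448:EC:edwards448
for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
  ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do
  alg=$(echo "$algtypebits" | cut -f 1 -d :)
  type=$(echo "$algtypebits" | cut -f 2 -d :)
  bits=$(echo "$algtypebits" | cut -f 3 -d :)
  zone="${alg}.example"
  zonefile="zone.${zone}.db.signed"

  if [ ! -f "$zonefile" ]; then
    echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile}"
    continue
  fi

  # Basic checks if setup was successful.
  n=$((n + 1))
  ret=0
  echo_i "Test key generation was successful for $zone ($n)"
  # Count the key files with a glob instead of parsing the output of ls.
  count=0
  for keyfile in "K${zone}".*.key; do
    if [ -e "$keyfile" ]; then
      count=$((count + 1))
    fi
  done
  test "$count" -eq 4 || ret=1
  test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)"
  status=$((status + ret))

  n=$((n + 1))
  ret=0
  echo_i "Test zone signing was successful for $zone ($n)"
  $VERIFY -z -o "$zone" "${zonefile}" >"verify.out.$zone.$n" 2>&1 || ret=1
  test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)"
  status=$((status + ret))

  # Test inline signing with keys stored in engine.
  zskid1=$(cat "${zone}.zskid1")
  zskid2=$(cat "${zone}.zskid2")

  n=$((n + 1))
  ret=0
  echo_i "Test inline signing for $zone ($n)"
  # These checks run at the top level of the script, not inside a function,
  # so a failure has to be recorded in ret.  "return" here would abort the
  # whole run (or be an error, depending on the shell) instead of reporting
  # a failed check and moving on to the next one.
  dig_with_opts "$zone" @10.53.0.1 SOA >"dig.out.soa.$zone.$n" || ret=1
  # Field 11 of an RRSIG line in dig output is the key tag.
  awk '$4 == "RRSIG" { print $11 }' "dig.out.soa.$zone.$n" >"dig.out.keyids.$zone.$n" || ret=1
  numsigs=$(wc -l <"dig.out.keyids.$zone.$n")
  test "$numsigs" -eq 1 || ret=1
  grep -w "$zskid1" "dig.out.keyids.$zone.$n" >/dev/null || ret=1
  test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)"
  status=$((status + ret))

  n=$((n + 1))
  ret=0
  echo_i "Dynamically update $zone, add new zsk ($n)"
  zsk2=$(grep -v ';' "K${zone}".*.zsk2)
  cat >"update.cmd.zsk.$zone.$n" <<EOF
server 10.53.0.1 $PORT
ttl 300
zone $zone
update add $zsk2
send
EOF

  $NSUPDATE -v >"update.log.zsk.$zone.$n" <"update.cmd.zsk.$zone.$n" || ret=1
  test "$ret" -eq 0 || echo_i "failed (update failed)"
  status=$((status + ret))

  n=$((n + 1))
  ret=0
  echo_i "Test DNSKEY response for $zone after inline signing ($n)"
  # Succeeds once the DNSKEY RRset holds three keys; retried below because
  # the update may not be visible in the first response.
  _dig_dnskey() (
    dig_with_opts "$zone" @10.53.0.1 DNSKEY >"dig.out.dnskey.$zone.$n" || return 1
    count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' "dig.out.dnskey.$zone.$n")
    test "$count" -eq 3
  )
  retry_quiet 10 _dig_dnskey || ret=1
  test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)"
  status=$((status + ret))

  n=$((n + 1))
  ret=0
  echo_i "Test SOA response for $zone after inline signing ($n)"
  # Succeeds once the SOA RRset carries exactly two RRSIGs, one per ZSK id.
  _dig_soa() (
    dig_with_opts "$zone" @10.53.0.1 SOA >"dig.out.soa.$zone.$n" || return 1
    awk '$4 == "RRSIG" { print $11 }' "dig.out.soa.$zone.$n" >"dig.out.keyids.$zone.$n" || return 1
    numsigs=$(wc -l <"dig.out.keyids.$zone.$n")
    test "$numsigs" -eq 2 || return 1
    grep -w "$zskid1" "dig.out.keyids.$zone.$n" >/dev/null || return 1
    grep -w "$zskid2" "dig.out.keyids.$zone.$n" >/dev/null || return 1
    return 0
  )
  retry_quiet 10 _dig_soa || ret=1
  test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)"
  status=$((status + ret))

  # Test inline signing with keys stored in engine (key signing).
  kskid1=$(cat "${zone}.kskid1")
  kskid2=$(cat "${zone}.kskid2")

  n=$((n + 1))
  ret=0
  echo_i "Dynamically update $zone, add new ksk ($n)"
  ksk2=$(grep -v ';' "K${zone}".*.ksk2)
  cat >"update.cmd.ksk.$zone.$n" <<EOF
server 10.53.0.1 $PORT
ttl 300
zone $zone
update add $ksk2
send
EOF

  $NSUPDATE -v >"update.log.ksk.$zone.$n" <"update.cmd.ksk.$zone.$n" || ret=1
  test "$ret" -eq 0 || echo_i "failed (update failed)"
  status=$((status + ret))

  n=$((n + 1))
  ret=0
  echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)"
  # Succeeds once the DNSKEY RRset holds four keys and is signed by exactly
  # two keys, whose ids are those of both KSKs.
  _dig_dnskey_ksk() (
    dig_with_opts "$zone" @10.53.0.1 DNSKEY >"dig.out.dnskey.$zone.$n" || return 1
    count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' "dig.out.dnskey.$zone.$n")
    test "$count" -eq 4 || return 1
    awk '$4 == "RRSIG" { print $11 }' "dig.out.dnskey.$zone.$n" >"dig.out.keyids.$zone.$n" || return 1
    numsigs=$(wc -l <"dig.out.keyids.$zone.$n")
    test "$numsigs" -eq 2 || return 1
    grep -w "$kskid1" "dig.out.keyids.$zone.$n" >/dev/null || return 1
    grep -w "$kskid2" "dig.out.keyids.$zone.$n" >/dev/null || return 1
    return 0
  )
  retry_quiet 10 _dig_dnskey_ksk || ret=1
  test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)"
  status=$((status + ret))

done

# Go back to main test dir.
cd ..

n=$((n + 1))
ret=0
echo_i "Checking for assertion failure in pk11_numbits()"
# Regression check: replay the stored packet, then ask the server for
# version.bind.  An answer shows that the server is still running after it
# handled the packet.  A failure to send the packet is recorded as a test
# failure: without it the liveness query below proves nothing, and under
# "set -e" an unchecked failure would end the script before the result and
# the exit status line are printed.
$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt || ret=1
# Only dig's exit status is checked; the answer itself is kept in
# dig.out.pk11_numbits for inspection.
dig_with_opts @10.53.0.1 version.bind. CH TXT >dig.out.pk11_numbits || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1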