tests.sh revision 1.1.1.10
1226584Sdim#!/bin/sh 2226584Sdim 3226584Sdim# Copyright (C) Internet Systems Consortium, Inc. ("ISC") 4226584Sdim# 5226584Sdim# SPDX-License-Identifier: MPL-2.0 6226584Sdim# 7226584Sdim# This Source Code Form is subject to the terms of the Mozilla Public 8226584Sdim# License, v. 2.0. If a copy of the MPL was not distributed with this 9226584Sdim# file, you can obtain one at https://mozilla.org/MPL/2.0/. 10226584Sdim# 11226584Sdim# See the COPYRIGHT file distributed with this work for additional 12226584Sdim# information regarding copyright ownership. 13226584Sdim 14226584Sdimset -e 15226584Sdim 16226584Sdimexport ALGORITHM_SET="ecc_default" 17226584Sdim#shellcheck source=conf.sh 18226584Sdim. ../conf.sh 19226584Sdim 20226584Sdimdig_with_opts() ( 21226584Sdim "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "${PORT}" "$@" 22249423Sdim) 23226584Sdim 24263508Sdimdelv_with_opts() ( 25249423Sdim "$DELV" -a ns1/trusted.conf -p "${PORT}" "$@" 26226584Sdim) 27226584Sdim 28226584Sdimrndccmd() ( 29226584Sdim "$RNDC" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "$@" 30226584Sdim) 31226584Sdim 32226584Sdimmkeys_reconfig_on() ( 33226584Sdim nsidx=$1 34226584Sdim rndccmd "10.53.0.${nsidx}" reconfig . | sed "s/^/ns${nsidx} /" | cat_i 35226584Sdim) 36226584Sdim 37226584Sdimmkeys_reload_on() ( 38226584Sdim nsidx=$1 39226584Sdim nextpart "ns${nsidx}"/named.run >/dev/null 40226584Sdim rndc_reload "ns${nsidx}" "10.53.0.${nsidx}" 41226584Sdim wait_for_log 20 "loaded serial" "ns${nsidx}"/named.run || return 1 42226584Sdim) 43226584Sdim 44226584Sdimmkeys_loadkeys_on() ( 45263508Sdim nsidx=$1 46263508Sdim nextpart "ns${nsidx}"/named.run >/dev/null 47226584Sdim rndccmd "10.53.0.${nsidx}" loadkeys . | sed "s/^/ns${nsidx} /" | cat_i 48226584Sdim wait_for_log 20 "next key event" "ns${nsidx}"/named.run || return 1 49263508Sdim) 50234353Sdim 51226584Sdimmkeys_refresh_on() ( 52226584Sdim nsidx=$1 53226584Sdim nextpart "ns${nsidx}"/named.run >/dev/null 54263508Sdim rndccmd "10.53.0.${nsidx}" managed-keys refresh | sed "s/^/ns${nsidx} /" | cat_i 55263508Sdim wait_for_log 20 "Returned from key fetch in keyfetch_done()" "ns${nsidx}"/named.run || return 1 56263508Sdim) 57226584Sdim 58234353Sdimmkeys_sync_on() ( 59263508Sdim # No race with mkeys_refresh_on() is possible as even if the latter 60263508Sdim # returns immediately after the expected log message is written, the 61226584Sdim # managed-keys zone is already locked and the command below calls 62263508Sdim # dns_zone_flush(), which also attempts to take that zone's lock 63263508Sdim nsidx=$1 64263508Sdim nextpart "ns${nsidx}"/named.run >/dev/null 65263508Sdim rndccmd "10.53.0.${nsidx}" managed-keys sync | sed "s/^/ns${nsidx} /" | cat_i 66263508Sdim wait_for_log 20 "dump_done" "ns${nsidx}"/named.run || return 1 67263508Sdim) 68263508Sdim 69263508Sdimmkeys_status_on() ( 70226584Sdim # No race with mkeys_refresh_on() is possible as even if the latter 71226584Sdim # returns immediately after the expected log message is written, the 72226584Sdim # managed-keys zone is already locked and the command below calls 73226584Sdim # mkey_status(), which in turn calls dns_zone_getrefreshkeytime(), 74226584Sdim # which also attempts to take that zone's lock 75226584Sdim nsidx=$1 76226584Sdim rndccmd "10.53.0.${nsidx}" managed-keys status 77226584Sdim) 78226584Sdim 79226584Sdimmkeys_flush_on() ( 80226584Sdim nsidx=$1 81226584Sdim rndccmd "10.53.0.${nsidx}" flush | sed "s/^/ns${nsidx} /" | cat_i 82226584Sdim) 83226584Sdim 84263508Sdimmkeys_secroots_on() ( 85226584Sdim nsidx=$1 86226584Sdim rndccmd "10.53.0.${nsidx}" secroots | sed "s/^/ns${nsidx} /" | cat_i 87226584Sdim) 88234353Sdim 89234353Sdimoriginal=$(cat ns1/managed.key) 90226584Sdimoriginalid=$(cat ns1/managed.key.id) 91226584Sdim 92226584Sdimstatus=0 93226584Sdimn=1 94226584Sdim 95226584Sdimrm -f dig.out.* 96226584Sdim 97226584Sdimecho_i "check for signed record ($n)" 98226584Sdimret=0 99226584Sdimdig_with_opts +norec example. @10.53.0.1 TXT >dig.out.ns1.test$n || ret=1 100234353Sdimgrep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*TXT[[:space:]]*\"This is a test\.\"" dig.out.ns1.test$n >/dev/null || ret=1 101226584Sdimgrep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*RRSIG[[:space:]]*TXT[[:space:]]" dig.out.ns1.test$n >/dev/null || ret=1 102234353Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 103234353Sdimstatus=$((status + ret)) 104226584Sdim 105226584Sdimn=$((n + 1)) 106241430Sdimecho_i "check positive validation with valid trust anchor ($n)" 107263508Sdimret=0 108241430Sdimdig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 109241430Sdimgrep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 110226584Sdimgrep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1 111263508Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 112263508Sdimstatus=$((status + ret)) 113226584Sdim 114226584Sdimif [ -x "$DELV" ]; then 115226584Sdim n=$((n + 1)) 116226584Sdim ret=0 117226584Sdim echo_i "check positive validation using delv ($n)" 118234353Sdim delv_with_opts @10.53.0.1 txt example >delv.out$n || ret=1 119234353Sdim grep "; fully validated" delv.out$n >/dev/null || ret=1 # redundant 120226584Sdim grep "example..*TXT.*This is a test" delv.out$n >/dev/null || ret=1 121226584Sdim grep "example..*.RRSIG..*TXT" delv.out$n >/dev/null || ret=1 122239462Sdim if [ $ret != 0 ]; then echo_i "failed"; fi 123226584Sdim status=$((status + ret)) 124226584Sdimfi 125226584Sdim 126226584Sdimn=$((n + 1)) 127226584Sdimecho_i "check for failed validation due to wrong key in managed-keys ($n)" 128226584Sdimret=0 129226584Sdimdig_with_opts +noauth example. @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 130226584Sdimgrep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 131226584Sdimgrep "example..*.RRSIG..*TXT" dig.out.ns3.test$n >/dev/null && ret=1 132226584Sdimgrep "opcode: QUERY, status: SERVFAIL, id" dig.out.ns3.test$n >/dev/null || ret=1 133226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 134226584Sdimstatus=$((status + ret)) 135226584Sdim 136226584Sdimn=$((n + 1)) 137226584Sdimecho_i "check new trust anchor can be added ($n)" 138234353Sdimret=0 139226584Sdimstandby1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .) 140226584Sdimmkeys_loadkeys_on 1 || ret=1 141226584Sdimmkeys_refresh_on 2 || ret=1 142226584Sdimmkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 143263508Sdim# there should be two keys listed now 144263508Sdimcount=$(grep -c "keyid: " rndc.out.$n) || true 145263508Sdim[ "$count" -eq 2 ] || ret=1 146263508Sdim# two lines indicating trust status 147263508Sdimcount=$(grep -c "trust" rndc.out.$n) || true 148263508Sdim[ "$count" -eq 2 ] || ret=1 149263508Sdim# one indicates current trust 150263508Sdimcount=$(grep -c "trusted since" rndc.out.$n) || true 151226584Sdim[ "$count" -eq 1 ] || ret=1 152226584Sdim# one indicates pending trust 153226584Sdimcount=$(grep -c "trust pending" rndc.out.$n) || true 154226584Sdim[ "$count" -eq 1 ] || ret=1 155226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 156226584Sdimstatus=$((status + ret)) 157226584Sdim 158226584Sdimn=$((n + 1)) 159226584Sdimecho_i "check new trust anchor can't be added with bad initial key ($n)" 160226584Sdimret=0 161226584Sdimmkeys_refresh_on 3 || ret=1 162226584Sdimmkeys_status_on 3 >rndc.out.$n 2>&1 || ret=1 163226584Sdim# there should be one key listed now 164226584Sdimcount=$(grep -c "keyid: " rndc.out.$n) || true 165226584Sdim[ "$count" -eq 1 ] || ret=1 166226584Sdim# one line indicating trust status 167226584Sdimcount=$(grep -c "trust" rndc.out.$n) || true 168226584Sdim[ "$count" -eq 1 ] || ret=1 169226584Sdim# ... and the key is not trusted 170226584Sdimcount=$(grep -c "no trust" rndc.out.$n) || true 171226584Sdim[ "$count" -eq 1 ] || ret=1 172226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 173226584Sdimstatus=$((status + ret)) 174234353Sdim 175234353Sdimn=$((n + 1)) 176226584Sdimecho_i "remove untrusted standby key, check timer restarts ($n)" 177226584Sdimret=0 178226584Sdimmkeys_sync_on 2 || ret=1 179226584Sdimt1=$(grep "trust pending" ns2/managed-keys.bind) || true 180226584Sdim$SETTIME -D now -K ns1 "$standby1" >/dev/null 181226584Sdimmkeys_loadkeys_on 1 || ret=1 182226584Sdim# Less than a second may have passed since the last time ns2 received a 183226584Sdim# ./DNSKEY response from ns1. Ensure keys are refreshed at a different 184226584Sdim# timestamp to prevent false negatives caused by the acceptance timer getting 185226584Sdim# reset to the same timestamp. 186226584Sdimsleep 1 187226584Sdimmkeys_refresh_on 2 || ret=1 188226584Sdimmkeys_sync_on 2 || ret=1 189226584Sdimt2=$(grep "trust pending" ns2/managed-keys.bind) || true 190226584Sdim# trust pending date must be different 191226584Sdim[ -n "$t2" ] || ret=1 192226584Sdim[ "$t1" = "$t2" ] && ret=1 193226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 194226584Sdimstatus=$((status + ret)) 195226584Sdim 196226584Sdimn=$((n + 1)) 197226584Sdimret=0 198226584Sdimecho_i "restore untrusted standby key, revoke original key ($n)" 199226584Sdimt1=$t2 200226584Sdim$SETTIME -D none -K ns1 "$standby1" >/dev/null 201226584Sdim$SETTIME -R now -K ns1 "$original" >/dev/null 202226584Sdimmkeys_loadkeys_on 1 || ret=1 203226584Sdim# Less than a second may have passed since the last time ns2 received a 204226584Sdim# ./DNSKEY response from ns1. Ensure keys are refreshed at a different 205226584Sdim# timestamp to prevent false negatives caused by the acceptance timer getting 206226584Sdim# reset to the same timestamp. 207226584Sdimsleep 1 208226584Sdimmkeys_refresh_on 2 || ret=1 209226584Sdimmkeys_sync_on 2 || ret=1 210226584Sdimmkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 211226584Sdim# two keys listed 212226584Sdimcount=$(grep -c "keyid: " rndc.out.$n) || true 213226584Sdim[ "$count" -eq 2 ] || ret=1 214226584Sdim# two lines indicating trust status 215226584Sdimcount=$(grep -c "trust" rndc.out.$n) || true 216226584Sdim[ "$count" -eq 2 ] || ret=1 217226584Sdim# trust is revoked 218226584Sdimcount=$(grep -c "trust revoked" rndc.out.$n) || true 219226584Sdim[ "$count" -eq 1 ] || ret=1 220226584Sdim# removal scheduled 221226584Sdimcount=$(grep -c "remove at" rndc.out.$n) || true 222226584Sdim[ "$count" -eq 1 ] || ret=1 223226584Sdim# trust is still pending on the standby key 224226584Sdimcount=$(grep -c "trust pending" rndc.out.$n) || true 225226584Sdim[ "$count" -eq 1 ] || ret=1 226226584Sdim# pending date moved forward for the standby key 227226584Sdimt2=$(grep "trust pending" ns2/managed-keys.bind) || true 228226584Sdim[ -n "$t2" ] || ret=1 229226584Sdim[ "$t1" = "$t2" ] && ret=1 230263508Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 231263508Sdimstatus=$((status + ret)) 232263508Sdim 233263508Sdimn=$((n + 1)) 234263508Sdimret=0 235263508Sdimecho_i "refresh managed-keys, ensure same result ($n)" 236263508Sdimt1=$t2 237263508Sdim# Less than a second may have passed since the last time ns2 received a 238226584Sdim# ./DNSKEY response from ns1. Ensure keys are refreshed at a different 239263508Sdim# timestamp to prevent false negatives caused by the acceptance timer getting 240263508Sdim# reset to the same timestamp. 241263508Sdimsleep 1 242226584Sdimmkeys_refresh_on 2 || ret=1 243226584Sdimmkeys_sync_on 2 || ret=1 244226584Sdimmkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 245226584Sdim# two keys listed 246226584Sdimcount=$(grep -c "keyid: " rndc.out.$n) || true 247226584Sdim[ "$count" -eq 2 ] || ret=1 248226584Sdim# two lines indicating trust status 249226584Sdimcount=$(grep -c "trust" rndc.out.$n) || true 250226584Sdim[ "$count" -eq 2 ] || ret=1 251226584Sdim# trust is revoked 252226584Sdimcount=$(grep -c "trust revoked" rndc.out.$n) || true 253226584Sdim[ "$count" -eq 1 ] || ret=1 254226584Sdim# removal scheduled 255226584Sdimcount=$(grep -c "remove at" rndc.out.$n) || true 256226584Sdim[ "$count" -eq 1 ] || ret=1 257226584Sdim# trust is still pending on the standby key 258226584Sdimcount=$(grep -c "trust pending" rndc.out.$n) || true 259226584Sdim[ "$count" -eq 1 ] || ret=1 260226584Sdim# pending date moved forward for the standby key 261226584Sdimt2=$(grep "trust pending" ns2/managed-keys.bind) || true 262226584Sdim[ -n "$t2" ] || ret=1 263226584Sdim[ "$t1" = "$t2" ] && ret=1 264226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 265226584Sdimstatus=$((status + ret)) 266226584Sdim 267226584Sdimn=$((n + 1)) 268226584Sdimret=0 269226584Sdimecho_i "restore revoked key, ensure same result ($n)" 270226584Sdimt1=$t2 271226584Sdim$SETTIME -R none -D now -K ns1 "$original" >/dev/null 272226584Sdimmkeys_loadkeys_on 1 || ret=1 273226584Sdim$SETTIME -D none -K ns1 "$original" >/dev/null 274226584Sdimmkeys_loadkeys_on 1 || ret=1 275243830Sdim# Less than a second may have passed since the last time ns2 received a 276226584Sdim# ./DNSKEY response from ns1. Ensure keys are refreshed at a different 277226584Sdim# timestamp to prevent false negatives caused by the acceptance timer getting 278226584Sdim# reset to the same timestamp. 279263508Sdimsleep 1 280263508Sdimmkeys_refresh_on 2 || ret=1 281226584Sdimmkeys_sync_on 2 || ret=1 282226584Sdimmkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 283263508Sdim# two keys listed 284226584Sdimcount=$(grep -c "keyid: " rndc.out.$n) || true 285226584Sdim[ "$count" -eq 2 ] || ret=1 286226584Sdim# two lines indicating trust status 287226584Sdimcount=$(grep -c "trust" rndc.out.$n) || true 288226584Sdim[ "$count" -eq 2 ] || ret=1 289234353Sdim# trust is revoked 290234353Sdimcount=$(grep -c "trust revoked" rndc.out.$n) || true 291226584Sdim[ "$count" -eq 1 ] || ret=1 292226584Sdim# removal scheduled 293234353Sdimcount=$(grep -c "remove at" rndc.out.$n) || true 294226584Sdim[ "$count" -eq 1 ] || ret=1 295226584Sdim# trust is still pending on the standby key 296226584Sdimcount=$(grep -c "trust pending" rndc.out.$n) || true 297226584Sdim[ "$count" -eq 1 ] || ret=1 298226584Sdim# pending date moved forward for the standby key 299226584Sdimt2=$(grep "trust pending" ns2/managed-keys.bind) || true 300226584Sdim[ -n "$t2" ] || ret=1 301226584Sdim[ "$t1" = "$t2" ] && ret=1 302226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 303226584Sdimstatus=$((status + ret)) 304226584Sdim 305226584Sdimecho_i "reinitialize trust anchors, add second key to bind.keys" 306226584Sdimstop_server --use-rndc --port "${CONTROLPORT}" ns2 307226584Sdimrm -f ns2/managed-keys.bind* 308226584Sdimkeyfile_to_initial_ds ns1/"$original" ns1/"$standby1" >ns2/managed.conf 309226584Sdimnextpart ns2/named.run >/dev/null 310226584Sdimstart_server --noclean --restart --port "${PORT}" ns2 311226584Sdim 312226584Sdimn=$((n + 1)) 313226584Sdimecho_i "check that no key from bind.keys is marked as an initializing key ($n)" 314226584Sdimret=0 315226584Sdimwait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 316226584Sdimmkeys_secroots_on 2 || ret=1 317226584Sdimgrep '; initializing' ns2/named.secroots >/dev/null 2>&1 && ret=1 318226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 319226584Sdimstatus=$((status + ret)) 320226584Sdim 321226584Sdimecho_i "reinitialize trust anchors, revert to one key in bind.keys" 322243830Sdimstop_server --use-rndc --port "${CONTROLPORT}" ns2 323226584Sdimrm -f ns2/managed-keys.bind* 324226584Sdimmv ns2/managed1.conf ns2/managed.conf 325226584Sdimnextpart ns2/named.run >/dev/null 326243830Sdimstart_server --noclean --restart --port "${PORT}" ns2 327243830Sdim 328226584Sdimn=$((n + 1)) 329226584Sdimecho_i "check that standby key is now trusted ($n)" 330226584Sdimret=0 331226584Sdimwait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 332226584Sdimmkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 333226584Sdim# two keys listed 334226584Sdimcount=$(grep -c "keyid: " rndc.out.$n) || true 335226584Sdim[ "$count" -eq 2 ] || ret=1 336226584Sdim# two lines indicating trust status 337243830Sdimcount=$(grep -c "trust" rndc.out.$n) || true 338226584Sdim[ "$count" -eq 2 ] || ret=1 339243830Sdim# both indicate current trust 340226584Sdimcount=$(grep -c "trusted since" rndc.out.$n) || true 341226584Sdim[ "$count" -eq 2 ] || ret=1 342226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 343226584Sdimstatus=$((status + ret)) 344234353Sdim 345234353Sdimn=$((n + 1)) 346234353Sdimecho_i "revoke original key, add new standby ($n)" 347234353Sdimret=0 348226584Sdimstandby2=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .) 349226584Sdim$SETTIME -R now -K ns1 "$original" >/dev/null 350234353Sdimmkeys_loadkeys_on 1 || ret=1 351234353Sdimmkeys_refresh_on 2 || ret=1 352226584Sdimmkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 353226584Sdim# three keys listed 354226584Sdimcount=$(grep -c "keyid: " rndc.out.$n) || true 355226584Sdim[ "$count" -eq 3 ] || ret=1 356243830Sdim# one is revoked 357263508Sdimcount=$(grep -c "REVOKE" rndc.out.$n) || true 358263508Sdim[ "$count" -eq 1 ] || ret=1 359226584Sdim# three lines indicating trust status 360226584Sdimcount=$(grep -c "trust" rndc.out.$n) || true 361263508Sdim[ "$count" -eq 3 ] || ret=1 362226584Sdim# one indicates current trust 363226584Sdimcount=$(grep -c "trusted since" rndc.out.$n) || true 364226584Sdim[ "$count" -eq 1 ] || ret=1 365226584Sdim# one indicates revoked trust 366243830Sdimcount=$(grep -c "trust revoked" rndc.out.$n) || true 367226584Sdim[ "$count" -eq 1 ] || ret=1 368226584Sdim# one indicates trust pending 369263508Sdimcount=$(grep -c "trust pending" rndc.out.$n) || true 370263508Sdim[ "$count" -eq 1 ] || ret=1 371226584Sdim# removal scheduled 372226584Sdimcount=$(grep -c "remove at" rndc.out.$n) || true 373263508Sdim[ "$count" -eq 1 ] || ret=1 374226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 375226584Sdimstatus=$((status + ret)) 376226584Sdim 377226584Sdimn=$((n + 1)) 378226584Sdimecho_i "revoke standby before it is trusted ($n)" 379226584Sdimret=0 380226584Sdimstandby3=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .) 381226584Sdimmkeys_loadkeys_on 1 || ret=1 382226584Sdimmkeys_refresh_on 2 || ret=1 383226584Sdimmkeys_status_on 2 >rndc.out.1.$n 2>&1 || ret=1 384226584Sdim# four keys listed 385226584Sdimcount=$(grep -c "keyid: " rndc.out.1.$n) || true 386226584Sdim[ "$count" -eq 4 ] || { 387226584Sdim echo_i "keyid: count ($count) != 4" 388226584Sdim ret=1 389226584Sdim} 390226584Sdim# one revoked 391226584Sdimcount=$(grep -c "trust revoked" rndc.out.1.$n) || true 392234353Sdim[ "$count" -eq 1 ] || { 393234353Sdim echo_i "trust revoked count ($count) != 1" 394226584Sdim ret=1 395226584Sdim} 396226584Sdim# two pending 397234353Sdimcount=$(grep -c "trust pending" rndc.out.1.$n) || true 398226584Sdim[ "$count" -eq 2 ] || { 399226584Sdim echo_i "trust pending count ($count) != 2" 400226584Sdim ret=1 401226584Sdim} 402226584Sdim$SETTIME -R now -K ns1 "$standby3" >/dev/null 403239462Sdimmkeys_loadkeys_on 1 || ret=1 404226584Sdimmkeys_refresh_on 2 || ret=1 405226584Sdimmkeys_status_on 2 >rndc.out.2.$n 2>&1 || ret=1 406226584Sdim# now three keys listed 407226584Sdimcount=$(grep -c "keyid: " rndc.out.2.$n) || true 408239462Sdim[ "$count" -eq 3 ] || { 409226584Sdim echo_i "keyid: count ($count) != 3" 410226584Sdim ret=1 411226584Sdim} 412226584Sdim# one revoked 413243830Sdimcount=$(grep -c "trust revoked" rndc.out.2.$n) || true 414243830Sdim[ "$count" -eq 1 ] || { 415243830Sdim echo_i "trust revoked count ($count) != 1" 416243830Sdim ret=1 417243830Sdim} 418243830Sdim# one pending 419243830Sdimcount=$(grep -c "trust pending" rndc.out.2.$n) || true 420226584Sdim[ "$count" -eq 1 ] || { 421226584Sdim echo_i "trust pending count ($count) != 1" 422226584Sdim ret=1 423226584Sdim} 424226584Sdim$SETTIME -D now -K ns1 "$standby3" >/dev/null 425226584Sdimmkeys_loadkeys_on 1 || ret=1 426226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 427226584Sdimstatus=$((status + ret)) 428226584Sdim 429226584Sdimn=$((n + 1)) 430226584Sdimecho_i "wait 20 seconds for key add/remove holddowns to expire ($n)" 431226584Sdimret=0 432226584Sdimsleep 20 433226584Sdimmkeys_refresh_on 2 || ret=1 434226584Sdimmkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 435226584Sdim# two keys listed 436226584Sdimcount=$(grep -c "keyid: " rndc.out.$n) || true 437226584Sdim[ "$count" -eq 2 ] || ret=1 438234353Sdim# none revoked 439226584Sdimcount=$(grep -c "REVOKE" rndc.out.$n) || true 440226584Sdim[ "$count" -eq 0 ] || ret=1 441226584Sdim# two lines indicating trust status 442226584Sdimcount=$(grep -c "trust" rndc.out.$n) || true 443263508Sdim[ "$count" -eq 2 ] || ret=1 444263508Sdim# both indicate current trust 445263508Sdimcount=$(grep -c "trusted since" rndc.out.$n) || true 446263508Sdim[ "$count" -eq 2 ] || ret=1 447263508Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 448263508Sdimstatus=$((status + ret)) 449263508Sdim 450226584Sdimn=$((n + 1)) 451226584Sdimecho_i "revoke all keys, confirm roll to insecure ($n)" 452263508Sdimret=0 453263508Sdim$SETTIME -D now -K ns1 "$original" >/dev/null 454263508Sdim$SETTIME -R now -K ns1 "$standby1" >/dev/null 455263508Sdim$SETTIME -R now -K ns1 "$standby2" >/dev/null 456263508Sdimmkeys_loadkeys_on 1 || ret=1 457263508Sdimmkeys_refresh_on 2 || ret=1 458263508Sdimmkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 459263508Sdim# two keys listed 460263508Sdimcount=$(grep -c "keyid: " rndc.out.$n) || true 461263508Sdim[ "$count" -eq 2 ] || ret=1 462263508Sdim# both revoked 463263508Sdimcount=$(grep -c "REVOKE" rndc.out.$n) || true 464263508Sdim[ "$count" -eq 2 ] || ret=1 465263508Sdim# two lines indicating trust status 466263508Sdimcount=$(grep -c "trust" rndc.out.$n) || true 467263508Sdim[ "$count" -eq 2 ] || ret=1 468263508Sdim# both indicate trust revoked 469263508Sdimcount=$(grep -c "trust revoked" rndc.out.$n) || true 470263508Sdim[ "$count" -eq 2 ] || ret=1 471263508Sdim# both have removal scheduled 472263508Sdimcount=$(grep -c "remove at" rndc.out.$n) || true 473263508Sdim[ "$count" -eq 2 ] || ret=1 474263508Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 475263508Sdimstatus=$((status + ret)) 476263508Sdim 477263508Sdimn=$((n + 1)) 478263508Sdimecho_i "check for insecure response ($n)" 479263508Sdimret=0 480263508Sdimmkeys_refresh_on 2 || ret=1 481263508Sdimdig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 482263508Sdimgrep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 483226584Sdimgrep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 484226584Sdimgrep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1 485226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 486226584Sdimstatus=$((status + ret)) 487226584Sdim 488226584Sdimn=$((n + 1)) 489226584Sdimecho_i "reset the root server ($n)" 490226584Sdimret=0 491226584Sdim$SETTIME -D none -R none -K ns1 "$original" >/dev/null 492226584Sdim$SETTIME -D now -K ns1 "$standby1" >/dev/null 493226584Sdim$SETTIME -D now -K ns1 "$standby2" >/dev/null 494226584Sdimsleep 1 # ensure modification time changes 495226584Sdim$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db >/dev/null 2>/dev/null 496226584Sdimcopy_setports ns1/named2.conf.in ns1/named.conf 497226584Sdimrm -f ns1/root.db.signed.jnl 498226584Sdimmkeys_reconfig_on 1 || ret=1 499226584Sdimmkeys_reload_on 1 || ret=1 500226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 501226584Sdimstatus=$((status + ret)) 502226584Sdim 503226584Sdimecho_i "reinitialize trust anchors" 504226584Sdimstop_server --use-rndc --port "${CONTROLPORT}" ns2 505226584Sdimrm -f ns2/managed-keys.bind* 506226584Sdimnextpart ns2/named.run >/dev/null 507226584Sdimstart_server --noclean --restart --port "${PORT}" ns2 508226584Sdim 509226584Sdimn=$((n + 1)) 510226584Sdimecho_i "check positive validation ($n)" 511226584Sdimret=0 512226584Sdimwait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 513226584Sdimdig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 514226584Sdimgrep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 515226584Sdimgrep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1 516226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 517226584Sdimstatus=$((status + ret)) 518226584Sdim 519226584Sdimn=$((n + 1)) 520226584Sdimecho_i "revoke key with bad signature, check revocation is ignored ($n)" 521226584Sdimret=0 522226584Sdimrevoked=$($REVOKE -K ns1 "$original") 523226584Sdimrkeyid=$(keyfile_to_key_id "$revoked") 524226584Sdimrm -f ns1/root.db.signed.jnl 525226584Sdim# We need to activate at least one valid DNSKEY to prevent dnssec-signzone from 526226584Sdim# failing. Alternatively, we could use -P to disable post-sign verification, 527226584Sdim# but we actually do want post-sign verification to happen to ensure the zone 528226584Sdim# is correct before we break it on purpose. 529226584Sdim$SETTIME -R none -D none -K ns1 "$standby1" >/dev/null 530226584Sdim$SIGNER -Sg -K ns1 -N unixtime -O full -o . -f signer.out.$n ns1/root.db >/dev/null 2>/dev/null 531226584Sdimcp -f ns1/root.db.signed ns1/root.db.tmp 532226584SdimBADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg==" 533226584Sdim# Less than a second may have passed since ns1 was started. If we call 534226584Sdim# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the 535226584Sdim# subsequent "rndc reload ." call on platforms which do not set the 536226584Sdim# "nanoseconds" field of isc_time_t, due to zone load time being seemingly 537226584Sdim# equal to master file modification time. 538226584Sdimsleep 1 539226584Sdimsed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n >ns1/root.db.signed 540226584Sdimmkeys_reload_on 1 || ret=1 541226584Sdimmkeys_refresh_on 2 || ret=1 542226584Sdimmkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 543226584Sdim# one key listed 544239462Sdimcount=$(grep -c "keyid: " rndc.out.$n) || true 545239462Sdim[ "$count" -eq 1 ] || { 546239462Sdim echo_i "'keyid:' count ($count) != 1" 547239462Sdim ret=1 548239462Sdim} 549239462Sdim# it's the original key id 550239462Sdimcount=$(grep -c "keyid: $originalid" rndc.out.$n) || true 551239462Sdim[ "$count" -eq 1 ] || { 552239462Sdim echo_i "'keyid: $originalid' count ($count) != 1" 553239462Sdim ret=1 554239462Sdim} 555239462Sdim# not revoked 556239462Sdimcount=$(grep -c "REVOKE" rndc.out.$n) || true 557239462Sdim[ "$count" -eq 0 ] || { 558239462Sdim echo_i "'REVOKE' count ($count) != 0" 559226584Sdim ret=1 560226584Sdim} 561226584Sdim# trust is still current 562226584Sdimcount=$(grep -c "trust" rndc.out.$n) || true 563226584Sdim[ "$count" -eq 1 ] || { 564226584Sdim echo_i "'trust' count != 1" 565226584Sdim ret=1 566226584Sdim} 567226584Sdimcount=$(grep -c "trusted since" rndc.out.$n) || true 568226584Sdim[ "$count" -eq 1 ] || { 569226584Sdim echo_i "'trusted since' count != 1" 570226584Sdim ret=1 571226584Sdim} 572226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 573226584Sdimstatus=$((status + ret)) 574226584Sdim 575226584Sdimn=$((n + 1)) 576226584Sdimecho_i "check validation fails with bad DNSKEY rrset ($n)" 577226584Sdimret=0 578226584Sdimmkeys_flush_on 2 || ret=1 579226584Sdimdig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 580226584Sdimgrep "status: SERVFAIL" dig.out.ns2.test$n >/dev/null || ret=1 581226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 582226584Sdimstatus=$((status + ret)) 583226584Sdim 584226584Sdimn=$((n + 1)) 585226584Sdimecho_i "restore DNSKEY rrset, check validation succeeds again ($n)" 586226584Sdimret=0 587226584Sdimrm -f "${revoked}".key "${revoked}".private 588226584Sdimrm -f ns1/root.db.signed.jnl 589226584Sdim$SETTIME -D none -R none -K ns1 "$original" >/dev/null 590226584Sdim$SETTIME -D now -K ns1 "$standby1" >/dev/null 591226584Sdim# Less than a second may have passed since ns1 was started. If we call 592226584Sdim# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the 593226584Sdim# subsequent "rndc reload ." call on platforms which do not set the 594226584Sdim# "nanoseconds" field of isc_time_t, due to zone load time being seemingly 595226584Sdim# equal to master file modification time. 596226584Sdimsleep 1 597226584Sdim$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db >/dev/null 2>/dev/null 598226584Sdimmkeys_reload_on 1 || ret=1 599226584Sdimmkeys_flush_on 2 || ret=1 600226584Sdimdig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 601263508Sdimgrep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 602226584Sdimgrep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1 603226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 604226584Sdimstatus=$((status + ret)) 605226584Sdim 606226584Sdimn=$((n + 1)) 607226584Sdimecho_i "reset the root server with no keys, check for minimal update ($n)" 608226584Sdimret=0 609226584Sdim# Refresh keys first to prevent previous checks from influencing this one. 610226584Sdim# Note that we might still get occasional false negatives on some really slow 611226584Sdim# machines, when $t1 equals $t2 due to the time elapsed between "rndc 612226584Sdim# managed-keys status" calls being equal to the normal active refresh period 613226584Sdim# (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as 614226584Sdim# set using -T mkeytimers). 615263508Sdimmkeys_refresh_on 2 || ret=1 616226584Sdimmkeys_status_on 2 >rndc.out.1.$n 2>&1 || ret=1 617226584Sdimt1=$(grep 'next refresh:' rndc.out.1.$n) || true 618226584Sdimstop_server --use-rndc --port "${CONTROLPORT}" ns1 619226584Sdimrm -f ns1/root.db.signed.jnl 620226584Sdimcp ns1/root.db ns1/root.db.signed 621226584Sdimnextpart ns1/named.run >/dev/null 622226584Sdimstart_server --noclean --restart --port "${PORT}" ns1 623226584Sdimwait_for_log 20 "all zones loaded" ns1/named.run || ret=1 624226584Sdimmkeys_refresh_on 2 || ret=1 625226584Sdimmkeys_status_on 2 >rndc.out.2.$n 2>&1 || ret=1 626226584Sdim# one key listed 627226584Sdimcount=$(grep -c "keyid: " rndc.out.2.$n) || true 628263508Sdim[ "$count" -eq 1 ] || ret=1 629226584Sdim# it's the original key id 630226584Sdimcount=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true 631226584Sdim[ "$count" -eq 1 ] || ret=1 632226584Sdim# not revoked 633226584Sdimcount=$(grep -c "REVOKE" rndc.out.2.$n) || true 634226584Sdim[ "$count" -eq 0 ] || ret=1 635263508Sdim# trust is still current 636226584Sdimcount=$(grep -c "trust" rndc.out.2.$n) || true 637226584Sdim[ "$count" -eq 1 ] || ret=1 638226584Sdimcount=$(grep -c "trusted since" rndc.out.2.$n) || true 639226584Sdim[ "$count" -eq 1 ] || ret=1 640226584Sdimt2=$(grep 'next refresh:' rndc.out.2.$n) || true 641226584Sdim[ "$t1" = "$t2" ] && ret=1 642226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 643226584Sdimstatus=$((status + ret)) 644226584Sdim 645226584Sdimn=$((n + 1)) 646226584Sdimecho_i "reset the root server with no signatures, check for minimal update ($n)" 647226584Sdimret=0 648263508Sdim# Refresh keys first to prevent previous checks from influencing this one 649226584Sdimmkeys_refresh_on 2 || ret=1 650226584Sdimmkeys_status_on 2 >rndc.out.1.$n 2>&1 || ret=1 651226584Sdimt1=$(grep 'next refresh:' rndc.out.1.$n) || true 652226584Sdimstop_server --use-rndc --port "${CONTROLPORT}" ns1 653226584Sdimrm -f ns1/root.db.signed.jnl 654226584Sdimcat ns1/K*.key >>ns1/root.db.signed 655226584Sdimnextpart ns1/named.run >/dev/null 656226584Sdimstart_server --noclean --restart --port "${PORT}" ns1 657226584Sdimwait_for_log 20 "all zones loaded" ns1/named.run || ret=1 658226584Sdim# Less than a second may have passed since the last time ns2 received a 659226584Sdim# ./DNSKEY response from ns1. Ensure keys are refreshed at a different 660226584Sdim# timestamp to prevent minimal update from resetting it to the same timestamp. 661226584Sdimsleep 1 662263508Sdimmkeys_refresh_on 2 || ret=1 663226584Sdimmkeys_status_on 2 >rndc.out.2.$n 2>&1 || ret=1 664226584Sdim# one key listed 665226584Sdimcount=$(grep -c "keyid: " rndc.out.2.$n) || true 666226584Sdim[ "$count" -eq 1 ] || ret=1 667226584Sdim# it's the original key id 668226584Sdimcount=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true 669226584Sdim[ "$count" -eq 1 ] || ret=1 670226584Sdim# not revoked 671226584Sdimcount=$(grep -c "REVOKE" rndc.out.2.$n) || true 672226584Sdim[ "$count" -eq 0 ] || ret=1 673226584Sdim# trust is still current 674226584Sdimcount=$(grep -c "trust" rndc.out.2.$n) || true 675226584Sdim[ "$count" -eq 1 ] || ret=1 676263508Sdimcount=$(grep -c "trusted since" rndc.out.2.$n) || true 677226584Sdim[ "$count" -eq 1 ] || ret=1 678226584Sdimt2=$(grep 'next refresh:' rndc.out.2.$n) || true 679226584Sdim[ "$t1" = "$t2" ] && ret=1 680226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 681226584Sdimstatus=$((status + ret)) 682226584Sdim 683226584Sdimn=$((n + 1)) 684226584Sdimecho_i "restore root server, check validation succeeds again ($n)" 685226584Sdimret=0 686226584Sdimrm -f ns1/root.db.signed.jnl 687226584Sdim$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db >/dev/null 2>/dev/null 688226584Sdimmkeys_reload_on 1 || ret=1 689263508Sdimmkeys_refresh_on 2 || ret=1 690226584Sdimmkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 691226584Sdimdig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 692226584Sdimgrep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 693226584Sdimgrep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1 694226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 695226584Sdimstatus=$((status + ret)) 696226584Sdim 697226584Sdimn=$((n + 1)) 698226584Sdimecho_i "check that trust-anchor-telemetry queries are logged ($n)" 699226584Sdimret=0 700226584Sdimgrep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run >/dev/null || ret=1 701226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 702263508Sdimstatus=$((status + ret)) 703226584Sdim 704226584Sdimn=$((n + 1)) 705226584Sdimecho_i "check that trust-anchor-telemetry queries are received ($n)" 706226584Sdimret=0 707226584Sdimgrep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run >/dev/null || ret=1 708226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 709226584Sdimstatus=$((status + ret)) 710226584Sdim 711226584Sdimn=$((n + 1)) 712226584Sdimecho_i "check 'rndc-managed-keys destroy' ($n)" 713226584Sdimret=0 714226584Sdimrndccmd 10.53.0.2 managed-keys destroy | sed 's/^/ns2 /' | cat_i 715263508Sdimmkeys_status_on 2 >rndc.out.1.$n 2>&1 || ret=1 716226584Sdimgrep "no views with managed keys" rndc.out.1.$n >/dev/null || ret=1 717226584Sdimmkeys_reconfig_on 2 || ret=1 718226584Sdimcheck_root_trust_anchor_is_present_in_status() { 719226584Sdim mkeys_status_on 2 >rndc.out.2.$n 2>&1 || return 1 720226584Sdim grep "name: \." rndc.out.2.$n >/dev/null || return 1 721226584Sdim return 0 722226584Sdim} 723226584Sdimretry_quiet 5 check_root_trust_anchor_is_present_in_status || ret=1 724226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 725226584Sdimstatus=$((status + ret)) 726226584Sdim 727226584Sdimn=$((n + 1)) 728226584Sdimecho_i "check that trust-anchor-telemetry queries contain the correct key ($n)" 729263508Sdimret=0 730226584Sdim# convert the hexadecimal key from the TAT query into decimal and 731226584Sdim# compare against the known key. 732226584Sdimtathex=$(grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run | awk '{print $6; exit 0}' | sed -e 's/(_ta-\([0-9a-f][0-9a-f]*\)):/\1/') || true 733226584Sdimtatkey=$($PERL -e 'printf("%d\n", hex(@ARGV[0]));' "$tathex") 734226584Sdimrealkey=$(rndccmd 10.53.0.2 secroots - | sed -n "s#.*${DEFAULT_ALGORITHM}/\([0-9][0-9]*\) ; .*managed.*#\1#p") 735226584Sdim[ "$tatkey" -eq "$realkey" ] || ret=1 736226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 737226584Sdimstatus=$((status + ret)) 738226584Sdim 739226584Sdimn=$((n + 1)) 740226584Sdimecho_i "check initialization fails if managed-keys can't be created ($n)" 741226584Sdimret=0 742226584Sdimmkeys_secroots_on 4 || ret=1 743263508Sdimgrep '; initializing managed' ns4/named.secroots >/dev/null 2>&1 || ret=1 744226584Sdimgrep '; managed' ns4/named.secroots >/dev/null 2>&1 && ret=1 745226584Sdimgrep '; trusted' ns4/named.secroots >/dev/null 2>&1 && ret=1 746226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 747226584Sdimstatus=$((status + ret)) 748226584Sdim 749226584Sdimn=$((n + 1)) 750226584Sdimecho_i "check failure to contact root servers does not prevent key refreshes after restart ($n)" 751226584Sdimret=0 752226584Sdim# By the time we get here, ns5 should have attempted refreshing its managed 753226584Sdim# keys. These attempts should fail as ns1 is configured to REFUSE all queries 754226584Sdim# from ns5. Note that named1.args does not contain "-T mkeytimers"; this is to 755226584Sdim# ensure key refresh retry will be scheduled to one actual hour after the first 756226584Sdim# key refresh failure instead of just a few seconds, in order to prevent races 757263508Sdim# between the next scheduled key refresh time and startup time of restarted ns5. 758226584Sdimstop_server --use-rndc --port "${CONTROLPORT}" ns5 759226584Sdimnextpart ns5/named.run >/dev/null 760226584Sdimstart_server --noclean --restart --port "${PORT}" ns5 761226584Sdimwait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.':" ns5/named.run || ret=1 762226584Sdimwait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld':" ns5/named.run || ret=1 763226584Sdimwait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo':" ns5/named.run || ret=1 764226584Sdim# ns5/named.run will contain logs from both the old instance and the new 765226584Sdim# instance. In order for the test to pass, both must attempt a fetch. 766226584Sdimcount=$(grep -c "Creating key fetch" ns5/named.run) || true 767226584Sdim[ "$count" -lt 2 ] && ret=1 768226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 769226584Sdimstatus=$((status + ret)) 770226584Sdim 771263508Sdimn=$((n + 1)) 772226584Sdimecho_i "check 'rndc managed-keys' and islands of trust root unreachable ($n)" 773226584Sdimret=0 774226584Sdimmkeys_sync_on 5 775226584Sdimmkeys_status_on 5 >rndc.out.$n 2>&1 || ret=1 776226584Sdim# there should be three keys listed now 777226584Sdimcount=$(grep -c "keyid: " rndc.out.$n) || true 778226584Sdim[ "$count" -eq 3 ] || ret=1 779226584Sdim# three lines indicating trust status 780226584Sdimcount=$(grep -c "trust" rndc.out.$n) || true 781226584Sdim[ "$count" -eq 3 ] || ret=1 782226584Sdim# one indicates current trust 783226584Sdimcount=$(grep -c "trusted since" rndc.out.$n) || true 784263508Sdim[ "$count" -eq 1 ] || ret=1 785226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 786226584Sdimstatus=$((status + ret)) 787263508Sdim 788263508Sdimn=$((n + 1)) 789263508Sdimecho_i "check key refreshes are resumed after root servers become available ($n)" 790263508Sdimret=0 791263508Sdimstop_server --use-rndc --port "${CONTROLPORT}" ns5 792263508Sdim# Prevent previous check from affecting this one 793263508Sdimrm -f ns5/managed-keys.bind* 794263508Sdim# named2.args adds "-T mkeytimers=2/20/40" to named1.args as we need to wait for 795263508Sdim# an "hour" until keys are refreshed again after initial failure 796263508Sdimcp ns5/named2.args ns5/named.args 797263508Sdimnextpart ns5/named.run >/dev/null 798263508Sdimstart_server --noclean --restart --port "${PORT}" ns5 799263508Sdimwait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1 800263508Sdimwait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': failure" ns5/named.run || ret=1 801263508Sdimwait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1 802263508Sdimmkeys_secroots_on 5 || ret=1 803263508Sdimgrep '; initializing managed' ns5/named.secroots >/dev/null 2>&1 || ret=1 804263508Sdim# ns1 should still REFUSE queries from ns5, so resolving should be impossible 805263508Sdimdig_with_opts +noauth example. @10.53.0.5 txt >dig.out.ns5.a.test$n || ret=1 806263508Sdimgrep "flags:.*ad.*QUERY" dig.out.ns5.a.test$n >/dev/null && ret=1 807263508Sdimgrep "example..*.RRSIG..*TXT" dig.out.ns5.a.test$n >/dev/null && ret=1 808263508Sdimgrep "status: SERVFAIL" dig.out.ns5.a.test$n >/dev/null || ret=1 809263508Sdim# Allow queries from ns5 to ns1 810263508Sdimcopy_setports ns1/named3.conf.in ns1/named.conf 811263508Sdimrm -f ns1/root.db.signed.jnl 812263508Sdimnextpart ns5/named.run >/dev/null 813263508Sdimmkeys_reconfig_on 1 || ret=1 814263508Sdimwait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1 815226584Sdimwait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': success" ns5/named.run || ret=1 816226584Sdimwait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1 817226584Sdimmkeys_secroots_on 5 || ret=1 818226584Sdimgrep '; managed' ns5/named.secroots >/dev/null || ret=1 819226584Sdim# ns1 should not longer REFUSE queries from ns5, so managed keys should be 820226584Sdim# correctly refreshed and resolving should succeed 821226584Sdimdig_with_opts +noauth example. @10.53.0.5 txt >dig.out.ns5.b.test$n || ret=1 822226584Sdimgrep "flags:.*ad.*QUERY" dig.out.ns5.b.test$n >/dev/null || ret=1 823226584Sdimgrep "example..*.RRSIG..*TXT" dig.out.ns5.b.test$n >/dev/null || ret=1 824226584Sdimgrep "status: NOERROR" dig.out.ns5.b.test$n >/dev/null || ret=1 825226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 826226584Sdimstatus=$((status + ret)) 827226584Sdim 828226584Sdimn=$((n + 1)) 829226584Sdimecho_i "reinitialize trust anchors, add unsupported algorithm ($n)" 830234353Sdimret=0 831226584Sdimstop_server --use-rndc --port "${CONTROLPORT}" ns6 832226584Sdimrm -f ns6/managed-keys.bind* 833226584Sdimnextpart ns6/named.run >/dev/null 834226584Sdimstart_server --noclean --restart --port "${PORT}" ns6 835226584Sdim# log when an unsupported algorithm is encountered during startup 836226584Sdimwait_for_log 20 "ignoring initial-key for 'unsupported.': algorithm is unsupported" ns6/named.run || ret=1 837226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 838226584Sdimstatus=$((status + ret)) 839226584Sdim 840226584Sdimn=$((n + 1)) 841226584Sdimecho_i "ignoring unsupported algorithm in managed-keys ($n)" 842226584Sdimret=0 843226584Sdimmkeys_status_on 6 >rndc.out.$n 2>&1 || ret=1 844226584Sdim# there should still be only two keys listed (for . and island.) 845226584Sdimcount=$(grep -c "keyid: " rndc.out.$n) || true 846226584Sdim[ "$count" -eq 2 ] || ret=1 847226584Sdim# two lines indicating trust status 848226584Sdimcount=$(grep -c "trust" rndc.out.$n) || true 849226584Sdim[ "$count" -eq 2 ] || ret=1 850226584Sdim 851226584Sdimn=$((n + 1)) 852226584Sdimecho_i "introduce unsupported algorithm rollover in authoritative zone ($n)" 853226584Sdimret=0 854226584Sdimcp ns1/root.db ns1/root.db.orig 855226584Sdimksk=$(cat ns1/managed.key) 856226584Sdimzsk=$(cat ns1/zone.key) 857226584Sdimcat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >>ns1/root.db 858226584Sdimgrep "\.[[:space:]]*IN[[:space:]]*DNSKEY[[:space:]]*257 3 255" ns1/root.db >/dev/null || ret=1 859226584Sdim$SIGNER -K ns1 -N unixtime -o . ns1/root.db "$ksk" "$zsk" >/dev/null 2>/dev/null || ret=1 860263508Sdimgrep "DNSKEY.*257 3 255" ns1/root.db.signed >/dev/null || ret=1 861263508Sdimcp ns1/root.db.orig ns1/root.db 862226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 863226584Sdimstatus=$((status + ret)) 864226584Sdim 865226584Sdimn=$((n + 1)) 866226584Sdimecho_i "ignoring unsupported algorithm in rollover ($n)" 867226584Sdimret=0 868226584Sdimmkeys_reload_on 1 || ret=1 869226584Sdimmkeys_refresh_on 6 || ret=1 870226584Sdimmkeys_status_on 6 >rndc.out.$n 2>&1 || ret=1 871226584Sdim# there should still be only two keys listed (for . and island.) 872226584Sdimcount=$(grep -c "keyid: " rndc.out.$n) || true 873226584Sdim[ "$count" -eq 2 ] || ret=1 874226584Sdim# two lines indicating trust status 875226584Sdimcount=$(grep -c "trust" rndc.out.$n) || true 876226584Sdim[ "$count" -eq 2 ] || ret=1 877226584Sdim# log when an unsupported algorithm is encountered during rollover 878226584Sdimwait_for_log 20 "Cannot compute tag for key in zone .: algorithm is unsupported" ns6/named.run || ret=1 879226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 880226584Sdimstatus=$((status + ret)) 881226584Sdim 882226584Sdimn=$((n + 1)) 883226584Sdimecho_i "check 'rndc managed-keys' and views ($n)" 884226584Sdimret=0 885226584Sdimrndccmd 10.53.0.7 managed-keys refresh in view1 >rndc.out.ns7.view1.test$n || ret=1 886226584Sdimgrep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n >/dev/null || ret=1 887226584Sdimlines=$(wc -l <rndc.out.ns7.view1.test$n) 888226584Sdim[ "$lines" -eq 1 ] || ret=1 889226584Sdimrndccmd 10.53.0.7 managed-keys refresh >rndc.out.ns7.view2.test$n || ret=1 890226584Sdimlines=$(wc -l <rndc.out.ns7.view2.test$n) 891226584Sdimgrep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n >/dev/null || ret=1 892226584Sdimgrep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n >/dev/null || ret=1 893226584Sdim[ "$lines" -eq 2 ] || ret=1 894263508Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 895263508Sdimstatus=$((status + ret)) 896263508Sdim 897226584Sdimn=$((n + 1)) 898226584Sdimecho_i "check 'rndc managed-keys' and islands of trust now that root is reachable ($n)" 899226584Sdimret=0 900226584Sdimmkeys_sync_on 5 901226584Sdimmkeys_status_on 5 >rndc.out.$n 2>&1 || ret=1 902226584Sdim# there should be three keys listed now 903226584Sdimcount=$(grep -c "keyid: " rndc.out.$n) || true 904226584Sdim[ "$count" -eq 3 ] || ret=1 905226584Sdim# theee lines indicating trust status 906226584Sdimcount=$(grep -c "trust" rndc.out.$n) || true 907226584Sdim[ "$count" -eq 3 ] || ret=1 908226584Sdim# three indicates current trust 909226584Sdimcount=$(grep -c "trusted since" rndc.out.$n) || true 910226584Sdim[ "$count" -eq 3 ] || ret=1 911226584Sdimif [ $ret != 0 ]; then echo_i "failed"; fi 912226584Sdimstatus=$((status + ret)) 913226584Sdim 914226584Sdimecho_i "exit status: $status" 915226584Sdim[ $status -eq 0 ] || exit 1 916226584Sdim