tests.sh revision 1.1.1.3
1#!/bin/sh 2# 3# Copyright (C) Internet Systems Consortium, Inc. ("ISC") 4# 5# This Source Code Form is subject to the terms of the Mozilla Public 6# License, v. 2.0. If a copy of the MPL was not distributed with this 7# file, You can obtain one at http://mozilla.org/MPL/2.0/. 8# 9# See the COPYRIGHT file distributed with this work for additional 10# information regarding copyright ownership. 11 12SYSTEMTESTTOP=.. 13. $SYSTEMTESTTOP/conf.sh 14 15DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" 16DELVOPTS="-a ns1/trusted.conf -p ${PORT}" 17RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" 18 19wait_for_log() { 20 msg=$1 21 file=$2 22 for i in 1 2 3 4 5 6 7 8 9 10; do 23 nextpart "$file" | grep "$msg" > /dev/null && return 24 sleep 1 25 done 26 echo_i "exceeded time limit waiting for '$msg' in $file" 27 ret=1 28} 29 30mkeys_reconfig_on() { 31 nsidx=$1 32 $RNDCCMD 10.53.0.${nsidx} reconfig . | sed "s/^/ns${nsidx} /" | cat_i 33} 34 35mkeys_reload_on() { 36 nsidx=$1 37 nextpart ns${nsidx}/named.run > /dev/null 38 rndc_reload ns${nsidx} 10.53.0.${nsidx} 39 wait_for_log "loaded serial" ns${nsidx}/named.run 40} 41 42mkeys_loadkeys_on() { 43 nsidx=$1 44 nextpart ns${nsidx}/named.run > /dev/null 45 $RNDCCMD 10.53.0.${nsidx} loadkeys . | sed "s/^/ns${nsidx} /" | cat_i 46 wait_for_log "next key event" ns${nsidx}/named.run 47} 48 49mkeys_refresh_on() { 50 nsidx=$1 51 nextpart ns${nsidx}/named.run > /dev/null 52 $RNDCCMD 10.53.0.${nsidx} managed-keys refresh | sed "s/^/ns${nsidx} /" | cat_i 53 wait_for_log "Returned from key fetch in keyfetch_done()" ns${nsidx}/named.run 54} 55 56mkeys_sync_on() { 57 # No race with mkeys_refresh_on() is possible as even if the latter 58 # returns immediately after the expected log message is written, the 59 # managed-keys zone is already locked and the command below calls 60 # dns_zone_flush(), which also attempts to take that zone's lock 61 nsidx=$1 62 nextpart ns${nsidx}/named.run > /dev/null 63 $RNDCCMD 10.53.0.${nsidx} managed-keys sync | sed "s/^/ns${nsidx} /" | cat_i 64 wait_for_log "dump_done" ns${nsidx}/named.run 65} 66 67mkeys_status_on() { 68 # No race with mkeys_refresh_on() is possible as even if the latter 69 # returns immediately after the expected log message is written, the 70 # managed-keys zone is already locked and the command below calls 71 # mkey_status(), which in turn calls dns_zone_getrefreshkeytime(), 72 # which also attempts to take that zone's lock 73 nsidx=$1 74 $RNDCCMD 10.53.0.${nsidx} managed-keys status 75} 76 77mkeys_flush_on() { 78 nsidx=$1 79 $RNDCCMD 10.53.0.${nsidx} flush | sed "s/^/ns${nsidx} /" | cat_i 80} 81 82mkeys_secroots_on() { 83 nsidx=$1 84 $RNDCCMD 10.53.0.${nsidx} secroots | sed "s/^/ns${nsidx} /" | cat_i 85} 86 87original=`cat ns1/managed.key` 88originalid=`cat ns1/managed.key.id` 89 90status=0 91n=1 92 93rm -f dig.out.* 94 95echo_i "check for signed record ($n)" 96ret=0 97$DIG $DIGOPTS +norec example. @10.53.0.1 TXT > dig.out.ns1.test$n || ret=1 98grep "^example\.[ ]*[0-9].*[ ]*IN[ ]*TXT[ ]*\"This is a test\.\"" dig.out.ns1.test$n > /dev/null || ret=1 99grep "^example\.[ ]*[0-9].*[ ]*IN[ ]*RRSIG[ ]*TXT[ ]" dig.out.ns1.test$n > /dev/null || ret=1 100if [ $ret != 0 ]; then echo_i "failed"; fi 101status=`expr $status + $ret` 102 103n=`expr $n + 1` 104echo_i "check positive validation with valid trust anchor ($n)" 105ret=0 106$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 107grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 108grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 109if [ $ret != 0 ]; then echo_i "failed"; fi 110status=`expr $status + $ret` 111 112n=`expr $n + 1` 113ret=0 114echo_i "check positive validation using delv ($n)" 115$DELV $DELVOPTS @10.53.0.1 txt example > delv.out$n || ret=1 116grep "; fully validated" delv.out$n > /dev/null || ret=1 # redundant 117grep "example..*TXT.*This is a test" delv.out$n > /dev/null || ret=1 118grep "example..*.RRSIG..*TXT" delv.out$n > /dev/null || ret=1 119if [ $ret != 0 ]; then echo_i "failed"; fi 120status=`expr $status + $ret` 121 122n=`expr $n + 1` 123echo_i "check for failed validation due to wrong key in managed-keys ($n)" 124ret=0 125$DIG $DIGOPTS +noauth example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 126grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 127grep "example..*.RRSIG..*TXT" dig.out.ns3.test$n > /dev/null && ret=1 128grep "opcode: QUERY, status: SERVFAIL, id" dig.out.ns3.test$n > /dev/null || ret=1 129if [ $ret != 0 ]; then echo_i "failed"; fi 130status=`expr $status + $ret` 131 132n=`expr $n + 1` 133echo_i "check new trust anchor can be added ($n)" 134ret=0 135standby1=`$KEYGEN -a rsasha256 -qfk -K ns1 .` 136mkeys_loadkeys_on 1 137mkeys_refresh_on 2 138mkeys_status_on 2 > rndc.out.$n 2>&1 139# there should be two keys listed now 140count=`grep -c "keyid: " rndc.out.$n` 141[ "$count" -eq 2 ] || ret=1 142# two lines indicating trust status 143count=`grep -c "trust" rndc.out.$n` 144[ "$count" -eq 2 ] || ret=1 145# one indicates current trust 146count=`grep -c "trusted since" rndc.out.$n` 147[ "$count" -eq 1 ] || ret=1 148# one indicates pending trust 149count=`grep -c "trust pending" rndc.out.$n` 150[ "$count" -eq 1 ] || ret=1 151if [ $ret != 0 ]; then echo_i "failed"; fi 152status=`expr $status + $ret` 153 154n=`expr $n + 1` 155echo_i "check new trust anchor can't be added with bad initial key ($n)" 156ret=0 157mkeys_refresh_on 3 158mkeys_status_on 3 > rndc.out.$n 2>&1 159# there should be one key listed now 160count=`grep -c "keyid: " rndc.out.$n` 161[ "$count" -eq 1 ] || ret=1 162# one line indicating trust status 163count=`grep -c "trust" rndc.out.$n` 164[ "$count" -eq 1 ] || ret=1 165# ... and the key is not trusted 166count=`grep -c "no trust" rndc.out.$n` 167[ "$count" -eq 1 ] || ret=1 168if [ $ret != 0 ]; then echo_i "failed"; fi 169status=`expr $status + $ret` 170 171n=`expr $n + 1` 172echo_i "remove untrusted standby key, check timer restarts ($n)" 173ret=0 174mkeys_sync_on 2 175t1=`grep "trust pending" ns2/managed-keys.bind` 176$SETTIME -D now -K ns1 $standby1 > /dev/null 177mkeys_loadkeys_on 1 178# Less than a second may have passed since the last time ns2 received a 179# ./DNSKEY response from ns1. Ensure keys are refreshed at a different 180# timestamp to prevent false negatives caused by the acceptance timer getting 181# reset to the same timestamp. 182sleep 1 183mkeys_refresh_on 2 184mkeys_sync_on 2 185t2=`grep "trust pending" ns2/managed-keys.bind` 186# trust pending date must be different 187[ -n "$t2" ] || ret=1 188[ "$t1" = "$t2" ] && ret=1 189if [ $ret != 0 ]; then echo_i "failed"; fi 190status=`expr $status + $ret` 191 192n=`expr $n + 1` 193ret=0 194echo_i "restore untrusted standby key, revoke original key ($n)" 195t1=$t2 196$SETTIME -D none -K ns1 $standby1 > /dev/null 197$SETTIME -R now -K ns1 $original > /dev/null 198mkeys_loadkeys_on 1 199# Less than a second may have passed since the last time ns2 received a 200# ./DNSKEY response from ns1. Ensure keys are refreshed at a different 201# timestamp to prevent false negatives caused by the acceptance timer getting 202# reset to the same timestamp. 203sleep 1 204mkeys_refresh_on 2 205mkeys_sync_on 2 206mkeys_status_on 2 > rndc.out.$n 2>&1 207# two keys listed 208count=`grep -c "keyid: " rndc.out.$n` 209[ "$count" -eq 2 ] || ret=1 210# two lines indicating trust status 211count=`grep -c "trust" rndc.out.$n` 212[ "$count" -eq 2 ] || ret=1 213# trust is revoked 214count=`grep -c "trust revoked" rndc.out.$n` 215[ "$count" -eq 1 ] || ret=1 216# removal scheduled 217count=`grep -c "remove at" rndc.out.$n` 218[ "$count" -eq 1 ] || ret=1 219# trust is still pending on the standby key 220count=`grep -c "trust pending" rndc.out.$n` 221[ "$count" -eq 1 ] || ret=1 222# pending date moved forward for the standby key 223t2=`grep "trust pending" ns2/managed-keys.bind` 224[ -n "$t2" ] || ret=1 225[ "$t1" = "$t2" ] && ret=1 226if [ $ret != 0 ]; then echo_i "failed"; fi 227status=`expr $status + $ret` 228 229n=`expr $n + 1` 230ret=0 231echo_i "refresh managed-keys, ensure same result ($n)" 232t1=$t2 233# Less than a second may have passed since the last time ns2 received a 234# ./DNSKEY response from ns1. Ensure keys are refreshed at a different 235# timestamp to prevent false negatives caused by the acceptance timer getting 236# reset to the same timestamp. 237sleep 1 238mkeys_refresh_on 2 239mkeys_sync_on 2 240mkeys_status_on 2 > rndc.out.$n 2>&1 241# two keys listed 242count=`grep -c "keyid: " rndc.out.$n` 243[ "$count" -eq 2 ] || ret=1 244# two lines indicating trust status 245count=`grep -c "trust" rndc.out.$n` 246[ "$count" -eq 2 ] || ret=1 247# trust is revoked 248count=`grep -c "trust revoked" rndc.out.$n` 249[ "$count" -eq 1 ] || ret=1 250# removal scheduled 251count=`grep -c "remove at" rndc.out.$n` 252[ "$count" -eq 1 ] || ret=1 253# trust is still pending on the standby key 254count=`grep -c "trust pending" rndc.out.$n` 255[ "$count" -eq 1 ] || ret=1 256# pending date moved forward for the standby key 257t2=`grep "trust pending" ns2/managed-keys.bind` 258[ -n "$t2" ] || ret=1 259[ "$t1" = "$t2" ] && ret=1 260if [ $ret != 0 ]; then echo_i "failed"; fi 261status=`expr $status + $ret` 262 263n=`expr $n + 1` 264ret=0 265echo_i "restore revoked key, ensure same result ($n)" 266t1=$t2 267$SETTIME -R none -D now -K ns1 $original > /dev/null 268mkeys_loadkeys_on 1 269$SETTIME -D none -K ns1 $original > /dev/null 270mkeys_loadkeys_on 1 271# Less than a second may have passed since the last time ns2 received a 272# ./DNSKEY response from ns1. Ensure keys are refreshed at a different 273# timestamp to prevent false negatives caused by the acceptance timer getting 274# reset to the same timestamp. 275sleep 1 276mkeys_refresh_on 2 277mkeys_sync_on 2 278mkeys_status_on 2 > rndc.out.$n 2>&1 279# two keys listed 280count=`grep -c "keyid: " rndc.out.$n` 281[ "$count" -eq 2 ] || ret=1 282# two lines indicating trust status 283count=`grep -c "trust" rndc.out.$n` 284[ "$count" -eq 2 ] || ret=1 285# trust is revoked 286count=`grep -c "trust revoked" rndc.out.$n` 287[ "$count" -eq 1 ] || ret=1 288# removal scheduled 289count=`grep -c "remove at" rndc.out.$n` 290[ "$count" -eq 1 ] || ret=1 291# trust is still pending on the standby key 292count=`grep -c "trust pending" rndc.out.$n` 293[ "$count" -eq 1 ] || ret=1 294# pending date moved forward for the standby key 295t2=`grep "trust pending" ns2/managed-keys.bind` 296[ -n "$t2" ] || ret=1 297[ "$t1" = "$t2" ] && ret=1 298if [ $ret != 0 ]; then echo_i "failed"; fi 299status=`expr $status + $ret` 300 301echo_i "reinitialize trust anchors, add second key to bind.keys" 302$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns2 303rm -f ns2/managed-keys.bind* 304keyfile_to_managed_keys ns1/$original ns1/$standby1 > ns2/managed.conf 305nextpart ns2/named.run > /dev/null 306$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns2 307 308n=`expr $n + 1` 309echo_i "check that no key from bind.keys is marked as an initializing key ($n)" 310ret=0 311wait_for_log "Returned from key fetch in keyfetch_done()" ns2/named.run 312mkeys_secroots_on 2 313grep '; initializing' ns2/named.secroots > /dev/null 2>&1 && ret=1 314if [ $ret != 0 ]; then echo_i "failed"; fi 315status=`expr $status + $ret` 316 317echo_i "reinitialize trust anchors, revert to one key in bind.keys" 318$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns2 319rm -f ns2/managed-keys.bind* 320mv ns2/managed1.conf ns2/managed.conf 321nextpart ns2/named.run > /dev/null 322$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns2 323 324n=`expr $n + 1` 325echo_i "check that standby key is now trusted ($n)" 326ret=0 327wait_for_log "Returned from key fetch in keyfetch_done()" ns2/named.run 328mkeys_status_on 2 > rndc.out.$n 2>&1 329# two keys listed 330count=`grep -c "keyid: " rndc.out.$n` 331[ "$count" -eq 2 ] || ret=1 332# two lines indicating trust status 333count=`grep -c "trust" rndc.out.$n` 334[ "$count" -eq 2 ] || ret=1 335# both indicate current trust 336count=`grep -c "trusted since" rndc.out.$n` 337[ "$count" -eq 2 ] || ret=1 338if [ $ret != 0 ]; then echo_i "failed"; fi 339status=`expr $status + $ret` 340 341n=`expr $n + 1` 342echo_i "revoke original key, add new standby ($n)" 343ret=0 344standby2=`$KEYGEN -a rsasha256 -qfk -K ns1 .` 345$SETTIME -R now -K ns1 $original > /dev/null 346mkeys_loadkeys_on 1 347mkeys_refresh_on 2 348mkeys_status_on 2 > rndc.out.$n 2>&1 349# three keys listed 350count=`grep -c "keyid: " rndc.out.$n` 351[ "$count" -eq 3 ] || ret=1 352# one is revoked 353count=`grep -c "REVOKE" rndc.out.$n` 354[ "$count" -eq 1 ] || ret=1 355# three lines indicating trust status 356count=`grep -c "trust" rndc.out.$n` 357[ "$count" -eq 3 ] || ret=1 358# one indicates current trust 359count=`grep -c "trusted since" rndc.out.$n` 360[ "$count" -eq 1 ] || ret=1 361# one indicates revoked trust 362count=`grep -c "trust revoked" rndc.out.$n` 363[ "$count" -eq 1 ] || ret=1 364# one indicates trust pending 365count=`grep -c "trust pending" rndc.out.$n` 366[ "$count" -eq 1 ] || ret=1 367# removal scheduled 368count=`grep -c "remove at" rndc.out.$n` 369[ "$count" -eq 1 ] || ret=1 370if [ $ret != 0 ]; then echo_i "failed"; fi 371status=`expr $status + $ret` 372 373n=`expr $n + 1` 374echo_i "revoke standby before it is trusted ($n)" 375ret=0 376standby3=`$KEYGEN -a rsasha256 -qfk -K ns1 .` 377mkeys_loadkeys_on 1 378mkeys_refresh_on 2 379mkeys_status_on 2 > rndc.out.a.$n 2>&1 380# four keys listed 381count=`grep -c "keyid: " rndc.out.a.$n` 382[ "$count" -eq 4 ] || { echo "keyid: count ($count) != 4"; ret=1; } 383# one revoked 384count=`grep -c "trust revoked" rndc.out.a.$n` 385[ "$count" -eq 1 ] || { echo "trust revoked count ($count) != 1"; ret=1; } 386# two pending 387count=`grep -c "trust pending" rndc.out.a.$n` 388[ "$count" -eq 2 ] || { echo "trust pending count ($count) != 2"; ret=1; } 389$SETTIME -R now -K ns1 $standby3 > /dev/null 390mkeys_loadkeys_on 1 391mkeys_refresh_on 2 392mkeys_status_on 2 > rndc.out.b.$n 2>&1 393# now three keys listed 394count=`grep -c "keyid: " rndc.out.b.$n` 395[ "$count" -eq 3 ] || { echo "keyid: count ($count) != 3"; ret=1; } 396# one revoked 397count=`grep -c "trust revoked" rndc.out.b.$n` 398[ "$count" -eq 1 ] || { echo "trust revoked count ($count) != 1"; ret=1; } 399# one pending 400count=`grep -c "trust pending" rndc.out.b.$n` 401[ "$count" -eq 1 ] || { echo "trust pending count ($count) != 1"; ret=1; } 402$SETTIME -D now -K ns1 $standby3 > /dev/null 403mkeys_loadkeys_on 1 404if [ $ret != 0 ]; then echo_i "failed"; fi 405status=`expr $status + $ret` 406 407n=`expr $n + 1` 408echo_i "wait 20 seconds for key add/remove holddowns to expire ($n)" 409ret=0 410sleep 20 411mkeys_refresh_on 2 412mkeys_status_on 2 > rndc.out.$n 2>&1 413# two keys listed 414count=`grep -c "keyid: " rndc.out.$n` 415[ "$count" -eq 2 ] || ret=1 416# none revoked 417count=`grep -c "REVOKE" rndc.out.$n` 418[ "$count" -eq 0 ] || ret=1 419# two lines indicating trust status 420count=`grep -c "trust" rndc.out.$n` 421[ "$count" -eq 2 ] || ret=1 422# both indicate current trust 423count=`grep -c "trusted since" rndc.out.$n` 424[ "$count" -eq 2 ] || ret=1 425if [ $ret != 0 ]; then echo_i "failed"; fi 426status=`expr $status + $ret` 427 428n=`expr $n + 1` 429echo_i "revoke all keys, confirm roll to insecure ($n)" 430ret=0 431$SETTIME -D now -K ns1 $original > /dev/null 432$SETTIME -R now -K ns1 $standby1 > /dev/null 433$SETTIME -R now -K ns1 $standby2 > /dev/null 434mkeys_loadkeys_on 1 435mkeys_refresh_on 2 436mkeys_status_on 2 > rndc.out.$n 2>&1 437# two keys listed 438count=`grep -c "keyid: " rndc.out.$n` 439[ "$count" -eq 2 ] || ret=1 440# both revoked 441count=`grep -c "REVOKE" rndc.out.$n` 442[ "$count" -eq 2 ] || ret=1 443# two lines indicating trust status 444count=`grep -c "trust" rndc.out.$n` 445[ "$count" -eq 2 ] || ret=1 446# both indicate trust revoked 447count=`grep -c "trust revoked" rndc.out.$n` 448[ "$count" -eq 2 ] || ret=1 449# both have removal scheduled 450count=`grep -c "remove at" rndc.out.$n` 451[ "$count" -eq 2 ] || ret=1 452if [ $ret != 0 ]; then echo_i "failed"; fi 453status=`expr $status + $ret` 454 455n=`expr $n + 1` 456echo_i "check for insecure response ($n)" 457ret=0 458mkeys_refresh_on 2 459$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 460grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 461grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 462grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 463if [ $ret != 0 ]; then echo_i "failed"; fi 464status=`expr $status + $ret` 465 466echo_i "reset the root server" 467$SETTIME -D none -R none -K ns1 $original > /dev/null 468$SETTIME -D now -K ns1 $standby1 > /dev/null 469$SETTIME -D now -K ns1 $standby2 > /dev/null 470$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null 471copy_setports ns1/named2.conf.in ns1/named.conf 472rm -f ns1/root.db.signed.jnl 473mkeys_reconfig_on 1 474 475echo_i "reinitialize trust anchors" 476$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns2 477rm -f ns2/managed-keys.bind* 478nextpart ns2/named.run > /dev/null 479$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns2 480 481n=`expr $n + 1` 482echo_i "check positive validation ($n)" 483ret=0 484wait_for_log "Returned from key fetch in keyfetch_done()" ns2/named.run 485$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 486grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 487grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 488if [ $ret != 0 ]; then echo_i "failed"; fi 489status=`expr $status + $ret` 490 491n=`expr $n + 1` 492echo_i "revoke key with bad signature, check revocation is ignored ($n)" 493ret=0 494revoked=`$REVOKE -K ns1 $original` 495rkeyid=`expr $revoked : 'ns1/K\.+00.+0*\([1-9]*[0-9]*[0-9]\)'` 496rm -f ns1/root.db.signed.jnl 497# We need to activate at least one valid DNSKEY to prevent dnssec-signzone from 498# failing. Alternatively, we could use -P to disable post-sign verification, 499# but we actually do want post-sign verification to happen to ensure the zone 500# is correct before we break it on purpose. 501$SETTIME -R none -D none -K ns1 $standby1 > /dev/null 502$SIGNER -Sg -K ns1 -N unixtime -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>/dev/null 503cp -f ns1/root.db.signed ns1/root.db.tmp 504BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg==" 505# Less than a second may have passed since ns1 was started. If we call 506# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the 507# subsequent "rndc reload ." call on platforms which do not set the 508# "nanoseconds" field of isc_time_t, due to zone load time being seemingly 509# equal to master file modification time. 510sleep 1 511sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n > ns1/root.db.signed 512mkeys_reload_on 1 513mkeys_refresh_on 2 514mkeys_status_on 2 > rndc.out.$n 2>&1 515# one key listed 516count=`grep -c "keyid: " rndc.out.$n` 517[ "$count" -eq 1 ] || { echo "'keyid:' count ($count) != 1"; ret=1; } 518# it's the original key id 519count=`grep -c "keyid: $originalid" rndc.out.$n` 520[ "$count" -eq 1 ] || { echo "'keyid: $originalid' count ($count) != 1"; ret=1; } 521# not revoked 522count=`grep -c "REVOKE" rndc.out.$n` 523[ "$count" -eq 0 ] || { echo "'REVOKE' count ($count) != 0"; ret=1; } 524# trust is still current 525count=`grep -c "trust" rndc.out.$n` 526[ "$count" -eq 1 ] || { echo "'trust' count != 1"; ret=1; } 527count=`grep -c "trusted since" rndc.out.$n` 528[ "$count" -eq 1 ] || { echo "'trusted since' count != 1"; ret=1; } 529if [ $ret != 0 ]; then echo_i "failed"; fi 530status=`expr $status + $ret` 531 532n=`expr $n + 1` 533echo_i "check validation fails with bad DNSKEY rrset ($n)" 534ret=0 535mkeys_flush_on 2 536$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 537grep "status: SERVFAIL" dig.out.ns2.test$n > /dev/null || ret=1 538if [ $ret != 0 ]; then echo_i "failed"; fi 539status=`expr $status + $ret` 540 541n=`expr $n + 1` 542echo_i "restore DNSKEY rrset, check validation succeeds again ($n)" 543ret=0 544rm -f ${revoked}.key ${revoked}.private 545rm -f ns1/root.db.signed.jnl 546$SETTIME -D none -R none -K ns1 $original > /dev/null 547$SETTIME -D now -K ns1 $standby1 > /dev/null 548# Less than a second may have passed since ns1 was started. If we call 549# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the 550# subsequent "rndc reload ." call on platforms which do not set the 551# "nanoseconds" field of isc_time_t, due to zone load time being seemingly 552# equal to master file modification time. 553sleep 1 554$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null 555mkeys_reload_on 1 556mkeys_flush_on 2 557$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 558grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 559grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 560if [ $ret != 0 ]; then echo_i "failed"; fi 561status=`expr $status + $ret` 562 563n=`expr $n + 1` 564echo_i "reset the root server with no keys, check for minimal update ($n)" 565ret=0 566# Refresh keys first to prevent previous checks from influencing this one. 567# Note that we might still get occasional false negatives on some really slow 568# machines, when $t1 equals $t2 due to the time elapsed between "rndc 569# managed-keys status" calls being equal to the normal active refresh period 570# (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as 571# set using -T mkeytimers). 572mkeys_refresh_on 2 573mkeys_status_on 2 > rndc.out.$n 2>&1 574t1=`grep 'next refresh:' rndc.out.$n` 575$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns1 576rm -f ns1/root.db.signed.jnl 577cp ns1/root.db ns1/root.db.signed 578nextpart ns1/named.run > /dev/null 579$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns1 580wait_for_log "loaded serial" ns1/named.run 581mkeys_refresh_on 2 582mkeys_status_on 2 > rndc.out.$n 2>&1 583# one key listed 584count=`grep -c "keyid: " rndc.out.$n` 585[ "$count" -eq 1 ] || ret=1 586# it's the original key id 587count=`grep -c "keyid: $originalid" rndc.out.$n` 588[ "$count" -eq 1 ] || ret=1 589# not revoked 590count=`grep -c "REVOKE" rndc.out.$n` 591[ "$count" -eq 0 ] || ret=1 592# trust is still current 593count=`grep -c "trust" rndc.out.$n` 594[ "$count" -eq 1 ] || ret=1 595count=`grep -c "trusted since" rndc.out.$n` 596[ "$count" -eq 1 ] || ret=1 597t2=`grep 'next refresh:' rndc.out.$n` 598[ "$t1" = "$t2" ] && ret=1 599if [ $ret != 0 ]; then echo_i "failed"; fi 600status=`expr $status + $ret` 601 602n=`expr $n + 1` 603echo_i "reset the root server with no signatures, check for minimal update ($n)" 604ret=0 605# Refresh keys first to prevent previous checks from influencing this one 606mkeys_refresh_on 2 607mkeys_status_on 2 > rndc.out.$n 2>&1 608t1=`grep 'next refresh:' rndc.out.$n` 609$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns1 610rm -f ns1/root.db.signed.jnl 611cat ns1/K*.key >> ns1/root.db.signed 612nextpart ns1/named.run > /dev/null 613$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns1 614wait_for_log "loaded serial" ns1/named.run 615# Less than a second may have passed since the last time ns2 received a 616# ./DNSKEY response from ns1. Ensure keys are refreshed at a different 617# timestamp to prevent minimal update from resetting it to the same timestamp. 618sleep 1 619mkeys_refresh_on 2 620mkeys_status_on 2 > rndc.out.$n 2>&1 621# one key listed 622count=`grep -c "keyid: " rndc.out.$n` 623[ "$count" -eq 1 ] || ret=1 624# it's the original key id 625count=`grep -c "keyid: $originalid" rndc.out.$n` 626[ "$count" -eq 1 ] || ret=1 627# not revoked 628count=`grep -c "REVOKE" rndc.out.$n` 629[ "$count" -eq 0 ] || ret=1 630# trust is still current 631count=`grep -c "trust" rndc.out.$n` 632[ "$count" -eq 1 ] || ret=1 633count=`grep -c "trusted since" rndc.out.$n` 634[ "$count" -eq 1 ] || ret=1 635t2=`grep 'next refresh:' rndc.out.$n` 636[ "$t1" = "$t2" ] && ret=1 637if [ $ret != 0 ]; then echo_i "failed"; fi 638status=`expr $status + $ret` 639 640n=`expr $n + 1` 641echo_i "restore root server, check validation succeeds again ($n)" 642ret=0 643rm -f ns1/root.db.signed.jnl 644$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null 645mkeys_reload_on 1 646mkeys_refresh_on 2 647mkeys_status_on 2 > rndc.out.$n 2>&1 648$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 649grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 650grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 651if [ $ret != 0 ]; then echo_i "failed"; fi 652status=`expr $status + $ret` 653 654n=`expr $n + 1` 655echo_i "check that trust-anchor-telemetry queries are logged ($n)" 656ret=0 657grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run > /dev/null || ret=1 658if [ $ret != 0 ]; then echo_i "failed"; fi 659status=`expr $status + $ret` 660 661n=`expr $n + 1` 662echo_i "check that trust-anchor-telemetry queries are received ($n)" 663ret=0 664grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run > /dev/null || ret=1 665if [ $ret != 0 ]; then echo_i "failed"; fi 666status=`expr $status + $ret` 667 668n=`expr $n + 1` 669echo_i "check 'rndc-managed-keys destroy' ($n)" 670ret=0 671$RNDCCMD 10.53.0.2 managed-keys destroy | sed 's/^/ns2 /' | cat_i 672mkeys_status_on 2 > rndc.out.$n 2>&1 673grep "no views with managed keys" rndc.out.$n > /dev/null || ret=1 674mkeys_reconfig_on 2 675mkeys_status_on 2 > rndc.out.$n 2>&1 676grep "name: \." rndc.out.$n > /dev/null || ret=1 677if [ $ret != 0 ]; then echo_i "failed"; fi 678status=`expr $status + $ret` 679 680n=`expr $n + 1` 681echo_i "check that trust-anchor-telemetry queries contain the correct key ($n)" 682ret=0 683# convert the hexadecimal key from the TAT query into decimal and 684# compare against the known key. 685tathex=`grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run | awk '{print $6; exit 0}' | sed -e 's/(_ta-\([0-9a-f][0-9a-f]*\)):/\1/'` 686tatkey=`$PERL -e 'printf("%d\n", hex(@ARGV[0]));' $tathex` 687realkey=`$RNDCCMD 10.53.0.2 secroots - | sed -n 's#.*SHA256/\([0-9][0-9]*\) ; .*managed.*#\1#p'` 688[ "$tatkey" -eq "$realkey" ] || ret=1 689if [ $ret != 0 ]; then echo_i "failed"; fi 690status=`expr $status + $ret` 691 692n=`expr $n + 1` 693echo_i "check initialization fails if managed-keys can't be created ($n)" 694ret=0 695mkeys_secroots_on 4 696grep '; initializing managed' ns4/named.secroots > /dev/null 2>&1 || ret=1 697grep '; managed' ns4/named.secroots > /dev/null 2>&1 && ret=1 698grep '; trusted' ns4/named.secroots > /dev/null 2>&1 && ret=1 699if [ $ret != 0 ]; then echo_i "failed"; fi 700status=`expr $status + $ret` 701 702n=`expr $n + 1` 703echo_i "check failure to contact root servers does not prevent key refreshes after restart ($n)" 704ret=0 705# By the time we get here, ns5 should have attempted refreshing its managed 706# keys. These attempts should fail as ns1 is configured to REFUSE all queries 707# from ns5. Note that named1.args does not contain "-T mkeytimers"; this is to 708# ensure key refresh retry will be scheduled to one actual hour after the first 709# key refresh failure instead of just a few seconds, in order to prevent races 710# between the next scheduled key refresh time and startup time of restarted ns5. 711$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns5 712nextpart ns5/named.run > /dev/null 713$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns5 714wait_for_log "Returned from key fetch in keyfetch_done()" ns5/named.run 715# ns5/named.run will contain logs from both the old instance and the new 716# instance. In order for the test to pass, both must attempt a fetch. 717count=`grep -c "Creating key fetch" ns5/named.run` 718[ $count -lt 2 ] && ret=1 719if [ $ret != 0 ]; then echo_i "failed"; fi 720status=`expr $status + $ret` 721 722n=`expr $n + 1` 723echo_i "check key refreshes are resumed after root servers become available ($n)" 724ret=0 725$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns5 726# Prevent previous check from affecting this one 727rm -f ns5/managed-keys.bind* 728# named2.args adds "-T mkeytimers=2/20/40" to named1.args as we need to wait for 729# an "hour" until keys are refreshed again after initial failure 730cp ns5/named2.args ns5/named.args 731nextpart ns5/named.run > /dev/null 732$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns5 733wait_for_log "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run 734mkeys_secroots_on 5 735grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1 736# ns1 should still REFUSE queries from ns5, so resolving should be impossible 737$DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.a.test$n || ret=1 738grep "flags:.*ad.*QUERY" dig.out.ns5.a.test$n > /dev/null && ret=1 739grep "example..*.RRSIG..*TXT" dig.out.ns5.a.test$n > /dev/null && ret=1 740grep "status: SERVFAIL" dig.out.ns5.a.test$n > /dev/null || ret=1 741# Allow queries from ns5 to ns1 742copy_setports ns1/named3.conf.in ns1/named.conf 743rm -f ns1/root.db.signed.jnl 744nextpart ns5/named.run > /dev/null 745mkeys_reconfig_on 1 746wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run 747mkeys_secroots_on 5 748grep '; managed' ns5/named.secroots > /dev/null || ret=1 749# ns1 should not longer REFUSE queries from ns5, so managed keys should be 750# correctly refreshed and resolving should succeed 751$DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1 752grep "flags:.*ad.*QUERY" dig.out.ns5.b.test$n > /dev/null || ret=1 753grep "example..*.RRSIG..*TXT" dig.out.ns5.b.test$n > /dev/null || ret=1 754grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1 755if [ $ret != 0 ]; then echo_i "failed"; fi 756status=`expr $status + $ret` 757 758n=`expr $n + 1` 759echo_i "reinitialize trust anchors, add unsupported algorithm ($n)" 760ret=0 761$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6 762rm -f ns6/managed-keys.bind* 763nextpart ns6/named.run > /dev/null 764$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6 765# log when an unsupported algorithm is encountered during startup 766wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run 767if [ $ret != 0 ]; then echo_i "failed"; fi 768status=`expr $status + $ret` 769 770n=`expr $n + 1` 771echo_i "skipping unsupported algorithm in managed-keys ($n)" 772ret=0 773mkeys_status_on 6 > rndc.out.$n 2>&1 774# there should still be only two keys listed (for . and rsasha256.) 775count=`grep -c "keyid: " rndc.out.$n` 776[ "$count" -eq 2 ] || ret=1 777# two lines indicating trust status 778count=`grep -c "trust" rndc.out.$n` 779[ "$count" -eq 2 ] || ret=1 780 781n=`expr $n + 1` 782echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)" 783ret=0 784cp ns1/root.db ns1/root.db.orig 785ksk=`cat ns1/managed.key` 786zsk=`cat ns1/zone.key` 787cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db 788grep "\..*IN.*DNSKEY.*257 3 255" ns1/root.db > /dev/null || ret=1 789$SIGNER -K ns1 -N unixtime -o . ns1/root.db $ksk $zsk > /dev/null 2>/dev/null || ret=1 790grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1 791cp ns1/root.db.orig ns1/root.db 792if [ $ret != 0 ]; then echo_i "failed"; fi 793status=`expr $status + $ret` 794 795n=`expr $n + 1` 796echo_i "skipping unsupported algorithm in rollover ($n)" 797ret=0 798mkeys_reload_on 1 799mkeys_refresh_on 6 800mkeys_status_on 6 > rndc.out.$n 2>&1 801# there should still be only two keys listed (for . and rsasha256.) 802count=`grep -c "keyid: " rndc.out.$n` 803[ "$count" -eq 2 ] || ret=1 804# two lines indicating trust status 805count=`grep -c "trust" rndc.out.$n` 806[ "$count" -eq 2 ] || ret=1 807# log when an unsupported algorithm is encountered during rollover 808wait_for_log "Cannot compute tag for key in zone \.: algorithm is unsupported" ns6/named.run 809if [ $ret != 0 ]; then echo_i "failed"; fi 810status=`expr $status + $ret` 811 812n=`expr $n + 1` 813echo_i "check 'rndc managed-keys' and views ($n)" 814ret=0 815$RNDCCMD 10.53.0.7 managed-keys refresh in view1 > rndc.out.ns7.view1.test$n || ret=1 816grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n > /dev/null || ret=1 817lines=`wc -l < rndc.out.ns7.view1.test$n` 818[ $lines -eq 1 ] || ret=1 819$RNDCCMD 10.53.0.7 managed-keys refresh > rndc.out.ns7.view2.test$n || ret=1 820lines=`wc -l < rndc.out.ns7.view2.test$n` 821grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n > /dev/null || ret=1 822grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null || ret=1 823[ $lines -eq 2 ] || ret=1 824if [ $ret != 0 ]; then echo_i "failed"; fi 825status=`expr $status + $ret` 826 827echo_i "exit status: $status" 828[ $status -eq 0 ] || exit 1 829