tests.sh revision 1.1.1.4 
1#!/bin/sh
2#
3# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
4#
5# This Source Code Form is subject to the terms of the Mozilla Public
6# License, v. 2.0. If a copy of the MPL was not distributed with this
7# file, You can obtain one at http://mozilla.org/MPL/2.0/.
8#
9# See the COPYRIGHT file distributed with this work for additional
10# information regarding copyright ownership.
11
12SYSTEMTESTTOP=..
13. $SYSTEMTESTTOP/conf.sh
14
15DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
16DELVOPTS="-a ns1/trusted.conf -p ${PORT}"
17RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
18
19wait_for_log() {
20	msg=$1
21	file=$2
22	for i in 1 2 3 4 5 6 7 8 9 10; do
23		nextpart "$file" | grep "$msg" > /dev/null && return
24		sleep 1
25	done
26	echo_i "exceeded time limit waiting for '$msg' in $file"
27	ret=1
28}
29
30mkeys_reconfig_on() {
31	nsidx=$1
32	$RNDCCMD 10.53.0.${nsidx} reconfig . | sed "s/^/ns${nsidx} /" | cat_i
33}
34
35mkeys_reload_on() {
36	nsidx=$1
37	nextpart ns${nsidx}/named.run > /dev/null
38	rndc_reload ns${nsidx} 10.53.0.${nsidx}
39	wait_for_log "loaded serial" ns${nsidx}/named.run
40}
41
42mkeys_loadkeys_on() {
43	nsidx=$1
44	nextpart ns${nsidx}/named.run > /dev/null
45	$RNDCCMD 10.53.0.${nsidx} loadkeys . | sed "s/^/ns${nsidx} /" | cat_i
46	wait_for_log "next key event" ns${nsidx}/named.run
47}
48
49mkeys_refresh_on() {
50	nsidx=$1
51	nextpart ns${nsidx}/named.run > /dev/null
52	$RNDCCMD 10.53.0.${nsidx} managed-keys refresh | sed "s/^/ns${nsidx} /" | cat_i
53	wait_for_log "Returned from key fetch in keyfetch_done()" ns${nsidx}/named.run
54}
55
56mkeys_sync_on() {
57	# No race with mkeys_refresh_on() is possible as even if the latter
58	# returns immediately after the expected log message is written, the
59	# managed-keys zone is already locked and the command below calls
60	# dns_zone_flush(), which also attempts to take that zone's lock
61	nsidx=$1
62	nextpart ns${nsidx}/named.run > /dev/null
63	$RNDCCMD 10.53.0.${nsidx} managed-keys sync | sed "s/^/ns${nsidx} /" | cat_i
64	wait_for_log "dump_done" ns${nsidx}/named.run
65}
66
67mkeys_status_on() {
68	# No race with mkeys_refresh_on() is possible as even if the latter
69	# returns immediately after the expected log message is written, the
70	# managed-keys zone is already locked and the command below calls
71	# mkey_status(), which in turn calls dns_zone_getrefreshkeytime(),
72	# which also attempts to take that zone's lock
73	nsidx=$1
74	$RNDCCMD 10.53.0.${nsidx} managed-keys status
75}
76
77mkeys_flush_on() {
78	nsidx=$1
79	$RNDCCMD 10.53.0.${nsidx} flush | sed "s/^/ns${nsidx} /" | cat_i
80}
81
82mkeys_secroots_on() {
83	nsidx=$1
84	$RNDCCMD 10.53.0.${nsidx} secroots | sed "s/^/ns${nsidx} /" | cat_i
85}
86
87original=`cat ns1/managed.key`
88originalid=`cat ns1/managed.key.id`
89
90status=0
91n=1
92
93rm -f dig.out.*
94
95echo_i "check for signed record ($n)"
96ret=0
97$DIG $DIGOPTS +norec example.  @10.53.0.1 TXT > dig.out.ns1.test$n || ret=1
98grep "^example\.[ 	]*[0-9].*[ 	]*IN[ 	]*TXT[ 	]*\"This is a test\.\"" dig.out.ns1.test$n > /dev/null || ret=1
99grep "^example\.[ 	]*[0-9].*[ 	]*IN[ 	]*RRSIG[ 	]*TXT[ 	]" dig.out.ns1.test$n > /dev/null || ret=1
100if [ $ret != 0 ]; then echo_i "failed"; fi
101status=`expr $status + $ret`
102
103n=`expr $n + 1`
104echo_i "check positive validation with valid trust anchor ($n)"
105ret=0
106$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
107grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
108grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
109if [ $ret != 0 ]; then echo_i "failed"; fi
110status=`expr $status + $ret`
111
112n=`expr $n + 1`
113ret=0
114echo_i "check positive validation using delv ($n)"
115$DELV $DELVOPTS @10.53.0.1 txt example > delv.out$n || ret=1
116grep "; fully validated" delv.out$n > /dev/null || ret=1	# redundant
117grep "example..*TXT.*This is a test" delv.out$n > /dev/null || ret=1
118grep "example..*.RRSIG..*TXT" delv.out$n > /dev/null || ret=1
119if [ $ret != 0 ]; then echo_i "failed"; fi
120status=`expr $status + $ret`
121
122n=`expr $n + 1`
123echo_i "check for failed validation due to wrong key in managed-keys ($n)"
124ret=0
125$DIG $DIGOPTS +noauth example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
126grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
127grep "example..*.RRSIG..*TXT" dig.out.ns3.test$n > /dev/null && ret=1
128grep "opcode: QUERY, status: SERVFAIL, id" dig.out.ns3.test$n > /dev/null || ret=1
129if [ $ret != 0 ]; then echo_i "failed"; fi
130status=`expr $status + $ret`
131
132n=`expr $n + 1`
133echo_i "check new trust anchor can be added ($n)"
134ret=0
135standby1=`$KEYGEN -a rsasha256 -qfk -K ns1 .`
136mkeys_loadkeys_on 1
137mkeys_refresh_on 2
138mkeys_status_on 2 > rndc.out.$n 2>&1
139# there should be two keys listed now
140count=`grep -c "keyid: " rndc.out.$n`
141[ "$count" -eq 2 ] || ret=1
142# two lines indicating trust status
143count=`grep -c "trust" rndc.out.$n`
144[ "$count" -eq 2 ] || ret=1
145# one indicates current trust
146count=`grep -c "trusted since" rndc.out.$n`
147[ "$count" -eq 1 ] || ret=1
148# one indicates pending trust
149count=`grep -c "trust pending" rndc.out.$n`
150[ "$count" -eq 1 ] || ret=1
151if [ $ret != 0 ]; then echo_i "failed"; fi
152status=`expr $status + $ret`
153
154n=`expr $n + 1`
155echo_i "check new trust anchor can't be added with bad initial key ($n)"
156ret=0
157mkeys_refresh_on 3
158mkeys_status_on 3 > rndc.out.$n 2>&1
159# there should be one key listed now
160count=`grep -c "keyid: " rndc.out.$n`
161[ "$count" -eq 1 ] || ret=1
162# one line indicating trust status
163count=`grep -c "trust" rndc.out.$n`
164[ "$count" -eq 1 ] || ret=1
165# ... and the key is not trusted
166count=`grep -c "no trust" rndc.out.$n`
167[ "$count" -eq 1 ] || ret=1
168if [ $ret != 0 ]; then echo_i "failed"; fi
169status=`expr $status + $ret`
170
171n=`expr $n + 1`
172echo_i "remove untrusted standby key, check timer restarts ($n)"
173ret=0
174mkeys_sync_on 2
175t1=`grep "trust pending" ns2/managed-keys.bind`
176$SETTIME -D now -K ns1 $standby1 > /dev/null
177mkeys_loadkeys_on 1
178# Less than a second may have passed since the last time ns2 received a
179# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
180# timestamp to prevent false negatives caused by the acceptance timer getting
181# reset to the same timestamp.
182sleep 1
183mkeys_refresh_on 2
184mkeys_sync_on 2
185t2=`grep "trust pending" ns2/managed-keys.bind`
186# trust pending date must be different
187[ -n "$t2" ] || ret=1
188[ "$t1" = "$t2" ] && ret=1
189if [ $ret != 0 ]; then echo_i "failed"; fi
190status=`expr $status + $ret`
191
192n=`expr $n + 1`
193ret=0
194echo_i "restore untrusted standby key, revoke original key ($n)"
195t1=$t2
196$SETTIME -D none -K ns1 $standby1 > /dev/null
197$SETTIME -R now -K ns1 $original > /dev/null
198mkeys_loadkeys_on 1
199# Less than a second may have passed since the last time ns2 received a
200# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
201# timestamp to prevent false negatives caused by the acceptance timer getting
202# reset to the same timestamp.
203sleep 1
204mkeys_refresh_on 2
205mkeys_sync_on 2
206mkeys_status_on 2 > rndc.out.$n 2>&1
207# two keys listed
208count=`grep -c "keyid: " rndc.out.$n`
209[ "$count" -eq 2 ] || ret=1
210# two lines indicating trust status
211count=`grep -c "trust" rndc.out.$n`
212[ "$count" -eq 2 ] || ret=1
213# trust is revoked
214count=`grep -c "trust revoked" rndc.out.$n`
215[ "$count" -eq 1 ] || ret=1
216# removal scheduled
217count=`grep -c "remove at" rndc.out.$n`
218[ "$count" -eq 1 ] || ret=1
219# trust is still pending on the standby key
220count=`grep -c "trust pending" rndc.out.$n`
221[ "$count" -eq 1 ] || ret=1
222# pending date moved forward for the standby key
223t2=`grep "trust pending" ns2/managed-keys.bind`
224[ -n "$t2" ] || ret=1
225[ "$t1" = "$t2" ] && ret=1
226if [ $ret != 0 ]; then echo_i "failed"; fi
227status=`expr $status + $ret`
228
229n=`expr $n + 1`
230ret=0
231echo_i "refresh managed-keys, ensure same result ($n)"
232t1=$t2
233# Less than a second may have passed since the last time ns2 received a
234# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
235# timestamp to prevent false negatives caused by the acceptance timer getting
236# reset to the same timestamp.
237sleep 1
238mkeys_refresh_on 2
239mkeys_sync_on 2
240mkeys_status_on 2 > rndc.out.$n 2>&1
241# two keys listed
242count=`grep -c "keyid: " rndc.out.$n`
243[ "$count" -eq 2 ] || ret=1
244# two lines indicating trust status
245count=`grep -c "trust" rndc.out.$n`
246[ "$count" -eq 2 ] || ret=1
247# trust is revoked
248count=`grep -c "trust revoked" rndc.out.$n`
249[ "$count" -eq 1 ] || ret=1
250# removal scheduled
251count=`grep -c "remove at" rndc.out.$n`
252[ "$count" -eq 1 ] || ret=1
253# trust is still pending on the standby key
254count=`grep -c "trust pending" rndc.out.$n`
255[ "$count" -eq 1 ] || ret=1
256# pending date moved forward for the standby key
257t2=`grep "trust pending" ns2/managed-keys.bind`
258[ -n "$t2" ] || ret=1
259[ "$t1" = "$t2" ] && ret=1
260if [ $ret != 0 ]; then echo_i "failed"; fi
261status=`expr $status + $ret`
262
263n=`expr $n + 1`
264ret=0
265echo_i "restore revoked key, ensure same result ($n)"
266t1=$t2
267$SETTIME -R none -D now -K ns1 $original > /dev/null
268mkeys_loadkeys_on 1
269$SETTIME -D none -K ns1 $original > /dev/null
270mkeys_loadkeys_on 1
271# Less than a second may have passed since the last time ns2 received a
272# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
273# timestamp to prevent false negatives caused by the acceptance timer getting
274# reset to the same timestamp.
275sleep 1
276mkeys_refresh_on 2
277mkeys_sync_on 2
278mkeys_status_on 2 > rndc.out.$n 2>&1
279# two keys listed
280count=`grep -c "keyid: " rndc.out.$n`
281[ "$count" -eq 2 ] || ret=1
282# two lines indicating trust status
283count=`grep -c "trust" rndc.out.$n`
284[ "$count" -eq 2 ] || ret=1
285# trust is revoked
286count=`grep -c "trust revoked" rndc.out.$n`
287[ "$count" -eq 1 ] || ret=1
288# removal scheduled
289count=`grep -c "remove at" rndc.out.$n`
290[ "$count" -eq 1 ] || ret=1
291# trust is still pending on the standby key
292count=`grep -c "trust pending" rndc.out.$n`
293[ "$count" -eq 1 ] || ret=1
294# pending date moved forward for the standby key
295t2=`grep "trust pending" ns2/managed-keys.bind`
296[ -n "$t2" ] || ret=1
297[ "$t1" = "$t2" ] && ret=1
298if [ $ret != 0 ]; then echo_i "failed"; fi
299status=`expr $status + $ret`
300
301echo_i "reinitialize trust anchors, add second key to bind.keys"
302$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns2
303rm -f ns2/managed-keys.bind*
304keyfile_to_managed_keys ns1/$original ns1/$standby1 > ns2/managed.conf
305nextpart ns2/named.run > /dev/null
306$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns2
307
308n=`expr $n + 1`
309echo_i "check that no key from bind.keys is marked as an initializing key ($n)"
310ret=0
311wait_for_log "Returned from key fetch in keyfetch_done()" ns2/named.run
312mkeys_secroots_on 2
313grep '; initializing' ns2/named.secroots > /dev/null 2>&1 && ret=1
314if [ $ret != 0 ]; then echo_i "failed"; fi
315status=`expr $status + $ret`
316
317echo_i "reinitialize trust anchors, revert to one key in bind.keys"
318$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns2
319rm -f ns2/managed-keys.bind*
320mv ns2/managed1.conf ns2/managed.conf
321nextpart ns2/named.run > /dev/null
322$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns2
323
324n=`expr $n + 1`
325echo_i "check that standby key is now trusted ($n)"
326ret=0
327wait_for_log "Returned from key fetch in keyfetch_done()" ns2/named.run
328mkeys_status_on 2 > rndc.out.$n 2>&1
329# two keys listed
330count=`grep -c "keyid: " rndc.out.$n`
331[ "$count" -eq 2 ] || ret=1
332# two lines indicating trust status
333count=`grep -c "trust" rndc.out.$n`
334[ "$count" -eq 2 ] || ret=1
335# both indicate current trust
336count=`grep -c "trusted since" rndc.out.$n`
337[ "$count" -eq 2 ] || ret=1
338if [ $ret != 0 ]; then echo_i "failed"; fi
339status=`expr $status + $ret`
340
341n=`expr $n + 1`
342echo_i "revoke original key, add new standby ($n)"
343ret=0
344standby2=`$KEYGEN -a rsasha256 -qfk -K ns1 .`
345$SETTIME -R now -K ns1 $original > /dev/null
346mkeys_loadkeys_on 1
347mkeys_refresh_on 2
348mkeys_status_on 2 > rndc.out.$n 2>&1
349# three keys listed
350count=`grep -c "keyid: " rndc.out.$n`
351[ "$count" -eq 3 ] || ret=1
352# one is revoked
353count=`grep -c "REVOKE" rndc.out.$n`
354[ "$count" -eq 1 ] || ret=1
355# three lines indicating trust status
356count=`grep -c "trust" rndc.out.$n`
357[ "$count" -eq 3 ] || ret=1
358# one indicates current trust
359count=`grep -c "trusted since" rndc.out.$n`
360[ "$count" -eq 1 ] || ret=1
361# one indicates revoked trust
362count=`grep -c "trust revoked" rndc.out.$n`
363[ "$count" -eq 1 ] || ret=1
364# one indicates trust pending
365count=`grep -c "trust pending" rndc.out.$n`
366[ "$count" -eq 1 ] || ret=1
367# removal scheduled
368count=`grep -c "remove at" rndc.out.$n`
369[ "$count" -eq 1 ] || ret=1
370if [ $ret != 0 ]; then echo_i "failed"; fi
371status=`expr $status + $ret`
372
373n=`expr $n + 1`
374echo_i "revoke standby before it is trusted ($n)"
375ret=0
376standby3=`$KEYGEN -a rsasha256 -qfk -K ns1 .`
377mkeys_loadkeys_on 1
378mkeys_refresh_on 2
379mkeys_status_on 2 > rndc.out.a.$n 2>&1
380# four keys listed
381count=`grep -c "keyid: " rndc.out.a.$n`
382[ "$count" -eq 4 ] || { echo "keyid: count ($count) != 4"; ret=1; }
383# one revoked
384count=`grep -c "trust revoked" rndc.out.a.$n`
385[ "$count" -eq 1 ] || { echo "trust revoked count ($count) != 1"; ret=1; }
386# two pending
387count=`grep -c "trust pending" rndc.out.a.$n`
388[ "$count" -eq 2 ] || { echo "trust pending count ($count) != 2"; ret=1; }
389$SETTIME -R now -K ns1 $standby3 > /dev/null
390mkeys_loadkeys_on 1
391mkeys_refresh_on 2
392mkeys_status_on 2 > rndc.out.b.$n 2>&1
393# now three keys listed
394count=`grep -c "keyid: " rndc.out.b.$n`
395[ "$count" -eq 3 ] || { echo "keyid: count ($count) != 3"; ret=1; }
396# one revoked
397count=`grep -c "trust revoked" rndc.out.b.$n`
398[ "$count" -eq 1 ] || { echo "trust revoked count ($count) != 1"; ret=1; }
399# one pending
400count=`grep -c "trust pending" rndc.out.b.$n`
401[ "$count" -eq 1 ] || { echo "trust pending count ($count) != 1"; ret=1; }
402$SETTIME -D now -K ns1 $standby3 > /dev/null
403mkeys_loadkeys_on 1
404if [ $ret != 0 ]; then echo_i "failed"; fi
405status=`expr $status + $ret`
406
407n=`expr $n + 1`
408echo_i "wait 20 seconds for key add/remove holddowns to expire ($n)"
409ret=0
410sleep 20
411mkeys_refresh_on 2
412mkeys_status_on 2 > rndc.out.$n 2>&1
413# two keys listed
414count=`grep -c "keyid: " rndc.out.$n`
415[ "$count" -eq 2 ] || ret=1
416# none revoked
417count=`grep -c "REVOKE" rndc.out.$n`
418[ "$count" -eq 0 ] || ret=1
419# two lines indicating trust status
420count=`grep -c "trust" rndc.out.$n`
421[ "$count" -eq 2 ] || ret=1
422# both indicate current trust
423count=`grep -c "trusted since" rndc.out.$n`
424[ "$count" -eq 2 ] || ret=1
425if [ $ret != 0 ]; then echo_i "failed"; fi
426status=`expr $status + $ret`
427
428n=`expr $n + 1`
429echo_i "revoke all keys, confirm roll to insecure ($n)"
430ret=0
431$SETTIME -D now -K ns1 $original > /dev/null
432$SETTIME -R now -K ns1 $standby1 > /dev/null
433$SETTIME -R now -K ns1 $standby2 > /dev/null
434mkeys_loadkeys_on 1
435mkeys_refresh_on 2
436mkeys_status_on 2 > rndc.out.$n 2>&1
437# two keys listed
438count=`grep -c "keyid: " rndc.out.$n`
439[ "$count" -eq 2 ] || ret=1
440# both revoked
441count=`grep -c "REVOKE" rndc.out.$n`
442[ "$count" -eq 2 ] || ret=1
443# two lines indicating trust status
444count=`grep -c "trust" rndc.out.$n`
445[ "$count" -eq 2 ] || ret=1
446# both indicate trust revoked
447count=`grep -c "trust revoked" rndc.out.$n`
448[ "$count" -eq 2 ] || ret=1
449# both have removal scheduled
450count=`grep -c "remove at" rndc.out.$n`
451[ "$count" -eq 2 ] || ret=1
452if [ $ret != 0 ]; then echo_i "failed"; fi
453status=`expr $status + $ret`
454
455n=`expr $n + 1`
456echo_i "check for insecure response ($n)"
457ret=0
458mkeys_refresh_on 2
459$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
460grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
461grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
462grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
463if [ $ret != 0 ]; then echo_i "failed"; fi
464status=`expr $status + $ret`
465
466echo_i "reset the root server"
467$SETTIME -D none -R none -K ns1 $original > /dev/null
468$SETTIME -D now -K ns1 $standby1 > /dev/null
469$SETTIME -D now -K ns1 $standby2 > /dev/null
470$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null
471copy_setports ns1/named2.conf.in ns1/named.conf
472rm -f ns1/root.db.signed.jnl
473mkeys_reconfig_on 1
474
475echo_i "reinitialize trust anchors"
476$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns2
477rm -f ns2/managed-keys.bind*
478nextpart ns2/named.run > /dev/null
479$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns2
480
481n=`expr $n + 1`
482echo_i "check positive validation ($n)"
483ret=0
484wait_for_log "Returned from key fetch in keyfetch_done()" ns2/named.run
485$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
486grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
487grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
488if [ $ret != 0 ]; then echo_i "failed"; fi
489status=`expr $status + $ret`
490
491n=`expr $n + 1`
492echo_i "revoke key with bad signature, check revocation is ignored ($n)"
493ret=0
494revoked=`$REVOKE -K ns1 $original`
495rkeyid=$(keyfile_to_key_id $revoked)
496rm -f ns1/root.db.signed.jnl
497# We need to activate at least one valid DNSKEY to prevent dnssec-signzone from
498# failing.  Alternatively, we could use -P to disable post-sign verification,
499# but we actually do want post-sign verification to happen to ensure the zone
500# is correct before we break it on purpose.
501$SETTIME -R none -D none -K ns1 $standby1 > /dev/null
502$SIGNER -Sg -K ns1 -N unixtime -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>/dev/null
503cp -f ns1/root.db.signed ns1/root.db.tmp
504BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg=="
505# Less than a second may have passed since ns1 was started.  If we call
506# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the
507# subsequent "rndc reload ." call on platforms which do not set the
508# "nanoseconds" field of isc_time_t, due to zone load time being seemingly
509# equal to master file modification time.
510sleep 1
511sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n > ns1/root.db.signed
512mkeys_reload_on 1
513mkeys_refresh_on 2
514mkeys_status_on 2 > rndc.out.$n 2>&1
515# one key listed
516count=`grep -c "keyid: " rndc.out.$n`
517[ "$count" -eq 1 ] || { echo "'keyid:' count ($count) != 1"; ret=1; }
518# it's the original key id
519count=`grep -c "keyid: $originalid" rndc.out.$n`
520[ "$count" -eq 1 ] || { echo "'keyid: $originalid' count ($count) != 1"; ret=1; }
521# not revoked
522count=`grep -c "REVOKE" rndc.out.$n`
523[ "$count" -eq 0 ] || { echo "'REVOKE' count ($count) != 0"; ret=1; }
524# trust is still current
525count=`grep -c "trust" rndc.out.$n`
526[ "$count" -eq 1 ] || { echo "'trust' count != 1"; ret=1; }
527count=`grep -c "trusted since" rndc.out.$n`
528[ "$count" -eq 1 ] || { echo "'trusted since' count != 1"; ret=1; }
529if [ $ret != 0 ]; then echo_i "failed"; fi
530status=`expr $status + $ret`
531
532n=`expr $n + 1`
533echo_i "check validation fails with bad DNSKEY rrset ($n)"
534ret=0
535mkeys_flush_on 2
536$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
537grep "status: SERVFAIL" dig.out.ns2.test$n > /dev/null || ret=1
538if [ $ret != 0 ]; then echo_i "failed"; fi
539status=`expr $status + $ret`
540
541n=`expr $n + 1`
542echo_i "restore DNSKEY rrset, check validation succeeds again ($n)"
543ret=0
544rm -f ${revoked}.key ${revoked}.private
545rm -f ns1/root.db.signed.jnl
546$SETTIME -D none -R none -K ns1 $original > /dev/null
547$SETTIME -D now -K ns1 $standby1 > /dev/null
548# Less than a second may have passed since ns1 was started.  If we call
549# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the
550# subsequent "rndc reload ." call on platforms which do not set the
551# "nanoseconds" field of isc_time_t, due to zone load time being seemingly
552# equal to master file modification time.
553sleep 1
554$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null
555mkeys_reload_on 1
556mkeys_flush_on 2
557$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
558grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
559grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
560if [ $ret != 0 ]; then echo_i "failed"; fi
561status=`expr $status + $ret`
562
563n=`expr $n + 1`
564echo_i "reset the root server with no keys, check for minimal update ($n)"
565ret=0
566# Refresh keys first to prevent previous checks from influencing this one.
567# Note that we might still get occasional false negatives on some really slow
568# machines, when $t1 equals $t2 due to the time elapsed between "rndc
569# managed-keys status" calls being equal to the normal active refresh period
570# (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as
571# set using -T mkeytimers).
572mkeys_refresh_on 2
573mkeys_status_on 2 > rndc.out.$n 2>&1
574t1=`grep 'next refresh:' rndc.out.$n`
575$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns1
576rm -f ns1/root.db.signed.jnl
577cp ns1/root.db ns1/root.db.signed
578nextpart ns1/named.run > /dev/null
579$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns1
580wait_for_log "loaded serial" ns1/named.run
581mkeys_refresh_on 2
582mkeys_status_on 2 > rndc.out.$n 2>&1
583# one key listed
584count=`grep -c "keyid: " rndc.out.$n`
585[ "$count" -eq 1 ] || ret=1
586# it's the original key id
587count=`grep -c "keyid: $originalid" rndc.out.$n`
588[ "$count" -eq 1 ] || ret=1
589# not revoked
590count=`grep -c "REVOKE" rndc.out.$n`
591[ "$count" -eq 0 ] || ret=1
592# trust is still current
593count=`grep -c "trust" rndc.out.$n`
594[ "$count" -eq 1 ] || ret=1
595count=`grep -c "trusted since" rndc.out.$n`
596[ "$count" -eq 1 ] || ret=1
597t2=`grep 'next refresh:' rndc.out.$n`
598[ "$t1" = "$t2" ] && ret=1
599if [ $ret != 0 ]; then echo_i "failed"; fi
600status=`expr $status + $ret`
601
602n=`expr $n + 1`
603echo_i "reset the root server with no signatures, check for minimal update ($n)"
604ret=0
605# Refresh keys first to prevent previous checks from influencing this one
606mkeys_refresh_on 2
607mkeys_status_on 2 > rndc.out.$n 2>&1
608t1=`grep 'next refresh:' rndc.out.$n`
609$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns1
610rm -f ns1/root.db.signed.jnl
611cat ns1/K*.key >> ns1/root.db.signed
612nextpart ns1/named.run > /dev/null
613$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns1
614wait_for_log "loaded serial" ns1/named.run
615# Less than a second may have passed since the last time ns2 received a
616# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
617# timestamp to prevent minimal update from resetting it to the same timestamp.
618sleep 1
619mkeys_refresh_on 2
620mkeys_status_on 2 > rndc.out.$n 2>&1
621# one key listed
622count=`grep -c "keyid: " rndc.out.$n`
623[ "$count" -eq 1 ] || ret=1
624# it's the original key id
625count=`grep -c "keyid: $originalid" rndc.out.$n`
626[ "$count" -eq 1 ] || ret=1
627# not revoked
628count=`grep -c "REVOKE" rndc.out.$n`
629[ "$count" -eq 0 ] || ret=1
630# trust is still current
631count=`grep -c "trust" rndc.out.$n`
632[ "$count" -eq 1 ] || ret=1
633count=`grep -c "trusted since" rndc.out.$n`
634[ "$count" -eq 1 ] || ret=1
635t2=`grep 'next refresh:' rndc.out.$n`
636[ "$t1" = "$t2" ] && ret=1
637if [ $ret != 0 ]; then echo_i "failed"; fi
638status=`expr $status + $ret`
639
640n=`expr $n + 1`
641echo_i "restore root server, check validation succeeds again ($n)"
642ret=0
643rm -f ns1/root.db.signed.jnl
644$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null
645mkeys_reload_on 1
646mkeys_refresh_on 2
647mkeys_status_on 2 > rndc.out.$n 2>&1
648$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
649grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
650grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
651if [ $ret != 0 ]; then echo_i "failed"; fi
652status=`expr $status + $ret`
653
654n=`expr $n + 1`
655echo_i "check that trust-anchor-telemetry queries are logged ($n)"
656ret=0
657grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run > /dev/null || ret=1
658if [ $ret != 0 ]; then echo_i "failed"; fi
659status=`expr $status + $ret`
660
661n=`expr $n + 1`
662echo_i "check that trust-anchor-telemetry queries are received ($n)"
663ret=0
664grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run > /dev/null || ret=1
665if [ $ret != 0 ]; then echo_i "failed"; fi
666status=`expr $status + $ret`
667
668n=`expr $n + 1`
669echo_i "check 'rndc-managed-keys destroy' ($n)"
670ret=0
671$RNDCCMD 10.53.0.2 managed-keys destroy | sed 's/^/ns2 /' | cat_i
672mkeys_status_on 2 > rndc.out.$n 2>&1
673grep "no views with managed keys" rndc.out.$n > /dev/null || ret=1
674mkeys_reconfig_on 2
675mkeys_status_on 2 > rndc.out.$n 2>&1
676grep "name: \." rndc.out.$n > /dev/null || ret=1
677if [ $ret != 0 ]; then echo_i "failed"; fi
678status=`expr $status + $ret`
679
680n=`expr $n + 1`
681echo_i "check that trust-anchor-telemetry queries contain the correct key ($n)"
682ret=0
683# convert the hexadecimal key from the TAT query into decimal and
684# compare against the known key.
685tathex=`grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run | awk '{print $6; exit 0}' | sed -e 's/(_ta-\([0-9a-f][0-9a-f]*\)):/\1/'`
686tatkey=`$PERL -e 'printf("%d\n", hex(@ARGV[0]));' $tathex`
687realkey=`$RNDCCMD 10.53.0.2 secroots - | sed -n 's#.*SHA256/\([0-9][0-9]*\) ; .*managed.*#\1#p'`
688[ "$tatkey" -eq "$realkey" ] || ret=1
689if [ $ret != 0 ]; then echo_i "failed"; fi
690status=`expr $status + $ret`
691
692n=`expr $n + 1`
693echo_i "check initialization fails if managed-keys can't be created ($n)"
694ret=0
695mkeys_secroots_on 4
696grep '; initializing managed' ns4/named.secroots > /dev/null 2>&1 || ret=1
697grep '; managed' ns4/named.secroots > /dev/null 2>&1 && ret=1
698grep '; trusted' ns4/named.secroots > /dev/null 2>&1 && ret=1
699if [ $ret != 0 ]; then echo_i "failed"; fi
700status=`expr $status + $ret`
701
702n=`expr $n + 1`
703echo_i "check failure to contact root servers does not prevent key refreshes after restart ($n)"
704ret=0
705# By the time we get here, ns5 should have attempted refreshing its managed
706# keys.  These attempts should fail as ns1 is configured to REFUSE all queries
707# from ns5.  Note that named1.args does not contain "-T mkeytimers"; this is to
708# ensure key refresh retry will be scheduled to one actual hour after the first
709# key refresh failure instead of just a few seconds, in order to prevent races
710# between the next scheduled key refresh time and startup time of restarted ns5.
711$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns5
712nextpart ns5/named.run > /dev/null
713$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns5
714wait_for_log "Returned from key fetch in keyfetch_done()" ns5/named.run
715# ns5/named.run will contain logs from both the old instance and the new
716# instance.  In order for the test to pass, both must attempt a fetch.
717count=`grep -c "Creating key fetch" ns5/named.run`
718[ $count -lt 2 ] && ret=1
719if [ $ret != 0 ]; then echo_i "failed"; fi
720status=`expr $status + $ret`
721
722n=`expr $n + 1`
723echo_i "check key refreshes are resumed after root servers become available ($n)"
724ret=0
725$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns5
726# Prevent previous check from affecting this one
727rm -f ns5/managed-keys.bind*
728# named2.args adds "-T mkeytimers=2/20/40" to named1.args as we need to wait for
729# an "hour" until keys are refreshed again after initial failure
730cp ns5/named2.args ns5/named.args
731nextpart ns5/named.run > /dev/null
732$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns5
733wait_for_log "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run
734mkeys_secroots_on 5
735grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1
736# ns1 should still REFUSE queries from ns5, so resolving should be impossible
737$DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.a.test$n || ret=1
738grep "flags:.*ad.*QUERY" dig.out.ns5.a.test$n > /dev/null && ret=1
739grep "example..*.RRSIG..*TXT" dig.out.ns5.a.test$n > /dev/null && ret=1
740grep "status: SERVFAIL" dig.out.ns5.a.test$n > /dev/null || ret=1
741# Allow queries from ns5 to ns1
742copy_setports ns1/named3.conf.in ns1/named.conf
743rm -f ns1/root.db.signed.jnl
744nextpart ns5/named.run > /dev/null
745mkeys_reconfig_on 1
746wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run
747mkeys_secroots_on 5
748grep '; managed' ns5/named.secroots > /dev/null || ret=1
749# ns1 should not longer REFUSE queries from ns5, so managed keys should be
750# correctly refreshed and resolving should succeed
751$DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1
752grep "flags:.*ad.*QUERY" dig.out.ns5.b.test$n > /dev/null || ret=1
753grep "example..*.RRSIG..*TXT" dig.out.ns5.b.test$n > /dev/null || ret=1
754grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1
755if [ $ret != 0 ]; then echo_i "failed"; fi
756status=`expr $status + $ret`
757
758n=`expr $n + 1`
759echo_i "reinitialize trust anchors, add unsupported algorithm ($n)"
760ret=0
761$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6
762rm -f ns6/managed-keys.bind*
763nextpart ns6/named.run > /dev/null
764$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6
765# log when an unsupported algorithm is encountered during startup
766wait_for_log "ignoring managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run
767if [ $ret != 0 ]; then echo_i "failed"; fi
768status=`expr $status + $ret`
769
770n=`expr $n + 1`
771echo_i "ignoring unsupported algorithm in managed-keys ($n)"
772ret=0
773mkeys_status_on 6 > rndc.out.$n 2>&1
774# there should still be only two keys listed (for . and rsasha256.)
775count=`grep -c "keyid: " rndc.out.$n`
776[ "$count" -eq 2 ] || ret=1
777# two lines indicating trust status
778count=`grep -c "trust" rndc.out.$n`
779[ "$count" -eq 2 ] || ret=1
780
781n=`expr $n + 1`
782echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)"
783ret=0
784cp ns1/root.db ns1/root.db.orig
785ksk=`cat ns1/managed.key`
786zsk=`cat ns1/zone.key`
787cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db
788grep "\..*IN.*DNSKEY.*257 3 255" ns1/root.db > /dev/null || ret=1
789$SIGNER -K ns1 -N unixtime -o . ns1/root.db $ksk $zsk > /dev/null 2>/dev/null || ret=1
790grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1
791cp ns1/root.db.orig ns1/root.db
792if [ $ret != 0 ]; then echo_i "failed"; fi
793status=`expr $status + $ret`
794
795n=`expr $n + 1`
796echo_i "ignoring unsupported algorithm in rollover ($n)"
797ret=0
798mkeys_reload_on 1
799mkeys_refresh_on 6
800mkeys_status_on 6 > rndc.out.$n 2>&1
801# there should still be only two keys listed (for . and rsasha256.)
802count=`grep -c "keyid: " rndc.out.$n`
803[ "$count" -eq 2 ] || ret=1
804# two lines indicating trust status
805count=`grep -c "trust" rndc.out.$n`
806[ "$count" -eq 2 ] || ret=1
807# log when an unsupported algorithm is encountered during rollover
808wait_for_log "Cannot compute tag for key in zone \.: algorithm is unsupported" ns6/named.run
809if [ $ret != 0 ]; then echo_i "failed"; fi
810status=`expr $status + $ret`
811
812n=`expr $n + 1`
813echo_i "check 'rndc managed-keys' and views ($n)"
814ret=0
815$RNDCCMD 10.53.0.7 managed-keys refresh in view1 > rndc.out.ns7.view1.test$n || ret=1
816grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n > /dev/null || ret=1
817lines=`wc -l < rndc.out.ns7.view1.test$n`
818[ $lines -eq 1 ] || ret=1
819$RNDCCMD 10.53.0.7 managed-keys refresh > rndc.out.ns7.view2.test$n || ret=1
820lines=`wc -l < rndc.out.ns7.view2.test$n`
821grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n > /dev/null || ret=1
822grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null || ret=1
823[ $lines -eq 2 ] || ret=1
824if [ $ret != 0 ]; then echo_i "failed"; fi
825status=`expr $status + $ret`
826
827echo_i "exit status: $status"
828[ $status -eq 0 ] || exit 1
829