tests.sh revision 1.1.1.6 
1#!/bin/sh
2#
3# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
4#
5# This Source Code Form is subject to the terms of the Mozilla Public
6# License, v. 2.0. If a copy of the MPL was not distributed with this
7# file, you can obtain one at https://mozilla.org/MPL/2.0/.
8#
9# See the COPYRIGHT file distributed with this work for additional
10# information regarding copyright ownership.
11
12set -e
13
14SYSTEMTESTTOP=..
15#shellcheck source=conf.sh
16. "$SYSTEMTESTTOP/conf.sh"
17
18dig_with_opts() (
19	"$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "${PORT}" "$@"
20)
21
22delv_with_opts() (
23	"$DELV" -a ns1/trusted.conf -p "${PORT}" "$@"
24)
25
26rndccmd() (
27	"$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "${CONTROLPORT}" -s "$@"
28)
29
30mkeys_reconfig_on() (
31	nsidx=$1
32	rndccmd "10.53.0.${nsidx}" reconfig . | sed "s/^/ns${nsidx} /" | cat_i
33)
34
35mkeys_reload_on() (
36	nsidx=$1
37	nextpart "ns${nsidx}"/named.run > /dev/null
38	rndc_reload "ns${nsidx}" "10.53.0.${nsidx}"
39	wait_for_log 20 "loaded serial" "ns${nsidx}"/named.run || return 1
40)
41
42mkeys_loadkeys_on() (
43	nsidx=$1
44	nextpart "ns${nsidx}"/named.run > /dev/null
45	rndccmd "10.53.0.${nsidx}" loadkeys . | sed "s/^/ns${nsidx} /" | cat_i
46	wait_for_log 20 "next key event" "ns${nsidx}"/named.run || return 1
47)
48
49mkeys_refresh_on() (
50	nsidx=$1
51	nextpart "ns${nsidx}"/named.run > /dev/null
52	rndccmd "10.53.0.${nsidx}" managed-keys refresh | sed "s/^/ns${nsidx} /" | cat_i
53	wait_for_log 20 "Returned from key fetch in keyfetch_done()" "ns${nsidx}"/named.run || return 1
54)
55
56mkeys_sync_on() (
57	# No race with mkeys_refresh_on() is possible as even if the latter
58	# returns immediately after the expected log message is written, the
59	# managed-keys zone is already locked and the command below calls
60	# dns_zone_flush(), which also attempts to take that zone's lock
61	nsidx=$1
62	nextpart "ns${nsidx}"/named.run > /dev/null
63	rndccmd "10.53.0.${nsidx}" managed-keys sync | sed "s/^/ns${nsidx} /" | cat_i
64	wait_for_log 20 "dump_done" "ns${nsidx}"/named.run || return 1
65)
66
67mkeys_status_on() (
68	# No race with mkeys_refresh_on() is possible as even if the latter
69	# returns immediately after the expected log message is written, the
70	# managed-keys zone is already locked and the command below calls
71	# mkey_status(), which in turn calls dns_zone_getrefreshkeytime(),
72	# which also attempts to take that zone's lock
73	nsidx=$1
74	rndccmd "10.53.0.${nsidx}" managed-keys status
75)
76
77mkeys_flush_on() (
78	nsidx=$1
79	rndccmd "10.53.0.${nsidx}" flush | sed "s/^/ns${nsidx} /" | cat_i
80)
81
82mkeys_secroots_on() (
83	nsidx=$1
84	rndccmd "10.53.0.${nsidx}" secroots | sed "s/^/ns${nsidx} /" | cat_i
85)
86
87original=$(cat ns1/managed.key)
88originalid=$(cat ns1/managed.key.id)
89
90status=0
91n=1
92
93rm -f dig.out.*
94
95echo_i "check for signed record ($n)"
96ret=0
97dig_with_opts +norec example.  @10.53.0.1 TXT > dig.out.ns1.test$n || ret=1
98grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*TXT[[:space:]]*\"This is a test\.\"" dig.out.ns1.test$n > /dev/null || ret=1
99grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*RRSIG[[:space:]]*TXT[[:space:]]" dig.out.ns1.test$n > /dev/null || ret=1
100if [ $ret != 0 ]; then echo_i "failed"; fi
101status=$((status+ret))
102
103n=$((n+1))
104echo_i "check positive validation with valid trust anchor ($n)"
105ret=0
106dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
107grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
108grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
109if [ $ret != 0 ]; then echo_i "failed"; fi
110status=$((status+ret))
111
112n=$((n+1))
113ret=0
114echo_i "check positive validation using delv ($n)"
115delv_with_opts @10.53.0.1 txt example > delv.out$n || ret=1
116grep "; fully validated" delv.out$n > /dev/null || ret=1	# redundant
117grep "example..*TXT.*This is a test" delv.out$n > /dev/null || ret=1
118grep "example..*.RRSIG..*TXT" delv.out$n > /dev/null || ret=1
119if [ $ret != 0 ]; then echo_i "failed"; fi
120status=$((status+ret))
121
122n=$((n+1))
123echo_i "check for failed validation due to wrong key in managed-keys ($n)"
124ret=0
125dig_with_opts +noauth example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
126grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
127grep "example..*.RRSIG..*TXT" dig.out.ns3.test$n > /dev/null && ret=1
128grep "opcode: QUERY, status: SERVFAIL, id" dig.out.ns3.test$n > /dev/null || ret=1
129if [ $ret != 0 ]; then echo_i "failed"; fi
130status=$((status+ret))
131
132n=$((n+1))
133echo_i "check new trust anchor can be added ($n)"
134ret=0
135standby1=$($KEYGEN -a rsasha256 -qfk -K ns1 .)
136mkeys_loadkeys_on 1 || ret=1
137mkeys_refresh_on 2 || ret=1
138mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
139# there should be two keys listed now
140count=$(grep -c "keyid: " rndc.out.$n) || true
141[ "$count" -eq 2 ] || ret=1
142# two lines indicating trust status
143count=$(grep -c "trust" rndc.out.$n) || true
144[ "$count" -eq 2 ] || ret=1
145# one indicates current trust
146count=$(grep -c "trusted since" rndc.out.$n) || true
147[ "$count" -eq 1 ] || ret=1
148# one indicates pending trust
149count=$(grep -c "trust pending" rndc.out.$n) || true
150[ "$count" -eq 1 ] || ret=1
151if [ $ret != 0 ]; then echo_i "failed"; fi
152status=$((status+ret))
153
154n=$((n+1))
155echo_i "check new trust anchor can't be added with bad initial key ($n)"
156ret=0
157mkeys_refresh_on 3 || ret=1
158mkeys_status_on 3 > rndc.out.$n 2>&1 || ret=1
159# there should be one key listed now
160count=$(grep -c "keyid: " rndc.out.$n) || true
161[ "$count" -eq 1 ] || ret=1
162# one line indicating trust status
163count=$(grep -c "trust" rndc.out.$n) || true
164[ "$count" -eq 1 ] || ret=1
165# ... and the key is not trusted
166count=$(grep -c "no trust" rndc.out.$n) || true
167[ "$count" -eq 1 ] || ret=1
168if [ $ret != 0 ]; then echo_i "failed"; fi
169status=$((status+ret))
170
171n=$((n+1))
172echo_i "remove untrusted standby key, check timer restarts ($n)"
173ret=0
174mkeys_sync_on 2 || ret=1
175t1=$(grep "trust pending" ns2/managed-keys.bind) || true
176$SETTIME -D now -K ns1 "$standby1" > /dev/null
177mkeys_loadkeys_on 1 || ret=1
178# Less than a second may have passed since the last time ns2 received a
179# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
180# timestamp to prevent false negatives caused by the acceptance timer getting
181# reset to the same timestamp.
182sleep 1
183mkeys_refresh_on 2 || ret=1
184mkeys_sync_on 2 || ret=1
185t2=$(grep "trust pending" ns2/managed-keys.bind) || true
186# trust pending date must be different
187[ -n "$t2" ] || ret=1
188[ "$t1" = "$t2" ] && ret=1
189if [ $ret != 0 ]; then echo_i "failed"; fi
190status=$((status+ret))
191
192n=$((n+1))
193ret=0
194echo_i "restore untrusted standby key, revoke original key ($n)"
195t1=$t2
196$SETTIME -D none -K ns1 "$standby1" > /dev/null
197$SETTIME -R now -K ns1 "$original" > /dev/null
198mkeys_loadkeys_on 1 || ret=1
199# Less than a second may have passed since the last time ns2 received a
200# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
201# timestamp to prevent false negatives caused by the acceptance timer getting
202# reset to the same timestamp.
203sleep 1
204mkeys_refresh_on 2 || ret=1
205mkeys_sync_on 2 || ret=1
206mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
207# two keys listed
208count=$(grep -c "keyid: " rndc.out.$n) || true
209[ "$count" -eq 2 ] || ret=1
210# two lines indicating trust status
211count=$(grep -c "trust" rndc.out.$n) || true
212[ "$count" -eq 2 ] || ret=1
213# trust is revoked
214count=$(grep -c "trust revoked" rndc.out.$n) || true
215[ "$count" -eq 1 ] || ret=1
216# removal scheduled
217count=$(grep -c "remove at" rndc.out.$n) || true
218[ "$count" -eq 1 ] || ret=1
219# trust is still pending on the standby key
220count=$(grep -c "trust pending" rndc.out.$n) || true
221[ "$count" -eq 1 ] || ret=1
222# pending date moved forward for the standby key
223t2=$(grep "trust pending" ns2/managed-keys.bind) || true
224[ -n "$t2" ] || ret=1
225[ "$t1" = "$t2" ] && ret=1
226if [ $ret != 0 ]; then echo_i "failed"; fi
227status=$((status+ret))
228
229n=$((n+1))
230ret=0
231echo_i "refresh managed-keys, ensure same result ($n)"
232t1=$t2
233# Less than a second may have passed since the last time ns2 received a
234# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
235# timestamp to prevent false negatives caused by the acceptance timer getting
236# reset to the same timestamp.
237sleep 1
238mkeys_refresh_on 2 || ret=1
239mkeys_sync_on 2 || ret=1
240mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
241# two keys listed
242count=$(grep -c "keyid: " rndc.out.$n) || true
243[ "$count" -eq 2 ] || ret=1
244# two lines indicating trust status
245count=$(grep -c "trust" rndc.out.$n) || true
246[ "$count" -eq 2 ] || ret=1
247# trust is revoked
248count=$(grep -c "trust revoked" rndc.out.$n) || true
249[ "$count" -eq 1 ] || ret=1
250# removal scheduled
251count=$(grep -c "remove at" rndc.out.$n) || true
252[ "$count" -eq 1 ] || ret=1
253# trust is still pending on the standby key
254count=$(grep -c "trust pending" rndc.out.$n) || true
255[ "$count" -eq 1 ] || ret=1
256# pending date moved forward for the standby key
257t2=$(grep "trust pending" ns2/managed-keys.bind) || true
258[ -n "$t2" ] || ret=1
259[ "$t1" = "$t2" ] && ret=1
260if [ $ret != 0 ]; then echo_i "failed"; fi
261status=$((status+ret))
262
263n=$((n+1))
264ret=0
265echo_i "restore revoked key, ensure same result ($n)"
266t1=$t2
267$SETTIME -R none -D now -K ns1 "$original" > /dev/null
268mkeys_loadkeys_on 1 || ret=1
269$SETTIME -D none -K ns1 "$original" > /dev/null
270mkeys_loadkeys_on 1 || ret=1
271# Less than a second may have passed since the last time ns2 received a
272# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
273# timestamp to prevent false negatives caused by the acceptance timer getting
274# reset to the same timestamp.
275sleep 1
276mkeys_refresh_on 2 || ret=1
277mkeys_sync_on 2 || ret=1
278mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
279# two keys listed
280count=$(grep -c "keyid: " rndc.out.$n) || true
281[ "$count" -eq 2 ] || ret=1
282# two lines indicating trust status
283count=$(grep -c "trust" rndc.out.$n) || true
284[ "$count" -eq 2 ] || ret=1
285# trust is revoked
286count=$(grep -c "trust revoked" rndc.out.$n) || true
287[ "$count" -eq 1 ] || ret=1
288# removal scheduled
289count=$(grep -c "remove at" rndc.out.$n) || true
290[ "$count" -eq 1 ] || ret=1
291# trust is still pending on the standby key
292count=$(grep -c "trust pending" rndc.out.$n) || true
293[ "$count" -eq 1 ] || ret=1
294# pending date moved forward for the standby key
295t2=$(grep "trust pending" ns2/managed-keys.bind) || true
296[ -n "$t2" ] || ret=1
297[ "$t1" = "$t2" ] && ret=1
298if [ $ret != 0 ]; then echo_i "failed"; fi
299status=$((status+ret))
300
301echo_i "reinitialize trust anchors, add second key to bind.keys"
302$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port "${CONTROLPORT}" mkeys ns2
303rm -f ns2/managed-keys.bind*
304keyfile_to_initial_ds ns1/"$original" ns1/"$standby1" > ns2/managed.conf
305nextpart ns2/named.run > /dev/null
306$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port "${PORT}" mkeys ns2
307
308n=$((n+1))
309echo_i "check that no key from bind.keys is marked as an initializing key ($n)"
310ret=0
311wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1
312mkeys_secroots_on 2 || ret=1
313grep '; initializing' ns2/named.secroots > /dev/null 2>&1 && ret=1
314if [ $ret != 0 ]; then echo_i "failed"; fi
315status=$((status+ret))
316
317echo_i "reinitialize trust anchors, revert to one key in bind.keys"
318$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port "${CONTROLPORT}" mkeys ns2
319rm -f ns2/managed-keys.bind*
320mv ns2/managed1.conf ns2/managed.conf
321nextpart ns2/named.run > /dev/null
322$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port "${PORT}" mkeys ns2
323
324n=$((n+1))
325echo_i "check that standby key is now trusted ($n)"
326ret=0
327wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1
328mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
329# two keys listed
330count=$(grep -c "keyid: " rndc.out.$n) || true
331[ "$count" -eq 2 ] || ret=1
332# two lines indicating trust status
333count=$(grep -c "trust" rndc.out.$n) || true
334[ "$count" -eq 2 ] || ret=1
335# both indicate current trust
336count=$(grep -c "trusted since" rndc.out.$n) || true
337[ "$count" -eq 2 ] || ret=1
338if [ $ret != 0 ]; then echo_i "failed"; fi
339status=$((status+ret))
340
341n=$((n+1))
342echo_i "revoke original key, add new standby ($n)"
343ret=0
344standby2=$($KEYGEN -a rsasha256 -qfk -K ns1 .)
345$SETTIME -R now -K ns1 "$original" > /dev/null
346mkeys_loadkeys_on 1 || ret=1
347mkeys_refresh_on 2 || ret=1
348mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
349# three keys listed
350count=$(grep -c "keyid: " rndc.out.$n) || true
351[ "$count" -eq 3 ] || ret=1
352# one is revoked
353count=$(grep -c "REVOKE" rndc.out.$n) || true
354[ "$count" -eq 1 ] || ret=1
355# three lines indicating trust status
356count=$(grep -c "trust" rndc.out.$n) || true
357[ "$count" -eq 3 ] || ret=1
358# one indicates current trust
359count=$(grep -c "trusted since" rndc.out.$n) || true
360[ "$count" -eq 1 ] || ret=1
361# one indicates revoked trust
362count=$(grep -c "trust revoked" rndc.out.$n) || true
363[ "$count" -eq 1 ] || ret=1
364# one indicates trust pending
365count=$(grep -c "trust pending" rndc.out.$n) || true
366[ "$count" -eq 1 ] || ret=1
367# removal scheduled
368count=$(grep -c "remove at" rndc.out.$n) || true
369[ "$count" -eq 1 ] || ret=1
370if [ $ret != 0 ]; then echo_i "failed"; fi
371status=$((status+ret))
372
373n=$((n+1))
374echo_i "revoke standby before it is trusted ($n)"
375ret=0
376standby3=$($KEYGEN -a rsasha256 -qfk -K ns1 .)
377mkeys_loadkeys_on 1 || ret=1
378mkeys_refresh_on 2 || ret=1
379mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
380# four keys listed
381count=$(grep -c "keyid: " rndc.out.1.$n) || true
382[ "$count" -eq 4 ] || { echo_i "keyid: count ($count) != 4"; ret=1; }
383# one revoked
384count=$(grep -c "trust revoked" rndc.out.1.$n) || true
385[ "$count" -eq 1 ] || { echo_i "trust revoked count ($count) != 1"; ret=1; }
386# two pending
387count=$(grep -c "trust pending" rndc.out.1.$n) || true
388[ "$count" -eq 2 ] || { echo_i "trust pending count ($count) != 2"; ret=1; }
389$SETTIME -R now -K ns1 "$standby3" > /dev/null
390mkeys_loadkeys_on 1 || ret=1
391mkeys_refresh_on 2 || ret=1
392mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1
393# now three keys listed
394count=$(grep -c "keyid: " rndc.out.2.$n) || true
395[ "$count" -eq 3 ] || { echo_i "keyid: count ($count) != 3"; ret=1; }
396# one revoked
397count=$(grep -c "trust revoked" rndc.out.2.$n) || true
398[ "$count" -eq 1 ] || { echo_i "trust revoked count ($count) != 1"; ret=1; }
399# one pending
400count=$(grep -c "trust pending" rndc.out.2.$n) || true
401[ "$count" -eq 1 ] || { echo_i "trust pending count ($count) != 1"; ret=1; }
402$SETTIME -D now -K ns1 "$standby3" > /dev/null
403mkeys_loadkeys_on 1 || ret=1
404if [ $ret != 0 ]; then echo_i "failed"; fi
405status=$((status+ret))
406
407n=$((n+1))
408echo_i "wait 20 seconds for key add/remove holddowns to expire ($n)"
409ret=0
410sleep 20
411mkeys_refresh_on 2 || ret=1
412mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
413# two keys listed
414count=$(grep -c "keyid: " rndc.out.$n) || true
415[ "$count" -eq 2 ] || ret=1
416# none revoked
417count=$(grep -c "REVOKE" rndc.out.$n) || true
418[ "$count" -eq 0 ] || ret=1
419# two lines indicating trust status
420count=$(grep -c "trust" rndc.out.$n) || true
421[ "$count" -eq 2 ] || ret=1
422# both indicate current trust
423count=$(grep -c "trusted since" rndc.out.$n) || true
424[ "$count" -eq 2 ] || ret=1
425if [ $ret != 0 ]; then echo_i "failed"; fi
426status=$((status+ret))
427
428n=$((n+1))
429echo_i "revoke all keys, confirm roll to insecure ($n)"
430ret=0
431$SETTIME -D now -K ns1 "$original" > /dev/null
432$SETTIME -R now -K ns1 "$standby1" > /dev/null
433$SETTIME -R now -K ns1 "$standby2" > /dev/null
434mkeys_loadkeys_on 1 || ret=1
435mkeys_refresh_on 2 || ret=1
436mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
437# two keys listed
438count=$(grep -c "keyid: " rndc.out.$n) || true
439[ "$count" -eq 2 ] || ret=1
440# both revoked
441count=$(grep -c "REVOKE" rndc.out.$n) || true
442[ "$count" -eq 2 ] || ret=1
443# two lines indicating trust status
444count=$(grep -c "trust" rndc.out.$n) || true
445[ "$count" -eq 2 ] || ret=1
446# both indicate trust revoked
447count=$(grep -c "trust revoked" rndc.out.$n) || true
448[ "$count" -eq 2 ] || ret=1
449# both have removal scheduled
450count=$(grep -c "remove at" rndc.out.$n) || true
451[ "$count" -eq 2 ] || ret=1
452if [ $ret != 0 ]; then echo_i "failed"; fi
453status=$((status+ret))
454
455n=$((n+1))
456echo_i "check for insecure response ($n)"
457ret=0
458mkeys_refresh_on 2 || ret=1
459dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
460grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
461grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
462grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
463if [ $ret != 0 ]; then echo_i "failed"; fi
464status=$((status+ret))
465
466n=$((n+1))
467echo_i "reset the root server ($n)"
468ret=0
469$SETTIME -D none -R none -K ns1 "$original" > /dev/null
470$SETTIME -D now -K ns1 "$standby1" > /dev/null
471$SETTIME -D now -K ns1 "$standby2" > /dev/null
472$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null
473copy_setports ns1/named2.conf.in ns1/named.conf
474rm -f ns1/root.db.signed.jnl
475mkeys_reconfig_on 1 || ret=1
476mkeys_reload_on 1 || ret=1
477if [ $ret != 0 ]; then echo_i "failed"; fi
478status=$((status+ret))
479
480echo_i "reinitialize trust anchors"
481$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port "${CONTROLPORT}" mkeys ns2
482rm -f ns2/managed-keys.bind*
483nextpart ns2/named.run > /dev/null
484$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port "${PORT}" mkeys ns2
485
486n=$((n+1))
487echo_i "check positive validation ($n)"
488ret=0
489wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1
490dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
491grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
492grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
493if [ $ret != 0 ]; then echo_i "failed"; fi
494status=$((status+ret))
495
496n=$((n+1))
497echo_i "revoke key with bad signature, check revocation is ignored ($n)"
498ret=0
499revoked=$($REVOKE -K ns1 "$original")
500rkeyid=$(keyfile_to_key_id "$revoked")
501rm -f ns1/root.db.signed.jnl
502# We need to activate at least one valid DNSKEY to prevent dnssec-signzone from
503# failing.  Alternatively, we could use -P to disable post-sign verification,
504# but we actually do want post-sign verification to happen to ensure the zone
505# is correct before we break it on purpose.
506$SETTIME -R none -D none -K ns1 "$standby1" > /dev/null
507$SIGNER -Sg -K ns1 -N unixtime -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>/dev/null
508cp -f ns1/root.db.signed ns1/root.db.tmp
509BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg=="
510# Less than a second may have passed since ns1 was started.  If we call
511# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the
512# subsequent "rndc reload ." call on platforms which do not set the
513# "nanoseconds" field of isc_time_t, due to zone load time being seemingly
514# equal to master file modification time.
515sleep 1
516sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n > ns1/root.db.signed
517mkeys_reload_on 1 || ret=1
518mkeys_refresh_on 2 || ret=1
519mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
520# one key listed
521count=$(grep -c "keyid: " rndc.out.$n) || true
522[ "$count" -eq 1 ] || { echo_i "'keyid:' count ($count) != 1"; ret=1; }
523# it's the original key id
524count=$(grep -c "keyid: $originalid" rndc.out.$n) || true
525[ "$count" -eq 1 ] || { echo_i "'keyid: $originalid' count ($count) != 1"; ret=1; }
526# not revoked
527count=$(grep -c "REVOKE" rndc.out.$n) || true
528[ "$count" -eq 0 ] || { echo_i "'REVOKE' count ($count) != 0"; ret=1; }
529# trust is still current
530count=$(grep -c "trust" rndc.out.$n) || true
531[ "$count" -eq 1 ] || { echo_i "'trust' count != 1"; ret=1; }
532count=$(grep -c "trusted since" rndc.out.$n) || true
533[ "$count" -eq 1 ] || { echo_i "'trusted since' count != 1"; ret=1; }
534if [ $ret != 0 ]; then echo_i "failed"; fi
535status=$((status+ret))
536
537n=$((n+1))
538echo_i "check validation fails with bad DNSKEY rrset ($n)"
539ret=0
540mkeys_flush_on 2 || ret=1
541dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
542grep "status: SERVFAIL" dig.out.ns2.test$n > /dev/null || ret=1
543if [ $ret != 0 ]; then echo_i "failed"; fi
544status=$((status+ret))
545
546n=$((n+1))
547echo_i "restore DNSKEY rrset, check validation succeeds again ($n)"
548ret=0
549rm -f "${revoked}".key "${revoked}".private
550rm -f ns1/root.db.signed.jnl
551$SETTIME -D none -R none -K ns1 "$original" > /dev/null
552$SETTIME -D now -K ns1 "$standby1" > /dev/null
553# Less than a second may have passed since ns1 was started.  If we call
554# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the
555# subsequent "rndc reload ." call on platforms which do not set the
556# "nanoseconds" field of isc_time_t, due to zone load time being seemingly
557# equal to master file modification time.
558sleep 1
559$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null
560mkeys_reload_on 1 || ret=1
561mkeys_flush_on 2 || ret=1
562dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
563grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
564grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
565if [ $ret != 0 ]; then echo_i "failed"; fi
566status=$((status+ret))
567
568n=$((n+1))
569echo_i "reset the root server with no keys, check for minimal update ($n)"
570ret=0
571# Refresh keys first to prevent previous checks from influencing this one.
572# Note that we might still get occasional false negatives on some really slow
573# machines, when $t1 equals $t2 due to the time elapsed between "rndc
574# managed-keys status" calls being equal to the normal active refresh period
575# (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as
576# set using -T mkeytimers).
577mkeys_refresh_on 2 || ret=1
578mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
579t1=$(grep 'next refresh:' rndc.out.1.$n) || true
580$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port "${CONTROLPORT}" mkeys ns1
581rm -f ns1/root.db.signed.jnl
582cp ns1/root.db ns1/root.db.signed
583nextpart ns1/named.run > /dev/null
584$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port "${PORT}" mkeys ns1
585wait_for_log 20 "all zones loaded" ns1/named.run || ret=1
586mkeys_refresh_on 2 || ret=1
587mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1
588# one key listed
589count=$(grep -c "keyid: " rndc.out.2.$n) || true
590[ "$count" -eq 1 ] || ret=1
591# it's the original key id
592count=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true
593[ "$count" -eq 1 ] || ret=1
594# not revoked
595count=$(grep -c "REVOKE" rndc.out.2.$n) || true
596[ "$count" -eq 0 ] || ret=1
597# trust is still current
598count=$(grep -c "trust" rndc.out.2.$n) || true
599[ "$count" -eq 1 ] || ret=1
600count=$(grep -c "trusted since" rndc.out.2.$n) || true
601[ "$count" -eq 1 ] || ret=1
602t2=$(grep 'next refresh:' rndc.out.2.$n) || true
603[ "$t1" = "$t2" ] && ret=1
604if [ $ret != 0 ]; then echo_i "failed"; fi
605status=$((status+ret))
606
607n=$((n+1))
608echo_i "reset the root server with no signatures, check for minimal update ($n)"
609ret=0
610# Refresh keys first to prevent previous checks from influencing this one
611mkeys_refresh_on 2 || ret=1
612mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
613t1=$(grep 'next refresh:' rndc.out.1.$n) || true
614$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port "${CONTROLPORT}" mkeys ns1
615rm -f ns1/root.db.signed.jnl
616cat ns1/K*.key >> ns1/root.db.signed
617nextpart ns1/named.run > /dev/null
618$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port "${PORT}" mkeys ns1
619wait_for_log 20 "all zones loaded" ns1/named.run || ret=1
620# Less than a second may have passed since the last time ns2 received a
621# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
622# timestamp to prevent minimal update from resetting it to the same timestamp.
623sleep 1
624mkeys_refresh_on 2 || ret=1
625mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1
626# one key listed
627count=$(grep -c "keyid: " rndc.out.2.$n) || true
628[ "$count" -eq 1 ] || ret=1
629# it's the original key id
630count=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true
631[ "$count" -eq 1 ] || ret=1
632# not revoked
633count=$(grep -c "REVOKE" rndc.out.2.$n) || true
634[ "$count" -eq 0 ] || ret=1
635# trust is still current
636count=$(grep -c "trust" rndc.out.2.$n) || true
637[ "$count" -eq 1 ] || ret=1
638count=$(grep -c "trusted since" rndc.out.2.$n) || true
639[ "$count" -eq 1 ] || ret=1
640t2=$(grep 'next refresh:' rndc.out.2.$n) || true
641[ "$t1" = "$t2" ] && ret=1
642if [ $ret != 0 ]; then echo_i "failed"; fi
643status=$((status+ret))
644
645n=$((n+1))
646echo_i "restore root server, check validation succeeds again ($n)"
647ret=0
648rm -f ns1/root.db.signed.jnl
649$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null
650mkeys_reload_on 1 || ret=1
651mkeys_refresh_on 2 || ret=1
652mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
653dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
654grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
655grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
656if [ $ret != 0 ]; then echo_i "failed"; fi
657status=$((status+ret))
658
659n=$((n+1))
660echo_i "check that trust-anchor-telemetry queries are logged ($n)"
661ret=0
662grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run > /dev/null || ret=1
663if [ $ret != 0 ]; then echo_i "failed"; fi
664status=$((status+ret))
665
666n=$((n+1))
667echo_i "check that trust-anchor-telemetry queries are received ($n)"
668ret=0
669grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run > /dev/null || ret=1
670if [ $ret != 0 ]; then echo_i "failed"; fi
671status=$((status+ret))
672
673n=$((n+1))
674echo_i "check 'rndc-managed-keys destroy' ($n)"
675ret=0
676rndccmd 10.53.0.2 managed-keys destroy | sed 's/^/ns2 /' | cat_i
677mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
678grep "no views with managed keys" rndc.out.1.$n > /dev/null || ret=1
679mkeys_reconfig_on 2 || ret=1
680mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1
681grep "name: \." rndc.out.2.$n > /dev/null || ret=1
682if [ $ret != 0 ]; then echo_i "failed"; fi
683status=$((status+ret))
684
685n=$((n+1))
686echo_i "check that trust-anchor-telemetry queries contain the correct key ($n)"
687ret=0
688# convert the hexadecimal key from the TAT query into decimal and
689# compare against the known key.
690tathex=$(grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run | awk '{print $6; exit 0}' | sed -e 's/(_ta-\([0-9a-f][0-9a-f]*\)):/\1/') || true
691tatkey=$($PERL -e 'printf("%d\n", hex(@ARGV[0]));' "$tathex")
692realkey=$(rndccmd 10.53.0.2 secroots - | sed -n 's#.*SHA256/\([0-9][0-9]*\) ; .*managed.*#\1#p')
693[ "$tatkey" -eq "$realkey" ] || ret=1
694if [ $ret != 0 ]; then echo_i "failed"; fi
695status=$((status+ret))
696
697n=$((n+1))
698echo_i "check initialization fails if managed-keys can't be created ($n)"
699ret=0
700mkeys_secroots_on 4 || ret=1
701grep '; initializing managed' ns4/named.secroots > /dev/null 2>&1 || ret=1
702grep '; managed' ns4/named.secroots > /dev/null 2>&1 && ret=1
703grep '; trusted' ns4/named.secroots > /dev/null 2>&1 && ret=1
704if [ $ret != 0 ]; then echo_i "failed"; fi
705status=$((status+ret))
706
707n=$((n+1))
708echo_i "check failure to contact root servers does not prevent key refreshes after restart ($n)"
709ret=0
710# By the time we get here, ns5 should have attempted refreshing its managed
711# keys.  These attempts should fail as ns1 is configured to REFUSE all queries
712# from ns5.  Note that named1.args does not contain "-T mkeytimers"; this is to
713# ensure key refresh retry will be scheduled to one actual hour after the first
714# key refresh failure instead of just a few seconds, in order to prevent races
715# between the next scheduled key refresh time and startup time of restarted ns5.
716$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port "${CONTROLPORT}" mkeys ns5
717nextpart ns5/named.run > /dev/null
718$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port "${PORT}" mkeys ns5
719wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns5/named.run || ret=1
720# ns5/named.run will contain logs from both the old instance and the new
721# instance.  In order for the test to pass, both must attempt a fetch.
722count=$(grep -c "Creating key fetch" ns5/named.run) || true
723[ "$count" -lt 2 ] && ret=1
724if [ $ret != 0 ]; then echo_i "failed"; fi
725status=$((status+ret))
726
727n=$((n+1))
728echo_i "check key refreshes are resumed after root servers become available ($n)"
729ret=0
730$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port "${CONTROLPORT}" mkeys ns5
731# Prevent previous check from affecting this one
732rm -f ns5/managed-keys.bind*
733# named2.args adds "-T mkeytimers=2/20/40" to named1.args as we need to wait for
734# an "hour" until keys are refreshed again after initial failure
735cp ns5/named2.args ns5/named.args
736nextpart ns5/named.run > /dev/null
737$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port "${PORT}" mkeys ns5
738wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1
739mkeys_secroots_on 5 || ret=1
740grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1
741# ns1 should still REFUSE queries from ns5, so resolving should be impossible
742dig_with_opts +noauth example. @10.53.0.5 txt > dig.out.ns5.a.test$n || ret=1
743grep "flags:.*ad.*QUERY" dig.out.ns5.a.test$n > /dev/null && ret=1
744grep "example..*.RRSIG..*TXT" dig.out.ns5.a.test$n > /dev/null && ret=1
745grep "status: SERVFAIL" dig.out.ns5.a.test$n > /dev/null || ret=1
746# Allow queries from ns5 to ns1
747copy_setports ns1/named3.conf.in ns1/named.conf
748rm -f ns1/root.db.signed.jnl
749nextpart ns5/named.run > /dev/null
750mkeys_reconfig_on 1 || ret=1
751wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1
752mkeys_secroots_on 5 || ret=1
753grep '; managed' ns5/named.secroots > /dev/null || ret=1
754# ns1 should not longer REFUSE queries from ns5, so managed keys should be
755# correctly refreshed and resolving should succeed
756dig_with_opts +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1
757grep "flags:.*ad.*QUERY" dig.out.ns5.b.test$n > /dev/null || ret=1
758grep "example..*.RRSIG..*TXT" dig.out.ns5.b.test$n > /dev/null || ret=1
759grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1
760if [ $ret != 0 ]; then echo_i "failed"; fi
761status=$((status+ret))
762
763n=$((n+1))
764echo_i "reinitialize trust anchors, add unsupported algorithm ($n)"
765ret=0
766$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port "${CONTROLPORT}" mkeys ns6
767rm -f ns6/managed-keys.bind*
768nextpart ns6/named.run > /dev/null
769$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port "${PORT}" mkeys ns6
770# log when an unsupported algorithm is encountered during startup
771wait_for_log 20 "ignoring initial-key for 'unsupported.': algorithm is unsupported" ns6/named.run || ret=1
772if [ $ret != 0 ]; then echo_i "failed"; fi
773status=$((status+ret))
774
775n=$((n+1))
776echo_i "ignoring unsupported algorithm in managed-keys ($n)"
777ret=0
778mkeys_status_on 6 > rndc.out.$n 2>&1 || ret=1
779# there should still be only two keys listed (for . and rsasha256.)
780count=$(grep -c "keyid: " rndc.out.$n) || true
781[ "$count" -eq 2 ] || ret=1
782# two lines indicating trust status
783count=$(grep -c "trust" rndc.out.$n) || true
784[ "$count" -eq 2 ] || ret=1
785
786n=$((n+1))
787echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)"
788ret=0
789cp ns1/root.db ns1/root.db.orig
790ksk=$(cat ns1/managed.key)
791zsk=$(cat ns1/zone.key)
792cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db
793grep "\.[[:space:]]*IN[[:space:]]*DNSKEY[[:space:]]*257 3 255" ns1/root.db > /dev/null || ret=1
794$SIGNER -K ns1 -N unixtime -o . ns1/root.db "$ksk" "$zsk" > /dev/null 2>/dev/null || ret=1
795grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1
796cp ns1/root.db.orig ns1/root.db
797if [ $ret != 0 ]; then echo_i "failed"; fi
798status=$((status+ret))
799
800n=$((n+1))
801echo_i "ignoring unsupported algorithm in rollover ($n)"
802ret=0
803mkeys_reload_on 1 || ret=1
804mkeys_refresh_on 6 || ret=1
805mkeys_status_on 6 > rndc.out.$n 2>&1 || ret=1
806# there should still be only two keys listed (for . and rsasha256.)
807count=$(grep -c "keyid: " rndc.out.$n) || true
808[ "$count" -eq 2 ] || ret=1
809# two lines indicating trust status
810count=$(grep -c "trust" rndc.out.$n) || true
811[ "$count" -eq 2 ] || ret=1
812# log when an unsupported algorithm is encountered during rollover
813wait_for_log 20 "Cannot compute tag for key in zone .: algorithm is unsupported" ns6/named.run || ret=1
814if [ $ret != 0 ]; then echo_i "failed"; fi
815status=$((status+ret))
816
817n=$((n+1))
818echo_i "check 'rndc managed-keys' and views ($n)"
819ret=0
820rndccmd 10.53.0.7 managed-keys refresh in view1 > rndc.out.ns7.view1.test$n || ret=1
821grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n > /dev/null || ret=1
822lines=$(wc -l < rndc.out.ns7.view1.test$n)
823[ "$lines" -eq 1 ] || ret=1
824rndccmd 10.53.0.7 managed-keys refresh > rndc.out.ns7.view2.test$n || ret=1
825lines=$(wc -l < rndc.out.ns7.view2.test$n)
826grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n > /dev/null || ret=1
827grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null || ret=1
828[ "$lines" -eq 2 ] || ret=1
829if [ $ret != 0 ]; then echo_i "failed"; fi
830status=$((status+ret))
831
832echo_i "exit status: $status"
833[ $status -eq 0 ] || exit 1
834