tests.sh revision 1.1.1.6
1#!/bin/sh 2# 3# Copyright (C) Internet Systems Consortium, Inc. ("ISC") 4# 5# This Source Code Form is subject to the terms of the Mozilla Public 6# License, v. 2.0. If a copy of the MPL was not distributed with this 7# file, you can obtain one at https://mozilla.org/MPL/2.0/. 8# 9# See the COPYRIGHT file distributed with this work for additional 10# information regarding copyright ownership. 11 12set -e 13 14SYSTEMTESTTOP=.. 15#shellcheck source=conf.sh 16. "$SYSTEMTESTTOP/conf.sh" 17 18dig_with_opts() ( 19 "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "${PORT}" "$@" 20) 21 22delv_with_opts() ( 23 "$DELV" -a ns1/trusted.conf -p "${PORT}" "$@" 24) 25 26rndccmd() ( 27 "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "${CONTROLPORT}" -s "$@" 28) 29 30mkeys_reconfig_on() ( 31 nsidx=$1 32 rndccmd "10.53.0.${nsidx}" reconfig . | sed "s/^/ns${nsidx} /" | cat_i 33) 34 35mkeys_reload_on() ( 36 nsidx=$1 37 nextpart "ns${nsidx}"/named.run > /dev/null 38 rndc_reload "ns${nsidx}" "10.53.0.${nsidx}" 39 wait_for_log 20 "loaded serial" "ns${nsidx}"/named.run || return 1 40) 41 42mkeys_loadkeys_on() ( 43 nsidx=$1 44 nextpart "ns${nsidx}"/named.run > /dev/null 45 rndccmd "10.53.0.${nsidx}" loadkeys . | sed "s/^/ns${nsidx} /" | cat_i 46 wait_for_log 20 "next key event" "ns${nsidx}"/named.run || return 1 47) 48 49mkeys_refresh_on() ( 50 nsidx=$1 51 nextpart "ns${nsidx}"/named.run > /dev/null 52 rndccmd "10.53.0.${nsidx}" managed-keys refresh | sed "s/^/ns${nsidx} /" | cat_i 53 wait_for_log 20 "Returned from key fetch in keyfetch_done()" "ns${nsidx}"/named.run || return 1 54) 55 56mkeys_sync_on() ( 57 # No race with mkeys_refresh_on() is possible as even if the latter 58 # returns immediately after the expected log message is written, the 59 # managed-keys zone is already locked and the command below calls 60 # dns_zone_flush(), which also attempts to take that zone's lock 61 nsidx=$1 62 nextpart "ns${nsidx}"/named.run > /dev/null 63 rndccmd "10.53.0.${nsidx}" managed-keys sync | sed "s/^/ns${nsidx} /" | cat_i 64 wait_for_log 20 "dump_done" "ns${nsidx}"/named.run || return 1 65) 66 67mkeys_status_on() ( 68 # No race with mkeys_refresh_on() is possible as even if the latter 69 # returns immediately after the expected log message is written, the 70 # managed-keys zone is already locked and the command below calls 71 # mkey_status(), which in turn calls dns_zone_getrefreshkeytime(), 72 # which also attempts to take that zone's lock 73 nsidx=$1 74 rndccmd "10.53.0.${nsidx}" managed-keys status 75) 76 77mkeys_flush_on() ( 78 nsidx=$1 79 rndccmd "10.53.0.${nsidx}" flush | sed "s/^/ns${nsidx} /" | cat_i 80) 81 82mkeys_secroots_on() ( 83 nsidx=$1 84 rndccmd "10.53.0.${nsidx}" secroots | sed "s/^/ns${nsidx} /" | cat_i 85) 86 87original=$(cat ns1/managed.key) 88originalid=$(cat ns1/managed.key.id) 89 90status=0 91n=1 92 93rm -f dig.out.* 94 95echo_i "check for signed record ($n)" 96ret=0 97dig_with_opts +norec example. @10.53.0.1 TXT > dig.out.ns1.test$n || ret=1 98grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*TXT[[:space:]]*\"This is a test\.\"" dig.out.ns1.test$n > /dev/null || ret=1 99grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*RRSIG[[:space:]]*TXT[[:space:]]" dig.out.ns1.test$n > /dev/null || ret=1 100if [ $ret != 0 ]; then echo_i "failed"; fi 101status=$((status+ret)) 102 103n=$((n+1)) 104echo_i "check positive validation with valid trust anchor ($n)" 105ret=0 106dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 107grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 108grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 109if [ $ret != 0 ]; then echo_i "failed"; fi 110status=$((status+ret)) 111 112n=$((n+1)) 113ret=0 114echo_i "check positive validation using delv ($n)" 115delv_with_opts @10.53.0.1 txt example > delv.out$n || ret=1 116grep "; fully validated" delv.out$n > /dev/null || ret=1 # redundant 117grep "example..*TXT.*This is a test" delv.out$n > /dev/null || ret=1 118grep "example..*.RRSIG..*TXT" delv.out$n > /dev/null || ret=1 119if [ $ret != 0 ]; then echo_i "failed"; fi 120status=$((status+ret)) 121 122n=$((n+1)) 123echo_i "check for failed validation due to wrong key in managed-keys ($n)" 124ret=0 125dig_with_opts +noauth example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 126grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 127grep "example..*.RRSIG..*TXT" dig.out.ns3.test$n > /dev/null && ret=1 128grep "opcode: QUERY, status: SERVFAIL, id" dig.out.ns3.test$n > /dev/null || ret=1 129if [ $ret != 0 ]; then echo_i "failed"; fi 130status=$((status+ret)) 131 132n=$((n+1)) 133echo_i "check new trust anchor can be added ($n)" 134ret=0 135standby1=$($KEYGEN -a rsasha256 -qfk -K ns1 .) 136mkeys_loadkeys_on 1 || ret=1 137mkeys_refresh_on 2 || ret=1 138mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 139# there should be two keys listed now 140count=$(grep -c "keyid: " rndc.out.$n) || true 141[ "$count" -eq 2 ] || ret=1 142# two lines indicating trust status 143count=$(grep -c "trust" rndc.out.$n) || true 144[ "$count" -eq 2 ] || ret=1 145# one indicates current trust 146count=$(grep -c "trusted since" rndc.out.$n) || true 147[ "$count" -eq 1 ] || ret=1 148# one indicates pending trust 149count=$(grep -c "trust pending" rndc.out.$n) || true 150[ "$count" -eq 1 ] || ret=1 151if [ $ret != 0 ]; then echo_i "failed"; fi 152status=$((status+ret)) 153 154n=$((n+1)) 155echo_i "check new trust anchor can't be added with bad initial key ($n)" 156ret=0 157mkeys_refresh_on 3 || ret=1 158mkeys_status_on 3 > rndc.out.$n 2>&1 || ret=1 159# there should be one key listed now 160count=$(grep -c "keyid: " rndc.out.$n) || true 161[ "$count" -eq 1 ] || ret=1 162# one line indicating trust status 163count=$(grep -c "trust" rndc.out.$n) || true 164[ "$count" -eq 1 ] || ret=1 165# ... and the key is not trusted 166count=$(grep -c "no trust" rndc.out.$n) || true 167[ "$count" -eq 1 ] || ret=1 168if [ $ret != 0 ]; then echo_i "failed"; fi 169status=$((status+ret)) 170 171n=$((n+1)) 172echo_i "remove untrusted standby key, check timer restarts ($n)" 173ret=0 174mkeys_sync_on 2 || ret=1 175t1=$(grep "trust pending" ns2/managed-keys.bind) || true 176$SETTIME -D now -K ns1 "$standby1" > /dev/null 177mkeys_loadkeys_on 1 || ret=1 178# Less than a second may have passed since the last time ns2 received a 179# ./DNSKEY response from ns1. Ensure keys are refreshed at a different 180# timestamp to prevent false negatives caused by the acceptance timer getting 181# reset to the same timestamp. 182sleep 1 183mkeys_refresh_on 2 || ret=1 184mkeys_sync_on 2 || ret=1 185t2=$(grep "trust pending" ns2/managed-keys.bind) || true 186# trust pending date must be different 187[ -n "$t2" ] || ret=1 188[ "$t1" = "$t2" ] && ret=1 189if [ $ret != 0 ]; then echo_i "failed"; fi 190status=$((status+ret)) 191 192n=$((n+1)) 193ret=0 194echo_i "restore untrusted standby key, revoke original key ($n)" 195t1=$t2 196$SETTIME -D none -K ns1 "$standby1" > /dev/null 197$SETTIME -R now -K ns1 "$original" > /dev/null 198mkeys_loadkeys_on 1 || ret=1 199# Less than a second may have passed since the last time ns2 received a 200# ./DNSKEY response from ns1. Ensure keys are refreshed at a different 201# timestamp to prevent false negatives caused by the acceptance timer getting 202# reset to the same timestamp. 203sleep 1 204mkeys_refresh_on 2 || ret=1 205mkeys_sync_on 2 || ret=1 206mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 207# two keys listed 208count=$(grep -c "keyid: " rndc.out.$n) || true 209[ "$count" -eq 2 ] || ret=1 210# two lines indicating trust status 211count=$(grep -c "trust" rndc.out.$n) || true 212[ "$count" -eq 2 ] || ret=1 213# trust is revoked 214count=$(grep -c "trust revoked" rndc.out.$n) || true 215[ "$count" -eq 1 ] || ret=1 216# removal scheduled 217count=$(grep -c "remove at" rndc.out.$n) || true 218[ "$count" -eq 1 ] || ret=1 219# trust is still pending on the standby key 220count=$(grep -c "trust pending" rndc.out.$n) || true 221[ "$count" -eq 1 ] || ret=1 222# pending date moved forward for the standby key 223t2=$(grep "trust pending" ns2/managed-keys.bind) || true 224[ -n "$t2" ] || ret=1 225[ "$t1" = "$t2" ] && ret=1 226if [ $ret != 0 ]; then echo_i "failed"; fi 227status=$((status+ret)) 228 229n=$((n+1)) 230ret=0 231echo_i "refresh managed-keys, ensure same result ($n)" 232t1=$t2 233# Less than a second may have passed since the last time ns2 received a 234# ./DNSKEY response from ns1. Ensure keys are refreshed at a different 235# timestamp to prevent false negatives caused by the acceptance timer getting 236# reset to the same timestamp. 237sleep 1 238mkeys_refresh_on 2 || ret=1 239mkeys_sync_on 2 || ret=1 240mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 241# two keys listed 242count=$(grep -c "keyid: " rndc.out.$n) || true 243[ "$count" -eq 2 ] || ret=1 244# two lines indicating trust status 245count=$(grep -c "trust" rndc.out.$n) || true 246[ "$count" -eq 2 ] || ret=1 247# trust is revoked 248count=$(grep -c "trust revoked" rndc.out.$n) || true 249[ "$count" -eq 1 ] || ret=1 250# removal scheduled 251count=$(grep -c "remove at" rndc.out.$n) || true 252[ "$count" -eq 1 ] || ret=1 253# trust is still pending on the standby key 254count=$(grep -c "trust pending" rndc.out.$n) || true 255[ "$count" -eq 1 ] || ret=1 256# pending date moved forward for the standby key 257t2=$(grep "trust pending" ns2/managed-keys.bind) || true 258[ -n "$t2" ] || ret=1 259[ "$t1" = "$t2" ] && ret=1 260if [ $ret != 0 ]; then echo_i "failed"; fi 261status=$((status+ret)) 262 263n=$((n+1)) 264ret=0 265echo_i "restore revoked key, ensure same result ($n)" 266t1=$t2 267$SETTIME -R none -D now -K ns1 "$original" > /dev/null 268mkeys_loadkeys_on 1 || ret=1 269$SETTIME -D none -K ns1 "$original" > /dev/null 270mkeys_loadkeys_on 1 || ret=1 271# Less than a second may have passed since the last time ns2 received a 272# ./DNSKEY response from ns1. Ensure keys are refreshed at a different 273# timestamp to prevent false negatives caused by the acceptance timer getting 274# reset to the same timestamp. 275sleep 1 276mkeys_refresh_on 2 || ret=1 277mkeys_sync_on 2 || ret=1 278mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 279# two keys listed 280count=$(grep -c "keyid: " rndc.out.$n) || true 281[ "$count" -eq 2 ] || ret=1 282# two lines indicating trust status 283count=$(grep -c "trust" rndc.out.$n) || true 284[ "$count" -eq 2 ] || ret=1 285# trust is revoked 286count=$(grep -c "trust revoked" rndc.out.$n) || true 287[ "$count" -eq 1 ] || ret=1 288# removal scheduled 289count=$(grep -c "remove at" rndc.out.$n) || true 290[ "$count" -eq 1 ] || ret=1 291# trust is still pending on the standby key 292count=$(grep -c "trust pending" rndc.out.$n) || true 293[ "$count" -eq 1 ] || ret=1 294# pending date moved forward for the standby key 295t2=$(grep "trust pending" ns2/managed-keys.bind) || true 296[ -n "$t2" ] || ret=1 297[ "$t1" = "$t2" ] && ret=1 298if [ $ret != 0 ]; then echo_i "failed"; fi 299status=$((status+ret)) 300 301echo_i "reinitialize trust anchors, add second key to bind.keys" 302$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port "${CONTROLPORT}" mkeys ns2 303rm -f ns2/managed-keys.bind* 304keyfile_to_initial_ds ns1/"$original" ns1/"$standby1" > ns2/managed.conf 305nextpart ns2/named.run > /dev/null 306$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port "${PORT}" mkeys ns2 307 308n=$((n+1)) 309echo_i "check that no key from bind.keys is marked as an initializing key ($n)" 310ret=0 311wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 312mkeys_secroots_on 2 || ret=1 313grep '; initializing' ns2/named.secroots > /dev/null 2>&1 && ret=1 314if [ $ret != 0 ]; then echo_i "failed"; fi 315status=$((status+ret)) 316 317echo_i "reinitialize trust anchors, revert to one key in bind.keys" 318$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port "${CONTROLPORT}" mkeys ns2 319rm -f ns2/managed-keys.bind* 320mv ns2/managed1.conf ns2/managed.conf 321nextpart ns2/named.run > /dev/null 322$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port "${PORT}" mkeys ns2 323 324n=$((n+1)) 325echo_i "check that standby key is now trusted ($n)" 326ret=0 327wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 328mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 329# two keys listed 330count=$(grep -c "keyid: " rndc.out.$n) || true 331[ "$count" -eq 2 ] || ret=1 332# two lines indicating trust status 333count=$(grep -c "trust" rndc.out.$n) || true 334[ "$count" -eq 2 ] || ret=1 335# both indicate current trust 336count=$(grep -c "trusted since" rndc.out.$n) || true 337[ "$count" -eq 2 ] || ret=1 338if [ $ret != 0 ]; then echo_i "failed"; fi 339status=$((status+ret)) 340 341n=$((n+1)) 342echo_i "revoke original key, add new standby ($n)" 343ret=0 344standby2=$($KEYGEN -a rsasha256 -qfk -K ns1 .) 345$SETTIME -R now -K ns1 "$original" > /dev/null 346mkeys_loadkeys_on 1 || ret=1 347mkeys_refresh_on 2 || ret=1 348mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 349# three keys listed 350count=$(grep -c "keyid: " rndc.out.$n) || true 351[ "$count" -eq 3 ] || ret=1 352# one is revoked 353count=$(grep -c "REVOKE" rndc.out.$n) || true 354[ "$count" -eq 1 ] || ret=1 355# three lines indicating trust status 356count=$(grep -c "trust" rndc.out.$n) || true 357[ "$count" -eq 3 ] || ret=1 358# one indicates current trust 359count=$(grep -c "trusted since" rndc.out.$n) || true 360[ "$count" -eq 1 ] || ret=1 361# one indicates revoked trust 362count=$(grep -c "trust revoked" rndc.out.$n) || true 363[ "$count" -eq 1 ] || ret=1 364# one indicates trust pending 365count=$(grep -c "trust pending" rndc.out.$n) || true 366[ "$count" -eq 1 ] || ret=1 367# removal scheduled 368count=$(grep -c "remove at" rndc.out.$n) || true 369[ "$count" -eq 1 ] || ret=1 370if [ $ret != 0 ]; then echo_i "failed"; fi 371status=$((status+ret)) 372 373n=$((n+1)) 374echo_i "revoke standby before it is trusted ($n)" 375ret=0 376standby3=$($KEYGEN -a rsasha256 -qfk -K ns1 .) 377mkeys_loadkeys_on 1 || ret=1 378mkeys_refresh_on 2 || ret=1 379mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 380# four keys listed 381count=$(grep -c "keyid: " rndc.out.1.$n) || true 382[ "$count" -eq 4 ] || { echo_i "keyid: count ($count) != 4"; ret=1; } 383# one revoked 384count=$(grep -c "trust revoked" rndc.out.1.$n) || true 385[ "$count" -eq 1 ] || { echo_i "trust revoked count ($count) != 1"; ret=1; } 386# two pending 387count=$(grep -c "trust pending" rndc.out.1.$n) || true 388[ "$count" -eq 2 ] || { echo_i "trust pending count ($count) != 2"; ret=1; } 389$SETTIME -R now -K ns1 "$standby3" > /dev/null 390mkeys_loadkeys_on 1 || ret=1 391mkeys_refresh_on 2 || ret=1 392mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 393# now three keys listed 394count=$(grep -c "keyid: " rndc.out.2.$n) || true 395[ "$count" -eq 3 ] || { echo_i "keyid: count ($count) != 3"; ret=1; } 396# one revoked 397count=$(grep -c "trust revoked" rndc.out.2.$n) || true 398[ "$count" -eq 1 ] || { echo_i "trust revoked count ($count) != 1"; ret=1; } 399# one pending 400count=$(grep -c "trust pending" rndc.out.2.$n) || true 401[ "$count" -eq 1 ] || { echo_i "trust pending count ($count) != 1"; ret=1; } 402$SETTIME -D now -K ns1 "$standby3" > /dev/null 403mkeys_loadkeys_on 1 || ret=1 404if [ $ret != 0 ]; then echo_i "failed"; fi 405status=$((status+ret)) 406 407n=$((n+1)) 408echo_i "wait 20 seconds for key add/remove holddowns to expire ($n)" 409ret=0 410sleep 20 411mkeys_refresh_on 2 || ret=1 412mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 413# two keys listed 414count=$(grep -c "keyid: " rndc.out.$n) || true 415[ "$count" -eq 2 ] || ret=1 416# none revoked 417count=$(grep -c "REVOKE" rndc.out.$n) || true 418[ "$count" -eq 0 ] || ret=1 419# two lines indicating trust status 420count=$(grep -c "trust" rndc.out.$n) || true 421[ "$count" -eq 2 ] || ret=1 422# both indicate current trust 423count=$(grep -c "trusted since" rndc.out.$n) || true 424[ "$count" -eq 2 ] || ret=1 425if [ $ret != 0 ]; then echo_i "failed"; fi 426status=$((status+ret)) 427 428n=$((n+1)) 429echo_i "revoke all keys, confirm roll to insecure ($n)" 430ret=0 431$SETTIME -D now -K ns1 "$original" > /dev/null 432$SETTIME -R now -K ns1 "$standby1" > /dev/null 433$SETTIME -R now -K ns1 "$standby2" > /dev/null 434mkeys_loadkeys_on 1 || ret=1 435mkeys_refresh_on 2 || ret=1 436mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 437# two keys listed 438count=$(grep -c "keyid: " rndc.out.$n) || true 439[ "$count" -eq 2 ] || ret=1 440# both revoked 441count=$(grep -c "REVOKE" rndc.out.$n) || true 442[ "$count" -eq 2 ] || ret=1 443# two lines indicating trust status 444count=$(grep -c "trust" rndc.out.$n) || true 445[ "$count" -eq 2 ] || ret=1 446# both indicate trust revoked 447count=$(grep -c "trust revoked" rndc.out.$n) || true 448[ "$count" -eq 2 ] || ret=1 449# both have removal scheduled 450count=$(grep -c "remove at" rndc.out.$n) || true 451[ "$count" -eq 2 ] || ret=1 452if [ $ret != 0 ]; then echo_i "failed"; fi 453status=$((status+ret)) 454 455n=$((n+1)) 456echo_i "check for insecure response ($n)" 457ret=0 458mkeys_refresh_on 2 || ret=1 459dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 460grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 461grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 462grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 463if [ $ret != 0 ]; then echo_i "failed"; fi 464status=$((status+ret)) 465 466n=$((n+1)) 467echo_i "reset the root server ($n)" 468ret=0 469$SETTIME -D none -R none -K ns1 "$original" > /dev/null 470$SETTIME -D now -K ns1 "$standby1" > /dev/null 471$SETTIME -D now -K ns1 "$standby2" > /dev/null 472$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null 473copy_setports ns1/named2.conf.in ns1/named.conf 474rm -f ns1/root.db.signed.jnl 475mkeys_reconfig_on 1 || ret=1 476mkeys_reload_on 1 || ret=1 477if [ $ret != 0 ]; then echo_i "failed"; fi 478status=$((status+ret)) 479 480echo_i "reinitialize trust anchors" 481$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port "${CONTROLPORT}" mkeys ns2 482rm -f ns2/managed-keys.bind* 483nextpart ns2/named.run > /dev/null 484$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port "${PORT}" mkeys ns2 485 486n=$((n+1)) 487echo_i "check positive validation ($n)" 488ret=0 489wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 490dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 491grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 492grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 493if [ $ret != 0 ]; then echo_i "failed"; fi 494status=$((status+ret)) 495 496n=$((n+1)) 497echo_i "revoke key with bad signature, check revocation is ignored ($n)" 498ret=0 499revoked=$($REVOKE -K ns1 "$original") 500rkeyid=$(keyfile_to_key_id "$revoked") 501rm -f ns1/root.db.signed.jnl 502# We need to activate at least one valid DNSKEY to prevent dnssec-signzone from 503# failing. Alternatively, we could use -P to disable post-sign verification, 504# but we actually do want post-sign verification to happen to ensure the zone 505# is correct before we break it on purpose. 506$SETTIME -R none -D none -K ns1 "$standby1" > /dev/null 507$SIGNER -Sg -K ns1 -N unixtime -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>/dev/null 508cp -f ns1/root.db.signed ns1/root.db.tmp 509BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg==" 510# Less than a second may have passed since ns1 was started. If we call 511# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the 512# subsequent "rndc reload ." call on platforms which do not set the 513# "nanoseconds" field of isc_time_t, due to zone load time being seemingly 514# equal to master file modification time. 515sleep 1 516sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n > ns1/root.db.signed 517mkeys_reload_on 1 || ret=1 518mkeys_refresh_on 2 || ret=1 519mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 520# one key listed 521count=$(grep -c "keyid: " rndc.out.$n) || true 522[ "$count" -eq 1 ] || { echo_i "'keyid:' count ($count) != 1"; ret=1; } 523# it's the original key id 524count=$(grep -c "keyid: $originalid" rndc.out.$n) || true 525[ "$count" -eq 1 ] || { echo_i "'keyid: $originalid' count ($count) != 1"; ret=1; } 526# not revoked 527count=$(grep -c "REVOKE" rndc.out.$n) || true 528[ "$count" -eq 0 ] || { echo_i "'REVOKE' count ($count) != 0"; ret=1; } 529# trust is still current 530count=$(grep -c "trust" rndc.out.$n) || true 531[ "$count" -eq 1 ] || { echo_i "'trust' count != 1"; ret=1; } 532count=$(grep -c "trusted since" rndc.out.$n) || true 533[ "$count" -eq 1 ] || { echo_i "'trusted since' count != 1"; ret=1; } 534if [ $ret != 0 ]; then echo_i "failed"; fi 535status=$((status+ret)) 536 537n=$((n+1)) 538echo_i "check validation fails with bad DNSKEY rrset ($n)" 539ret=0 540mkeys_flush_on 2 || ret=1 541dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 542grep "status: SERVFAIL" dig.out.ns2.test$n > /dev/null || ret=1 543if [ $ret != 0 ]; then echo_i "failed"; fi 544status=$((status+ret)) 545 546n=$((n+1)) 547echo_i "restore DNSKEY rrset, check validation succeeds again ($n)" 548ret=0 549rm -f "${revoked}".key "${revoked}".private 550rm -f ns1/root.db.signed.jnl 551$SETTIME -D none -R none -K ns1 "$original" > /dev/null 552$SETTIME -D now -K ns1 "$standby1" > /dev/null 553# Less than a second may have passed since ns1 was started. If we call 554# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the 555# subsequent "rndc reload ." call on platforms which do not set the 556# "nanoseconds" field of isc_time_t, due to zone load time being seemingly 557# equal to master file modification time. 558sleep 1 559$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null 560mkeys_reload_on 1 || ret=1 561mkeys_flush_on 2 || ret=1 562dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 563grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 564grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 565if [ $ret != 0 ]; then echo_i "failed"; fi 566status=$((status+ret)) 567 568n=$((n+1)) 569echo_i "reset the root server with no keys, check for minimal update ($n)" 570ret=0 571# Refresh keys first to prevent previous checks from influencing this one. 572# Note that we might still get occasional false negatives on some really slow 573# machines, when $t1 equals $t2 due to the time elapsed between "rndc 574# managed-keys status" calls being equal to the normal active refresh period 575# (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as 576# set using -T mkeytimers). 577mkeys_refresh_on 2 || ret=1 578mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 579t1=$(grep 'next refresh:' rndc.out.1.$n) || true 580$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port "${CONTROLPORT}" mkeys ns1 581rm -f ns1/root.db.signed.jnl 582cp ns1/root.db ns1/root.db.signed 583nextpart ns1/named.run > /dev/null 584$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port "${PORT}" mkeys ns1 585wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 586mkeys_refresh_on 2 || ret=1 587mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 588# one key listed 589count=$(grep -c "keyid: " rndc.out.2.$n) || true 590[ "$count" -eq 1 ] || ret=1 591# it's the original key id 592count=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true 593[ "$count" -eq 1 ] || ret=1 594# not revoked 595count=$(grep -c "REVOKE" rndc.out.2.$n) || true 596[ "$count" -eq 0 ] || ret=1 597# trust is still current 598count=$(grep -c "trust" rndc.out.2.$n) || true 599[ "$count" -eq 1 ] || ret=1 600count=$(grep -c "trusted since" rndc.out.2.$n) || true 601[ "$count" -eq 1 ] || ret=1 602t2=$(grep 'next refresh:' rndc.out.2.$n) || true 603[ "$t1" = "$t2" ] && ret=1 604if [ $ret != 0 ]; then echo_i "failed"; fi 605status=$((status+ret)) 606 607n=$((n+1)) 608echo_i "reset the root server with no signatures, check for minimal update ($n)" 609ret=0 610# Refresh keys first to prevent previous checks from influencing this one 611mkeys_refresh_on 2 || ret=1 612mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 613t1=$(grep 'next refresh:' rndc.out.1.$n) || true 614$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port "${CONTROLPORT}" mkeys ns1 615rm -f ns1/root.db.signed.jnl 616cat ns1/K*.key >> ns1/root.db.signed 617nextpart ns1/named.run > /dev/null 618$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port "${PORT}" mkeys ns1 619wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 620# Less than a second may have passed since the last time ns2 received a 621# ./DNSKEY response from ns1. Ensure keys are refreshed at a different 622# timestamp to prevent minimal update from resetting it to the same timestamp. 623sleep 1 624mkeys_refresh_on 2 || ret=1 625mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 626# one key listed 627count=$(grep -c "keyid: " rndc.out.2.$n) || true 628[ "$count" -eq 1 ] || ret=1 629# it's the original key id 630count=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true 631[ "$count" -eq 1 ] || ret=1 632# not revoked 633count=$(grep -c "REVOKE" rndc.out.2.$n) || true 634[ "$count" -eq 0 ] || ret=1 635# trust is still current 636count=$(grep -c "trust" rndc.out.2.$n) || true 637[ "$count" -eq 1 ] || ret=1 638count=$(grep -c "trusted since" rndc.out.2.$n) || true 639[ "$count" -eq 1 ] || ret=1 640t2=$(grep 'next refresh:' rndc.out.2.$n) || true 641[ "$t1" = "$t2" ] && ret=1 642if [ $ret != 0 ]; then echo_i "failed"; fi 643status=$((status+ret)) 644 645n=$((n+1)) 646echo_i "restore root server, check validation succeeds again ($n)" 647ret=0 648rm -f ns1/root.db.signed.jnl 649$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null 650mkeys_reload_on 1 || ret=1 651mkeys_refresh_on 2 || ret=1 652mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 653dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 654grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 655grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 656if [ $ret != 0 ]; then echo_i "failed"; fi 657status=$((status+ret)) 658 659n=$((n+1)) 660echo_i "check that trust-anchor-telemetry queries are logged ($n)" 661ret=0 662grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run > /dev/null || ret=1 663if [ $ret != 0 ]; then echo_i "failed"; fi 664status=$((status+ret)) 665 666n=$((n+1)) 667echo_i "check that trust-anchor-telemetry queries are received ($n)" 668ret=0 669grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run > /dev/null || ret=1 670if [ $ret != 0 ]; then echo_i "failed"; fi 671status=$((status+ret)) 672 673n=$((n+1)) 674echo_i "check 'rndc-managed-keys destroy' ($n)" 675ret=0 676rndccmd 10.53.0.2 managed-keys destroy | sed 's/^/ns2 /' | cat_i 677mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 678grep "no views with managed keys" rndc.out.1.$n > /dev/null || ret=1 679mkeys_reconfig_on 2 || ret=1 680mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 681grep "name: \." rndc.out.2.$n > /dev/null || ret=1 682if [ $ret != 0 ]; then echo_i "failed"; fi 683status=$((status+ret)) 684 685n=$((n+1)) 686echo_i "check that trust-anchor-telemetry queries contain the correct key ($n)" 687ret=0 688# convert the hexadecimal key from the TAT query into decimal and 689# compare against the known key. 690tathex=$(grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run | awk '{print $6; exit 0}' | sed -e 's/(_ta-\([0-9a-f][0-9a-f]*\)):/\1/') || true 691tatkey=$($PERL -e 'printf("%d\n", hex(@ARGV[0]));' "$tathex") 692realkey=$(rndccmd 10.53.0.2 secroots - | sed -n 's#.*SHA256/\([0-9][0-9]*\) ; .*managed.*#\1#p') 693[ "$tatkey" -eq "$realkey" ] || ret=1 694if [ $ret != 0 ]; then echo_i "failed"; fi 695status=$((status+ret)) 696 697n=$((n+1)) 698echo_i "check initialization fails if managed-keys can't be created ($n)" 699ret=0 700mkeys_secroots_on 4 || ret=1 701grep '; initializing managed' ns4/named.secroots > /dev/null 2>&1 || ret=1 702grep '; managed' ns4/named.secroots > /dev/null 2>&1 && ret=1 703grep '; trusted' ns4/named.secroots > /dev/null 2>&1 && ret=1 704if [ $ret != 0 ]; then echo_i "failed"; fi 705status=$((status+ret)) 706 707n=$((n+1)) 708echo_i "check failure to contact root servers does not prevent key refreshes after restart ($n)" 709ret=0 710# By the time we get here, ns5 should have attempted refreshing its managed 711# keys. These attempts should fail as ns1 is configured to REFUSE all queries 712# from ns5. Note that named1.args does not contain "-T mkeytimers"; this is to 713# ensure key refresh retry will be scheduled to one actual hour after the first 714# key refresh failure instead of just a few seconds, in order to prevent races 715# between the next scheduled key refresh time and startup time of restarted ns5. 716$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port "${CONTROLPORT}" mkeys ns5 717nextpart ns5/named.run > /dev/null 718$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port "${PORT}" mkeys ns5 719wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns5/named.run || ret=1 720# ns5/named.run will contain logs from both the old instance and the new 721# instance. In order for the test to pass, both must attempt a fetch. 722count=$(grep -c "Creating key fetch" ns5/named.run) || true 723[ "$count" -lt 2 ] && ret=1 724if [ $ret != 0 ]; then echo_i "failed"; fi 725status=$((status+ret)) 726 727n=$((n+1)) 728echo_i "check key refreshes are resumed after root servers become available ($n)" 729ret=0 730$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port "${CONTROLPORT}" mkeys ns5 731# Prevent previous check from affecting this one 732rm -f ns5/managed-keys.bind* 733# named2.args adds "-T mkeytimers=2/20/40" to named1.args as we need to wait for 734# an "hour" until keys are refreshed again after initial failure 735cp ns5/named2.args ns5/named.args 736nextpart ns5/named.run > /dev/null 737$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port "${PORT}" mkeys ns5 738wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1 739mkeys_secroots_on 5 || ret=1 740grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1 741# ns1 should still REFUSE queries from ns5, so resolving should be impossible 742dig_with_opts +noauth example. @10.53.0.5 txt > dig.out.ns5.a.test$n || ret=1 743grep "flags:.*ad.*QUERY" dig.out.ns5.a.test$n > /dev/null && ret=1 744grep "example..*.RRSIG..*TXT" dig.out.ns5.a.test$n > /dev/null && ret=1 745grep "status: SERVFAIL" dig.out.ns5.a.test$n > /dev/null || ret=1 746# Allow queries from ns5 to ns1 747copy_setports ns1/named3.conf.in ns1/named.conf 748rm -f ns1/root.db.signed.jnl 749nextpart ns5/named.run > /dev/null 750mkeys_reconfig_on 1 || ret=1 751wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1 752mkeys_secroots_on 5 || ret=1 753grep '; managed' ns5/named.secroots > /dev/null || ret=1 754# ns1 should not longer REFUSE queries from ns5, so managed keys should be 755# correctly refreshed and resolving should succeed 756dig_with_opts +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1 757grep "flags:.*ad.*QUERY" dig.out.ns5.b.test$n > /dev/null || ret=1 758grep "example..*.RRSIG..*TXT" dig.out.ns5.b.test$n > /dev/null || ret=1 759grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1 760if [ $ret != 0 ]; then echo_i "failed"; fi 761status=$((status+ret)) 762 763n=$((n+1)) 764echo_i "reinitialize trust anchors, add unsupported algorithm ($n)" 765ret=0 766$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port "${CONTROLPORT}" mkeys ns6 767rm -f ns6/managed-keys.bind* 768nextpart ns6/named.run > /dev/null 769$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port "${PORT}" mkeys ns6 770# log when an unsupported algorithm is encountered during startup 771wait_for_log 20 "ignoring initial-key for 'unsupported.': algorithm is unsupported" ns6/named.run || ret=1 772if [ $ret != 0 ]; then echo_i "failed"; fi 773status=$((status+ret)) 774 775n=$((n+1)) 776echo_i "ignoring unsupported algorithm in managed-keys ($n)" 777ret=0 778mkeys_status_on 6 > rndc.out.$n 2>&1 || ret=1 779# there should still be only two keys listed (for . and rsasha256.) 780count=$(grep -c "keyid: " rndc.out.$n) || true 781[ "$count" -eq 2 ] || ret=1 782# two lines indicating trust status 783count=$(grep -c "trust" rndc.out.$n) || true 784[ "$count" -eq 2 ] || ret=1 785 786n=$((n+1)) 787echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)" 788ret=0 789cp ns1/root.db ns1/root.db.orig 790ksk=$(cat ns1/managed.key) 791zsk=$(cat ns1/zone.key) 792cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db 793grep "\.[[:space:]]*IN[[:space:]]*DNSKEY[[:space:]]*257 3 255" ns1/root.db > /dev/null || ret=1 794$SIGNER -K ns1 -N unixtime -o . ns1/root.db "$ksk" "$zsk" > /dev/null 2>/dev/null || ret=1 795grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1 796cp ns1/root.db.orig ns1/root.db 797if [ $ret != 0 ]; then echo_i "failed"; fi 798status=$((status+ret)) 799 800n=$((n+1)) 801echo_i "ignoring unsupported algorithm in rollover ($n)" 802ret=0 803mkeys_reload_on 1 || ret=1 804mkeys_refresh_on 6 || ret=1 805mkeys_status_on 6 > rndc.out.$n 2>&1 || ret=1 806# there should still be only two keys listed (for . and rsasha256.) 807count=$(grep -c "keyid: " rndc.out.$n) || true 808[ "$count" -eq 2 ] || ret=1 809# two lines indicating trust status 810count=$(grep -c "trust" rndc.out.$n) || true 811[ "$count" -eq 2 ] || ret=1 812# log when an unsupported algorithm is encountered during rollover 813wait_for_log 20 "Cannot compute tag for key in zone .: algorithm is unsupported" ns6/named.run || ret=1 814if [ $ret != 0 ]; then echo_i "failed"; fi 815status=$((status+ret)) 816 817n=$((n+1)) 818echo_i "check 'rndc managed-keys' and views ($n)" 819ret=0 820rndccmd 10.53.0.7 managed-keys refresh in view1 > rndc.out.ns7.view1.test$n || ret=1 821grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n > /dev/null || ret=1 822lines=$(wc -l < rndc.out.ns7.view1.test$n) 823[ "$lines" -eq 1 ] || ret=1 824rndccmd 10.53.0.7 managed-keys refresh > rndc.out.ns7.view2.test$n || ret=1 825lines=$(wc -l < rndc.out.ns7.view2.test$n) 826grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n > /dev/null || ret=1 827grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null || ret=1 828[ "$lines" -eq 2 ] || ret=1 829if [ $ret != 0 ]; then echo_i "failed"; fi 830status=$((status+ret)) 831 832echo_i "exit status: $status" 833[ $status -eq 0 ] || exit 1 834