771 lines
22 KiB
Bash
771 lines
22 KiB
Bash
#!/bin/sh
|
|
|
|
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
#
|
|
# SPDX-License-Identifier: MPL-2.0
|
|
#
|
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
#
|
|
# See the COPYRIGHT file distributed with this work for additional
|
|
# information regarding copyright ownership.
|
|
|
|
set -e
|
|
|
|
# shellcheck source=conf.sh
|
|
. ../conf.sh
|
|
# shellcheck source=kasp.sh
|
|
. ../kasp.sh
|
|
|
|
dig_with_opts() {
|
|
$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p $PORT "$@"
|
|
}
|
|
|
|
start_time="$(TZ=UTC date +%s)"
|
|
status=0
|
|
n=0
|
|
|
|
set_zone "model2.multisigner"
|
|
set_policy "model2" "2" "3600"
|
|
|
|
# Key properties and states.
|
|
key_clear "KEY1"
|
|
set_keyrole "KEY1" "ksk"
|
|
set_keylifetime "KEY1" "0"
|
|
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
|
set_keysigning "KEY1" "yes"
|
|
set_zonesigning "KEY1" "no"
|
|
set_keystate "KEY1" "GOAL" "omnipresent"
|
|
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
|
|
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
|
|
set_keystate "KEY1" "STATE_DS" "omnipresent"
|
|
|
|
key_clear "KEY2"
|
|
set_keyrole "KEY2" "zsk"
|
|
set_keylifetime "KEY2" "0"
|
|
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
|
|
set_keysigning "KEY2" "no"
|
|
set_zonesigning "KEY2" "yes"
|
|
set_keystate "KEY2" "GOAL" "omnipresent"
|
|
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
|
|
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
|
|
|
|
key_clear "KEY3"
|
|
key_clear "KEY4"
|
|
|
|
set_keytimes_model2() {
|
|
# The first KSK is immediately published and activated.
|
|
created=$(key_get KEY1 CREATED)
|
|
set_keytime "KEY1" "PUBLISHED" "${created}"
|
|
set_keytime "KEY1" "ACTIVE" "${created}"
|
|
set_keytime "KEY1" "SYNCPUBLISH" "${created}"
|
|
|
|
# The first ZSKs are immediately published and activated.
|
|
created=$(key_get KEY2 CREATED)
|
|
set_keytime "KEY2" "PUBLISHED" "${created}"
|
|
set_keytime "KEY2" "ACTIVE" "${created}"
|
|
}
|
|
|
|
set_server "ns3" "10.53.0.3"
|
|
check_keys
|
|
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
|
set_keytimes_model2
|
|
check_keytimes
|
|
check_apex
|
|
dnssec_verify
|
|
|
|
set_server "ns4" "10.53.0.4"
|
|
check_keys
|
|
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
|
set_keytimes_model2
|
|
check_keytimes
|
|
check_apex
|
|
dnssec_verify
|
|
|
|
#
|
|
# Update DNSKEY RRset.
|
|
#
|
|
|
|
# Check that the ZSKs from the other provider are published.
|
|
zsks_are_published() {
|
|
dig_with_opts "$ZONE" "@${SERVER}" DNSKEY >"dig.out.$DIR.test$n" || return 1
|
|
cat dig.out.$DIR.test$n | tr [:blank:] ' ' >dig.out.$DIR.test$n.tr || return 1
|
|
# We should have two ZSKs.
|
|
lines=$(grep "256 3 13" dig.out.$DIR.test$n.tr | wc -l)
|
|
test "$lines" -eq 2 || return 1
|
|
# Both ZSKs are published.
|
|
grep "$(cat ns3/${ZONE}.zsk | tr [:blank:] ' ')" dig.out.$DIR.test$n.tr >/dev/null || return 1
|
|
grep "$(cat ns4/${ZONE}.zsk | tr [:blank:] ' ')" dig.out.$DIR.test$n.tr >/dev/null || return 1
|
|
# And one KSK.
|
|
lines=$(grep "257 3 13" dig.out.$DIR.test$n.tr | wc -l)
|
|
test "$lines" -eq 1 || return 1
|
|
}
|
|
|
|
# Test to make sure no DNSSEC records end up in the raw journal.
|
|
no_dnssec_in_journal() {
|
|
n=$((n + 1))
|
|
ret=0
|
|
echo_i "check zone ${ZONE} raw journal has no DNSSEC ($n)"
|
|
$JOURNALPRINT "${DIR}/${ZONE}.db.jnl" >"${DIR}/${ZONE}.journal.out.test$n"
|
|
rrset_exists NSEC "${DIR}/${ZONE}.journal.out.test$n" && ret=1
|
|
rrset_exists NSEC3 "${DIR}/${ZONE}.journal.out.test$n" && ret=1
|
|
rrset_exists NSEC3PARAM "${DIR}/${ZONE}.journal.out.test$n" && ret=1
|
|
rrset_exists RRSIG "${DIR}/${ZONE}.journal.out.test$n" && ret= 1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
}
|
|
|
|
# Check if a certain RRtype is present in the journal file.
|
|
rrset_exists() (
|
|
rrtype=$1
|
|
file=$2
|
|
lines=$(awk -v rt="${rrtype}" '$5 == rt {print}' ${file} | wc -l)
|
|
test "$lines" -gt 0
|
|
)
|
|
|
|
n=$((n + 1))
|
|
echo_i "add dnskey record: update zone ${ZONE} at ns3 with ZSK from provider ns4 ($n)"
|
|
ret=0
|
|
set_server "ns3" "10.53.0.3"
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update add $(cat "ns4/${ZONE}.zsk")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Check the new DNSKEY RRset.
|
|
n=$((n + 1))
|
|
echo_i "check zone ${ZONE} DNSKEY RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 zsks_are_published || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Check the logs for find zone keys errors.
|
|
n=$((n + 1))
|
|
echo_i "make sure we did not try to sign with the keys added with nsupdate for zone ${ZONE} ($n)"
|
|
ret=0
|
|
grep "dns_zone_findkeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Verify again.
|
|
dnssec_verify
|
|
|
|
n=$((n + 1))
|
|
echo_i "add dnskey record: - update zone ${ZONE} at ns4 with ZSK from provider ns3 ($n)"
|
|
ret=0
|
|
set_server "ns4" "10.53.0.4"
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update add $(cat "ns3/${ZONE}.zsk")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Check the new DNSKEY RRset.
|
|
n=$((n + 1))
|
|
echo_i "check zone ${ZONE} DNSKEY RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 zsks_are_published || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Check the logs for find zone keys errors.
|
|
n=$((n + 1))
|
|
echo_i "make sure we did not try to sign with the keys added with nsupdate for zone ${ZONE} ($n)"
|
|
ret=0
|
|
grep "dns_zone_findkeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Verify again.
|
|
dnssec_verify
|
|
no_dnssec_in_journal
|
|
|
|
n=$((n + 1))
|
|
echo_i "remove dnskey record: - try to remove ns3 ZSK from provider ns3 (should fail) ($n)"
|
|
ret=0
|
|
set_server "ns3" "10.53.0.3"
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update del $(cat "ns3/${ZONE}.zsk")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Both ZSKs should still be published.
|
|
n=$((n + 1))
|
|
echo_i "check zone ${ZONE} DNSKEY RRset after failed update ($n)"
|
|
ret=0
|
|
retry_quiet 10 zsks_are_published || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
echo_i "remove dnskey record: remove ns4 ZSK from provider ns3 ($n)"
|
|
ret=0
|
|
set_server "ns3" "10.53.0.3"
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update del $(cat "ns4/${ZONE}.zsk")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# We should have only the KSK and ZSK from provider ns3.
|
|
n=$((n + 1))
|
|
echo_i "check zone ${ZONE} DNSKEY RRset after update ($n)"
|
|
ret=0
|
|
check_keys
|
|
check_apex
|
|
dnssec_verify
|
|
|
|
n=$((n + 1))
|
|
echo_i "remove dnskey record: try to remove ns4 ZSK from provider ns4 (should fail) ($n)"
|
|
ret=0
|
|
set_server "ns4" "10.53.0.4"
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update del $(cat "ns4/${ZONE}.zsk")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Both ZSKs should still be published.
|
|
n=$((n + 1))
|
|
echo_i "check zone ${ZONE} DNSKEY RRset after failed update ($n)"
|
|
ret=0
|
|
retry_quiet 10 zsks_are_published || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
echo_i "remove dnskey record: remove ns3 ZSK from provider ns4 ($n)"
|
|
ret=0
|
|
set_server "ns4" "10.53.0.4"
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update del $(cat "ns3/${ZONE}.zsk")
|
|
echo send
|
|
) | $NSUPDATE
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# We should have only the KSK and ZSK from provider ns4.
|
|
n=$((n + 1))
|
|
echo_i "check zone ${ZONE} DNSKEY RRset after update ($n)"
|
|
ret=0
|
|
check_keys
|
|
check_apex
|
|
dnssec_verify
|
|
no_dnssec_in_journal
|
|
|
|
#
|
|
# Update CDNSKEY RRset.
|
|
#
|
|
|
|
# Check that the CDNSKEY from both providers are published.
|
|
records_published() {
|
|
_rrtype=$1
|
|
_expect=$2
|
|
|
|
dig_with_opts "$ZONE" "@${SERVER}" "${_rrtype}" >"dig.out.$DIR.test$n" || return 1
|
|
lines=$(awk -v rt="${_rrtype}" '$4 == rt {print}' dig.out.$DIR.test$n | wc -l)
|
|
test "$lines" -eq "$_expect" || return 1
|
|
}
|
|
|
|
# Retrieve CDNSKEY records from the other provider.
|
|
dig_with_opts ${ZONE} @10.53.0.3 CDNSKEY >dig.out.ns3.cdnskey
|
|
awk '$4 == "CDNSKEY" {print}' dig.out.ns3.cdnskey >cdnskey.ns3
|
|
dig_with_opts ${ZONE} @10.53.0.4 CDNSKEY >dig.out.ns4.cdnskey
|
|
awk '$4 == "CDNSKEY" {print}' dig.out.ns4.cdnskey >cdnskey.ns4
|
|
|
|
n=$((n + 1))
|
|
echo_i "add cdnskey record: update zone ${ZONE} at ns3 with CDNSKEY from provider ns4 ($n)"
|
|
ret=0
|
|
set_server "ns3" "10.53.0.3"
|
|
# Initially there should be one CDNSKEY.
|
|
retry_quiet 10 records_published CDNSKEY 1 || ret=1
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update add $(cat "cdnskey.ns4")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Now there should be two CDNSKEY records (we test that BIND does not
|
|
# skip it during DNSSEC maintenance).
|
|
n=$((n + 1))
|
|
echo_i "check zone ${ZONE} CDNSKEY RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 records_published CDNSKEY 2 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
echo_i "add cdnskey record: update zone ${ZONE} at ns4 with CDNSKEY from provider ns3 ($n)"
|
|
ret=0
|
|
set_server "ns4" "10.53.0.4"
|
|
# Initially there should be one CDNSKEY.
|
|
retry_quiet 10 records_published CDNSKEY 1 || ret=1
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update add $(cat "cdnskey.ns3")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Now there should be two CDNSKEY records (we test that BIND does not
|
|
# skip it during DNSSEC maintenance).
|
|
n=$((n + 1))
|
|
echo_i "check zone ${ZONE} CDNSKEY RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 records_published CDNSKEY 2 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# No DNSSEC in raw journal.
|
|
no_dnssec_in_journal
|
|
|
|
n=$((n + 1))
|
|
echo_i "remove cdnskey record: remove ns4 CDNSKEY from provider ns3 ($n)"
|
|
ret=0
|
|
set_server "ns3" "10.53.0.3"
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update del $(cat "cdnskey.ns4")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Now there should be one CDNSKEY record again.
|
|
n=$((n + 1))
|
|
echo_i "check zone ${ZONE} CDNSKEY RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 records_published CDNSKEY 1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
echo_i "remove cdnskey record: remove ns3 CDNSKEY from provider ns4 ($n)"
|
|
ret=0
|
|
set_server "ns4" "10.53.0.4"
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update del $(cat "cdnskey.ns3")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Now there should be one CDNSKEY record again.
|
|
n=$((n + 1))
|
|
echo_i "check zone ${ZONE} CDNSKEY RRset after update ($n)"ret=0
|
|
retry_quiet 10 records_published CDNSKEY 1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# No DNSSEC in raw journal.
|
|
no_dnssec_in_journal
|
|
|
|
#
|
|
# Update CDS RRset.
|
|
#
|
|
|
|
# Retrieve CDS records from the other provider.
|
|
dig_with_opts ${ZONE} @10.53.0.3 CDS >dig.out.ns3.cds
|
|
awk '$4 == "CDS" {print}' dig.out.ns3.cds >cds.ns3
|
|
dig_with_opts ${ZONE} @10.53.0.4 CDS >dig.out.ns4.cds
|
|
awk '$4 == "CDS" {print}' dig.out.ns4.cds >cds.ns4
|
|
|
|
n=$((n + 1))
|
|
echo_i "add cds record: update zone ${ZONE} at ns3 with CDS from provider ns4 ($n)"
|
|
ret=0
|
|
set_server "ns3" "10.53.0.3"
|
|
# Initially there should be one CDS.
|
|
retry_quiet 10 records_published CDS 1 || ret=1
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update add $(cat "cds.ns4")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Now there should be two CDS records (we test that BIND does not
|
|
# skip it during DNSSEC maintenance).
|
|
n=$((n + 1))
|
|
echo_i "check zone ${ZONE} CDS RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 records_published CDS 2 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
echo_i "add cds record: update zone ${ZONE} at ns4 with CDS from provider ns3 ($n)"
|
|
ret=0
|
|
set_server "ns4" "10.53.0.4"
|
|
# Initially there should be one CDS.
|
|
retry_quiet 10 records_published CDS 1 || ret=1
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update add $(cat "cds.ns3")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Now there should be two CDS records (we test that BIND does not
|
|
# skip it during DNSSEC maintenance).
|
|
n=$((n + 1))
|
|
echo_i "check zone ${ZONE} CDS RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 records_published CDS 2 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# No DNSSEC in raw journal.
|
|
no_dnssec_in_journal
|
|
|
|
n=$((n + 1))
|
|
echo_i "remove cds record: remove ns4 CDS from provider ns3 ($n)"
|
|
ret=0
|
|
set_server "ns3" "10.53.0.3"
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update del $(cat "cds.ns4")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Now there should be one CDS record again.
|
|
n=$((n + 1))
|
|
echo_i "check zone ${ZONE} CDS RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 records_published CDS 1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
echo_i "remove cds record: remove ns3 CDS from provider ns4 ($n)"
|
|
ret=0
|
|
set_server "ns4" "10.53.0.4"
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update del $(cat "cds.ns3")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Now there should be one CDS record again.
|
|
n=$((n + 1))
|
|
echo_i "check zone ${ZONE} CDS RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 records_published CDS 1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# No DNSSEC in raw journal.
|
|
no_dnssec_in_journal
|
|
|
|
#
|
|
# Check secondary server behaviour.
|
|
#
|
|
set_zone "model2.secondary"
|
|
set_policy "model2" "2" "3600"
|
|
|
|
set_server "ns3" "10.53.0.3"
|
|
check_keys
|
|
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
|
set_keytimes_model2
|
|
check_keytimes
|
|
check_apex
|
|
dnssec_verify
|
|
|
|
set_server "ns4" "10.53.0.4"
|
|
check_keys
|
|
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
|
set_keytimes_model2
|
|
check_keytimes
|
|
check_apex
|
|
dnssec_verify
|
|
|
|
#
|
|
# Update DNSKEY RRset.
|
|
#
|
|
n=$((n + 1))
|
|
echo_i "add dnskey record: update zone ${ZONE} at ns5 with ZSKs from providers ns3 and ns4 ($n)"
|
|
ret=0
|
|
set_server "ns5" "10.53.0.5"
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update add $(cat "ns3/${ZONE}.zsk")
|
|
echo update add $(cat "ns4/${ZONE}.zsk")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# NS3
|
|
n=$((n + 1))
|
|
set_server "ns3" "10.53.0.3"
|
|
echo_i "check server ${DIR} zone ${ZONE} DNSKEY RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 zsks_are_published || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
dnssec_verify
|
|
no_dnssec_in_journal
|
|
grep "dns_zone_findkeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# NS4
|
|
n=$((n + 1))
|
|
set_server "ns4" "10.53.0.4"
|
|
echo_i "check server ${DIR} zone ${ZONE} DNSKEY RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 zsks_are_published || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
dnssec_verify
|
|
no_dnssec_in_journal
|
|
grep "dns_zone_findkeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
echo_i "remove dnskey record: remove ns3 and ns4 DNSKEY records from primary ns5 ($n)"
|
|
ret=0
|
|
set_server "ns5" "10.53.0.5"
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update del $(cat "ns3/${ZONE}.zsk")
|
|
echo update del $(cat "ns4/${ZONE}.zsk")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Now there should be one DNSKEY record again.
|
|
# While we did remove both DNSKEY records, the bump in the wire signer, i.e
|
|
# the secondary inline-signing zone, should add back the DNSKEY belonging to
|
|
# its own KSK when re-signing the zone.
|
|
#
|
|
# NS3
|
|
n=$((n + 1))
|
|
set_server "ns3" "10.53.0.3"
|
|
echo_i "check server ${DIR} zone ${ZONE} DNSKEY RRset after update ($n)"
|
|
ret=0
|
|
check_keys
|
|
check_apex
|
|
dnssec_verify
|
|
no_dnssec_in_journal
|
|
# NS4
|
|
n=$((n + 1))
|
|
set_server "ns4" "10.53.0.4"
|
|
echo_i "check server ${DIR} zone ${ZONE} DNSKEY RRset after update ($n)"
|
|
ret=0
|
|
check_keys
|
|
check_apex
|
|
dnssec_verify
|
|
no_dnssec_in_journal
|
|
|
|
#
|
|
# Update CDNSKEY RRset.
|
|
#
|
|
|
|
# Retrieve CDNSKEY records from the providers.
|
|
n=$((n + 1))
|
|
echo_i "check initial CDSNKEY response for zone ${ZONE} at ns3 and ns4 ($n)"
|
|
ret=0
|
|
dig_with_opts ${ZONE} @10.53.0.3 CDNSKEY >dig.out.ns3.secondary.cdnskey
|
|
awk '$4 == "CDNSKEY" {print}' dig.out.ns3.secondary.cdnskey >secondary.cdnskey.ns3
|
|
dig_with_opts ${ZONE} @10.53.0.4 CDNSKEY >dig.out.ns4.secondary.cdnskey
|
|
awk '$4 == "CDNSKEY" {print}' dig.out.ns4.secondary.cdnskey >secondary.cdnskey.ns4
|
|
# Initially there should be one CDNSKEY.
|
|
set_server "ns3" "10.53.0.3"
|
|
retry_quiet 10 records_published CDNSKEY 1 || ret=1
|
|
set_server "ns4" "10.53.0.4"
|
|
retry_quiet 10 records_published CDNSKEY 1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
echo_i "add cdnskey record: update zone ${ZONE} at ns5 with CDNSKEY records from providers ns3 and ns4 ($n)"
|
|
ret=0
|
|
set_server "ns5" "10.53.0.5"
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update add $(cat "secondary.cdnskey.ns3")
|
|
echo update add $(cat "secondary.cdnskey.ns4")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Now there should be two CDNSKEY records (we test that BIND does not
|
|
# skip it during DNSSEC maintenance).
|
|
#
|
|
# NS3
|
|
n=$((n + 1))
|
|
set_server "ns3" "10.53.0.3"
|
|
echo_i "check server ${DIR} zone ${ZONE} CDNSKEY RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 records_published CDNSKEY 2 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
dnssec_verify
|
|
no_dnssec_in_journal
|
|
# NS4
|
|
n=$((n + 1))
|
|
set_server "ns4" "10.53.0.4"
|
|
echo_i "check server ${DIR} zone ${ZONE} CDNSKEY RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 records_published CDNSKEY 2 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
dnssec_verify
|
|
no_dnssec_in_journal
|
|
|
|
n=$((n + 1))
|
|
echo_i "remove cdnskey record: remove ns3 and ns4 CDNSKEY records from primary ns5 ($n)"
|
|
ret=0
|
|
set_server "ns5" "10.53.0.5"
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update del $(cat "secondary.cdnskey.ns3")
|
|
echo update del $(cat "secondary.cdnskey.ns4")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Now there should be one CDNSKEY record again.
|
|
# While we did remove both CDNSKEY records, the bump in the wire signer, i.e
|
|
# the secondary inline-signing zone, should add back the CDNSKEY belonging to
|
|
# its own KSK when re-signing the zone.
|
|
#
|
|
# NS3
|
|
n=$((n + 1))
|
|
set_server "ns3" "10.53.0.3"
|
|
echo_i "check server ${DIR} zone ${ZONE} CDNSKEY RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 records_published CDNSKEY 1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
dnssec_verify
|
|
no_dnssec_in_journal
|
|
# NS4
|
|
n=$((n + 1))
|
|
set_server "ns4" "10.53.0.4"
|
|
echo_i "check server ${DIR} zone ${ZONE} CDNSKEY RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 records_published CDNSKEY 1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
dnssec_verify
|
|
no_dnssec_in_journal
|
|
|
|
#
|
|
# Update CDS RRset.
|
|
#
|
|
|
|
# Retrieve CDS records from the other provider.
|
|
n=$((n + 1))
|
|
echo_i "check initial CDS response for zone ${ZONE} at ns3 and ns4 ($n)"
|
|
ret=0
|
|
dig_with_opts ${ZONE} @10.53.0.3 CDS >dig.out.ns3.secondary.cds
|
|
awk '$4 == "CDS" {print}' dig.out.ns3.secondary.cds >secondary.cds.ns3
|
|
dig_with_opts ${ZONE} @10.53.0.4 CDS >dig.out.ns4.secondary.cds
|
|
awk '$4 == "CDS" {print}' dig.out.ns4.secondary.cds >secondary.cds.ns4
|
|
# Initially there should be one CDS.
|
|
set_server "ns3" "10.53.0.3"
|
|
retry_quiet 10 records_published CDS 1 || ret=1
|
|
set_server "ns4" "10.53.0.4"
|
|
retry_quiet 10 records_published CDS 1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
|
|
n=$((n + 1))
|
|
echo_i "add cds record: update zone ${ZONE} at ns5 with CDS from provider ns4 ($n)"
|
|
ret=0
|
|
set_server "ns5" "10.53.0.5"
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update add $(cat "secondary.cds.ns3")
|
|
echo update add $(cat "secondary.cds.ns4")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Now there should be two CDS records (we test that BIND does not
|
|
# skip it during DNSSEC maintenance).
|
|
#
|
|
# NS3
|
|
n=$((n + 1))
|
|
set_server "ns3" "10.53.0.3"
|
|
echo_i "check server ${DIR} zone ${ZONE} CDS RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 records_published CDS 2 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
dnssec_verify
|
|
no_dnssec_in_journal
|
|
# NS4
|
|
n=$((n + 1))
|
|
set_server "ns4" "10.53.0.4"
|
|
echo_i "check server ${DIR} zone ${ZONE} CDS RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 records_published CDS 2 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
dnssec_verify
|
|
no_dnssec_in_journal
|
|
|
|
n=$((n + 1))
|
|
echo_i "remove cds record: remove ns3 and ns4 CDS records from primary ns5 ($n)"
|
|
ret=0
|
|
set_server "ns5" "10.53.0.5"
|
|
(
|
|
echo zone "${ZONE}"
|
|
echo server "${SERVER}" "${PORT}"
|
|
echo update del $(cat "secondary.cds.ns3")
|
|
echo update del $(cat "secondary.cds.ns4")
|
|
echo send
|
|
) | $NSUPDATE || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
# Now there should be one CDS record again.
|
|
# While we did remove both CDS records, the bump in the wire signer, i.e
|
|
# the secondary inline-signing zone, should add back the CDS belonging to
|
|
# its own KSK when re-signing the zone.
|
|
#
|
|
# NS3
|
|
n=$((n + 1))
|
|
set_server "ns3" "10.53.0.3"
|
|
echo_i "check server ${DIR} zone ${ZONE} CDS RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 records_published CDS 1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
dnssec_verify
|
|
no_dnssec_in_journal
|
|
# NS4
|
|
n=$((n + 1))
|
|
set_server "ns4" "10.53.0.4"
|
|
echo_i "check server ${DIR} zone ${ZONE} CDS RRset after update ($n)"
|
|
ret=0
|
|
retry_quiet 10 records_published CDS 1 || ret=1
|
|
test "$ret" -eq 0 || echo_i "failed"
|
|
status=$((status + ret))
|
|
dnssec_verify
|
|
no_dnssec_in_journal
|
|
|
|
echo_i "exit status: $status"
|
|
[ $status -eq 0 ] || exit 1
|