diff options
Diffstat (limited to '')
26 files changed, 416 insertions, 0 deletions
diff --git a/bin/tests/system/coverage/01-ksk-inactive/README b/bin/tests/system/coverage/01-ksk-inactive/README new file mode 100644 index 0000000..8102593 --- /dev/null +++ b/bin/tests/system/coverage/01-ksk-inactive/README @@ -0,0 +1,10 @@ +This set includes one KSK rollover. The KSK is deactivated prior to +its replacement being activated. Tool output should resemble: + +Checking KSK events for zone example.com, algorithm 7: +ERROR: After 2012-31-Jul (20:59:14): + Inactive: example.com/007/45435 (KSK) +No KSK's are active + +Checking ZSK events for zone example.com, algorithm 7: +OK diff --git a/bin/tests/system/coverage/01-ksk-inactive/expect b/bin/tests/system/coverage/01-ksk-inactive/expect new file mode 100644 index 0000000..3d342b1 --- /dev/null +++ b/bin/tests/system/coverage/01-ksk-inactive/expect @@ -0,0 +1,6 @@ +args="-d 1h -m 2h" +warn=0 +error=1 +ok=1 +retcode=1 +match="No KSK's are active" diff --git a/bin/tests/system/coverage/02-zsk-inactive/README b/bin/tests/system/coverage/02-zsk-inactive/README new file mode 100644 index 0000000..5d3fed1 --- /dev/null +++ b/bin/tests/system/coverage/02-zsk-inactive/README @@ -0,0 +1,10 @@ +This set includes one ZSK rollover. The first ZSK is deactivated +prior to its replacement being activated. Tool output should resemble: + +Checking KSK events for zone example.com, algorithm 7: +OK + +Checking ZSK events for zone example.com, algorithm 7: +ERROR: After 2012-05-Dec (20:39:32): + Inactive: example.com/005/08376 (ZSK) +No ZSK's are active diff --git a/bin/tests/system/coverage/02-zsk-inactive/expect b/bin/tests/system/coverage/02-zsk-inactive/expect new file mode 100644 index 0000000..a905b58 --- /dev/null +++ b/bin/tests/system/coverage/02-zsk-inactive/expect @@ -0,0 +1,6 @@ +args="-d 1h -m 2h" +warn=0 +error=1 +ok=1 +retcode=1 +match="No ZSK's are active" diff --git a/bin/tests/system/coverage/03-ksk-unpublished/README b/bin/tests/system/coverage/03-ksk-unpublished/README new file mode 100644 index 0000000..7d8a301 --- /dev/null +++ b/bin/tests/system/coverage/03-ksk-unpublished/README @@ -0,0 +1,10 @@ +This set contains one KSK rollover. The KSK is unpublished before its +successor is published. Tool output should resemble: + +Checking KSK events for zone example.com, algorithm 7: +ERROR: After 2012-06-Oct (21:07:57): + Delete: example.com/007/23040 (KSK) +No KSK's are published + +Checking ZSK events for zone example.com, algorithm 7: +OK diff --git a/bin/tests/system/coverage/03-ksk-unpublished/expect b/bin/tests/system/coverage/03-ksk-unpublished/expect new file mode 100644 index 0000000..07bbff1 --- /dev/null +++ b/bin/tests/system/coverage/03-ksk-unpublished/expect @@ -0,0 +1,8 @@ +args="-d 1h -m 2h" +warn=1 +error=1 +ok=1 +retcode=1 +match="WARNING: Key .* (KSK) is scheduled for +deletion before inactivation +No KSK's are published" diff --git a/bin/tests/system/coverage/04-zsk-unpublished/README b/bin/tests/system/coverage/04-zsk-unpublished/README new file mode 100644 index 0000000..5077abf --- /dev/null +++ b/bin/tests/system/coverage/04-zsk-unpublished/README @@ -0,0 +1,10 @@ +This set contains one ZSK rollover. The ZSK is unpublished before its +successor is published. Tool output should resemble: + +Checking KSK events for zone example.com, algorithm 7: +OK + +Checking ZSK events for zone example.com, algorithm 7: +ERROR: After 2012-06-Oct (21:13:45): + Delete: example.com/007/25967 (ZSK) +No ZSK's are published diff --git a/bin/tests/system/coverage/04-zsk-unpublished/expect b/bin/tests/system/coverage/04-zsk-unpublished/expect new file mode 100644 index 0000000..450ec24 --- /dev/null +++ b/bin/tests/system/coverage/04-zsk-unpublished/expect @@ -0,0 +1,8 @@ +args="-d 1h -m 2h" +warn=1 +error=1 +ok=1 +retcode=1 +match="WARNING: Key .* (ZSK) is scheduled for +deletion before inactivation +No ZSK's are published" diff --git a/bin/tests/system/coverage/05-ksk-unpub-active/README b/bin/tests/system/coverage/05-ksk-unpub-active/README new file mode 100644 index 0000000..119c1b2 --- /dev/null +++ b/bin/tests/system/coverage/05-ksk-unpub-active/README @@ -0,0 +1,12 @@ +This set includes one KSK rollover. The first KSK is deleted +and its successor published prior to the first KSK being deactivated +and its successor activated. Tool output should resemble: + +Checking KSK events for zone example.com, algorithm 7: +ERROR: After 2012-05-Dec (21:22:19): + Delete: example.com/007/06219 (KSK) + Publish: example.com/007/20559 (KSK) +No KSK's are both active and published + +Checking ZSK events for zone example.com, algorithm 7: +OK diff --git a/bin/tests/system/coverage/05-ksk-unpub-active/expect b/bin/tests/system/coverage/05-ksk-unpub-active/expect new file mode 100644 index 0000000..2edfa0e --- /dev/null +++ b/bin/tests/system/coverage/05-ksk-unpub-active/expect @@ -0,0 +1,8 @@ +args="-d 1h -m 2h" +warn=1 +error=1 +ok=1 +retcode=1 +match="WARNING: Key .* (KSK) is scheduled for +deletion before inactivation +No KSK's are both active and published" diff --git a/bin/tests/system/coverage/06-zsk-unpub-active/README b/bin/tests/system/coverage/06-zsk-unpub-active/README new file mode 100644 index 0000000..84833f8 --- /dev/null +++ b/bin/tests/system/coverage/06-zsk-unpub-active/README @@ -0,0 +1,12 @@ +This set includes one KSK rollover. The first KSK is deleted +and its successor published prior to the first KSK being deactivated +and its successor activated. Tool output should resemble: + +Checking KSK events for zone example.com, algorithm 7: +OK + +Checking ZSK events for zone example.com, algorithm 7: +ERROR: After 2012-05-Dec (20:44:18): + Delete: example.com/007/26369 (ZSK) + Publish: example.com/007/21029 (ZSK) +No ZSK's are both active and published diff --git a/bin/tests/system/coverage/06-zsk-unpub-active/expect b/bin/tests/system/coverage/06-zsk-unpub-active/expect new file mode 100644 index 0000000..0ef5b15 --- /dev/null +++ b/bin/tests/system/coverage/06-zsk-unpub-active/expect @@ -0,0 +1,8 @@ +args="-d 1h -m 2h" +warn=1 +error=1 +ok=1 +retcode=1 +match="WARNING: Key .* (ZSK) is scheduled for +deletion before inactivation +No ZSK's are both active and published" diff --git a/bin/tests/system/coverage/07-ksk-ttl/README b/bin/tests/system/coverage/07-ksk-ttl/README new file mode 100644 index 0000000..2659099 --- /dev/null +++ b/bin/tests/system/coverage/07-ksk-ttl/README @@ -0,0 +1,4 @@ +This set includes a KSK rollover, with insufficient delay between +prepublication and rollover. + +Expected tool output TBD. diff --git a/bin/tests/system/coverage/07-ksk-ttl/expect b/bin/tests/system/coverage/07-ksk-ttl/expect new file mode 100644 index 0000000..eade21a --- /dev/null +++ b/bin/tests/system/coverage/07-ksk-ttl/expect @@ -0,0 +1,9 @@ +args="-d 1w -m 2w" +warn=1 +error=0 +ok=2 +retcode=0 +match="WARNING: Key .* (KSK) is activated too soon +after publication +Activation should be at least 7 days after +publication." diff --git a/bin/tests/system/coverage/08-zsk-ttl/README b/bin/tests/system/coverage/08-zsk-ttl/README new file mode 100644 index 0000000..2659099 --- /dev/null +++ b/bin/tests/system/coverage/08-zsk-ttl/README @@ -0,0 +1,4 @@ +This set includes a KSK rollover, with insufficient delay between +prepublication and rollover. + +Expected tool output TBD. diff --git a/bin/tests/system/coverage/08-zsk-ttl/expect b/bin/tests/system/coverage/08-zsk-ttl/expect new file mode 100644 index 0000000..150c9cd --- /dev/null +++ b/bin/tests/system/coverage/08-zsk-ttl/expect @@ -0,0 +1,9 @@ +args="-d 1w -m 2w" +warn=1 +error=0 +ok=2 +retcode=0 +match="WARNING: Key .* (ZSK) is activated too soon +after publication +Activation should be at least 7 days after +publication." diff --git a/bin/tests/system/coverage/09-check-zsk/README b/bin/tests/system/coverage/09-check-zsk/README new file mode 100644 index 0000000..bc5edc8 --- /dev/null +++ b/bin/tests/system/coverage/09-check-zsk/README @@ -0,0 +1,6 @@ +This set includes one KSK rollover. The KSK is deactivated prior to +its replacement being activated; however, as we are only checking ZSK's, +we should not detect the error. Tool output should resemble: + +Checking ZSK events for zone example.com, algorithm 7: +OK diff --git a/bin/tests/system/coverage/09-check-zsk/expect b/bin/tests/system/coverage/09-check-zsk/expect new file mode 100644 index 0000000..d56c4bf --- /dev/null +++ b/bin/tests/system/coverage/09-check-zsk/expect @@ -0,0 +1,6 @@ +args="-z -d 1h -m 2h" +warn=0 +error=0 +ok=1 +retcode=0 +match="" diff --git a/bin/tests/system/coverage/10-check-ksk/README b/bin/tests/system/coverage/10-check-ksk/README new file mode 100644 index 0000000..948364d --- /dev/null +++ b/bin/tests/system/coverage/10-check-ksk/README @@ -0,0 +1,7 @@ +This set includes one ZSK rollover. The first ZSK is deactivated +prior to its replacement being activated; however, as we are only +checking KSKs, we should not detect the error. Tool output should +resemble: + +Checking KSK events for zone example.com, algorithm 7: +OK diff --git a/bin/tests/system/coverage/10-check-ksk/expect b/bin/tests/system/coverage/10-check-ksk/expect new file mode 100644 index 0000000..a03d2aa --- /dev/null +++ b/bin/tests/system/coverage/10-check-ksk/expect @@ -0,0 +1,6 @@ +args="-k -d 1h -m 2h" +warn=0 +error=0 +ok=1 +retcode=0 +match="" diff --git a/bin/tests/system/coverage/11-cutoff/README b/bin/tests/system/coverage/11-cutoff/README new file mode 100644 index 0000000..8102593 --- /dev/null +++ b/bin/tests/system/coverage/11-cutoff/README @@ -0,0 +1,10 @@ +This set includes one KSK rollover. The KSK is deactivated prior to +its replacement being activated. Tool output should resemble: + +Checking KSK events for zone example.com, algorithm 7: +ERROR: After 2012-31-Jul (20:59:14): + Inactive: example.com/007/45435 (KSK) +No KSK's are active + +Checking ZSK events for zone example.com, algorithm 7: +OK diff --git a/bin/tests/system/coverage/11-cutoff/expect b/bin/tests/system/coverage/11-cutoff/expect new file mode 100644 index 0000000..bdf29d0 --- /dev/null +++ b/bin/tests/system/coverage/11-cutoff/expect @@ -0,0 +1,6 @@ +args="-l 1y -d 1h -m 2h" +warn=0 +error=0 +ok=2 +retcode=0 +match="" diff --git a/bin/tests/system/coverage/clean.sh b/bin/tests/system/coverage/clean.sh new file mode 100644 index 0000000..253e8aa --- /dev/null +++ b/bin/tests/system/coverage/clean.sh @@ -0,0 +1,16 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f named-compilezone +rm -f */K*.key +rm -f */K*.private +rm -rf coverage.* +rm -f ns*/named.lock diff --git a/bin/tests/system/coverage/prereq.sh b/bin/tests/system/coverage/prereq.sh new file mode 100644 index 0000000..a0d4e9c --- /dev/null +++ b/bin/tests/system/coverage/prereq.sh @@ -0,0 +1,15 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +exec $SHELL ../testcrypto.sh diff --git a/bin/tests/system/coverage/setup.sh b/bin/tests/system/coverage/setup.sh new file mode 100644 index 0000000..84ca137 --- /dev/null +++ b/bin/tests/system/coverage/setup.sh @@ -0,0 +1,131 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +KEYGEN="$KEYGEN -qr $RANDFILE" + +$SHELL clean.sh + +ln -s $CHECKZONE named-compilezone + +# Test 1: KSK goes inactive before successor is active +dir=01-ksk-inactive +rm -f $dir/K*.key +rm -f $dir/K*.private +ksk1=`$KEYGEN -K $dir -3fk example.com` +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=`$KEYGEN -K $dir -S $ksk1` +$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1 +zsk1=`$KEYGEN -K $dir -3 example.com` + +# Test 2: ZSK goes inactive before successor is active +dir=02-zsk-inactive +rm -f $dir/K*.key +rm -f $dir/K*.private +zsk1=`$KEYGEN -K $dir -3 example.com` +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=`$KEYGEN -K $dir -S $zsk1` +$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1 +ksk1=`$KEYGEN -K $dir -3fk example.com` + +# Test 3: KSK is unpublished before its successor is published +dir=03-ksk-unpublished +rm -f $dir/K*.key +rm -f $dir/K*.private +ksk1=`$KEYGEN -K $dir -3fk example.com` +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=`$KEYGEN -K $dir -S $ksk1` +$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1 +zsk1=`$KEYGEN -K $dir -3 example.com` + +# Test 4: ZSK is unpublished before its successor is published +dir=04-zsk-unpublished +rm -f $dir/K*.key +rm -f $dir/K*.private +zsk1=`$KEYGEN -K $dir -3 example.com` +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=`$KEYGEN -K $dir -S $zsk1` +$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1 +ksk1=`$KEYGEN -K $dir -3fk example.com` + +# Test 5: KSK deleted and successor published before KSK is deactivated +# and successor activated. +dir=05-ksk-unpub-active +rm -f $dir/K*.key +rm -f $dir/K*.private +ksk1=`$KEYGEN -K $dir -3fk example.com` +$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1 +ksk2=`$KEYGEN -K $dir -S $ksk1` +zsk1=`$KEYGEN -K $dir -3 example.com` + +# Test 6: ZSK deleted and successor published before ZSK is deactivated +# and successor activated. +dir=06-zsk-unpub-active +rm -f $dir/K*.key +rm -f $dir/K*.private +zsk1=`$KEYGEN -K $dir -3 example.com` +$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1 +zsk2=`$KEYGEN -K $dir -S $zsk1` +ksk1=`$KEYGEN -K $dir -3fk example.com` + +# Test 7: KSK rolled with insufficient delay after prepublication. +dir=07-ksk-ttl +rm -f $dir/K*.key +rm -f $dir/K*.private +ksk1=`$KEYGEN -K $dir -3fk example.com` +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=`$KEYGEN -K $dir -S $ksk1` +# allow only 1 day between publication and activation +$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1 +zsk1=`$KEYGEN -K $dir -3 example.com` + +# Test 8: ZSK rolled with insufficient delay after prepublication. +dir=08-zsk-ttl +rm -f $dir/K*.key +rm -f $dir/K*.private +zsk1=`$KEYGEN -K $dir -3 example.com` +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=`$KEYGEN -K $dir -S $zsk1` +# allow only 1 day between publication and activation +$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1 +ksk1=`$KEYGEN -K $dir -3fk example.com` + +# Test 9: KSK goes inactive before successor is active, but checking ZSKs +dir=09-check-zsk +rm -f $dir/K*.key +rm -f $dir/K*.private +ksk1=`$KEYGEN -K $dir -3fk example.com` +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=`$KEYGEN -K $dir -S $ksk1` +$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1 +zsk1=`$KEYGEN -K $dir -3 example.com` + +# Test 10: ZSK goes inactive before successor is active, but checking KSKs +dir=10-check-ksk +rm -f $dir/K*.key +rm -f $dir/K*.private +zsk1=`$KEYGEN -K $dir -3 example.com` +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=`$KEYGEN -K $dir -S $zsk1` +$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1 +ksk1=`$KEYGEN -K $dir -3fk example.com` + +# Test 11: ZSK goes inactive before successor is active, but after cutoff +dir=11-cutoff +rm -f $dir/K*.key +rm -f $dir/K*.private +zsk1=`$KEYGEN -K $dir -3 example.com` +$SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1 +zsk2=`$KEYGEN -K $dir -S $zsk1` +$SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1 +ksk1=`$KEYGEN -K $dir -3fk example.com` diff --git a/bin/tests/system/coverage/tests.sh b/bin/tests/system/coverage/tests.sh new file mode 100644 index 0000000..c5ba211 --- /dev/null +++ b/bin/tests/system/coverage/tests.sh @@ -0,0 +1,79 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +COVERAGE="$COVERAGE -c ./named-compilezone" + +status=0 +n=1 + +matchall () { + file=$1 + echo "$2" | while read matchline; do + grep "$matchline" $file > /dev/null 2>&1 || { + echo "FAIL" + return + } + done +} + +echo_i "checking for DNSSEC key coverage issues" +ret=0 +for dir in [0-9][0-9]-*; do + ret=0 + echo_i "$dir" + args= warn= error= ok= retcode= match= + . $dir/expect + $COVERAGE $args -K $dir example.com > coverage.$n 2>&1 + + # check that return code matches expectations + found=$? + if [ $found -ne $retcode ]; then + echo "retcode was $found expected $retcode" + ret=1 + fi + + # check for correct number of errors + found=`grep ERROR coverage.$n | wc -l` + if [ $found -ne $error ]; then + echo "error count was $found expected $error" + ret=1 + fi + + # check for correct number of warnings + found=`grep WARNING coverage.$n | wc -l` + if [ $found -ne $warn ]; then + echo "warning count was $found expected $warn" + ret=1 + fi + + # check for correct number of OKs + found=`grep "No errors found" coverage.$n | wc -l` + if [ $found -ne $ok ]; then + echo "good count was $found expected $ok" + ret=1 + fi + + found=`matchall coverage.$n "$match"` + if [ "$found" = "FAIL" ]; then + echo "no match on '$match'" + ret=1 + fi + + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 |