diff options
Diffstat (limited to 'bin/tests/system/dsdigest')
| -rw-r--r-- | bin/tests/system/dsdigest/clean.sh | 21 | ||||
| -rw-r--r-- | bin/tests/system/dsdigest/ns1/named.conf.in | 35 | ||||
| -rw-r--r-- | bin/tests/system/dsdigest/ns1/root.db.in | 24 | ||||
| -rw-r--r-- | bin/tests/system/dsdigest/ns1/sign.sh | 35 | ||||
| -rw-r--r-- | bin/tests/system/dsdigest/ns2/bad.db.in | 21 | ||||
| -rw-r--r-- | bin/tests/system/dsdigest/ns2/good.db.in | 21 | ||||
| -rw-r--r-- | bin/tests/system/dsdigest/ns2/named.conf.in | 45 | ||||
| -rw-r--r-- | bin/tests/system/dsdigest/ns2/sign.sh | 46 | ||||
| -rw-r--r-- | bin/tests/system/dsdigest/ns3/named.conf.in | 38 | ||||
| -rw-r--r-- | bin/tests/system/dsdigest/ns4/named.conf.in | 36 | ||||
| -rw-r--r-- | bin/tests/system/dsdigest/prereq.sh | 28 | ||||
| -rw-r--r-- | bin/tests/system/dsdigest/setup.sh | 22 | ||||
| -rw-r--r-- | bin/tests/system/dsdigest/tests.sh | 52 |
13 files changed, 424 insertions, 0 deletions
diff --git a/bin/tests/system/dsdigest/clean.sh b/bin/tests/system/dsdigest/clean.sh new file mode 100644 index 0000000..bb40bcb --- /dev/null +++ b/bin/tests/system/dsdigest/clean.sh @@ -0,0 +1,21 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f supported +rm -f */K* */dsset-* */*.signed */trusted.conf +rm -f ns1/root.db +rm -f ns1/signer.err +rm -f ns2/good.db ns2/bad.db +rm -f dig.out* +rm -f */named.conf +rm -f */named.run +rm -f */named.memstats +rm -f ns*/named.lock diff --git a/bin/tests/system/dsdigest/ns1/named.conf.in b/bin/tests/system/dsdigest/ns1/named.conf.in new file mode 100644 index 0000000..215800c --- /dev/null +++ b/bin/tests/system/dsdigest/ns1/named.conf.in @@ -0,0 +1,35 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS1 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; + dnssec-validation yes; +}; + +zone "." { + type master; + file "root.db.signed"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/dsdigest/ns1/root.db.in b/bin/tests/system/dsdigest/ns1/root.db.in new file mode 100644 index 0000000..5223279 --- /dev/null +++ b/bin/tests/system/dsdigest/ns1/root.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA marka.isc.org. a.root.servers.nil. ( + 2012062000 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +good. NS ns2.good. +ns2.good. A 10.53.0.2 +bad. NS ns2.bad. +ns2.bad. A 10.53.0.2 diff --git a/bin/tests/system/dsdigest/ns1/sign.sh b/bin/tests/system/dsdigest/ns1/sign.sh new file mode 100644 index 0000000..81156c4 --- /dev/null +++ b/bin/tests/system/dsdigest/ns1/sign.sh @@ -0,0 +1,35 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=. +infile=root.db.in +zonefile=root.db + +(cd ../ns2 && $SHELL sign.sh) + +cp ../ns2/dsset-good$TP . +cp ../ns2/dsset-bad$TP . + +key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 2048 -n zone -f KSK $zone` + +cat $infile $key1.key $key2.key > $zonefile + +$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null + +# Configure the resolving server with a trusted key. +keyfile_to_trusted_keys $key2 > trusted.conf +cp trusted.conf ../ns2/trusted.conf +cp trusted.conf ../ns3/trusted.conf +cp trusted.conf ../ns4/trusted.conf diff --git a/bin/tests/system/dsdigest/ns2/bad.db.in b/bin/tests/system/dsdigest/ns2/bad.db.in new file mode 100644 index 0000000..ab5ce91 --- /dev/null +++ b/bin/tests/system/dsdigest/ns2/bad.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 + +a A 10.0.0.1 diff --git a/bin/tests/system/dsdigest/ns2/good.db.in b/bin/tests/system/dsdigest/ns2/good.db.in new file mode 100644 index 0000000..ab5ce91 --- /dev/null +++ b/bin/tests/system/dsdigest/ns2/good.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 + +a A 10.0.0.1 diff --git a/bin/tests/system/dsdigest/ns2/named.conf.in b/bin/tests/system/dsdigest/ns2/named.conf.in new file mode 100644 index 0000000..73a41ba --- /dev/null +++ b/bin/tests/system/dsdigest/ns2/named.conf.in @@ -0,0 +1,45 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "good" { + type master; + file "good.db.signed"; +}; + +zone "bad" { + type master; + file "bad.db.signed"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/dsdigest/ns2/sign.sh b/bin/tests/system/dsdigest/ns2/sign.sh new file mode 100644 index 0000000..2c52d3b --- /dev/null +++ b/bin/tests/system/dsdigest/ns2/sign.sh @@ -0,0 +1,46 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone1=good. +infile1=good.db.in +zonefile1=good.db +zone2=bad. +infile2=bad.db.in +zonefile2=bad.db + +keyname11=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone1` +keyname12=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone -f KSK $zone1` +keyname21=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone2` +keyname22=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone -f KSK $zone2` + +cat $infile1 $keyname11.key $keyname12.key >$zonefile1 +cat $infile2 $keyname21.key $keyname22.key >$zonefile2 + +$SIGNER -P -g -r $RANDFILE -o $zone1 $zonefile1 > /dev/null +$SIGNER -P -g -r $RANDFILE -o $zone2 $zonefile2 > /dev/null + +DSFILENAME1=dsset-`echo $zone1 |sed -e "s/\.$//g"`$TP +DSFILENAME2=dsset-`echo $zone2 |sed -e "s/\.$//g"`$TP +$DSFROMKEY -a SHA-256 $keyname12 > $DSFILENAME1 +$DSFROMKEY -a SHA-256 $keyname22 > $DSFILENAME2 + +supported=`cat ../supported` +case "$supported" in + gost) algo=GOST ;; + *) algo=SHA-384 ;; +esac + +$DSFROMKEY -a $algo $keyname12 >> $DSFILENAME1 +$DSFROMKEY -a $algo $keyname22 > $DSFILENAME2 + diff --git a/bin/tests/system/dsdigest/ns3/named.conf.in b/bin/tests/system/dsdigest/ns3/named.conf.in new file mode 100644 index 0000000..1bc6215 --- /dev/null +++ b/bin/tests/system/dsdigest/ns3/named.conf.in @@ -0,0 +1,38 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-enable yes; + dnssec-validation yes; + dnssec-must-be-secure . yes; + /* only SHA-256 is enabled */ + disable-ds-digests . { SHA-1; GOST; SHA-384; 5; 6; 7; 8; 9; }; + +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/dsdigest/ns4/named.conf.in b/bin/tests/system/dsdigest/ns4/named.conf.in new file mode 100644 index 0000000..b5a4959 --- /dev/null +++ b/bin/tests/system/dsdigest/ns4/named.conf.in @@ -0,0 +1,36 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-enable yes; + dnssec-validation yes; + /* only SHA-256 is enabled */ + disable-ds-digests . { SHA-1; GOST; SHA-384; 5; 6; 7; 8; 9; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/dsdigest/prereq.sh b/bin/tests/system/dsdigest/prereq.sh new file mode 100644 index 0000000..1febbd5 --- /dev/null +++ b/bin/tests/system/dsdigest/prereq.sh @@ -0,0 +1,28 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +gostfail=0 ecdsafail=0 +$SHELL ../testcrypto.sh -q gost || gostfail=1 +$SHELL ../testcrypto.sh -q ecdsa || ecdsafail=1 + +if [ $gostfail = 0 -a $ecdsafail = 0 ]; then + echo both > supported +elif [ $gostfail = 1 -a $ecdsafail = 1 ]; then + echo_i "This test requires support for ECDSA or GOST cryptography." >&2 + exit 255 +elif [ $gostfail = 0 ]; then + echo gost > supported +else + echo ecdsa > supported +fi diff --git a/bin/tests/system/dsdigest/setup.sh b/bin/tests/system/dsdigest/setup.sh new file mode 100644 index 0000000..71e16a6 --- /dev/null +++ b/bin/tests/system/dsdigest/setup.sh @@ -0,0 +1,22 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +test -r $RANDFILE || $GENRANDOM 400 $RANDFILE + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf + +cd ns1 && $SHELL sign.sh diff --git a/bin/tests/system/dsdigest/tests.sh b/bin/tests/system/dsdigest/tests.sh new file mode 100644 index 0000000..8f9eb58 --- /dev/null +++ b/bin/tests/system/dsdigest/tests.sh @@ -0,0 +1,52 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 + +rm -f dig.out.* + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" + +# Check the good. domain + +echo_i "checking that validation with enabled digest types works" +ret=0 +$DIG $DIGOPTS a.good. @10.53.0.3 a > dig.out.good || ret=1 +grep "status: NOERROR" dig.out.good > /dev/null || ret=1 +grep "flags:[^;]* ad[ ;]" dig.out.good > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Check the bad. domain + +echo_i "checking that validation with no supported digest types and must-be-secure results in SERVFAIL" +ret=0 +$DIG $DIGOPTS a.bad. @10.53.0.3 a > dig.out.bad || ret=1 +grep "SERVFAIL" dig.out.bad > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that validation with no supported digest algorithms results in insecure" +ret=0 +$DIG $DIGOPTS bad. @10.53.0.4 ds > dig.out.ds || ret=1 +grep "NOERROR" dig.out.ds > /dev/null || ret=1 +grep "flags:[^;]* ad[ ;]" dig.out.ds > /dev/null || ret=1 +$DIG $DIGOPTS a.bad. @10.53.0.4 a > dig.out.insecure || ret=1 +grep "NOERROR" dig.out.insecure > /dev/null || ret=1 +grep "flags:[^;]* ad[ ;]" dig.out.insecure > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +echo_i "exit status: $status" + +[ $status -eq 0 ] || exit 1 |