summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/cds
diff options
context:
space:
mode:
Diffstat (limited to 'bin/tests/system/cds')
-rw-r--r--bin/tests/system/cds/checkmtime.pl18
-rw-r--r--bin/tests/system/cds/checktime.pl27
-rw-r--r--bin/tests/system/cds/clean.sh23
-rw-r--r--bin/tests/system/cds/mangle.pl19
-rw-r--r--bin/tests/system/cds/setup.sh133
-rw-r--r--bin/tests/system/cds/tests.sh243
6 files changed, 463 insertions, 0 deletions
diff --git a/bin/tests/system/cds/checkmtime.pl b/bin/tests/system/cds/checkmtime.pl
new file mode 100644
index 0000000..be53584
--- /dev/null
+++ b/bin/tests/system/cds/checkmtime.pl
@@ -0,0 +1,18 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+my $target = shift;
+my $file = shift;
+my $mtime = time - (stat $file)[9];
+die "bad mtime $mtime"
+ unless ($mtime - $target >= 0 && $mtime - $target < 60);
diff --git a/bin/tests/system/cds/checktime.pl b/bin/tests/system/cds/checktime.pl
new file mode 100644
index 0000000..d85fd91
--- /dev/null
+++ b/bin/tests/system/cds/checktime.pl
@@ -0,0 +1,27 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use warnings;
+
+my $target = shift;
+my $notbefore;
+my $inception;
+while (<>) {
+ $notbefore = $1 if m{^.* must not be signed before \d+ [(](\d+)[)]};
+ $inception = $1 if m{^.* inception time \d+ [(](\d+)[)]};
+}
+die "missing notbefore time" unless $notbefore;
+die "missing inception time" unless $inception;
+my $delta = $inception - $notbefore;
+die "bad inception time $delta" unless abs($delta - $target) <= 10;
diff --git a/bin/tests/system/cds/clean.sh b/bin/tests/system/cds/clean.sh
new file mode 100644
index 0000000..b9743a5
--- /dev/null
+++ b/bin/tests/system/cds/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f CDNSKEY* CDS* DS*
+rm -f K*
+rm -f UP*
+rm -f brk.*
+rm -f db.*
+rm -f dsset-*
+rm -f empty
+rm -f sig.*
+rm -f vars.sh
+rm -f err* out* xerr xout
diff --git a/bin/tests/system/cds/mangle.pl b/bin/tests/system/cds/mangle.pl
new file mode 100644
index 0000000..9268cc0
--- /dev/null
+++ b/bin/tests/system/cds/mangle.pl
@@ -0,0 +1,19 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+my $re = $ARGV[0];
+shift;
+while (<>) {
+ s{($re)........}{${1}00000000};
+ print;
+}
diff --git a/bin/tests/system/cds/setup.sh b/bin/tests/system/cds/setup.sh
new file mode 100644
index 0000000..6e3197d
--- /dev/null
+++ b/bin/tests/system/cds/setup.sh
@@ -0,0 +1,133 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+set -u
+
+touch empty
+
+Z=cds.test
+
+keyz=$($KEYGEN -q -a $DEFAULT_ALGORITHM $Z)
+key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK $Z)
+key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK $Z)
+
+idz=$(keyfile_to_key_id $keyz)
+id1=$(keyfile_to_key_id $key1)
+id2=$(keyfile_to_key_id $key2)
+
+cat <<EOF >vars.sh
+Z=$Z
+key1=$key1
+key2=$key2
+idz=$idz
+id1=$id1
+id2=$id2
+EOF
+
+tac() {
+ $PERL -e 'print reverse <>'
+}
+
+convert() {
+ key=$1
+ n=$2
+ $DSFROMKEY -12 $key >DS.$n
+ grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1
+ grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2
+ sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n
+ sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n
+ sed 's/ IN DS / 3600 IN DS /' <DS.$n >DS.ttl$n
+ sed 's/ IN DS / 7200 IN DS /' <DS.$n >DS.ttlong$n
+ tac <DS.$n >DS.rev$n
+}
+convert $key1 1
+convert $key2 2
+
+# consistent order wrt IDs
+sort DS.1 DS.2 >DS.both
+
+cp DS.1 DS.inplace
+$PERL -we 'utime time, time - 7200, "DS.inplace" or die'
+
+mangle="$PERL mangle.pl"
+
+$mangle " IN DS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " <DS.1 >DS.broke1
+$mangle " IN DS $id1 ${DEFAULT_ALGORITHM_NUMBER} 2 " <DS.1 >DS.broke2
+$mangle " IN DS $id1 ${DEFAULT_ALGORITHM_NUMBER} [12] " <DS.1 >DS.broke12
+
+sed 's/^/update add /
+$a\
+send
+' <DS.2 >UP.add2
+
+sed 's/^/update del /
+$a\
+send
+' <DS.1 >UP.del1
+
+cat UP.add2 UP.del1 | sed 3d >UP.swap
+
+sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' <UP.swap >UP.swapttl
+
+sign() {
+ cat >db.$1
+ $SIGNER >/dev/null \
+ -S -O full -o $Z -f sig.$1 db.$1
+}
+
+sign null <<EOF
+\$TTL 1h
+@ SOA localhost. root.localhost. (
+ 1 ; serial
+ 1h ; refresh
+ 1h ; retry
+ 1w ; expiry
+ 1h ; minimum
+ )
+;
+ NS localhost.
+;
+EOF
+
+cat sig.null CDS.1 >brk.unsigned-cds
+
+cat db.null CDS.1 | sign cds.1
+cat db.null CDS.2 | sign cds.2
+cat db.null CDS.1 CDS.2 | sign cds.both
+
+tac <sig.cds.1 >sig.cds.rev1
+
+cat db.null CDNSKEY.2 | sign cdnskey.2
+cat db.null CDS.2 CDNSKEY.2 | sign cds.cdnskey.2
+
+$mangle '\s+IN\s+RRSIG\s+CDS .* '$idz' '$Z'\. ' \
+ <sig.cds.1 >brk.rrsig.cds.zsk
+$mangle '\s+IN\s+RRSIG\s+CDS .* '$id1' '$Z'\. ' \
+ <sig.cds.1 >brk.rrsig.cds.ksk
+
+$mangle " IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " <db.cds.1 |
+sign cds-mangled
+
+bad=$($PERL -le "print ($id1 ^ 255);")
+sed "s/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 /IN CDS $bad ${DEFAULT_ALGORITHM_NUMBER} 1 /" <db.cds.1 |
+sign bad-digests
+
+sed "/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} /p;s//IN CDS $bad $ALTERNATIVE_ALGORITHM_NUMBER /" <db.cds.1 |
+sign bad-algos
+
+rm -f dsset-*
diff --git a/bin/tests/system/cds/tests.sh b/bin/tests/system/cds/tests.sh
new file mode 100644
index 0000000..700ae63
--- /dev/null
+++ b/bin/tests/system/cds/tests.sh
@@ -0,0 +1,243 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+fail() {
+ echo_i "failed"
+ status=$((status + 1))
+}
+
+runcmd() {
+ "$@" 1> out.$n 2> err.$n
+ echo $?
+}
+
+testcase() {
+ n=$((n + 1))
+ echo_i "$name ($n)"
+ expect=$1
+ shift
+ result=$(runcmd "$@")
+ check_stdout
+ check_stderr
+ if [ "$expect" -ne "$result" ]; then
+ echo_d "exit status does not match $expect"
+ fail
+ fi
+ unset name err out
+}
+
+check_stderr() {
+ if [ -n "${err:=}" ]; then
+ grep -E "$err" err.$n >/dev/null && return 0
+ echo_d "stderr did not match '$err'"
+ else
+ [ -s err.$n ] || return 0
+ fi
+ cat err.$n | cat_d
+ fail
+}
+
+check_stdout() {
+ $DIFF out.$n "${out:-empty}" >/dev/null && return
+ echo_d "stdout did not match '$out'"
+ ( echo "wanted"
+ cat "$out"
+ echo "got"
+ cat out.$n
+ ) | cat_d
+ fail
+}
+
+Z=cds.test
+
+name='usage'
+err='Usage'
+testcase 1 $CDS
+
+name='need a DS file'
+err='DS pathname'
+testcase 1 $CDS $Z
+
+name='name of dsset in directory'
+err="./dsset-$Z.: file not found"
+testcase 1 $CDS -d . $Z
+
+name='load a file'
+err='could not find DS records'
+testcase 1 $CDS -d empty $Z
+
+name='load DS records'
+err='path to file containing child data must be specified'
+testcase 1 $CDS -d DS.1 $Z
+
+name='missing DNSKEY'
+err='could not find signed DNSKEY RRset'
+testcase 1 $CDS -f db.null -d DS.1 $Z
+
+name='sigs too old'
+err='could not validate child DNSKEY RRset'
+testcase 1 $CDS -f sig.null -d DS.1 $Z
+
+name='sigs too old, verbosely'
+err='skip RRSIG by key [0-9]+: too old'
+testcase 1 $CDS -v1 -f sig.null -d DS.1 $Z
+
+name='old sigs are allowed'
+err='found RRSIG by key'
+out=DS.1
+testcase 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z
+
+name='no CDS/CDNSKEY records'
+out=DS.1
+testcase 0 $CDS -s -7200 -f sig.null -d DS.1 $Z
+
+name='no child records, verbosely'
+err='has neither CDS nor CDNSKEY records'
+out=DS.1
+testcase 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z
+
+name='unsigned CDS'
+err='missing RRSIG CDS records'
+testcase 1 $CDS -f brk.unsigned-cds -d DS.1 $Z
+
+name='correct signature inception time'
+$CDS -v3 -s -7200 -f sig.cds.1 -d DS.1 $Z 1>xout 2>xerr
+testcase 0 $PERL checktime.pl 3600 xerr
+
+name='in-place reads modification time'
+testcase 0 $CDS -f sig.cds.1 -i.bak -d DS.inplace $Z
+
+name='in-place output correct modification time'
+testcase 0 $PERL checkmtime.pl 3600 DS.inplace
+
+name='in-place backup correct modification time'
+testcase 0 $PERL checkmtime.pl 7200 DS.inplace.bak
+
+name='in-place correct output'
+testcase 0 $DIFF DS.1 DS.inplace
+
+name='in-place backup unmodified'
+testcase 0 $DIFF DS.1 DS.inplace.bak
+
+name='one mangled DS'
+err='found RRSIG by key'
+out=DS.1
+testcase 0 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke1 $Z
+
+name='other mangled DS'
+err='found RRSIG by key'
+out=DS.1
+testcase 0 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke2 $Z
+
+name='both mangled DS'
+err='could not validate child DNSKEY RRset'
+testcase 1 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke12 $Z
+
+name='mangle RRSIG CDS by ZSK'
+err='found RRSIG by key'
+out=DS.1
+testcase 0 $CDS -v1 -s -7200 -f brk.rrsig.cds.zsk -d DS.1 $Z
+
+name='mangle RRSIG CDS by KSK'
+err='could not validate child CDS RRset'
+testcase 1 $CDS -v1 -s -7200 -f brk.rrsig.cds.ksk -d DS.1 $Z
+
+name='mangle CDS 1'
+err='could not validate child DNSKEY RRset with new DS records'
+testcase 1 $CDS -s -7200 -f sig.cds-mangled -d DS.1 $Z
+
+name='inconsistent digests'
+err='do not cover each key with the same set of digest types'
+testcase 1 $CDS -s -7200 -f sig.bad-digests -d DS.1 $Z
+
+name='inconsistent algorithms'
+err='missing signature for algorithm'
+testcase 1 $CDS -s -7200 -f sig.bad-algos -d DS.1 $Z
+
+name='add DS records'
+out=DS.both
+$CDS -s -7200 -f sig.cds.both -d DS.1 $Z >DS.out
+# sort to allow for numerical vs lexical order of key tags
+testcase 0 sort DS.out
+
+name='update add'
+out=UP.add2
+testcase 0 $CDS -u -s -7200 -f sig.cds.both -d DS.1 $Z
+
+name='remove DS records'
+out=DS.2
+testcase 0 $CDS -s -7200 -f sig.cds.2 -d DS.both $Z
+
+name='update del'
+out=UP.del1
+testcase 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.both $Z
+
+name='swap DS records'
+out=DS.2
+testcase 0 $CDS -s -7200 -f sig.cds.2 -d DS.1 $Z
+
+name='update swap'
+out=UP.swap
+testcase 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.1 $Z
+
+name='TTL from -T'
+out=DS.ttl2
+testcase 0 $CDS -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z
+
+name='update TTL from -T'
+out=UP.swapttl
+testcase 0 $CDS -u -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z
+
+name='update TTL from dsset'
+out=UP.swapttl
+testcase 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.ttl1 $Z
+
+name='TTL from -T overrides dsset'
+out=DS.ttlong2
+testcase 0 $CDS -T 7200 -s -7200 -f sig.cds.2 -d DS.ttl1 $Z
+
+name='stable DS record order (changes)'
+out=DS.1
+testcase 0 $CDS -s -7200 -f sig.cds.rev1 -d DS.2 $Z
+
+name='CDNSKEY default algorithm'
+out=DS.2-2
+testcase 0 $CDS -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
+
+name='CDNSKEY SHA1'
+out=DS.2-1
+testcase 0 $CDS -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
+
+name='CDNSKEY two algorithms'
+out=DS.2
+testcase 0 $CDS -a SHA1 -a SHA256 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
+
+name='CDNSKEY two algorithms, reversed'
+out=DS.2
+testcase 0 $CDS -a SHA256 -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
+
+name='CDNSKEY and CDS'
+out=DS.2
+testcase 0 $CDS -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z
+
+name='prefer CDNSKEY'
+out=DS.2-2
+testcase 0 $CDS -D -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1