diff options
Diffstat (limited to 'bin/tests/system/mkeys')
-rw-r--r-- | bin/tests/system/mkeys/ns1/sign.sh | 24 | ||||
-rw-r--r-- | bin/tests/system/mkeys/ns4/sign.sh | 4 | ||||
-rw-r--r-- | bin/tests/system/mkeys/ns6/setup.sh | 2 | ||||
-rw-r--r-- | bin/tests/system/mkeys/setup.sh | 10 | ||||
-rw-r--r-- | bin/tests/system/mkeys/tests.sh | 581 |
5 files changed, 327 insertions, 294 deletions
diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh index fa57307..43f7300 100644 --- a/bin/tests/system/mkeys/ns1/sign.sh +++ b/bin/tests/system/mkeys/ns1/sign.sh @@ -20,8 +20,8 @@ zonefile=sub.tld.db keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone) zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone) -$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null -keyfile_to_initial_ds $keyname > island.conf +$SIGNER -Sg -o $zone $zonefile >/dev/null 2>/dev/null +keyfile_to_initial_ds $keyname >island.conf cp island.conf ../ns5/island.conf zone=tld @@ -30,7 +30,7 @@ zonefile=tld.db keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone) zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone) -$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null +$SIGNER -Sg -o $zone $zonefile >/dev/null 2>/dev/null zone=. zonefile=root.db @@ -38,18 +38,18 @@ zonefile=root.db keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone) zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone) -$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null +$SIGNER -Sg -o $zone $zonefile >/dev/null 2>/dev/null # Configure the resolving server with an initializing key. -keyfile_to_initial_ds $keyname > managed.conf +keyfile_to_initial_ds $keyname >managed.conf cp managed.conf ../ns2/managed.conf cp managed.conf ../ns4/managed.conf cp managed.conf ../ns5/managed.conf # Configure broken trust anchor for ns3 # Rotate each nibble in the digest by -1 -$DSFROMKEY $keyname.key | -awk '!/^; /{ +$DSFROMKEY $keyname.key \ + | awk '!/^; /{ printf "trust-anchors {\n" printf "\t\""$1"\" initial-ds " printf $4 " " $5 " " $6 " \"" @@ -77,10 +77,10 @@ awk '!/^; /{ } printf "\";\n" printf "};\n" - }' > ../ns3/broken.conf + }' >../ns3/broken.conf # Configure a static key to be used by delv. -keyfile_to_static_ds $keyname > trusted.conf +keyfile_to_static_ds $keyname >trusted.conf # Prepare an unsupported algorithm key. unsupportedkey=Kunknown.+255+00000 @@ -89,6 +89,6 @@ cp unsupported.key "${unsupportedkey}.key" # # Save keyname and keyid for managed key id test. # -echo "$keyname" > managed.key -echo "$zskkeyname" > zone.key -keyfile_to_key_id $keyname > managed.key.id +echo "$keyname" >managed.key +echo "$zskkeyname" >zone.key +keyfile_to_key_id $keyname >managed.key.id diff --git a/bin/tests/system/mkeys/ns4/sign.sh b/bin/tests/system/mkeys/ns4/sign.sh index 13d7640..a227567 100644 --- a/bin/tests/system/mkeys/ns4/sign.sh +++ b/bin/tests/system/mkeys/ns4/sign.sh @@ -20,6 +20,6 @@ zonefile=sub.foo.db keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone) zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone) -$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null -keyfile_to_initial_ds $keyname > private.conf +$SIGNER -Sg -o $zone $zonefile >/dev/null 2>/dev/null +keyfile_to_initial_ds $keyname >private.conf cp private.conf ../ns5/private.conf diff --git a/bin/tests/system/mkeys/ns6/setup.sh b/bin/tests/system/mkeys/ns6/setup.sh index 1bfdc7f..3814d10 100644 --- a/bin/tests/system/mkeys/ns6/setup.sh +++ b/bin/tests/system/mkeys/ns6/setup.sh @@ -31,4 +31,4 @@ cp "../ns1/${rootkey}.key" . # Configure the resolving server with an initializing key. # (We use key-format trust anchors here because otherwise the # unsupported algorithm test won't work.) -keyfile_to_initial_keys $unsupportedkey $islandkey $rootkey > managed.conf +keyfile_to_initial_keys $unsupportedkey $islandkey $rootkey >managed.conf diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh index b110094..4e1aea8 100644 --- a/bin/tests/system/mkeys/setup.sh +++ b/bin/tests/system/mkeys/setup.sh @@ -18,8 +18,8 @@ export ALGORITHM_SET="ecc_default" # Ensure the selected algorithm set is okay. if [ "$ALGORITHM_SET" = "error" ]; then - echofail "Algorithm selection failed." >&2 - exit 1 + echofail "Algorithm selection failed." >&2 + exit 1 fi copy_setports ns1/named1.conf.in ns1/named.conf @@ -32,9 +32,9 @@ copy_setports ns7/named.conf.in ns7/named.conf cp ns5/named1.args ns5/named.args -( cd ns1 && $SHELL sign.sh ) -( cd ns4 && $SHELL sign.sh ) -( cd ns6 && $SHELL setup.sh ) +(cd ns1 && $SHELL sign.sh) +(cd ns4 && $SHELL sign.sh) +(cd ns6 && $SHELL setup.sh) cp ns2/managed.conf ns2/managed1.conf diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh index 5999e21..838eb28 100644 --- a/bin/tests/system/mkeys/tests.sh +++ b/bin/tests/system/mkeys/tests.sh @@ -19,72 +19,72 @@ export ALGORITHM_SET="ecc_default" . "$SYSTEMTESTTOP/conf.sh" dig_with_opts() ( - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "${PORT}" "$@" + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "${PORT}" "$@" ) delv_with_opts() ( - "$DELV" -a ns1/trusted.conf -p "${PORT}" "$@" + "$DELV" -a ns1/trusted.conf -p "${PORT}" "$@" ) rndccmd() ( - "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "${CONTROLPORT}" -s "$@" + "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "${CONTROLPORT}" -s "$@" ) mkeys_reconfig_on() ( - nsidx=$1 - rndccmd "10.53.0.${nsidx}" reconfig . | sed "s/^/ns${nsidx} /" | cat_i + nsidx=$1 + rndccmd "10.53.0.${nsidx}" reconfig . | sed "s/^/ns${nsidx} /" | cat_i ) mkeys_reload_on() ( - nsidx=$1 - nextpart "ns${nsidx}"/named.run > /dev/null - rndc_reload "ns${nsidx}" "10.53.0.${nsidx}" - wait_for_log 20 "loaded serial" "ns${nsidx}"/named.run || return 1 + nsidx=$1 + nextpart "ns${nsidx}"/named.run >/dev/null + rndc_reload "ns${nsidx}" "10.53.0.${nsidx}" + wait_for_log 20 "loaded serial" "ns${nsidx}"/named.run || return 1 ) mkeys_loadkeys_on() ( - nsidx=$1 - nextpart "ns${nsidx}"/named.run > /dev/null - rndccmd "10.53.0.${nsidx}" loadkeys . | sed "s/^/ns${nsidx} /" | cat_i - wait_for_log 20 "next key event" "ns${nsidx}"/named.run || return 1 + nsidx=$1 + nextpart "ns${nsidx}"/named.run >/dev/null + rndccmd "10.53.0.${nsidx}" loadkeys . | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "next key event" "ns${nsidx}"/named.run || return 1 ) mkeys_refresh_on() ( - nsidx=$1 - nextpart "ns${nsidx}"/named.run > /dev/null - rndccmd "10.53.0.${nsidx}" managed-keys refresh | sed "s/^/ns${nsidx} /" | cat_i - wait_for_log 20 "Returned from key fetch in keyfetch_done()" "ns${nsidx}"/named.run || return 1 + nsidx=$1 + nextpart "ns${nsidx}"/named.run >/dev/null + rndccmd "10.53.0.${nsidx}" managed-keys refresh | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "Returned from key fetch in keyfetch_done()" "ns${nsidx}"/named.run || return 1 ) mkeys_sync_on() ( - # No race with mkeys_refresh_on() is possible as even if the latter - # returns immediately after the expected log message is written, the - # managed-keys zone is already locked and the command below calls - # dns_zone_flush(), which also attempts to take that zone's lock - nsidx=$1 - nextpart "ns${nsidx}"/named.run > /dev/null - rndccmd "10.53.0.${nsidx}" managed-keys sync | sed "s/^/ns${nsidx} /" | cat_i - wait_for_log 20 "dump_done" "ns${nsidx}"/named.run || return 1 + # No race with mkeys_refresh_on() is possible as even if the latter + # returns immediately after the expected log message is written, the + # managed-keys zone is already locked and the command below calls + # dns_zone_flush(), which also attempts to take that zone's lock + nsidx=$1 + nextpart "ns${nsidx}"/named.run >/dev/null + rndccmd "10.53.0.${nsidx}" managed-keys sync | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "dump_done" "ns${nsidx}"/named.run || return 1 ) mkeys_status_on() ( - # No race with mkeys_refresh_on() is possible as even if the latter - # returns immediately after the expected log message is written, the - # managed-keys zone is already locked and the command below calls - # mkey_status(), which in turn calls dns_zone_getrefreshkeytime(), - # which also attempts to take that zone's lock - nsidx=$1 - rndccmd "10.53.0.${nsidx}" managed-keys status + # No race with mkeys_refresh_on() is possible as even if the latter + # returns immediately after the expected log message is written, the + # managed-keys zone is already locked and the command below calls + # mkey_status(), which in turn calls dns_zone_getrefreshkeytime(), + # which also attempts to take that zone's lock + nsidx=$1 + rndccmd "10.53.0.${nsidx}" managed-keys status ) mkeys_flush_on() ( - nsidx=$1 - rndccmd "10.53.0.${nsidx}" flush | sed "s/^/ns${nsidx} /" | cat_i + nsidx=$1 + rndccmd "10.53.0.${nsidx}" flush | sed "s/^/ns${nsidx} /" | cat_i ) mkeys_secroots_on() ( - nsidx=$1 - rndccmd "10.53.0.${nsidx}" secroots | sed "s/^/ns${nsidx} /" | cat_i + nsidx=$1 + rndccmd "10.53.0.${nsidx}" secroots | sed "s/^/ns${nsidx} /" | cat_i ) original=$(cat ns1/managed.key) @@ -97,50 +97,50 @@ rm -f dig.out.* echo_i "check for signed record ($n)" ret=0 -dig_with_opts +norec example. @10.53.0.1 TXT > dig.out.ns1.test$n || ret=1 -grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*TXT[[:space:]]*\"This is a test\.\"" dig.out.ns1.test$n > /dev/null || ret=1 -grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*RRSIG[[:space:]]*TXT[[:space:]]" dig.out.ns1.test$n > /dev/null || ret=1 +dig_with_opts +norec example. @10.53.0.1 TXT >dig.out.ns1.test$n || ret=1 +grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*TXT[[:space:]]*\"This is a test\.\"" dig.out.ns1.test$n >/dev/null || ret=1 +grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*RRSIG[[:space:]]*TXT[[:space:]]" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check positive validation with valid trust anchor ($n)" ret=0 -dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) if [ -x "$DELV" ]; then - n=$((n+1)) - ret=0 - echo_i "check positive validation using delv ($n)" - delv_with_opts @10.53.0.1 txt example > delv.out$n || ret=1 - grep "; fully validated" delv.out$n > /dev/null || ret=1 # redundant - grep "example..*TXT.*This is a test" delv.out$n > /dev/null || ret=1 - grep "example..*.RRSIG..*TXT" delv.out$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + n=$((n + 1)) + ret=0 + echo_i "check positive validation using delv ($n)" + delv_with_opts @10.53.0.1 txt example >delv.out$n || ret=1 + grep "; fully validated" delv.out$n >/dev/null || ret=1 # redundant + grep "example..*TXT.*This is a test" delv.out$n >/dev/null || ret=1 + grep "example..*.RRSIG..*TXT" delv.out$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "check for failed validation due to wrong key in managed-keys ($n)" ret=0 -dig_with_opts +noauth example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns3.test$n > /dev/null && ret=1 -grep "opcode: QUERY, status: SERVFAIL, id" dig.out.ns3.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns3.test$n >/dev/null && ret=1 +grep "opcode: QUERY, status: SERVFAIL, id" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check new trust anchor can be added ($n)" ret=0 standby1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .) mkeys_loadkeys_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # there should be two keys listed now count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -154,13 +154,13 @@ count=$(grep -c "trusted since" rndc.out.$n) || true count=$(grep -c "trust pending" rndc.out.$n) || true [ "$count" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check new trust anchor can't be added with bad initial key ($n)" ret=0 mkeys_refresh_on 3 || ret=1 -mkeys_status_on 3 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 3 >rndc.out.$n 2>&1 || ret=1 # there should be one key listed now count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 1 ] || ret=1 @@ -171,14 +171,14 @@ count=$(grep -c "trust" rndc.out.$n) || true count=$(grep -c "no trust" rndc.out.$n) || true [ "$count" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "remove untrusted standby key, check timer restarts ($n)" ret=0 mkeys_sync_on 2 || ret=1 t1=$(grep "trust pending" ns2/managed-keys.bind) || true -$SETTIME -D now -K ns1 "$standby1" > /dev/null +$SETTIME -D now -K ns1 "$standby1" >/dev/null mkeys_loadkeys_on 1 || ret=1 # Less than a second may have passed since the last time ns2 received a # ./DNSKEY response from ns1. Ensure keys are refreshed at a different @@ -192,14 +192,14 @@ t2=$(grep "trust pending" ns2/managed-keys.bind) || true [ -n "$t2" ] || ret=1 [ "$t1" = "$t2" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "restore untrusted standby key, revoke original key ($n)" t1=$t2 -$SETTIME -D none -K ns1 "$standby1" > /dev/null -$SETTIME -R now -K ns1 "$original" > /dev/null +$SETTIME -D none -K ns1 "$standby1" >/dev/null +$SETTIME -R now -K ns1 "$original" >/dev/null mkeys_loadkeys_on 1 || ret=1 # Less than a second may have passed since the last time ns2 received a # ./DNSKEY response from ns1. Ensure keys are refreshed at a different @@ -208,7 +208,7 @@ mkeys_loadkeys_on 1 || ret=1 sleep 1 mkeys_refresh_on 2 || ret=1 mkeys_sync_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -229,9 +229,9 @@ t2=$(grep "trust pending" ns2/managed-keys.bind) || true [ -n "$t2" ] || ret=1 [ "$t1" = "$t2" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "refresh managed-keys, ensure same result ($n)" t1=$t2 @@ -242,7 +242,7 @@ t1=$t2 sleep 1 mkeys_refresh_on 2 || ret=1 mkeys_sync_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -263,15 +263,15 @@ t2=$(grep "trust pending" ns2/managed-keys.bind) || true [ -n "$t2" ] || ret=1 [ "$t1" = "$t2" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "restore revoked key, ensure same result ($n)" t1=$t2 -$SETTIME -R none -D now -K ns1 "$original" > /dev/null +$SETTIME -R none -D now -K ns1 "$original" >/dev/null mkeys_loadkeys_on 1 || ret=1 -$SETTIME -D none -K ns1 "$original" > /dev/null +$SETTIME -D none -K ns1 "$original" >/dev/null mkeys_loadkeys_on 1 || ret=1 # Less than a second may have passed since the last time ns2 received a # ./DNSKEY response from ns1. Ensure keys are refreshed at a different @@ -280,7 +280,7 @@ mkeys_loadkeys_on 1 || ret=1 sleep 1 mkeys_refresh_on 2 || ret=1 mkeys_sync_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -301,36 +301,36 @@ t2=$(grep "trust pending" ns2/managed-keys.bind) || true [ -n "$t2" ] || ret=1 [ "$t1" = "$t2" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "reinitialize trust anchors, add second key to bind.keys" stop_server --use-rndc --port "${CONTROLPORT}" ns2 rm -f ns2/managed-keys.bind* -keyfile_to_initial_ds ns1/"$original" ns1/"$standby1" > ns2/managed.conf -nextpart ns2/named.run > /dev/null +keyfile_to_initial_ds ns1/"$original" ns1/"$standby1" >ns2/managed.conf +nextpart ns2/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns2 -n=$((n+1)) +n=$((n + 1)) echo_i "check that no key from bind.keys is marked as an initializing key ($n)" ret=0 wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 mkeys_secroots_on 2 || ret=1 -grep '; initializing' ns2/named.secroots > /dev/null 2>&1 && ret=1 +grep '; initializing' ns2/named.secroots >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "reinitialize trust anchors, revert to one key in bind.keys" stop_server --use-rndc --port "${CONTROLPORT}" ns2 rm -f ns2/managed-keys.bind* mv ns2/managed1.conf ns2/managed.conf -nextpart ns2/named.run > /dev/null +nextpart ns2/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns2 -n=$((n+1)) +n=$((n + 1)) echo_i "check that standby key is now trusted ($n)" ret=0 wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -341,16 +341,16 @@ count=$(grep -c "trust" rndc.out.$n) || true count=$(grep -c "trusted since" rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "revoke original key, add new standby ($n)" ret=0 standby2=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .) -$SETTIME -R now -K ns1 "$original" > /dev/null +$SETTIME -R now -K ns1 "$original" >/dev/null mkeys_loadkeys_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # three keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 3 ] || ret=1 @@ -373,48 +373,66 @@ count=$(grep -c "trust pending" rndc.out.$n) || true count=$(grep -c "remove at" rndc.out.$n) || true [ "$count" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "revoke standby before it is trusted ($n)" ret=0 standby3=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .) mkeys_loadkeys_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.1.$n 2>&1 || ret=1 # four keys listed count=$(grep -c "keyid: " rndc.out.1.$n) || true -[ "$count" -eq 4 ] || { echo_i "keyid: count ($count) != 4"; ret=1; } +[ "$count" -eq 4 ] || { + echo_i "keyid: count ($count) != 4" + ret=1 +} # one revoked count=$(grep -c "trust revoked" rndc.out.1.$n) || true -[ "$count" -eq 1 ] || { echo_i "trust revoked count ($count) != 1"; ret=1; } +[ "$count" -eq 1 ] || { + echo_i "trust revoked count ($count) != 1" + ret=1 +} # two pending count=$(grep -c "trust pending" rndc.out.1.$n) || true -[ "$count" -eq 2 ] || { echo_i "trust pending count ($count) != 2"; ret=1; } -$SETTIME -R now -K ns1 "$standby3" > /dev/null +[ "$count" -eq 2 ] || { + echo_i "trust pending count ($count) != 2" + ret=1 +} +$SETTIME -R now -K ns1 "$standby3" >/dev/null mkeys_loadkeys_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.2.$n 2>&1 || ret=1 # now three keys listed count=$(grep -c "keyid: " rndc.out.2.$n) || true -[ "$count" -eq 3 ] || { echo_i "keyid: count ($count) != 3"; ret=1; } +[ "$count" -eq 3 ] || { + echo_i "keyid: count ($count) != 3" + ret=1 +} # one revoked count=$(grep -c "trust revoked" rndc.out.2.$n) || true -[ "$count" -eq 1 ] || { echo_i "trust revoked count ($count) != 1"; ret=1; } +[ "$count" -eq 1 ] || { + echo_i "trust revoked count ($count) != 1" + ret=1 +} # one pending count=$(grep -c "trust pending" rndc.out.2.$n) || true -[ "$count" -eq 1 ] || { echo_i "trust pending count ($count) != 1"; ret=1; } -$SETTIME -D now -K ns1 "$standby3" > /dev/null +[ "$count" -eq 1 ] || { + echo_i "trust pending count ($count) != 1" + ret=1 +} +$SETTIME -D now -K ns1 "$standby3" >/dev/null mkeys_loadkeys_on 1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait 20 seconds for key add/remove holddowns to expire ($n)" ret=0 sleep 20 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -428,17 +446,17 @@ count=$(grep -c "trust" rndc.out.$n) || true count=$(grep -c "trusted since" rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "revoke all keys, confirm roll to insecure ($n)" ret=0 -$SETTIME -D now -K ns1 "$original" > /dev/null -$SETTIME -R now -K ns1 "$standby1" > /dev/null -$SETTIME -R now -K ns1 "$standby2" > /dev/null +$SETTIME -D now -K ns1 "$original" >/dev/null +$SETTIME -R now -K ns1 "$standby1" >/dev/null +$SETTIME -R now -K ns1 "$standby2" >/dev/null mkeys_loadkeys_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -455,51 +473,51 @@ count=$(grep -c "trust revoked" rndc.out.$n) || true count=$(grep -c "remove at" rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check for insecure response ($n)" ret=0 mkeys_refresh_on 2 || ret=1 -dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reset the root server ($n)" ret=0 -$SETTIME -D none -R none -K ns1 "$original" > /dev/null -$SETTIME -D now -K ns1 "$standby1" > /dev/null -$SETTIME -D now -K ns1 "$standby2" > /dev/null +$SETTIME -D none -R none -K ns1 "$original" >/dev/null +$SETTIME -D now -K ns1 "$standby1" >/dev/null +$SETTIME -D now -K ns1 "$standby2" >/dev/null sleep 1 # ensure modification time changes -$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null +$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db >/dev/null 2>/dev/null copy_setports ns1/named2.conf.in ns1/named.conf rm -f ns1/root.db.signed.jnl mkeys_reconfig_on 1 || ret=1 mkeys_reload_on 1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "reinitialize trust anchors" stop_server --use-rndc --port "${CONTROLPORT}" ns2 rm -f ns2/managed-keys.bind* -nextpart ns2/named.run > /dev/null +nextpart ns2/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns2 -n=$((n+1)) +n=$((n + 1)) echo_i "check positive validation ($n)" ret=0 wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 -dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "revoke key with bad signature, check revocation is ignored ($n)" ret=0 revoked=$($REVOKE -K ns1 "$original") @@ -509,8 +527,8 @@ rm -f ns1/root.db.signed.jnl # failing. Alternatively, we could use -P to disable post-sign verification, # but we actually do want post-sign verification to happen to ensure the zone # is correct before we break it on purpose. -$SETTIME -R none -D none -K ns1 "$standby1" > /dev/null -$SIGNER -Sg -K ns1 -N unixtime -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>/dev/null +$SETTIME -R none -D none -K ns1 "$standby1" >/dev/null +$SIGNER -Sg -K ns1 -N unixtime -O full -o . -f signer.out.$n ns1/root.db >/dev/null 2>/dev/null cp -f ns1/root.db.signed ns1/root.db.tmp BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg==" # Less than a second may have passed since ns1 was started. If we call @@ -519,110 +537,125 @@ BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89h # "nanoseconds" field of isc_time_t, due to zone load time being seemingly # equal to master file modification time. sleep 1 -sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n > ns1/root.db.signed +sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n >ns1/root.db.signed mkeys_reload_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # one key listed count=$(grep -c "keyid: " rndc.out.$n) || true -[ "$count" -eq 1 ] || { echo_i "'keyid:' count ($count) != 1"; ret=1; } +[ "$count" -eq 1 ] || { + echo_i "'keyid:' count ($count) != 1" + ret=1 +} # it's the original key id count=$(grep -c "keyid: $originalid" rndc.out.$n) || true -[ "$count" -eq 1 ] || { echo_i "'keyid: $originalid' count ($count) != 1"; ret=1; } +[ "$count" -eq 1 ] || { + echo_i "'keyid: $originalid' count ($count) != 1" + ret=1 +} # not revoked count=$(grep -c "REVOKE" rndc.out.$n) || true -[ "$count" -eq 0 ] || { echo_i "'REVOKE' count ($count) != 0"; ret=1; } +[ "$count" -eq 0 ] || { + echo_i "'REVOKE' count ($count) != 0" + ret=1 +} # trust is still current count=$(grep -c "trust" rndc.out.$n) || true -[ "$count" -eq 1 ] || { echo_i "'trust' count != 1"; ret=1; } +[ "$count" -eq 1 ] || { + echo_i "'trust' count != 1" + ret=1 +} count=$(grep -c "trusted since" rndc.out.$n) || true -[ "$count" -eq 1 ] || { echo_i "'trusted since' count != 1"; ret=1; } +[ "$count" -eq 1 ] || { + echo_i "'trusted since' count != 1" + ret=1 +} if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check validation fails with bad DNSKEY rrset ($n)" ret=0 mkeys_flush_on 2 || ret=1 -dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "status: SERVFAIL" dig.out.ns2.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "status: SERVFAIL" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "restore DNSKEY rrset, check validation succeeds again ($n)" ret=0 rm -f "${revoked}".key "${revoked}".private rm -f ns1/root.db.signed.jnl -$SETTIME -D none -R none -K ns1 "$original" > /dev/null -$SETTIME -D now -K ns1 "$standby1" > /dev/null +$SETTIME -D none -R none -K ns1 "$original" >/dev/null +$SETTIME -D now -K ns1 "$standby1" >/dev/null # Less than a second may have passed since ns1 was started. If we call # dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the # subsequent "rndc reload ." call on platforms which do not set the # "nanoseconds" field of isc_time_t, due to zone load time being seemingly # equal to master file modification time. sleep 1 -$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null +$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db >/dev/null 2>/dev/null mkeys_reload_on 1 || ret=1 mkeys_flush_on 2 || ret=1 -dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) if [ ! "$CYGWIN" ]; then - n=$((n+1)) - echo_i "reset the root server with no keys, check for minimal update ($n)" - ret=0 - # Refresh keys first to prevent previous checks from influencing this one. - # Note that we might still get occasional false negatives on some really slow - # machines, when $t1 equals $t2 due to the time elapsed between "rndc - # managed-keys status" calls being equal to the normal active refresh period - # (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as - # set using -T mkeytimers). - mkeys_refresh_on 2 || ret=1 - mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 - t1=$(grep 'next refresh:' rndc.out.1.$n) || true - stop_server --use-rndc --port "${CONTROLPORT}" ns1 - rm -f ns1/root.db.signed.jnl - cp ns1/root.db ns1/root.db.signed - nextpart ns1/named.run > /dev/null - start_server --noclean --restart --port "${PORT}" ns1 - wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 - mkeys_refresh_on 2 || ret=1 - mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 - # one key listed - count=$(grep -c "keyid: " rndc.out.2.$n) || true - [ "$count" -eq 1 ] || ret=1 - # it's the original key id - count=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true - [ "$count" -eq 1 ] || ret=1 - # not revoked - count=$(grep -c "REVOKE" rndc.out.2.$n) || true - [ "$count" -eq 0 ] || ret=1 - # trust is still current - count=$(grep -c "trust" rndc.out.2.$n) || true - [ "$count" -eq 1 ] || ret=1 - count=$(grep -c "trusted since" rndc.out.2.$n) || true - [ "$count" -eq 1 ] || ret=1 - t2=$(grep 'next refresh:' rndc.out.2.$n) || true - [ "$t1" = "$t2" ] && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + n=$((n + 1)) + echo_i "reset the root server with no keys, check for minimal update ($n)" + ret=0 + # Refresh keys first to prevent previous checks from influencing this one. + # Note that we might still get occasional false negatives on some really slow + # machines, when $t1 equals $t2 due to the time elapsed between "rndc + # managed-keys status" calls being equal to the normal active refresh period + # (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as + # set using -T mkeytimers). + mkeys_refresh_on 2 || ret=1 + mkeys_status_on 2 >rndc.out.1.$n 2>&1 || ret=1 + t1=$(grep 'next refresh:' rndc.out.1.$n) || true + stop_server --use-rndc --port "${CONTROLPORT}" ns1 + rm -f ns1/root.db.signed.jnl + cp ns1/root.db ns1/root.db.signed + nextpart ns1/named.run >/dev/null + start_server --noclean --restart --port "${PORT}" ns1 + wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 + mkeys_refresh_on 2 || ret=1 + mkeys_status_on 2 >rndc.out.2.$n 2>&1 || ret=1 + # one key listed + count=$(grep -c "keyid: " rndc.out.2.$n) || true + [ "$count" -eq 1 ] || ret=1 + # it's the original key id + count=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true + [ "$count" -eq 1 ] || ret=1 + # not revoked + count=$(grep -c "REVOKE" rndc.out.2.$n) || true + [ "$count" -eq 0 ] || ret=1 + # trust is still current + count=$(grep -c "trust" rndc.out.2.$n) || true + [ "$count" -eq 1 ] || ret=1 + count=$(grep -c "trusted since" rndc.out.2.$n) || true + [ "$count" -eq 1 ] || ret=1 + t2=$(grep 'next refresh:' rndc.out.2.$n) || true + [ "$t1" = "$t2" ] && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "reset the root server with no signatures, check for minimal update ($n)" ret=0 # Refresh keys first to prevent previous checks from influencing this one mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.1.$n 2>&1 || ret=1 t1=$(grep 'next refresh:' rndc.out.1.$n) || true stop_server --use-rndc --port "${CONTROLPORT}" ns1 rm -f ns1/root.db.signed.jnl -cat ns1/K*.key >> ns1/root.db.signed -nextpart ns1/named.run > /dev/null +cat ns1/K*.key >>ns1/root.db.signed +nextpart ns1/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns1 wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 # Less than a second may have passed since the last time ns2 received a @@ -630,7 +663,7 @@ wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 # timestamp to prevent minimal update from resetting it to the same timestamp. sleep 1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.2.$n 2>&1 || ret=1 # one key listed count=$(grep -c "keyid: " rndc.out.2.$n) || true [ "$count" -eq 1 ] || ret=1 @@ -648,53 +681,53 @@ count=$(grep -c "trusted since" rndc.out.2.$n) || true t2=$(grep 'next refresh:' rndc.out.2.$n) || true [ "$t1" = "$t2" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "restore root server, check validation succeeds again ($n)" ret=0 rm -f ns1/root.db.signed.jnl -$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null +$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db >/dev/null 2>/dev/null mkeys_reload_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 -dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 +dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that trust-anchor-telemetry queries are logged ($n)" ret=0 -grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run > /dev/null || ret=1 +grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that trust-anchor-telemetry queries are received ($n)" ret=0 -grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run > /dev/null || ret=1 +grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc-managed-keys destroy' ($n)" ret=0 rndccmd 10.53.0.2 managed-keys destroy | sed 's/^/ns2 /' | cat_i -mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 -grep "no views with managed keys" rndc.out.1.$n > /dev/null || ret=1 +mkeys_status_on 2 >rndc.out.1.$n 2>&1 || ret=1 +grep "no views with managed keys" rndc.out.1.$n >/dev/null || ret=1 mkeys_reconfig_on 2 || ret=1 check_root_trust_anchor_is_present_in_status() { - mkeys_status_on 2 > rndc.out.2.$n 2>&1 || return 1 - grep "name: \." rndc.out.2.$n > /dev/null || return 1 - return 0 + mkeys_status_on 2 >rndc.out.2.$n 2>&1 || return 1 + grep "name: \." rndc.out.2.$n >/dev/null || return 1 + return 0 } retry_quiet 5 check_root_trust_anchor_is_present_in_status || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that trust-anchor-telemetry queries contain the correct key ($n)" ret=0 # convert the hexadecimal key from the TAT query into decimal and @@ -704,19 +737,19 @@ tatkey=$($PERL -e 'printf("%d\n", hex(@ARGV[0]));' "$tathex") realkey=$(rndccmd 10.53.0.2 secroots - | sed -n "s#.*${DEFAULT_ALGORITHM}/\([0-9][0-9]*\) ; .*managed.*#\1#p") [ "$tatkey" -eq "$realkey" ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check initialization fails if managed-keys can't be created ($n)" ret=0 mkeys_secroots_on 4 || ret=1 -grep '; initializing managed' ns4/named.secroots > /dev/null 2>&1 || ret=1 -grep '; managed' ns4/named.secroots > /dev/null 2>&1 && ret=1 -grep '; trusted' ns4/named.secroots > /dev/null 2>&1 && ret=1 +grep '; initializing managed' ns4/named.secroots >/dev/null 2>&1 || ret=1 +grep '; managed' ns4/named.secroots >/dev/null 2>&1 && ret=1 +grep '; trusted' ns4/named.secroots >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check failure to contact root servers does not prevent key refreshes after restart ($n)" ret=0 # By the time we get here, ns5 should have attempted refreshing its managed @@ -726,7 +759,7 @@ ret=0 # key refresh failure instead of just a few seconds, in order to prevent races # between the next scheduled key refresh time and startup time of restarted ns5. stop_server --use-rndc --port "${CONTROLPORT}" ns5 -nextpart ns5/named.run > /dev/null +nextpart ns5/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns5 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.':" ns5/named.run || ret=1 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld':" ns5/named.run || ret=1 @@ -736,13 +769,13 @@ wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo':" count=$(grep -c "Creating key fetch" ns5/named.run) || true [ "$count" -lt 2 ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc managed-keys' and islands of trust root unreachable ($n)" ret=0 mkeys_sync_on 5 -mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 5 >rndc.out.$n 2>&1 || ret=1 # there should be three keys listed now count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 3 ] || ret=1 @@ -753,9 +786,9 @@ count=$(grep -c "trust" rndc.out.$n) || true count=$(grep -c "trusted since" rndc.out.$n) || true [ "$count" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check key refreshes are resumed after root servers become available ($n)" ret=0 stop_server --use-rndc --port "${CONTROLPORT}" ns5 @@ -764,53 +797,53 @@ rm -f ns5/managed-keys.bind* # named2.args adds "-T mkeytimers=2/20/40" to named1.args as we need to wait for # an "hour" until keys are refreshed again after initial failure cp ns5/named2.args ns5/named.args -nextpart ns5/named.run > /dev/null +nextpart ns5/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns5 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': failure" ns5/named.run || ret=1 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1 mkeys_secroots_on 5 || ret=1 -grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1 +grep '; initializing managed' ns5/named.secroots >/dev/null 2>&1 || ret=1 # ns1 should still REFUSE queries from ns5, so resolving should be impossible -dig_with_opts +noauth example. @10.53.0.5 txt > dig.out.ns5.a.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns5.a.test$n > /dev/null && ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns5.a.test$n > /dev/null && ret=1 -grep "status: SERVFAIL" dig.out.ns5.a.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. @10.53.0.5 txt >dig.out.ns5.a.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.a.test$n >/dev/null && ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns5.a.test$n >/dev/null && ret=1 +grep "status: SERVFAIL" dig.out.ns5.a.test$n >/dev/null || ret=1 # Allow queries from ns5 to ns1 copy_setports ns1/named3.conf.in ns1/named.conf rm -f ns1/root.db.signed.jnl -nextpart ns5/named.run > /dev/null +nextpart ns5/named.run >/dev/null mkeys_reconfig_on 1 || ret=1 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': success" ns5/named.run || ret=1 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1 mkeys_secroots_on 5 || ret=1 -grep '; managed' ns5/named.secroots > /dev/null || ret=1 +grep '; managed' ns5/named.secroots >/dev/null || ret=1 # ns1 should not longer REFUSE queries from ns5, so managed keys should be # correctly refreshed and resolving should succeed -dig_with_opts +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns5.b.test$n > /dev/null || ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns5.b.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. @10.53.0.5 txt >dig.out.ns5.b.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.b.test$n >/dev/null || ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns5.b.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns5.b.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reinitialize trust anchors, add unsupported algorithm ($n)" ret=0 stop_server --use-rndc --port "${CONTROLPORT}" ns6 rm -f ns6/managed-keys.bind* -nextpart ns6/named.run > /dev/null +nextpart ns6/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns6 # log when an unsupported algorithm is encountered during startup wait_for_log 20 "ignoring initial-key for 'unsupported.': algorithm is unsupported" ns6/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "ignoring unsupported algorithm in managed-keys ($n)" ret=0 -mkeys_status_on 6 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 6 >rndc.out.$n 2>&1 || ret=1 # there should still be only two keys listed (for . and island.) count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -818,26 +851,26 @@ count=$(grep -c "keyid: " rndc.out.$n) || true count=$(grep -c "trust" rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)" ret=0 cp ns1/root.db ns1/root.db.orig ksk=$(cat ns1/managed.key) zsk=$(cat ns1/zone.key) -cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db -grep "\.[[:space:]]*IN[[:space:]]*DNSKEY[[:space:]]*257 3 255" ns1/root.db > /dev/null || ret=1 -$SIGNER -K ns1 -N unixtime -o . ns1/root.db "$ksk" "$zsk" > /dev/null 2>/dev/null || ret=1 -grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1 +cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >>ns1/root.db +grep "\.[[:space:]]*IN[[:space:]]*DNSKEY[[:space:]]*257 3 255" ns1/root.db >/dev/null || ret=1 +$SIGNER -K ns1 -N unixtime -o . ns1/root.db "$ksk" "$zsk" >/dev/null 2>/dev/null || ret=1 +grep "DNSKEY.*257 3 255" ns1/root.db.signed >/dev/null || ret=1 cp ns1/root.db.orig ns1/root.db if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "ignoring unsupported algorithm in rollover ($n)" ret=0 mkeys_reload_on 1 || ret=1 mkeys_refresh_on 6 || ret=1 -mkeys_status_on 6 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 6 >rndc.out.$n 2>&1 || ret=1 # there should still be only two keys listed (for . and island.) count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -847,28 +880,28 @@ count=$(grep -c "trust" rndc.out.$n) || true # log when an unsupported algorithm is encountered during rollover wait_for_log 20 "Cannot compute tag for key in zone .: algorithm is unsupported" ns6/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc managed-keys' and views ($n)" ret=0 -rndccmd 10.53.0.7 managed-keys refresh in view1 > rndc.out.ns7.view1.test$n || ret=1 -grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n > /dev/null || ret=1 -lines=$(wc -l < rndc.out.ns7.view1.test$n) +rndccmd 10.53.0.7 managed-keys refresh in view1 >rndc.out.ns7.view1.test$n || ret=1 +grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n >/dev/null || ret=1 +lines=$(wc -l <rndc.out.ns7.view1.test$n) [ "$lines" -eq 1 ] || ret=1 -rndccmd 10.53.0.7 managed-keys refresh > rndc.out.ns7.view2.test$n || ret=1 -lines=$(wc -l < rndc.out.ns7.view2.test$n) -grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n > /dev/null || ret=1 -grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null || ret=1 +rndccmd 10.53.0.7 managed-keys refresh >rndc.out.ns7.view2.test$n || ret=1 +lines=$(wc -l <rndc.out.ns7.view2.test$n) +grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n >/dev/null || ret=1 +grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n >/dev/null || ret=1 [ "$lines" -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc managed-keys' and islands of trust now that root is reachable ($n)" ret=0 mkeys_sync_on 5 -mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 5 >rndc.out.$n 2>&1 || ret=1 # there should be three keys listed now count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 3 ] || ret=1 @@ -879,7 +912,7 @@ count=$(grep -c "trust" rndc.out.$n) || true count=$(grep -c "trusted since" rndc.out.$n) || true [ "$count" -eq 3 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 |