diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 07:24:22 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 07:24:22 +0000 |
commit | 45d6379135504814ab723b57f0eb8be23393a51d (patch) | |
tree | d4f2ec4acca824a8446387a758b0ce4238a4dffa /bin/tests/system/coverage | |
parent | Initial commit. (diff) | |
download | bind9-upstream.tar.xz bind9-upstream.zip |
Adding upstream version 1:9.16.44.upstream/1%9.16.44upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
27 files changed, 413 insertions, 0 deletions
diff --git a/bin/tests/system/coverage/01-ksk-inactive/README b/bin/tests/system/coverage/01-ksk-inactive/README new file mode 100644 index 0000000..8102593 --- /dev/null +++ b/bin/tests/system/coverage/01-ksk-inactive/README @@ -0,0 +1,10 @@ +This set includes one KSK rollover. The KSK is deactivated prior to +its replacement being activated. Tool output should resemble: + +Checking KSK events for zone example.com, algorithm 7: +ERROR: After 2012-31-Jul (20:59:14): + Inactive: example.com/007/45435 (KSK) +No KSK's are active + +Checking ZSK events for zone example.com, algorithm 7: +OK diff --git a/bin/tests/system/coverage/01-ksk-inactive/expect b/bin/tests/system/coverage/01-ksk-inactive/expect new file mode 100644 index 0000000..3d342b1 --- /dev/null +++ b/bin/tests/system/coverage/01-ksk-inactive/expect @@ -0,0 +1,6 @@ +args="-d 1h -m 2h" +warn=0 +error=1 +ok=1 +retcode=1 +match="No KSK's are active" diff --git a/bin/tests/system/coverage/02-zsk-inactive/README b/bin/tests/system/coverage/02-zsk-inactive/README new file mode 100644 index 0000000..5d3fed1 --- /dev/null +++ b/bin/tests/system/coverage/02-zsk-inactive/README @@ -0,0 +1,10 @@ +This set includes one ZSK rollover. The first ZSK is deactivated +prior to its replacement being activated. Tool output should resemble: + +Checking KSK events for zone example.com, algorithm 7: +OK + +Checking ZSK events for zone example.com, algorithm 7: +ERROR: After 2012-05-Dec (20:39:32): + Inactive: example.com/005/08376 (ZSK) +No ZSK's are active diff --git a/bin/tests/system/coverage/02-zsk-inactive/expect b/bin/tests/system/coverage/02-zsk-inactive/expect new file mode 100644 index 0000000..a905b58 --- /dev/null +++ b/bin/tests/system/coverage/02-zsk-inactive/expect @@ -0,0 +1,6 @@ +args="-d 1h -m 2h" +warn=0 +error=1 +ok=1 +retcode=1 +match="No ZSK's are active" diff --git a/bin/tests/system/coverage/03-ksk-unpublished/README b/bin/tests/system/coverage/03-ksk-unpublished/README new file mode 100644 index 0000000..7d8a301 --- /dev/null +++ b/bin/tests/system/coverage/03-ksk-unpublished/README @@ -0,0 +1,10 @@ +This set contains one KSK rollover. The KSK is unpublished before its +successor is published. Tool output should resemble: + +Checking KSK events for zone example.com, algorithm 7: +ERROR: After 2012-06-Oct (21:07:57): + Delete: example.com/007/23040 (KSK) +No KSK's are published + +Checking ZSK events for zone example.com, algorithm 7: +OK diff --git a/bin/tests/system/coverage/03-ksk-unpublished/expect b/bin/tests/system/coverage/03-ksk-unpublished/expect new file mode 100644 index 0000000..07bbff1 --- /dev/null +++ b/bin/tests/system/coverage/03-ksk-unpublished/expect @@ -0,0 +1,8 @@ +args="-d 1h -m 2h" +warn=1 +error=1 +ok=1 +retcode=1 +match="WARNING: Key .* (KSK) is scheduled for +deletion before inactivation +No KSK's are published" diff --git a/bin/tests/system/coverage/04-zsk-unpublished/README b/bin/tests/system/coverage/04-zsk-unpublished/README new file mode 100644 index 0000000..5077abf --- /dev/null +++ b/bin/tests/system/coverage/04-zsk-unpublished/README @@ -0,0 +1,10 @@ +This set contains one ZSK rollover. The ZSK is unpublished before its +successor is published. Tool output should resemble: + +Checking KSK events for zone example.com, algorithm 7: +OK + +Checking ZSK events for zone example.com, algorithm 7: +ERROR: After 2012-06-Oct (21:13:45): + Delete: example.com/007/25967 (ZSK) +No ZSK's are published diff --git a/bin/tests/system/coverage/04-zsk-unpublished/expect b/bin/tests/system/coverage/04-zsk-unpublished/expect new file mode 100644 index 0000000..450ec24 --- /dev/null +++ b/bin/tests/system/coverage/04-zsk-unpublished/expect @@ -0,0 +1,8 @@ +args="-d 1h -m 2h" +warn=1 +error=1 +ok=1 +retcode=1 +match="WARNING: Key .* (ZSK) is scheduled for +deletion before inactivation +No ZSK's are published" diff --git a/bin/tests/system/coverage/05-ksk-unpub-active/README b/bin/tests/system/coverage/05-ksk-unpub-active/README new file mode 100644 index 0000000..119c1b2 --- /dev/null +++ b/bin/tests/system/coverage/05-ksk-unpub-active/README @@ -0,0 +1,12 @@ +This set includes one KSK rollover. The first KSK is deleted +and its successor published prior to the first KSK being deactivated +and its successor activated. Tool output should resemble: + +Checking KSK events for zone example.com, algorithm 7: +ERROR: After 2012-05-Dec (21:22:19): + Delete: example.com/007/06219 (KSK) + Publish: example.com/007/20559 (KSK) +No KSK's are both active and published + +Checking ZSK events for zone example.com, algorithm 7: +OK diff --git a/bin/tests/system/coverage/05-ksk-unpub-active/expect b/bin/tests/system/coverage/05-ksk-unpub-active/expect new file mode 100644 index 0000000..2edfa0e --- /dev/null +++ b/bin/tests/system/coverage/05-ksk-unpub-active/expect @@ -0,0 +1,8 @@ +args="-d 1h -m 2h" +warn=1 +error=1 +ok=1 +retcode=1 +match="WARNING: Key .* (KSK) is scheduled for +deletion before inactivation +No KSK's are both active and published" diff --git a/bin/tests/system/coverage/06-zsk-unpub-active/README b/bin/tests/system/coverage/06-zsk-unpub-active/README new file mode 100644 index 0000000..84833f8 --- /dev/null +++ b/bin/tests/system/coverage/06-zsk-unpub-active/README @@ -0,0 +1,12 @@ +This set includes one KSK rollover. The first KSK is deleted +and its successor published prior to the first KSK being deactivated +and its successor activated. Tool output should resemble: + +Checking KSK events for zone example.com, algorithm 7: +OK + +Checking ZSK events for zone example.com, algorithm 7: +ERROR: After 2012-05-Dec (20:44:18): + Delete: example.com/007/26369 (ZSK) + Publish: example.com/007/21029 (ZSK) +No ZSK's are both active and published diff --git a/bin/tests/system/coverage/06-zsk-unpub-active/expect b/bin/tests/system/coverage/06-zsk-unpub-active/expect new file mode 100644 index 0000000..0ef5b15 --- /dev/null +++ b/bin/tests/system/coverage/06-zsk-unpub-active/expect @@ -0,0 +1,8 @@ +args="-d 1h -m 2h" +warn=1 +error=1 +ok=1 +retcode=1 +match="WARNING: Key .* (ZSK) is scheduled for +deletion before inactivation +No ZSK's are both active and published" diff --git a/bin/tests/system/coverage/07-ksk-ttl/README b/bin/tests/system/coverage/07-ksk-ttl/README new file mode 100644 index 0000000..2659099 --- /dev/null +++ b/bin/tests/system/coverage/07-ksk-ttl/README @@ -0,0 +1,4 @@ +This set includes a KSK rollover, with insufficient delay between +prepublication and rollover. + +Expected tool output TBD. diff --git a/bin/tests/system/coverage/07-ksk-ttl/expect b/bin/tests/system/coverage/07-ksk-ttl/expect new file mode 100644 index 0000000..eade21a --- /dev/null +++ b/bin/tests/system/coverage/07-ksk-ttl/expect @@ -0,0 +1,9 @@ +args="-d 1w -m 2w" +warn=1 +error=0 +ok=2 +retcode=0 +match="WARNING: Key .* (KSK) is activated too soon +after publication +Activation should be at least 7 days after +publication." diff --git a/bin/tests/system/coverage/08-zsk-ttl/README b/bin/tests/system/coverage/08-zsk-ttl/README new file mode 100644 index 0000000..2659099 --- /dev/null +++ b/bin/tests/system/coverage/08-zsk-ttl/README @@ -0,0 +1,4 @@ +This set includes a KSK rollover, with insufficient delay between +prepublication and rollover. + +Expected tool output TBD. diff --git a/bin/tests/system/coverage/08-zsk-ttl/expect b/bin/tests/system/coverage/08-zsk-ttl/expect new file mode 100644 index 0000000..150c9cd --- /dev/null +++ b/bin/tests/system/coverage/08-zsk-ttl/expect @@ -0,0 +1,9 @@ +args="-d 1w -m 2w" +warn=1 +error=0 +ok=2 +retcode=0 +match="WARNING: Key .* (ZSK) is activated too soon +after publication +Activation should be at least 7 days after +publication." diff --git a/bin/tests/system/coverage/09-check-zsk/README b/bin/tests/system/coverage/09-check-zsk/README new file mode 100644 index 0000000..bc5edc8 --- /dev/null +++ b/bin/tests/system/coverage/09-check-zsk/README @@ -0,0 +1,6 @@ +This set includes one KSK rollover. The KSK is deactivated prior to +its replacement being activated; however, as we are only checking ZSK's, +we should not detect the error. Tool output should resemble: + +Checking ZSK events for zone example.com, algorithm 7: +OK diff --git a/bin/tests/system/coverage/09-check-zsk/expect b/bin/tests/system/coverage/09-check-zsk/expect new file mode 100644 index 0000000..d56c4bf --- /dev/null +++ b/bin/tests/system/coverage/09-check-zsk/expect @@ -0,0 +1,6 @@ +args="-z -d 1h -m 2h" +warn=0 +error=0 +ok=1 +retcode=0 +match="" diff --git a/bin/tests/system/coverage/10-check-ksk/README b/bin/tests/system/coverage/10-check-ksk/README new file mode 100644 index 0000000..948364d --- /dev/null +++ b/bin/tests/system/coverage/10-check-ksk/README @@ -0,0 +1,7 @@ +This set includes one ZSK rollover. The first ZSK is deactivated +prior to its replacement being activated; however, as we are only +checking KSKs, we should not detect the error. Tool output should +resemble: + +Checking KSK events for zone example.com, algorithm 7: +OK diff --git a/bin/tests/system/coverage/10-check-ksk/expect b/bin/tests/system/coverage/10-check-ksk/expect new file mode 100644 index 0000000..a03d2aa --- /dev/null +++ b/bin/tests/system/coverage/10-check-ksk/expect @@ -0,0 +1,6 @@ +args="-k -d 1h -m 2h" +warn=0 +error=0 +ok=1 +retcode=0 +match="" diff --git a/bin/tests/system/coverage/11-cutoff/README b/bin/tests/system/coverage/11-cutoff/README new file mode 100644 index 0000000..8102593 --- /dev/null +++ b/bin/tests/system/coverage/11-cutoff/README @@ -0,0 +1,10 @@ +This set includes one KSK rollover. The KSK is deactivated prior to +its replacement being activated. Tool output should resemble: + +Checking KSK events for zone example.com, algorithm 7: +ERROR: After 2012-31-Jul (20:59:14): + Inactive: example.com/007/45435 (KSK) +No KSK's are active + +Checking ZSK events for zone example.com, algorithm 7: +OK diff --git a/bin/tests/system/coverage/11-cutoff/expect b/bin/tests/system/coverage/11-cutoff/expect new file mode 100644 index 0000000..bdf29d0 --- /dev/null +++ b/bin/tests/system/coverage/11-cutoff/expect @@ -0,0 +1,6 @@ +args="-l 1y -d 1h -m 2h" +warn=0 +error=0 +ok=2 +retcode=0 +match="" diff --git a/bin/tests/system/coverage/12-ksk-deletion/expect b/bin/tests/system/coverage/12-ksk-deletion/expect new file mode 100644 index 0000000..898c0bf --- /dev/null +++ b/bin/tests/system/coverage/12-ksk-deletion/expect @@ -0,0 +1,6 @@ +args= +warn=4 +error=1 +ok=1 +retcode=1 +match=0 diff --git a/bin/tests/system/coverage/13-dotted-dotless/expect b/bin/tests/system/coverage/13-dotted-dotless/expect new file mode 100644 index 0000000..5760d29 --- /dev/null +++ b/bin/tests/system/coverage/13-dotted-dotless/expect @@ -0,0 +1,7 @@ +args="-z -m2h" +warn=0 +error=0 +ok=2 +retcode=0 +match= +zones="one.example. two.example" diff --git a/bin/tests/system/coverage/clean.sh b/bin/tests/system/coverage/clean.sh new file mode 100644 index 0000000..5527946 --- /dev/null +++ b/bin/tests/system/coverage/clean.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f named-compilezone +rm -f */K*.key +rm -f */K*.private +rm -rf coverage.* +rm -rf dotted-dotless +rm -f ns*/named.lock diff --git a/bin/tests/system/coverage/setup.sh b/bin/tests/system/coverage/setup.sh new file mode 100644 index 0000000..7de73b8 --- /dev/null +++ b/bin/tests/system/coverage/setup.sh @@ -0,0 +1,119 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +$SHELL clean.sh + +ln -s $CHECKZONE named-compilezone + +# Test 1: KSK goes inactive before successor is active +dir=01-ksk-inactive +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=$($KEYGEN -q -K $dir -S $ksk1) +$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1 +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) + +# Test 2: ZSK goes inactive before successor is active +dir=02-zsk-inactive +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=$($KEYGEN -q -K $dir -S $zsk1) +$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1 +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) + +# Test 3: KSK is unpublished before its successor is published +dir=03-ksk-unpublished +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=$($KEYGEN -q -K $dir -S $ksk1) +$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1 +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) + +# Test 4: ZSK is unpublished before its successor is published +dir=04-zsk-unpublished +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=$($KEYGEN -q -K $dir -S $zsk1) +$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1 +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) + +# Test 5: KSK deleted and successor published before KSK is deactivated +# and successor activated. +dir=05-ksk-unpub-active +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) +$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1 +ksk2=$($KEYGEN -q -K $dir -S $ksk1) +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) + +# Test 6: ZSK deleted and successor published before ZSK is deactivated +# and successor activated. +dir=06-zsk-unpub-active +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) +$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1 +zsk2=$($KEYGEN -q -K $dir -S $zsk1) +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) + +# Test 7: KSK rolled with insufficient delay after prepublication. +dir=07-ksk-ttl +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=$($KEYGEN -q -K $dir -S $ksk1) +# allow only 1 day between publication and activation +$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1 +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) + +# Test 8: ZSK rolled with insufficient delay after prepublication. +dir=08-zsk-ttl +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=$($KEYGEN -q -K $dir -S $zsk1) +# allow only 1 day between publication and activation +$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1 +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) + +# Test 9: KSK goes inactive before successor is active, but checking ZSKs +dir=09-check-zsk +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=$($KEYGEN -q -K $dir -S $ksk1) +$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1 +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) + +# Test 10: ZSK goes inactive before successor is active, but checking KSKs +dir=10-check-ksk +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=$($KEYGEN -q -K $dir -S $zsk1) +$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1 +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) + +# Test 11: ZSK goes inactive before successor is active, but after cutoff +dir=11-cutoff +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) +$SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1 +zsk2=$($KEYGEN -q -K $dir -S $zsk1) +$SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1 +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) + +# Test 12: Too early KSK deletion +dir=12-ksk-deletion +ksk1=$($KEYGEN -q -K $dir -f KSK -a 8 -b 2048 -I +40d -D +40d example.com) +ksk2=$($KEYGEN -q -K $dir -S $ksk1.key example.com) + +# Test 13: check names with/without dots at the end +dir=13-dotted-dotless +zsk1=$($KEYGEN -q -K $dir -a rsasha256 one.example) +zsk2=$($KEYGEN -q -K $dir -a rsasha256 two.example) diff --git a/bin/tests/system/coverage/tests.sh b/bin/tests/system/coverage/tests.sh new file mode 100644 index 0000000..e0da919 --- /dev/null +++ b/bin/tests/system/coverage/tests.sh @@ -0,0 +1,87 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +COVERAGE="$COVERAGE -c ./named-compilezone" + +status=0 +n=1 + +matchall () { + file=$1 + echo "$2" | while read matchline; do + grep "$matchline" $file > /dev/null 2>&1 || { + echo "FAIL" + return + } + done +} + +echo_i "checking for DNSSEC key coverage issues" +ret=0 +for dir in [0-9][0-9]-*; do + ret=0 + echo_i "$dir" + args= warn= error= ok= retcode= match= zones= + . $dir/expect + $COVERAGE $args -K $dir ${zones:-example.com} > coverage.$n 2>&1 + + # check that return code matches expectations + found=$? + if [ $found -ne $retcode ]; then + echo "retcode was $found expected $retcode" + ret=1 + fi + + # check for correct number of errors + found=`grep ERROR coverage.$n | wc -l` + if [ $found -ne $error ]; then + echo "error count was $found expected $error" + ret=1 + fi + + # check for correct number of warnings + found=`grep WARNING coverage.$n | wc -l` + if [ $found -ne $warn ]; then + echo "warning count was $found expected $warn" + ret=1 + fi + + # check for correct number of OKs + found=`grep "No errors found" coverage.$n | wc -l` + if [ $found -ne $ok ]; then + echo "good count was $found expected $ok" + ret=1 + fi + + found=`matchall coverage.$n "$match"` + if [ "$found" = "FAIL" ]; then + echo "no match on '$match'" + ret=1 + fi + + found=`grep Traceback coverage.$n | wc -l` + if [ $found -ne 0 ]; then + echo "python exception detected" + ret=1 + fi + + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 |