author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 16:41:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 16:41:29 +0000 |
commit | e2fc8e037ea6bb5de92b25ec9c12a624737ac5ca (patch) | |
tree | 65e6bbf5e12c3fe09b43e577f8d1786d06bcd559 /bin/tests/system/dnssec/ns2 | |
parent | Releasing progress-linux version 1:9.18.19-1~deb12u1progress7u1. (diff) | |
Merging upstream version 1:9.18.24.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system/dnssec/ns2')
-rw-r--r-- | bin/tests/system/dnssec/ns2/named.conf.in | 2 | ||||
-rw-r--r-- | bin/tests/system/dnssec/ns2/sign.sh | 144 |
2 files changed, 72 insertions, 74 deletions
diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in
index 94928c1..a854a08 100644
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
@@ -39,7 +39,7 @@ controls {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "trusted" {
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 47248a4..05e8293 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -17,15 +17,14 @@ set -e
 # Sign child zones (served by ns3).
-( cd ../ns3 && $SHELL sign.sh )
+(cd ../ns3 && $SHELL sign.sh)
 echo_i "ns2/sign.sh"
 # Get the DS records for the "trusted." and "managed." zones.
-for subdomain in secure unsupported disabled enabled
-do
- cp "../ns3/dsset-$subdomain.managed." .
- cp "../ns3/dsset-$subdomain.trusted." .
+for subdomain in secure unsupported disabled enabled; do
+ cp "../ns3/dsset-$subdomain.managed." .
+ cp "../ns3/dsset-$subdomain.trusted." .
 done
 # Sign the "trusted." and "managed." zones.
@@ -36,9 +35,9 @@ zonefile=managed.db
 keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
 keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
-cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
-"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
 zone=trusted.
 infile=key.db.in
@@ -47,9 +46,9 @@ zonefile=trusted.db
 keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
 keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
-cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
-"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
 # The "example." zone.
 zone=example.
@@ -58,23 +57,22 @@ zonefile=example.db
 # Get the DS records for the "example." zone.
 for subdomain in secure badds bogus dynamic keyless nsec3 optout \
- nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
- kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
- ttlpatch split-dnssec split-smart expired expiring upper lower \
- dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
- dnskey-nsec3-unknown managed-future revkey \
- dname-at-apex-nsec3 occluded
-do
- cp "../ns3/dsset-$subdomain.example." .
+ nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
+ kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
+ ttlpatch split-dnssec split-smart expired expiring upper lower \
+ dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
+ dnskey-nsec3-unknown managed-future revkey \
+ dname-at-apex-nsec3 occluded; do
+ cp "../ns3/dsset-$subdomain.example." .
 done
 # Sign the "example." zone.
 keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
 keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
-cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
-"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
 #
 # lower/uppercase the signature bits with the exception of the last characters
@@ -82,8 +80,8 @@ cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
 #
 zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
-"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" |
-awk '
+"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \
+ | awk '
 tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" {
 for (i = 1; i <= NF; i++ ) {
 if (i <= 12) {
@@ -122,7 +120,7 @@ tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" {
 next;
 }
-{ print; }' > "$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed"
+{ print; }' >"$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed"
 #
 # signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned.
@@ -134,8 +132,8 @@ zonefile=in-addr.arpa.db
 keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
-"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
+"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
 # Sign the badparam secure file
@@ -146,11 +144,11 @@ zonefile=badparam.db
 keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
-"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
-sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad"
+sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" >"$zonefile.bad"
 # Sign the single-nsec3 secure zone with optout
@@ -161,9 +159,9 @@ zonefile=single-nsec3.db
 keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
-"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
 #
 # algroll has just has the old DNSKEY records removed and is waiting
@@ -179,9 +177,9 @@ keyold2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zon
 keynew1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"
+cat "$infile" "$keynew1.key" "$keynew2.key" >"$zonefile"
-"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1
+"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" >/dev/null 2>&1
 #
 # Make a zone big enough that it takes several seconds to generate a new
@@ -189,7 +187,7 @@ cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"
 #
 zone=nsec3chain-test
 zonefile=nsec3chain-test.db
-cat > "$zonefile" << EOF
+cat >"$zonefile" <<EOF
 \$TTL 10
 @ 10 SOA ns2 hostmaster 0 3600 1200 864000 1200
 @ 10 NS ns2
@@ -199,22 +197,22 @@ ns3 10 A 10.53.0.3
 EOF
 i=1
 while [ $i -le 300 ]; do
- echo "host$i 10 IN NS ns.elsewhere"
- i=$((i+1))
-done >> "$zonefile"
+ echo "host$i 10 IN NS ns.elsewhere"
+ i=$((i + 1))
+done >>"$zonefile"
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$key1.key" "$key2.key" >> "$zonefile"
-"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1
+cat "$key1.key" "$key2.key" >>"$zonefile"
+"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" >/dev/null 2>&1
 zone=cds.secure
 infile=cds.secure.db.in
 zonefile=cds.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
+"$DSFROMKEY" -C "$key1.key" >"$key1.cds"
 cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile
-"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
 zone=cds-x.secure
 infile=cds.secure.db.in
@@ -222,43 +220,43 @@ zonefile=cds-x.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-"$DSFROMKEY" -C "$key2.key" > "$key2.cds"
-cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile"
-"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
+"$DSFROMKEY" -C "$key2.key" >"$key2.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" >"$zonefile"
+"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1
 zone=cds-update.secure
 infile=cds-update.secure.db.in
 zonefile=cds-update.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
 zone=cds-kskonly.secure
 infile=cds-kskonly.secure.db.in
 zonefile=cds-kskonly.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
-keyfile_to_key_id "$key1" > cds-kskonly.secure.id
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
+keyfile_to_key_id "$key1" >cds-kskonly.secure.id
 zone=cds-auto.secure
 infile=cds-auto.secure.db.in
 zonefile=cds-auto.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-$SETTIME -P sync now "$key1" > /dev/null
-cat "$infile" > "$zonefile.signed"
+$SETTIME -P sync now "$key1" >/dev/null
+cat "$infile" >"$zonefile.signed"
 zone=cdnskey.secure
 infile=cdnskey.secure.db.in
 zonefile=cdnskey.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
-cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile"
-"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
+sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile"
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
 zone=cdnskey-x.secure
 infile=cdnskey.secure.db.in
@@ -266,34 +264,34 @@ zonefile=cdnskey-x.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
-cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
-"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
+sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" >"$zonefile"
+"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1
 zone=cdnskey-update.secure
 infile=cdnskey-update.secure.db.in
 zonefile=cdnskey-update.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
 zone=cdnskey-kskonly.secure
 infile=cdnskey-kskonly.secure.db.in
 zonefile=cdnskey-kskonly.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
-keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
+keyfile_to_key_id "$key1" >cdnskey-kskonly.secure.id
 zone=cdnskey-auto.secure
 infile=cdnskey-auto.secure.db.in
 zonefile=cdnskey-auto.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-$SETTIME -P sync now "$key1" > /dev/null
-cat "$infile" > "$zonefile.signed"
+$SETTIME -P sync now "$key1" >/dev/null
+cat "$infile" >"$zonefile.signed"
 zone=updatecheck-kskonly.secure
 infile=template.secure.db.in
@@ -301,14 +299,14 @@ zonefile=${zone}.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 # Save key id's for checking active key usage
-keyfile_to_key_id "$key1" > $zone.ksk.id
-keyfile_to_key_id "$key2" > $zone.zsk.id
-echo "${key1}" > $zone.ksk.key
-echo "${key2}" > $zone.zsk.key
+keyfile_to_key_id "$key1" >$zone.ksk.id
+keyfile_to_key_id "$key2" >$zone.zsk.id
+echo "${key1}" >$zone.ksk.key
+echo "${key2}" >$zone.zsk.key
 # Add CDS and CDNSKEY records
-sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey"
-"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
-cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile"
+sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cdnskey"
+"$DSFROMKEY" -C "$key1.key" >"$key1.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" >"$zonefile"
 # Don't sign, let auto-dnssec maintain do it.
 mv $zonefile "$zonefile.signed"
@@ -317,8 +315,8 @@ infile=hours-vs-days.db.in
 zonefile=hours-vs-days.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-$SETTIME -P sync now "$key1" > /dev/null
-cat "$infile" > "$zonefile.signed"
+$SETTIME -P sync now "$key1" >/dev/null
+cat "$infile" >"$zonefile.signed"
 #
 # Negative result from this zone should come back as insecure.
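Review bot: The four redirections rewritten in the updatecheck-kskonly.secure hunk still expand `$zone` unquoted (`>$zone.ksk.id`, `>$zone.zsk.id`, `>$zone.ksk.key`, `>$zone.zsk.key`), while the other added lines in this file quote their targets (`>"$zonefile"`, `>"$key1.cds"`). The zone name appears to be a fixed literal assigned just before the hunk, so nothing breaks today, but since this formatting pass already rewrites each of these lines I would finish the job with `keyfile_to_key_id "$key1" >"$zone.ksk.id"` and the same for the other three. The unchanged `mv $zonefile "$zonefile.signed"` at the end of that hunk and the `$SETTIME -P sync now "$key1" >/dev/null` lines in the neighbouring hunks show the same inconsistency next to the quoted `"$KEYGEN"` and `"$SIGNER"` calls; quote them too unless SETTIME is meant to carry arguments.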
@@ -328,5 +326,5 @@ infile=too-many-iterations.db.in
 zonefile=too-many-iterations.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" > /dev/null 2>&1
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1 |