diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:59:48 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:59:48 +0000 |
commit | 3b9b6d0b8e7f798023c9d109c490449d528fde80 (patch) | |
tree | 2e1c188dd7b8d7475cd163de9ae02c428343669b /bin/tests/system/inline | |
parent | Initial commit. (diff) | |
download | bind9-3b9b6d0b8e7f798023c9d109c490449d528fde80.tar.xz bind9-3b9b6d0b8e7f798023c9d109c490449d528fde80.zip |
Adding upstream version 1:9.18.19.upstream/1%9.18.19
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
34 files changed, 2987 insertions, 0 deletions
diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh new file mode 100644 index 0000000..79f3774 --- /dev/null +++ b/bin/tests/system/inline/clean.sh @@ -0,0 +1,27 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -rf ./*/*.jbk \ + ./*/*.nzd ./*/*.nzd-lock ./*/*.nzf \ + ./*/named.conf ./*/named.memstats ./*/named.run* ./*/named.lock \ + ./*/trusted.conf \ + ./K* ./*/K* \ + ./checkecdsa \ + ./freeze.test* thaw.test* \ + ./import.key \ + ././ns*/managed-keys.bind* ./ns*/*.mkeys* \ + ./*/dsset-* ./*/nzf-* \ + ./*/*.db ./*/*.db.signed ./*/*.db.jnl ./*/*.db.signed.jnl \ + ./*.out ./*.out* ./*/*.out ./*/*.out* \ + ./*/*.bk ./*/*.bk.jnl ./*/*.bk.signed ./*/*.bk.signed.jnl \ + ns3/a-file ns3/removedkeys diff --git a/bin/tests/system/inline/ns1/named.conf.in b/bin/tests/system/inline/ns1/named.conf.in new file mode 100644 index 0000000..da27c58 --- /dev/null +++ b/bin/tests/system/inline/ns1/named.conf.in @@ -0,0 +1,36 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS1 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-validation yes; +}; + +zone "." { + type primary; + file "root.db.signed"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/inline/ns1/root.db.in b/bin/tests/system/inline/ns1/root.db.in new file mode 100644 index 0000000..abc7370 --- /dev/null +++ b/bin/tests/system/inline/ns1/root.db.in @@ -0,0 +1,59 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +bits. NS ns3.bits. +bits. NS ns4.bits. +ns3.bits. A 10.53.0.3 +ns4.bits. A 10.53.0.4 + +noixfr. NS ns3.noixfr. +ns3.noixfr. A 10.53.0.3 + +primary. NS ns3.primary. +ns3.primary. A 10.53.0.3 + +dynamic. NS ns3.dynamic. +ns3.dynamic. A 10.53.0.3 + +updated. NS ns3.updated. +ns3.updated. A 10.53.0.3 + +expired. NS ns3.expired. +ns3.expired. A 10.53.0.3 + +retransfer. NS ns3.retransfer. +ns3.retransfer. A 10.53.0.3 + +nsec3. NS ns3.nsec3. +ns3.nsec3. A 10.53.0.3 + +externalkey. NS ns3.externalkey. +ns3.externalkey. A 10.53.0.3 + +retransfer3. NS ns3.retransfer. +ns3.retransfer3. A 10.53.0.3 + +inactiveksk. NS ns3.inactiveksk. +ns3.inactiveksk. A 10.53.0.3 + +inactivezsk. NS ns3.inactivezsk. +ns3.inactivezsk. A 10.53.0.3 diff --git a/bin/tests/system/inline/ns1/sign.sh b/bin/tests/system/inline/ns1/sign.sh new file mode 100644 index 0000000..c231713 --- /dev/null +++ b/bin/tests/system/inline/ns1/sign.sh @@ -0,0 +1,25 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../../conf.sh + +zone=. +rm -f K.+*+*.key +rm -f K.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out +[ $? = 0 ] || cat signer.out + +keyfile_to_static_ds $keyname > trusted.conf +cp trusted.conf ../ns6/trusted.conf diff --git a/bin/tests/system/inline/ns2/bits.db.in b/bin/tests/system/inline/ns2/bits.db.in new file mode 100644 index 0000000..2652047 --- /dev/null +++ b/bin/tests/system/inline/ns2/bits.db.in @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns2 . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 diff --git a/bin/tests/system/inline/ns2/named.conf.in b/bin/tests/system/inline/ns2/named.conf.in new file mode 100644 index 0000000..38e6e90 --- /dev/null +++ b/bin/tests/system/inline/ns2/named.conf.in @@ -0,0 +1,86 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + notify-delay 0; + allow-new-zones yes; + dnssec-validation no; +}; + +zone "bits" { + type primary; + file "bits.db"; + allow-update { any; }; +}; + +zone "retransfer" { + type primary; + file "retransfer.db"; + allow-update { any; }; + notify no; +}; + +zone "retransfer3" { + type primary; + file "retransfer3.db"; + allow-update { any; }; + allow-transfer { none; }; // changed dynamically by tests.sh + notify no; +}; + +zone "nsec3-loop" { + type primary; + file "nsec3-loop.db"; + notify no; +}; + +zone "inactiveksk" { + type primary; + file "inactiveksk.db"; + allow-update { any; }; +}; + +zone "inactivezsk" { + type primary; + file "inactivezsk.db"; + allow-update { any; }; +}; + +zone "nokeys" { + type primary; + file "nokeys.db"; + allow-update { any; }; +}; + +zone "removedkeys-secondary" { + type primary; + file "removedkeys-secondary.db"; + allow-update { any; }; +}; diff --git a/bin/tests/system/inline/ns2/nsec3-loop.db.in b/bin/tests/system/inline/ns2/nsec3-loop.db.in new file mode 100644 index 0000000..d12af8d --- /dev/null +++ b/bin/tests/system/inline/ns2/nsec3-loop.db.in @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; NOTE: This zone's data has been crafted in order to reproduce a very specific +; scenario (see ns7/named.conf for more details). Please do not modify this +; file. + +$TTL 300 ; 5 minutes +@ IN SOA ns2 . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 diff --git a/bin/tests/system/inline/ns3/include.db.in b/bin/tests/system/inline/ns3/include.db.in new file mode 100644 index 0000000..c46a6a8 --- /dev/null +++ b/bin/tests/system/inline/ns3/include.db.in @@ -0,0 +1,12 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +f A 10.0.0.7 diff --git a/bin/tests/system/inline/ns3/named.conf.in b/bin/tests/system/inline/ns3/named.conf.in new file mode 100644 index 0000000..6b3b3cd --- /dev/null +++ b/bin/tests/system/inline/ns3/named.conf.in @@ -0,0 +1,181 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + try-tcp-refresh no; + notify-delay 0; + allow-new-zones yes; + dnssec-validation no; +}; + +zone "bits" { + type secondary; + primaries { 10.53.0.2; }; + inline-signing yes; + auto-dnssec maintain; + allow-update-forwarding { any; }; + file "bits.bk"; + sig-signing-signatures 1; // force incremental processing +}; + +server 10.53.0.4 { request-ixfr no; }; + +zone "noixfr" { + type secondary; + primaries { 10.53.0.4; }; + inline-signing yes; + auto-dnssec maintain; + allow-update-forwarding { any; }; + file "noixfr.bk"; +}; + +zone "primary" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "primary.db"; + notify explicit; + also-notify { + 10.53.0.3; + }; +}; + +zone "dynamic" { + type primary; + inline-signing yes; + auto-dnssec maintain; + allow-update { any; }; + file "dynamic.db"; +}; + +zone "updated" { + type primary; + inline-signing yes; + auto-dnssec maintain; + allow-update { none; }; + file "updated.db"; +}; + +zone "expired" { + type primary; + inline-signing yes; + auto-dnssec maintain; + allow-update { any; }; + file "expired.db"; +}; + +zone "retransfer" { + type secondary; + primaries { 10.53.0.2; }; + inline-signing yes; + auto-dnssec maintain; + file "retransfer.bk"; +}; + +zone "nsec3" { + type primary; + inline-signing yes; + auto-dnssec maintain; + allow-update { any; }; + file "nsec3.db"; +}; + +zone "externalkey" { + type primary; + inline-signing yes; + auto-dnssec maintain; + dnssec-dnskey-kskonly no; + allow-update { any; }; + file "externalkey.db"; +}; + +zone "retransfer3" { + type secondary; + primaries { 10.53.0.2; }; + inline-signing yes; + auto-dnssec maintain; + file "retransfer3.bk"; +}; + +zone "inactiveksk" { + type secondary; + primaries { 10.53.0.2; }; + inline-signing yes; + auto-dnssec maintain; + dnssec-dnskey-kskonly yes; + file "inactiveksk.bk"; +}; + +zone "inactivezsk" { + type secondary; + primaries { 10.53.0.2; }; + inline-signing yes; + auto-dnssec maintain; + file "inactivezsk.bk"; +}; + +zone "nokeys" { + type secondary; + primaries { 10.53.0.2; }; + inline-signing yes; + auto-dnssec maintain; + file "nokeys.bk"; +}; + +zone "delayedkeys" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "delayedkeys.db"; +}; + +zone "removedkeys-primary" { + type primary; + inline-signing yes; + auto-dnssec maintain; + allow-update { any; }; + also-notify { 10.53.0.2; }; + file "removedkeys-primary.db"; +}; + +zone "removedkeys-secondary" { + type secondary; + primaries { 10.53.0.2; }; + inline-signing yes; + auto-dnssec maintain; + file "removedkeys-secondary.bk"; +}; + +zone "unsupported" { + type primary; + file "unsupported.db"; + inline-signing yes; + auto-dnssec maintain; +}; diff --git a/bin/tests/system/inline/ns3/primary.db.in b/bin/tests/system/inline/ns3/primary.db.in new file mode 100644 index 0000000..4d30cf6 --- /dev/null +++ b/bin/tests/system/inline/ns3/primary.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns3 . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 diff --git a/bin/tests/system/inline/ns3/primary2.db.in b/bin/tests/system/inline/ns3/primary2.db.in new file mode 100644 index 0000000..24a0666 --- /dev/null +++ b/bin/tests/system/inline/ns3/primary2.db.in @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns3 . ( + 2000042408 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +e A 10.0.0.5 diff --git a/bin/tests/system/inline/ns3/primary3.db.in b/bin/tests/system/inline/ns3/primary3.db.in new file mode 100644 index 0000000..f3062c3 --- /dev/null +++ b/bin/tests/system/inline/ns3/primary3.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns3 . ( + 2000042409 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +c A 10.0.0.3 +e A 10.0.0.5 diff --git a/bin/tests/system/inline/ns3/primary4.db.in b/bin/tests/system/inline/ns3/primary4.db.in new file mode 100644 index 0000000..737e2e2 --- /dev/null +++ b/bin/tests/system/inline/ns3/primary4.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns3 hostmaster. ( + 2000042410 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +c A 10.0.0.3 +e A 10.0.0.5 diff --git a/bin/tests/system/inline/ns3/primary5.db.in b/bin/tests/system/inline/ns3/primary5.db.in new file mode 100644 index 0000000..a1e1300 --- /dev/null +++ b/bin/tests/system/inline/ns3/primary5.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns3 . ( + 2000042411 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +c A 10.0.0.3 +e A 10.0.0.5 diff --git a/bin/tests/system/inline/ns3/primary6.db.in b/bin/tests/system/inline/ns3/primary6.db.in new file mode 100644 index 0000000..de3e651 --- /dev/null +++ b/bin/tests/system/inline/ns3/primary6.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns3 . ( + 2000042412 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +c A 10.0.0.3 +e A 10.0.0.5 + +$INCLUDE missingfile.db diff --git a/bin/tests/system/inline/ns3/primary7.db.in b/bin/tests/system/inline/ns3/primary7.db.in new file mode 100644 index 0000000..a3e33e7 --- /dev/null +++ b/bin/tests/system/inline/ns3/primary7.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns3 . ( + 2000042412 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +c A 10.0.0.3 +e A 10.0.0.5 + +$INCLUDE include.db diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh new file mode 100755 index 0000000..f17a8ad --- /dev/null +++ b/bin/tests/system/inline/ns3/sign.sh @@ -0,0 +1,159 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../../conf.sh + +# Fake an unsupported key +unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone unsupported) +awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp +mv ${unsupportedkey}.tmp ${unsupportedkey}.key + +zone=bits +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=noixfr +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=primary +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=dynamic +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=updated +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null +cp primary2.db.in updated.db + +# signatures are expired and should be regenerated on startup +zone=expired +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null + +zone=retransfer +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=nsec3 +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=retransfer3 +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=inactiveksk +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 -f KSK $zone) +keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=inactivezsk +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=delayedkeys +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +# Keys for the "delayedkeys" zone should not be initially accessible. +mv K${zone}.+*+*.* ../ + +zone=removedkeys-primary +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) + +zone=removedkeys-secondary +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) + +for s in a c d h k l m q z +do + zone=test-$s + keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +done + +for s in b f i o p t v +do + zone=test-$s + keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) + keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +done + +zone=externalkey +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private + +for alg in ${DEFAULT_ALGORITHM} ${ALTERNATIVE_ALGORITHM} +do + k1=$($KEYGEN -q -a $alg -n zone -f KSK $zone) + k2=$($KEYGEN -q -a $alg -n zone $zone) + k3=$($KEYGEN -q -a $alg -n zone $zone) + k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone) + $DSFROMKEY -T 1200 $k4 >> ../ns1/root.db + + # Convert k1 and k2 in to External Keys. + rm -f $k1.private + mv $k1.key a-file + $IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1 || + ( echo_i "importkey failed: $alg" ) + rm -f $k2.private + mv $k2.key a-file + $IMPORTKEY -f a-file $zone > /dev/null 2>&1 || + ( echo_i "importkey failed: $alg" ) +done diff --git a/bin/tests/system/inline/ns4/named.conf.in b/bin/tests/system/inline/ns4/named.conf.in new file mode 100644 index 0000000..c0745f4 --- /dev/null +++ b/bin/tests/system/inline/ns4/named.conf.in @@ -0,0 +1,34 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS4 + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + notify-delay 0; + dnssec-validation no; +}; + +zone "noixfr" { + type primary; + file "noixfr.db"; + allow-update { any; }; +}; diff --git a/bin/tests/system/inline/ns4/noixfr.db.in b/bin/tests/system/inline/ns4/noixfr.db.in new file mode 100644 index 0000000..c40f011 --- /dev/null +++ b/bin/tests/system/inline/ns4/noixfr.db.in @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns4 . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns4 A 10.53.0.4 +ns3 A 10.53.0.3 diff --git a/bin/tests/system/inline/ns5/named.conf.post b/bin/tests/system/inline/ns5/named.conf.post new file mode 100644 index 0000000..f454b35 --- /dev/null +++ b/bin/tests/system/inline/ns5/named.conf.post @@ -0,0 +1,42 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS5 + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + notify-delay 0; + servfail-ttl 0; +}; + +zone "bits" { + type secondary; + primaries { 10.53.0.2; }; + file "bits.bk"; + auto-dnssec maintain; + inline-signing yes; +}; diff --git a/bin/tests/system/inline/ns5/named.conf.pre b/bin/tests/system/inline/ns5/named.conf.pre new file mode 100644 index 0000000..91844ac --- /dev/null +++ b/bin/tests/system/inline/ns5/named.conf.pre @@ -0,0 +1,39 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS5 + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + notify-delay 0; +}; + +zone "bits" { + type secondary; + primaries { 10.53.0.2; }; + file "bits.bk"; +}; diff --git a/bin/tests/system/inline/ns6/named.conf.in b/bin/tests/system/inline/ns6/named.conf.in new file mode 100644 index 0000000..8237f31 --- /dev/null +++ b/bin/tests/system/inline/ns6/named.conf.in @@ -0,0 +1,41 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS6 + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.6; + notify-source 10.53.0.6; + transfer-source 10.53.0.6; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.6; }; + listen-on-v6 { none; }; + recursion yes; + notify yes; + notify-delay 0; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/inline/ns7/named.conf.in b/bin/tests/system/inline/ns7/named.conf.in new file mode 100644 index 0000000..3a0cf86 --- /dev/null +++ b/bin/tests/system/inline/ns7/named.conf.in @@ -0,0 +1,50 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * NS7 + * + * NOTE: This named instance is used to reproduce a scenario which involves a + * number of functions getting called in a very specific order which results in + * an infinite loop while iterating over NSEC3 red-black tree. Ensuring this + * happens requires carefully setting the number of signing keys, NSEC3 + * parameters (number of iterations and salt value), zone data and named + * configuration. Changing any of these and/or influencing this instance's + * behavior (e.g. by sending extra queries to it) might render this test moot + * as it will no longer be able to reproduce the exact scenario it attempts to. + * + * Given the above, please do not use this instance for any other test than the + * one it was meant for. + */ + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.7; + notify-source 10.53.0.7; + transfer-source 10.53.0.7; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.7; }; + listen-on-v6 { none; }; + recursion no; + notify no; + try-tcp-refresh no; + allow-new-zones yes; + sig-signing-nodes 100; + sig-signing-signatures 10; +}; diff --git a/bin/tests/system/inline/ns7/sign.sh b/bin/tests/system/inline/ns7/sign.sh new file mode 100755 index 0000000..8ab8288 --- /dev/null +++ b/bin/tests/system/inline/ns7/sign.sh @@ -0,0 +1,24 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../../conf.sh + +# NOTE: The number of signing keys generated below is not coincidental. More +# details can be found in the comment inside ns7/named.conf. + +zone=nsec3-loop +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) diff --git a/bin/tests/system/inline/ns8/example.com.db.in b/bin/tests/system/inline/ns8/example.com.db.in new file mode 100644 index 0000000..dfc7630 --- /dev/null +++ b/bin/tests/system/inline/ns8/example.com.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns8 . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns8 +ns8 A 10.53.0.8 diff --git a/bin/tests/system/inline/ns8/example.db.in b/bin/tests/system/inline/ns8/example.db.in new file mode 100644 index 0000000..3ebf398 --- /dev/null +++ b/bin/tests/system/inline/ns8/example.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns8 +ns8 A 10.53.0.8 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 diff --git a/bin/tests/system/inline/ns8/example2.db.in b/bin/tests/system/inline/ns8/example2.db.in new file mode 100644 index 0000000..1f42c3a --- /dev/null +++ b/bin/tests/system/inline/ns8/example2.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 2 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns8 +ns8 A 10.53.0.8 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 diff --git a/bin/tests/system/inline/ns8/example3.db.in b/bin/tests/system/inline/ns8/example3.db.in new file mode 100644 index 0000000..a9e3daa --- /dev/null +++ b/bin/tests/system/inline/ns8/example3.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 400 +@ IN SOA mname1. . ( + 3 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns8 +ns8 A 10.53.0.8 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 diff --git a/bin/tests/system/inline/ns8/named.conf.in b/bin/tests/system/inline/ns8/named.conf.in new file mode 100644 index 0000000..47bb991 --- /dev/null +++ b/bin/tests/system/inline/ns8/named.conf.in @@ -0,0 +1,163 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS8 + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.8; + notify-source 10.53.0.8; + transfer-source 10.53.0.8; + port @PORT@; + pid-file "named.pid"; + session-keyfile "session.key"; + listen-on { 10.53.0.8; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + try-tcp-refresh no; + notify-delay 0; + allow-new-zones yes; + dnssec-validation no; +}; + +zone "example01.com" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example01.com.db"; +}; + +zone "example02.com" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example02.com.db"; +}; + +zone "example03.com" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example03.com.db"; +}; + +zone "example04.com" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example04.com.db"; +}; + +zone "example05.com" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example05.com.db"; +}; + +zone "example06.com" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example06.com.db"; +}; + +zone "example07.com" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example07.com.db"; +}; + +zone "example08.com" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example08.com.db"; +}; + +zone "example09.com" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example09.com.db"; +}; + +zone "example10.com" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example10.com.db"; +}; + +zone "example11.com" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example11.com.db"; +}; + +zone "example12.com" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example12.com.db"; +}; + +zone "example13.com" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example13.com.db"; +}; + +zone "example14.com" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example14.com.db"; +}; + +zone "example15.com" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example15.com.db"; +}; + +zone "example16.com" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example16.com.db"; +}; + +zone example { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "example.db"; +}; + +zone "unsigned-serial-test" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "unsigned-serial-test.db"; +}; diff --git a/bin/tests/system/inline/ns8/sign.sh b/bin/tests/system/inline/ns8/sign.sh new file mode 100755 index 0000000..d9b95e4 --- /dev/null +++ b/bin/tests/system/inline/ns8/sign.sh @@ -0,0 +1,35 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../../conf.sh + +for zone in example01.com example02.com example03.com example04.com \ + example05.com example06.com example07.com example08.com \ + example09.com example10.com example11.com example12.com \ + example13.com example14.com example15.com example16.com +do + rm -f K${zone}.+*+*.key + rm -f K${zone}.+*+*.private + keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) + keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone) + cp example.com.db.in ${zone}.db + $SIGNER -S -T 3600 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1 +done + +for zone in example unsigned-serial-test; do + rm -f K${zone}.+*+*.key + rm -f K${zone}.+*+*.private + keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) + keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone) + cp example.db.in ${zone}.db +done diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh new file mode 100644 index 0000000..84233c8 --- /dev/null +++ b/bin/tests/system/inline/setup.sh @@ -0,0 +1,56 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +cp ns1/root.db.in ns1/root.db + +touch ns2/trusted.conf +cp ns2/nsec3-loop.db.in ns2/nsec3-loop.db +cp ns2/bits.db.in ns2/bits.db +cp ns2/bits.db.in ns2/inactiveksk.db +cp ns2/bits.db.in ns2/inactivezsk.db +cp ns2/bits.db.in ns2/nokeys.db +cp ns2/bits.db.in ns2/removedkeys-secondary.db +cp ns2/bits.db.in ns2/retransfer.db +cp ns2/bits.db.in ns2/retransfer3.db + +cp ns3/primary.db.in ns3/primary.db +cp ns3/primary.db.in ns3/dynamic.db +cp ns3/primary.db.in ns3/updated.db +cp ns3/primary.db.in ns3/unsupported.db +cp ns3/primary.db.in ns3/expired.db +cp ns3/primary.db.in ns3/nsec3.db +cp ns3/primary.db.in ns3/externalkey.db +cp ns3/primary.db.in ns3/delayedkeys.db +cp ns3/primary.db.in ns3/removedkeys-primary.db +cp ns3/include.db.in ns3/include.db + +mkdir ns3/removedkeys + +touch ns4/trusted.conf +cp ns4/noixfr.db.in ns4/noixfr.db + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf +copy_setports ns5/named.conf.pre ns5/named.conf +copy_setports ns6/named.conf.in ns6/named.conf +copy_setports ns7/named.conf.in ns7/named.conf +copy_setports ns8/named.conf.in ns8/named.conf + +(cd ns3; $SHELL -e sign.sh) +(cd ns1; $SHELL -e sign.sh) +(cd ns7; $SHELL -e sign.sh) +(cd ns8; $SHELL -e sign.sh) diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh new file mode 100755 index 0000000..e9c4554 --- /dev/null +++ b/bin/tests/system/inline/tests.sh @@ -0,0 +1,1501 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +. ../conf.sh + +DIGOPTS="+tcp +dnssec -p ${PORT}" +RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" + +dig_with_opts() { + $DIG $DIGOPTS "$@" +} + +rndccmd() { + $RNDCCMD "$@" +} + +wait_for_serial() ( + $DIG $DIGOPTS "@$1" "$2" SOA > "$4" + serial=$(awk '$4 == "SOA" { print $7 }' "$4") + [ "$3" -eq "${serial:--1}" ] +) + +status=0 +n=0 +ret=0 + +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1 || ret=1 + +for i in 1 2 3 4 5 6 7 8 9 0 +do + nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.) || ret=1 + test "$nsec3param" = "1 0 0 -" && break + sleep 1 +done + +if [ $ret != 0 ]; then echo_i "pre-condition failed, test aborted"; exit 1; fi + +n=$((n + 1)) +echo_i "checking that an unsupported algorithm is not used for signing ($n)" +ret=0 +grep -q "algorithm is unsupported" ns3/named.run || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that rrsigs are replaced with ksk only ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 axfr nsec3. | + awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that the zone is signed on initial transfer ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1 + keys=$(grep '^Done signing' signing.out.test$n | wc -l) + [ $keys = 2 ] || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking expired signatures are updated on load ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n || ret=1 +expiry=$(awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n) +[ "$expiry" = "20110101000000" ] && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking removal of private type record via 'rndc signing -clear' ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1 +keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n) +for key in $keys; do + $RNDCCMD 10.53.0.3 signing -clear ${key} bits > /dev/null || ret=1 + break; # We only want to remove 1 record for now. +done 2>&1 |sed 's/^/ns3 /' | cat_i + +for i in 1 2 3 4 5 6 7 8 9 10 +do + ans=0 + $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1 + num=$(grep "Done signing with" signing.out.test$n | wc -l) + [ $num = 1 ] && break + sleep 1 +done +[ $ans = 0 ] || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking private type was properly signed ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n || ret=1 +grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking removal of remaining private type record via 'rndc signing -clear all' ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1 + +for i in 1 2 3 4 5 6 7 8 9 10 +do + ans=0 + $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1 + grep "No signing records found" signing.out.test$n > /dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 +done +[ $ans = 0 ] || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking negative private type response was properly signed ($n)" +ret=0 +sleep 1 +$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n || ret=1 +grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that the record is added on the hidden primary ($n)" +ret=0 + +$NSUPDATE << EOF || ret=1 +zone bits +server 10.53.0.2 ${PORT} +update add added.bits 0 A 1.2.3.4 +send +EOF + +$DIG $DIGOPTS @10.53.0.2 added.bits A > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that update has been transferred and has been signed ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 added.bits A > dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary ($n)" +ret=0 + +$NSUPDATE << EOF || ret=1 +zone bits +server 10.53.0.2 ${PORT} +update add bits 0 SOA ns2.bits. . 2011072400 20 20 1814400 3600 +send +EOF + +$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +grep "2011072400" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that the zone is signed on initial transfer, noixfr ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n 2>&1 || ret=1 + keys=$(grep '^Done signing' signing.out.test$n | wc -l) + [ $keys = 2 ] || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that the record is added on the hidden primary, noixfr ($n)" +ret=0 + +$NSUPDATE << EOF || ret=1 +zone noixfr +server 10.53.0.4 ${PORT} +update add added.noixfr 0 A 1.2.3.4 +send +EOF + +$DIG $DIGOPTS @10.53.0.4 added.noixfr A > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that update has been transferred and has been signed, noixfr ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 added.noixfr A > dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary, noixfr ($n)" +ret=0 + +$NSUPDATE << EOF || ret=1 +zone noixfr +server 10.53.0.4 ${PORT} +update add noixfr 0 SOA ns4.noixfr. . 2011072400 20 20 1814400 3600 +send +EOF + +$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 +grep "2011072400" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that the primary zone signed on initial load ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1 || ret=1 + keys=$(grep '^Done signing' signing.out.test$n | wc -l) + [ $keys = 2 ] || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking removal of private type record via 'rndc signing -clear' (primary) ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1 || ret=1 +keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n) +for key in $keys; do + $RNDCCMD 10.53.0.3 signing -clear ${key} primary > /dev/null || ret=1 + break; # We only want to remove 1 record for now. +done 2>&1 |sed 's/^/ns3 /' | cat_i + +for i in 1 2 3 4 5 6 7 8 9 +do + ans=0 + $RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1 || ret=1 + num=$(grep "Done signing with" signing.out.test$n | wc -l) + [ $num = 1 ] && break + sleep 1 +done +[ $ans = 0 ] || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking private type was properly signed (primary) ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.6 primary TYPE65534 > dig.out.ns6.test$n || ret=1 +grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking removal of remaining private type record via 'rndc signing -clear' (primary) ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -clear all primary > /dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10 +do + ans=0 + $RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1 || ret=1 + grep "No signing records found" signing.out.test$n > /dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 +done +[ $ans = 0 ] || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check adding of record to unsigned primary ($n)" +ret=0 +cp ns3/primary2.db.in ns3/primary.db +rndc_reload ns3 10.53.0.3 primary +for i in 1 2 3 4 5 6 7 8 9 +do + ans=0 + $DIG $DIGOPTS @10.53.0.3 e.primary A > dig.out.ns3.test$n || ret=1 + grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 +done +[ $ans = 0 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check adding record fails when SOA serial not changed ($n)" +ret=0 +echo "c A 10.0.0.3" >> ns3/primary.db +rndc_reload ns3 10.53.0.3 +sleep 1 +$DIG $DIGOPTS @10.53.0.3 c.primary A > dig.out.ns3.test$n || ret=1 +grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check adding record works after updating SOA serial ($n)" +ret=0 +cp ns3/primary3.db.in ns3/primary.db +$RNDCCMD 10.53.0.3 reload primary 2>&1 | sed 's/^/ns3 /' | cat_i +for i in 1 2 3 4 5 6 7 8 9 +do + ans=0 + $DIG $DIGOPTS @10.53.0.3 c.primary A > dig.out.ns3.test$n || ret=1 + grep "10.0.0.3" dig.out.ns3.test$n > /dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 +done +[ $ans = 0 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check the added record was properly signed ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 e.primary A > dig.out.ns6.test$n || ret=1 +grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ans=1 +grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ans=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ans=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that the dynamic primary zone signed on initial load ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n 2>&1 || ret=1 + keys=$(grep '^Done signing' signing.out.test$n | wc -l) + [ $keys = 2 ] || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking primary zone that was updated while offline is correct ($n)" +ret=0 +$DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA >dig.out.ns2.soa.test$n || ret=1 +serial=$(awk '{print $3}' dig.out.ns2.soa.test$n) +# serial should have changed +[ "$serial" = "2000042407" ] && ret=1 +# e.updated should exist and should be signed +$DIG $DIGOPTS @10.53.0.3 e.updated A > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 +# updated.db.signed.jnl should exist, should have the source serial +# of primary2.db, and should show a minimal diff: no more than 8 added +# records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records +# (SOA/RRSIG, NSEC/RRSIG). +$JOURNALPRINT ns3/updated.db.signed.jnl >journalprint.out.test$n || ret=1 +serial=$(awk '/Source serial =/ {print $4}' journalprint.out.test$n) +[ "$serial" = "2000042408" ] || ret=1 +diffsize=$(wc -l < journalprint.out.test$n) +[ "$diffsize" -le 13 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking adding of record to unsigned primary using UPDATE ($n)" +ret=0 + +[ -f ns3/dynamic.db.jnl ] && { ret=1 ; echo_i "journal exists (pretest)" ; } + +$NSUPDATE << EOF || ret=1 +zone dynamic +server 10.53.0.3 ${PORT} +update add e.dynamic 0 A 1.2.3.4 +send +EOF + +[ -f ns3/dynamic.db.jnl ] || { ret=1 ; echo_i "journal does not exist (posttest)" ; } + +for i in 1 2 3 4 5 6 7 8 9 10 +do + ans=0 + $DIG $DIGOPTS @10.53.0.3 e.dynamic > dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 + grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1 + [ $ans = 0 ] && break + sleep 1 +done +[ $ans = 0 ] || { ret=1; echo_i "signed record not found"; cat dig.out.ns3.test$n ; } + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "stop bump in the wire signer server ($n)" +ret=0 +stop_server ns3 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "restart bump in the wire signer server ($n)" +ret=0 +start_server --noclean --restart --port ${PORT} ns3 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary ($n)" +ret=0 + +$NSUPDATE << EOF || ret=1 +zone bits +server 10.53.0.2 ${PORT} +update add bits 0 SOA ns2.bits. . 2011072450 20 20 1814400 3600 +send +EOF + +$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +grep "2011072450" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary, noixfr ($n)" +ret=0 + +$NSUPDATE << EOF || ret=1 +zone noixfr +server 10.53.0.4 ${PORT} +update add noixfr 0 SOA ns4.noixfr. . 2011072450 20 20 1814400 3600 +send +EOF + +$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 +grep "2011072450" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking forwarded update on hidden primary ($n)" +ret=0 + +$NSUPDATE << EOF || ret=1 +zone bits +server 10.53.0.3 ${PORT} +update add bits 0 SOA ns2.bits. . 2011072460 20 20 1814400 3600 +send +EOF + +$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +grep "2011072460" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking forwarded update on signed zone ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking forwarded update on hidden primary, noixfr ($n)" +ret=0 + +$NSUPDATE << EOF || ret=1 +zone noixfr +server 10.53.0.3 ${PORT} +update add noixfr 0 SOA ns4.noixfr. . 2011072460 20 20 1814400 3600 +send +EOF + +$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 +grep "2011072460" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking forwarded update on signed zone, noixfr ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +ret=0 +n=$((n + 1)) +echo_i "checking turning on of inline signing in a secondary zone via reload ($n)" +$DIG $DIGOPTS @10.53.0.5 +dnssec bits SOA > dig.out.ns5.test$n || ret=1 +grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "setup broken"; fi +status=$((status + ret)) +copy_setports ns5/named.conf.post ns5/named.conf +(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} bits) > /dev/null 2>&1 +(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK bits) > /dev/null 2>&1 +rndc_reload ns5 10.53.0.5 +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.5 bits SOA > dig.out.ns5.test$n || ret=1 + grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns5.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking rndc freeze/thaw of dynamic inline zone no change ($n)" +ret=0 +$RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || { echo_i "/' < freeze.test$n"; ret=1; } +sleep 1 +$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || { echo_i "rndc thaw dynamic failed" ; ret=1; } +sleep 1 +grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + + +n=$((n + 1)) +echo_i "checking rndc freeze/thaw of dynamic inline zone ($n)" +ret=0 +$RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || ret=1 +sleep 1 +awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; } + { print; } + END { print "freeze1.dynamic. 0 TXT freeze1"; } ' ns3/dynamic.db > ns3/dynamic.db.new +mv ns3/dynamic.db.new ns3/dynamic.db +$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check added record freeze1.dynamic ($n)" +for i in 1 2 3 4 5 6 7 8 9 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 freeze1.dynamic TXT > dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + test $ret = 0 && break + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# allow 1 second so that file time stamps change +sleep 1 + +n=$((n + 1)) +echo_i "checking rndc freeze/thaw of server ($n)" +ret=0 +$RNDCCMD 10.53.0.3 freeze > freeze.test$n 2>&1 || ret=1 +sleep 1 +awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; } + { print; } + END { print "freeze2.dynamic. 0 TXT freeze2"; } ' ns3/dynamic.db > ns3/dynamic.db.new +mv ns3/dynamic.db.new ns3/dynamic.db +$RNDCCMD 10.53.0.3 thaw > thaw.test$n 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check added record freeze2.dynamic ($n)" +for i in 1 2 3 4 5 6 7 8 9 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 freeze2.dynamic TXT > dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + test $ret = 0 && break + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check rndc reload allows reuse of inline-signing zones ($n)" +ret=0 +{ $RNDCCMD 10.53.0.3 reload 2>&1 || ret=1 ; } | sed 's/^/ns3 /' | cat_i +grep "not reusable" ns3/named.run > /dev/null 2>&1 && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check rndc sync removes both signed and unsigned journals ($n)" +ret=0 +[ -f ns3/dynamic.db.jnl ] || ret=1 +[ -f ns3/dynamic.db.signed.jnl ] || ret=1 +$RNDCCMD 10.53.0.3 sync -clean dynamic 2>&1 || ret=1 +[ -f ns3/dynamic.db.jnl ] && ret=1 +[ -f ns3/dynamic.db.signed.jnl ] && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that the retransfer record is added on the hidden primary ($n)" +ret=0 + +$NSUPDATE << EOF || ret=1 +zone retransfer +server 10.53.0.2 ${PORT} +update add added.retransfer 0 A 1.2.3.4 +send + +EOF + +$DIG $DIGOPTS @10.53.0.2 added.retransfer A > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that the change has not been transferred due to notify ($n)" +ret=0 +for i in 0 1 2 3 4 5 6 7 8 9 +do + ans=0 + $DIG $DIGOPTS @10.53.0.3 added.retransfer A > dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1 + [ $ans = 0 ] && break + sleep 1 +done +if [ $ans != 1 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check rndc retransfer of a inline secondary zone works ($n)" +ret=0 +$RNDCCMD 10.53.0.3 retransfer retransfer 2>&1 || ret=1 +for i in 0 1 2 3 4 5 6 7 8 9 +do + ans=0 + $DIG $DIGOPTS @10.53.0.3 added.retransfer A > dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 + [ $ans = 0 ] && break + sleep 1 +done +[ $ans = 1 ] && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check 'rndc signing -nsec3param' requests are queued for zones which are not loaded ($n)" +ret=0 +# The "retransfer3" zone is configured with "allow-transfer { none; };" on ns2, +# which means it should not yet be available on ns3. +$DIG $DIGOPTS @10.53.0.3 retransfer3 SOA > dig.out.ns3.pre.test$n || ret=1 +grep "status: SERVFAIL" dig.out.ns3.pre.test$n > /dev/null || ret=1 +# Switch the zone to NSEC3. An "NSEC3 -> NSEC -> NSEC3" sequence is used purely +# to test that multiple queued "rndc signing -nsec3param" requests are handled +# properly. +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 signing -nsec3param none retransfer3 > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1 +# Reconfigure ns2 to allow outgoing transfers for the "retransfer3" zone. +sed "s|\(allow-transfer { none; };.*\)|// \1|;" ns2/named.conf > ns2/named.conf.new +mv ns2/named.conf.new ns2/named.conf +$RNDCCMD 10.53.0.2 reconfig || ret=1 +# Request ns3 to retransfer the "retransfer3" zone. +$RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1 +# Check whether "retransfer3" uses NSEC3 as requested. +for i in 0 1 2 3 4 5 6 7 8 9 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i || ret=1 + grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || ret=1 + grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || ret=1 + test $ret -eq 0 && break + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check rndc retransfer of a inline nsec3 secondary retains nsec3 ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1 +for i in 0 1 2 3 4 5 6 7 8 9 +do + ans=0 + $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n || ret=1 + grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1 + grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1 + [ $ans = 0 ] && break + sleep 1 +done +$RNDCCMD 10.53.0.3 retransfer retransfer3 2>&1 || ret=1 +for i in 0 1 2 3 4 5 6 7 8 9 +do + ans=0 + $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n || ret=1 + grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1 + grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1 + [ $ans = 0 ] && break + sleep 1 +done +[ $ans = 1 ] && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# NOTE: The test below should be considered fragile. More details can be found +# in the comment inside ns7/named.conf. +n=$((n + 1)) +echo_i "check rndc retransfer of a inline nsec3 secondary does not trigger an infinite loop ($n)" +ret=0 +zone=nsec3-loop +# Add secondary zone using rndc +$RNDCCMD 10.53.0.7 addzone $zone \ + '{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };' || ret=1 +# Wait until secondary zone is fully signed using NSEC +for i in 1 2 3 4 5 6 7 8 9 0 +do + ret=1 + $RNDCCMD 10.53.0.7 signing -list $zone > signing.out.test$n 2>&1 || ret=1 + keys=$(grep '^Done signing' signing.out.test$n | wc -l) + [ $keys -eq 3 ] && ret=0 && break + sleep 1 +done +# Switch secondary zone to NSEC3 +$RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1 || ret=1 +# Wait until secondary zone is fully signed using NSEC3 +for i in 1 2 3 4 5 6 7 8 9 0 +do + ret=1 + nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone) || ret=1 + test "$nsec3param" = "1 0 2 12345678" && ret=0 && break + sleep 1 +done +# Attempt to retransfer the secondary zone from primary +$RNDCCMD 10.53.0.7 retransfer $zone || ret=1 +# Check whether the signer managed to fully sign the retransferred zone by +# waiting for a specific SOA serial number to appear in the logs; if this +# specific SOA serial number does not appear in the logs, it means the signer +# has either ran into an infinite loop or crashed; note that we check the logs +# instead of sending SOA queries to the signer as these may influence its +# behavior in a way which may prevent the desired scenario from being +# reproduced (see comment in ns7/named.conf) +for i in 1 2 3 4 5 6 7 8 9 0 +do + ret=1 + { grep "ns2.$zone. . 10 20 20 1814400 3600" ns7/named.run > /dev/null 2>&1; rc=$?; } || true + [ $rc -eq 0 ] && ret=0 && break + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "stop bump in the wire signer server ($n)" +ret=0 +stop_server ns3 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "update SOA record while stopped" +cp ns3/primary4.db.in ns3/primary.db +rm -f ns3/primary.db.jnl + +n=$((n + 1)) +echo_i "restart bump in the wire signer server ($n)" +ret=0 +start_server --noclean --restart --port ${PORT} ns3 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "updates to SOA parameters other than serial while stopped are reflected in signed zone ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 +do + ans=0 + $DIG $DIGOPTS @10.53.0.3 primary SOA > dig.out.ns3.test$n || ret=1 + grep "hostmaster" dig.out.ns3.test$n > /dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 +done +[ $ans = 0 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that reloading all zones does not cause zone maintenance to cease for inline-signed zones ($n)" +ret=1 +# Ensure "rndc reload" attempts to load ns3/primary.db by waiting 1 second so +# that the file modification time has no possibility of being equal to +# the one stored during server startup. +sleep 1 +nextpart ns3/named.run > /dev/null +cp ns3/primary5.db.in ns3/primary.db +rndc_reload ns3 10.53.0.3 +for i in 1 2 3 4 5 6 7 8 9 10 +do + if nextpart ns3/named.run | grep "zone primary.*sending notifies" > /dev/null; then + ret=0 + break + fi + sleep 1 +done +# Sanity check: file updates should be reflected in the signed zone, +# i.e. SOA RNAME should no longer be set to "hostmaster". +$DIG $DIGOPTS @10.53.0.3 primary SOA > dig.out.ns3.test$n || ret=1 +grep "hostmaster" dig.out.ns3.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that reloading errors prevent synchronization ($n)" +ret=1 +$DIG $DIGOPTS +short @10.53.0.3 primary SOA > dig.out.ns3.test$n.1 || ret=1 +sleep 1 +nextpart ns3/named.run > /dev/null +cp ns3/primary6.db.in ns3/primary.db +rndc_reload ns3 10.53.0.3 +for i in 1 2 3 4 5 6 7 8 9 10 +do + if nextpart ns3/named.run | grep "not loaded due to errors" > /dev/null + then + ret=0 + break + fi + sleep 1 +done +# Sanity check: the SOA record should be unchanged +$DIG $DIGOPTS +short @10.53.0.3 primary SOA | grep -v '^;' > dig.out.ns3.test$n.2 +diff dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check inline-signing with an include file ($n)" +ret=0 +$DIG $DIGOPTS +short @10.53.0.3 primary SOA > dig.out.ns3.test$n.1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) +sleep 1 +nextpart ns3/named.run > /dev/null +cp ns3/primary7.db.in ns3/primary.db +rndc_reload ns3 10.53.0.3 +_includefile_loaded() { + $DIG $DIGOPTS @10.53.0.3 f.primary A > dig.out.ns3.test$n || return 1 + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || return 1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || return 1 + grep "10\.0\.0\.7" dig.out.ns3.test$n > /dev/null || return 1 + return 0 +} +retry_quiet 10 _includefile_loaded +# Sanity check: the SOA record should be changed +$DIG $DIGOPTS +short @10.53.0.3 primary SOA | grep -v '^;' > dig.out.ns3.test$n.2 +diff dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "test add/del zone combinations ($n)" +ret=0 +for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z +do +$RNDCCMD 10.53.0.2 addzone test-$zone \ + '{ type primary; file "bits.db.in"; allow-transfer { any; }; };' || ret=1 +$DIG $DIGOPTS @10.53.0.2 test-$zone SOA > dig.out.ns2.$zone.test$n || ret=1 +grep "status: NOERROR," dig.out.ns2.$zone.test$n > /dev/null || { ret=1; cat dig.out.ns2.$zone.test$n; } +$RNDCCMD 10.53.0.3 addzone test-$zone \ + '{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };' || ret=1 +$RNDCCMD 10.53.0.3 delzone test-$zone > /dev/null 2>&1 || ret=1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "testing adding external keys to a inline zone ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 dnskey externalkey > dig.out.ns3.test$n || ret=1 +for alg in ${DEFAULT_ALGORITHM_NUMBER} ${ALTERNATIVE_ALGORITHM_NUMBER} +do + [ $alg = 13 -a ! -f checkecdsa ] && continue; + + case $alg in + 7) echo_i "checking NSEC3RSASHA1";; + 8) echo_i "checking RSASHA256";; + 13) echo_i "checking ECDSAP256SHA256";; + *) echo_i "checking $alg";; + esac + + dnskeys=$(grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l) + rrsigs=$(grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l) + test ${dnskeys:-0} -eq 3 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; } + test ${rrsigs:-0} -eq 2 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; } +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "testing imported key won't overwrite a private key ($n)" +ret=0 +key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} import.example) +cp ${key}.key import.key +# import should fail +$IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1 +rm -f ${key}.private +# private key removed; import should now succeed +$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1 +# now that it's an external key, re-import should succeed +$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "testing updating inline secure serial via 'rndc signing -serial' ($n)" +ret=0 +$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n || ret=1 +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n) +$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1 || ret=1 +retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post.test$n || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "testing updating inline secure serial via 'rndc signing -serial' with negative change ($n)" +ret=0 +$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n || ret=1 +oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n) +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n) +$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1 || ret=1 +sleep 1 +$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.ns3.post.test$n || ret=1 +serial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n) +[ ${oldserial:-0} -eq ${serial:-1} ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# +# Freezing only operates on the raw zone. +# +n=$((n + 1)) +echo_i "testing updating inline secure serial via 'rndc signing -serial' when frozen ($n)" +ret=0 +$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n || ret=1 +oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n) +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n) +$RNDCCMD 10.53.0.3 freeze nsec3 > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 thaw nsec3 > /dev/null 2>&1 || ret=1 +retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post1.test$n || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "testing updating dynamic serial via 'rndc signing -serial' ($n)" +ret=0 +$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n || ret=1 +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n) +$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1 || ret=1 +retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-0}" dig.out.ns2.post.test$n || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "testing updating dynamic serial via 'rndc signing -serial' with negative change ($n)" +ret=0 +$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n || ret=1 +oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n) +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n) +$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1 || ret=1 +retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1 +retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "testing updating dynamic serial via 'rndc signing -serial' when frozen ($n)" +ret=0 +$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n || ret=1 +oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n) +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n) +$RNDCCMD 10.53.0.2 freeze bits > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1 && ret=1 +$RNDCCMD 10.53.0.2 thaw bits > /dev/null 2>&1 || ret=1 +retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1 +retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "testing that inline signing works with inactive ZSK and active KSK ($n)" +ret=0 + +$DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.pre.test$n || ret=1 +soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n) + +$NSUPDATE << EOF || ret=1 +server 10.53.0.2 ${PORT} +update add added.inactivezsk 0 IN TXT added record +send +EOF + +for i in 1 2 3 4 5 6 7 8 9 10 +do + $DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.post.test$n || ret=1 + soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n) + test ${soa1:-0} -ne ${soa2:-0} && break + sleep 1 +done +test ${soa1:-0} -ne ${soa2:-0} || ret=1 + +$DIG $DIGOPTS @10.53.0.3 txt added.inactivezsk > dig.out.ns3.test$n || ret=1 +grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1 +grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1 +grep "TXT ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1 +grep "TXT ${ALTERNATIVE_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "testing that inline signing works with inactive KSK and active ZSK ($n)" +ret=0 + +$DIG $DIGOPTS @10.53.0.3 axfr inactiveksk > dig.out.ns3.test$n || ret=1 + +# +# check that DNSKEY is signed with ZSK for default algorithm +# +awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }' +zskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | + $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' ) +grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1 +awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }' +kskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | + $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' ) +grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1 + +# +# check that DNSKEY is signed with KSK for alternative algorithm +# +awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }' +zskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | + $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' ) +grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1 +awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }' +kskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | + $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' ) +grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# Wait until an update to the raw part of a given inline signed zone is fully +# processed. As waiting for a fixed amount of time is suboptimal and there is +# no single message that would signify both a successful modification and an +# error in a race-free manner, instead wait until either notifies are sent +# (which means the secure zone was modified) or a receive_secure_serial() error +# is logged (which means the zone was not modified and will not be modified any +# further in response to the relevant raw zone update). +wait_until_raw_zone_update_is_processed() { + zone="$1" + for i in 1 2 3 4 5 6 7 8 9 10 + do + if nextpart ns3/named.run | grep -E "zone ${zone}.*(sending notifies|receive_secure_serial)" > /dev/null; then + return + fi + sleep 1 + done +} + +n=$((n + 1)) +echo_i "checking that changes to raw zone are applied to a previously unsigned secure zone ($n)" +ret=0 +# Query for bar.nokeys/A and ensure the response is negative. As this zone +# does not have any signing keys set up, the response must be unsigned. +$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A > dig.out.ns3.pre.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null && ret=1 +# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore +# log messages generated before the raw zone is updated. +nextpart ns3/named.run > /dev/null +# Add a record to the raw zone on the primary. +$NSUPDATE << EOF || ret=1 +zone nokeys. +server 10.53.0.2 ${PORT} +update add bar.nokeys. 0 A 127.0.0.1 +send +EOF +wait_until_raw_zone_update_is_processed "nokeys" +# Query for bar.nokeys/A again and ensure the signer now returns a positive, +# yet still unsigned response. +$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A > dig.out.ns3.post.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null || ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that changes to raw zone are not applied to a previously signed secure zone with no keys available (primary) ($n)" +ret=0 +# Query for bar.removedkeys-primary/A and ensure the response is negative. As +# this zone has signing keys set up, the response must be signed. +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.pre.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1 +# Remove the signing keys for this zone. +mv -f ns3/Kremovedkeys-primary* ns3/removedkeys +# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore +# log messages generated before the raw zone is updated. +nextpart ns3/named.run > /dev/null +# Add a record to the raw zone on the primary. +$NSUPDATE << EOF || ret=1 +zone removedkeys-primary. +server 10.53.0.3 ${PORT} +update add bar.removedkeys-primary. 0 A 127.0.0.1 +send +EOF +wait_until_raw_zone_update_is_processed "removedkeys-primary" +# Query for bar.removedkeys-primary/A again and ensure the signer still returns +# a negative, signed response. +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.post.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that backlogged changes to raw zone are applied after keys become available (primary) ($n)" +ret=0 +# Restore the signing keys for this zone. +mv ns3/removedkeys/Kremovedkeys-primary* ns3 +$RNDCCMD 10.53.0.3 loadkeys removedkeys-primary > /dev/null 2>&1 || ret=1 +# Determine what a SOA record with a bumped serial number should look like. +BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-primary.*IN.*SOA\)/\1/p;' ns3/named.run | tail -1 | awk '{$8 += 1; print $0}') +# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore +# log messages generated before the raw zone is updated. +nextpart ns3/named.run > /dev/null +# Bump the SOA serial number of the raw zone. +$NSUPDATE << EOF || ret=1 +zone removedkeys-primary. +server 10.53.0.3 ${PORT} +update del removedkeys-primary. SOA +update ${BUMPED_SOA} +send +EOF +wait_until_raw_zone_update_is_processed "removedkeys-primary" +# Query for bar.removedkeys-primary/A again and ensure the signer now returns a +# positive, signed response. +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that changes to raw zone are not applied to a previously signed secure zone with no keys available (secondary) ($n)" +ret=0 +# Query for bar.removedkeys-secondary/A and ensure the response is negative. As this +# zone does have signing keys set up, the response must be signed. +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.pre.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1 +# Remove the signing keys for this zone. +mv -f ns3/Kremovedkeys-secondary* ns3/removedkeys +# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore +# log messages generated before the raw zone is updated. +nextpart ns3/named.run > /dev/null +# Add a record to the raw zone on the primary. +$NSUPDATE << EOF || ret=1 +zone removedkeys-secondary. +server 10.53.0.2 ${PORT} +update add bar.removedkeys-secondary. 0 A 127.0.0.1 +send +EOF +wait_until_raw_zone_update_is_processed "removedkeys-secondary" +# Query for bar.removedkeys-secondary/A again and ensure the signer still returns a +# negative, signed response. +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.post.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that backlogged changes to raw zone are applied after keys become available (secondary) ($n)" +ret=0 +# Restore the signing keys for this zone. +mv ns3/removedkeys/Kremovedkeys-secondary* ns3 +$RNDCCMD 10.53.0.3 loadkeys removedkeys-secondary > /dev/null 2>&1 || ret=1 +# Determine what a SOA record with a bumped serial number should look like. +BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-secondary.*IN.*SOA\)/\1/p;' ns2/named.run | tail -1 | awk '{$8 += 1; print $0}') +# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore +# log messages generated before the raw zone is updated. +nextpart ns3/named.run > /dev/null +# Bump the SOA serial number of the raw zone on the primary. +$NSUPDATE << EOF || ret=1 +zone removedkeys-secondary. +server 10.53.0.2 ${PORT} +update del removedkeys-secondary. SOA +update ${BUMPED_SOA} +send +EOF +wait_until_raw_zone_update_is_processed "removedkeys-secondary" +# Query for bar.removedkeys-secondary/A again and ensure the signer now returns +# a positive, signed response. +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# Check that the file $2 for zone $1 does not contain RRSIG records +# while the journal file for that zone does contain them. +ensure_sigs_only_in_journal() { + origin="$1" + masterfile="$2" + $CHECKZONE -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null && ret=1 + $CHECKZONE -j -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null || ret=1 +} + +n=$((n + 1)) +echo_i "checking that records added from a journal are scheduled to be resigned ($n)" +ret=0 +# Signing keys for the "delayedkeys" zone are not yet accessible. Thus, the +# zone file for the signed version of the zone will contain no DNSSEC records. +# Move keys into place now and load them, which will cause DNSSEC records to +# only be present in the journal for the signed version of the zone. +mv Kdelayedkeys* ns3/ +$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1 +# Wait until the zone is signed. +check_done_signing () ( + $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1 || true + num=$(grep "Done signing with" signing.out.test$n | wc -l) + [ $num -eq 2 ] +) +retry_quiet 10 check_done_signing || ret=1 +# Halt rather than stopping the server to prevent the file from being +# flushed upon shutdown since we specifically want to avoid it. +stop_server --use-rndc --halt --port ${CONTROLPORT} ns3 || ret=1 +ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed +start_server --noclean --restart --port ${PORT} ns3 || ret=1 +# At this point, the raw zone journal will not have a source serial set. Upon +# server startup, receive_secure_serial() will rectify that, update SOA, resign +# it, and schedule its future resign. This will cause "rndc zonestatus" to +# return delayedkeys/SOA as the next node to resign, so we restart the server +# once again; with the raw zone journal now having a source serial set, +# receive_secure_serial() should refrain from introducing any zone changes. +stop_server --use-rndc --halt --port ${CONTROLPORT} ns3 || ret=1 +ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed +nextpart ns3/named.run > /dev/null +start_server --noclean --restart --port ${PORT} ns3 || ret=1 +# We can now test whether the secure zone journal was correctly processed: +# unless the records contained in it were scheduled for resigning, no resigning +# event will be scheduled at all since the secure zone file contains no +# DNSSEC records. +wait_for_log 20 "all zones loaded" ns3/named.run || ret=1 +$RNDCCMD 10.53.0.3 zonestatus delayedkeys > rndc.out.ns3.post.test$n 2>&1 || ret=1 +grep "next resign node:" rndc.out.ns3.post.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that zonestatus reports 'type: primary' for an inline primary zone ($n)" +ret=0 +$RNDCCMD 10.53.0.3 zonestatus primary > rndc.out.ns3.test$n || ret=1 +grep "type: primary" rndc.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that zonestatus reports 'type: secondary' for an inline secondary zone ($n)" +ret=0 +$RNDCCMD 10.53.0.3 zonestatus bits > rndc.out.ns3.test$n || ret=1 +grep "type: secondary" rndc.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking reload of touched inline zones ($n)" +ret=0 +echo_ic "pre-reload 'next key event'" +nextpart ns8/named.run > nextpart.pre$n.out +count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.pre$n.out | wc -l) +echo_ic "found: $count/16" +[ $count -eq 16 ] || ret=1 +echo_ic "touch and reload" +touch ns8/example??.com.db +$RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 5 +echo_ic "post-reload 'next key event'" +nextpart ns8/named.run > nextpart.post$n.out +count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.post$n.out | wc -l) +echo_ic "found: $count/16" +[ $count -eq 16 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking second reload of touched inline zones ($n)" +ret=0 +nextpart ns8/named.run > nextpart.pre$n.out +$RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 5 +nextpart ns8/named.run > nextpart.post$n.out +grep "ixfr-from-differences: unchanged" nextpart.post$n.out && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)" +ret=0 +dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa1 || ret=1 +cp ns8/example2.db.in ns8/example.db || ret=1 +nextpart ns8/named.run > /dev/null +rndccmd 10.53.0.8 reload || ret=1 +wait_for_log 3 "all zones loaded" ns8/named.run +sleep 1 +dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa2 || ret=1 +soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa1) +soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa2) +ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa1) +ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa2) +test ${soa1:-1000} -lt ${soa2:-0} || ret=1 +test ${ttl1:-0} -eq 300 || ret=1 +test ${ttl2:-0} -eq 300 || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "Check that restart with zone changes and deleted journal works ($n)" +TSIG= +ret=0 +dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa1 || ret=1 +stop_server --use-rndc --port ${CONTROLPORT} ns8 || ret=1 +# TTL of all records change from 300 to 400 +cp ns8/example3.db.in ns8/example.db || ret=1 +rm -f ns8/example.db.jnl +nextpart ns8/named.run > /dev/null +start_server --noclean --restart --port ${PORT} ns8 || ret=1 +wait_for_log 3 "all zones loaded" ns8/named.run +sleep 1 +dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa2 || ret=1 +soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa1) +soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa2) +ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa1) +ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa2) +test ${soa1:-1000} -lt ${soa2:-0} || ret=1 +test ${ttl1:-0} -eq 300 || ret=1 +test ${ttl2:-0} -eq 400 || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/inline/tests_sh_inline.py b/bin/tests/system/inline/tests_sh_inline.py new file mode 100644 index 0000000..f7520b8 --- /dev/null +++ b/bin/tests/system/inline/tests_sh_inline.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_inline(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/inline/tests_signed_zone_files.py b/bin/tests/system/inline/tests_signed_zone_files.py new file mode 100755 index 0000000..596b756 --- /dev/null +++ b/bin/tests/system/inline/tests_signed_zone_files.py @@ -0,0 +1,67 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import glob +import struct + + +class RawFormatHeader(dict): + """ + A dictionary of raw-format header fields read from a zone file. + """ + + fields = [ + "format", + "version", + "dumptime", + "flags", + "sourceserial", + "lastxfrin", + ] + + def __init__(self, file_name): + header = struct.Struct(">IIIIII") + with open(file_name, "rb") as data: + header_data = data.read(header.size) + super().__init__(zip(self.fields, header.unpack_from(header_data))) + + +def test_unsigned_serial_number(): + """ + Check whether all signed zone files in the "ns8" subdirectory contain the + serial number of the unsigned version of the zone in the raw-format header. + The test assumes that all "*.signed" files in the "ns8" subdirectory are in + raw format. + + Notes: + + - The actual zone signing and dumping happens while the tests.sh phase of + the "inline" system test is set up and run. This check only verifies + the outcome of those events; it does not initiate any signing or + dumping itself. + + - example[0-9][0-9].com.db.signed files are initially signed by + dnssec-signzone while the others - by named. + """ + + zones_with_unsigned_serial_missing = [] + + for signed_zone in sorted(glob.glob("ns8/*.signed")): + raw_header = RawFormatHeader(signed_zone) + # Ensure the unsigned serial number is placed where it is expected. + assert raw_header["format"] == 2 + assert raw_header["version"] == 1 + # Check whether the header flags indicate that the unsigned serial + # number is set and that the latter is indeed set. + if raw_header["flags"] & 0x02 == 0 or raw_header["sourceserial"] == 0: + zones_with_unsigned_serial_missing.append(signed_zone) + + assert not zones_with_unsigned_serial_missing |