Adding upstream version 1:9.18.19.upstream/1%9.18.19

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 233 insertions, 0 deletions

diff --git a/bin/tests/system/metadata/tests.sh b/bin/tests/system/metadata/tests.sh
new file mode 100644
index 0000000..3a91bb7
--- /dev/null
+++ b/bin/tests/system/metadata/tests.sh
@@ -0,0 +1,233 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+. ../conf.sh
+
+pzone=parent.nil pfile=parent.db
+czone=child.parent.nil cfile=child.db
+status=0
+n=1
+
+echo_i "setting key timers"
+$SETTIME -A now+15s $(cat rolling.key) > /dev/null
+
+inact=$(keyfile_to_key_id "$(cat inact.key)")
+ksk=$(keyfile_to_key_id "$(cat ksk.key)")
+pending=$(keyfile_to_key_id "$(cat pending.key)")
+postrev=$(keyfile_to_key_id "$(cat postrev.key)")
+prerev=$(keyfile_to_key_id "$(cat prerev.key)")
+rolling=$(keyfile_to_key_id "$(cat rolling.key)")
+standby=$(keyfile_to_key_id "$(cat standby.key)")
+zsk=$(keyfile_to_key_id "$(cat zsk.key)")
+
+echo_i "signing zones"
+$SIGNER -Sg -o $czone $cfile > /dev/null
+$SIGNER -Sg -o $pzone $pfile > /dev/null
+
+awk '$2 ~ /RRSIG/ {
+        type = $3;
+        getline;
+	id = $3;
+	if ($4 ~ /'${czone}'/) {
+		print type, id
+	}
+}' < ${cfile}.signed > sigs
+
+awk '$2 ~ /DNSKEY/ {
+	flags = $3;
+	while ($0 !~ /key id =/)
+		getline;
+	id = $NF;
+	print flags, id;
+}' < ${cfile}.signed > keys
+
+echo_i "checking that KSK signed DNSKEY only ($n)"
+ret=0
+grep "DNSKEY $ksk"'$' sigs > /dev/null || ret=1
+grep "SOA $ksk"'$' sigs > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that ZSK signed ($n)"
+ret=0
+grep "SOA $zsk"'$' sigs > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that standby ZSK did not sign ($n)"
+ret=0
+grep " $standby"'$' sigs > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that inactive key did not sign ($n)"
+ret=0
+grep " $inact"'$' sigs > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that pending key was not published ($n)"
+ret=0
+grep " $pending"'$' keys > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that standby KSK did not sign but is delegated ($n)"
+ret=0
+grep " $rolling"'$' sigs > /dev/null && ret=1
+grep " $rolling"'$' keys > /dev/null || ret=1
+grep -E "DS[ 	]*$rolling[ 	]" ${pfile}.signed > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that key was revoked ($n)"
+ret=0
+grep " $prerev"'$' keys > /dev/null && ret=1
+grep " $postrev"'$' keys > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that revoked key self-signed ($n)"
+ret=0
+grep "DNSKEY $postrev"'$' sigs > /dev/null || ret=1
+grep "SOA $postrev"'$' sigs > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "waiting 20 seconds for key changes to occur"
+sleep 20
+
+echo_i "re-signing zone"
+$SIGNER  -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null
+
+echo_i "checking that standby KSK is now active ($n)"
+ret=0
+grep "DNSKEY $rolling"'$' sigs > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking update of an old-style key ($n)"
+ret=0
+# printing metadata should not work with an old-style key
+$SETTIME -pall $(cat oldstyle.key) > /dev/null 2>&1 && ret=1
+$SETTIME -f $(cat oldstyle.key) > /dev/null 2>&1 || ret=1
+# but now it should
+$SETTIME -pall $(cat oldstyle.key) > /dev/null 2>&1 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking warning about permissions change on key with dnssec-settime ($n)"
+ret=0
+# settime should print a warning about changing the permissions
+chmod 644 $(cat oldstyle.key).private
+$SETTIME -P none $(cat oldstyle.key) > settime1.test$n 2>&1 || ret=1
+grep "warning: Permissions on the file.*have changed" settime1.test$n > /dev/null 2>&1 || ret=1
+$SETTIME -P none $(cat oldstyle.key) > settime2.test$n 2>&1 || ret=1
+grep "warning: Permissions on the file.*have changed" settime2.test$n > /dev/null 2>&1 && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking warning about delete date < inactive date with dnssec-settime ($n)"
+ret=0
+# settime should print a warning about delete < inactive
+$SETTIME -I now+15s -D now $(cat oldstyle.key) > tmp.out 2>&1 || ret=1
+grep "warning" tmp.out > /dev/null 2>&1 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking no warning about delete date < inactive date with dnssec-settime when delete date is unset ($n)"
+ret=0
+$SETTIME -D none $(cat oldstyle.key) > tmp.out 2>&1 || ret=1
+$SETTIME -p all $(cat oldstyle.key) > tmp.out 2>&1 || ret=1
+grep "warning" tmp.out > /dev/null 2>&1 && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking warning about delete date < inactive date with dnssec-keygen ($n)"
+ret=0
+# keygen should print a warning about delete < inactive
+$KEYGEN -q -a ${DEFAULT_ALGORITHM} -I now+15s -D now $czone > tmp.out 2>&1 || ret=1
+grep "warning" tmp.out > /dev/null 2>&1 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking correct behavior setting activation without publication date ($n)"
+ret=0
+key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -A +1w $czone)
+pub=$($SETTIME -upP $key | awk '{print $2}')
+act=$($SETTIME -upA $key | awk '{print $2}')
+[ $pub -eq $act ] || ret=1
+key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -A +1w -i 1d $czone)
+pub=$($SETTIME -upP $key | awk '{print $2}')
+act=$($SETTIME -upA $key | awk '{print $2}')
+[ $pub -lt $act ] || ret=1
+key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -A +1w -P never $czone)
+pub=$($SETTIME -upP $key | awk '{print $2}')
+[ $pub = "UNSET" ] || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking calculation of dates for a successor key ($n)"
+ret=0
+oldkey=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $czone)
+newkey=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $czone)
+$SETTIME -A -2d -I +2d $oldkey > settime1.test$n 2>&1 || ret=1
+$SETTIME -i 1d -S $oldkey $newkey > settime2.test$n 2>&1 || ret=1
+$SETTIME -pA $newkey | grep "1970" > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $czone)
+
+echo_i "checking -p output time is accepted ($n)"
+t=$($SETTIME -pA $key | sed 's/.*: //')
+$SETTIME -Psync "$t" $key > settime2.test$n 2>&1 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking -up output time is accepted ($n)"
+t=$($SETTIME -upA $key | sed 's/.*: //')
+$SETTIME -Dsync "$t" $key > settime2.test$n 2>&1 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking -p unset time is accepted ($n)"
+# The Delete timing metadata is unset.
+t=$($SETTIME -pD $key | sed 's/.*: //')
+$SETTIME -Psync "$t" $key > settime2.test$n 2>&1 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1