diff options
Diffstat (limited to 'bin/tests/system/autosign/ns3')
-rw-r--r-- | bin/tests/system/autosign/ns3/keygen.sh | 302 | ||||
-rw-r--r-- | bin/tests/system/autosign/ns3/named.conf.in | 11 | ||||
-rw-r--r-- | bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in | 26 |
3 files changed, 191 insertions, 148 deletions
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index 96158b3..b59cb50 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -15,43 +15,43 @@ SYSTESTDIR=autosign -dumpit () { - echo_d "${debug}: dumping ${1}" - cat "${1}" | cat_d +dumpit() { + echo_d "${debug}: dumping ${1}" + cat "${1}" | cat_d } -setup () { - echo_i "setting up zone: $1" - debug="$1" - zone="$1" - zonefile="${zone}.db" - infile="${zonefile}.in" - n=$((${n:-0} + 1)) +setup() { + echo_i "setting up zone: $1" + debug="$1" + zone="$1" + zonefile="${zone}.db" + infile="${zonefile}.in" + n=$((${n:-0} + 1)) } setup secure.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # NSEC3/NSEC test zone # setup secure.nsec3.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # NSEC3/NSEC3 test zone # setup nsec3.nsec3.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # Jitter/NSEC3 test zone @@ -59,10 +59,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}. setup jitter.nsec3.example cp $infile $zonefile count=1 -while [ $count -le 1000 ] -do - echo "label${count} IN TXT label${count}" >> $zonefile - count=$((count + 1)) +while [ $count -le 1000 ]; do + echo "label${count} IN TXT label${count}" >>$zonefile + count=$((count + 1)) done # Don't create keys just yet, because the scenario we want to test # is an unsigned zone that has a NSEC3PARAM record added with @@ -73,98 +72,100 @@ done # setup optout.nsec3.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A nsec3 zone (non-optout). # setup nsec3.example -cat $infile dsset-*.${zone}. > $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +cat $infile dsset-*.${zone}. >$zonefile +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # An NSEC3 zone, with NSEC3 parameters set prior to signing # setup autonsec3.example -cat $infile > $zonefile -ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -echo $ksk > ../autoksk.key -zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -echo $zsk > ../autozsk.key -$DSFROMKEY $ksk.key > dsset-${zone}. +cat $infile >$zonefile +ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +echo $ksk >../autoksk.key +zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +echo $zsk >../autozsk.key +$DSFROMKEY $ksk.key >dsset-${zone}. # # OPTOUT/NSEC test zone # setup secure.optout.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # OPTOUT/NSEC3 test zone # setup nsec3.optout.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # OPTOUT/OPTOUT test zone # setup optout.optout.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A optout nsec3 zone. # setup optout.example -cat $infile dsset-*.${zone}. > $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +cat $infile dsset-*.${zone}. >$zonefile +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A RSASHA256 zone. # setup rsasha256.example cp $infile $zonefile -ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a RSASHA256 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a RSASHA256 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A RSASHA512 zone. # setup rsasha512.example cp $infile $zonefile -ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a RSASHA512 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a RSASHA512 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # NSEC-only zone. A zone using NSEC-only DNSSEC algorithms. # None of these algorithms are supported for signing in FIPS mode # as they are MD5 and SHA1 based. # -if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1) -then - setup nsec-only.example - cp $infile $zonefile - ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out) || dumpit kg.out - $KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out - $DSFROMKEY $ksk.key > dsset-${zone}. +if ( + cd .. + $SHELL ../testcrypto.sh -q RSASHA1 +); then + setup nsec-only.example + cp $infile $zonefile + ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2>kg.out) || dumpit kg.out + $KEYGEN -q -a RSASHA1 $zone >kg.out 2>&1 || dumpit kg.out + $DSFROMKEY $ksk.key >dsset-${zone}. else - echo_i "skip: nsec-only.example - signing with RSASHA1 not supported" + echo_i "skip: nsec-only.example - signing with RSASHA1 not supported" fi # @@ -174,52 +175,59 @@ fi setup oldsigs.example cp $infile $zonefile count=1 -while [ $count -le 1000 ] -do - echo "label${count} IN TXT label${count}" >> $zonefile - count=$((count + 1)) +while [ $count -le 1000 ]; do + echo "label${count} IN TXT label${count}" >>$zonefile + count=$((count + 1)) done -$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile >s.out || dumpit s.out mv $zonefile.signed $zonefile # # NSEC3->NSEC transition test zone. # setup nsec3-to-nsec.example -$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out + +# +# NSEC3->NSEC3 transition test zone. +# +setup nsec3-to-nsec3.example +$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out # # secure-to-insecure transition test zone; used to test removal of # keys via nsupdate # setup secure-to-insecure.example -$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -q $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out +$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -q $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -S -o $zone -f $zonefile $infile >s.out || dumpit s.out # # another secure-to-insecure transition test zone; used to test # removal of keys on schedule. # setup secure-to-insecure2.example -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -echo $ksk > ../del1.key -zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -echo $zsk > ../del2.key -$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +echo $ksk >../del1.key +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +echo $zsk >../del2.key +$SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out # # Introducing a pre-published key test. # setup prepub.example infile="secure-to-insecure2.example.db.in" -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out # # Key TTL tests. @@ -227,46 +235,46 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out # no default key TTL; DNSKEY should get SOA TTL setup ttl1.example -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # default key TTL should be used setup ttl2.example -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # mismatched key TTLs, should use shortest setup ttl3.example -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # existing DNSKEY RRset, should retain TTL setup ttl4.example -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out -cat ${infile} K${zone}.+*.key > $zonefile -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone >kg.out 2>&1 || dumpit kg.out +cat ${infile} K${zone}.+*.key >$zonefile +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone >kg.out 2>&1 || dumpit kg.out # # A zone with a DNSKEY RRset that is published before it's activated # setup delay.example -ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -echo $ksk > ../delayksk.key -zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -echo $zsk > ../delayzsk.key +ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +echo $ksk >../delayksk.key +zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +echo $zsk >../delayzsk.key # # A zone with signatures that are already expired, and the private KSK # is missing. # setup noksk.example -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $ksk > ../noksk-ksk.key +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out +echo $ksk >../noksk-ksk.key rm -f ${ksk}.private # @@ -274,11 +282,11 @@ rm -f ${ksk}.private # is missing. # setup nozsk.example -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $ksk > ../nozsk-ksk.key -echo $zsk > ../nozsk-zsk.key +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out +echo $ksk >../nozsk-ksk.key +echo $zsk >../nozsk-zsk.key rm -f ${zsk}.private # @@ -286,77 +294,77 @@ rm -f ${zsk}.private # is inactive. # setup inaczsk.example -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $ksk > ../inaczsk-ksk.key -echo $zsk > ../inaczsk-zsk.key -$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out +echo $ksk >../inaczsk-ksk.key +echo $zsk >../inaczsk-zsk.key +$SETTIME -I now $zsk >st.out 2>&1 || dumpit st.out # # A zone that is set to 'auto-dnssec maintain' during a reconfig # setup reconf.example cp secure.example.db.in $zonefile -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out # # A zone which generates CDS and CDNSEY RRsets automatically # setup sync.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. -echo ns3/$ksk > ../sync.key +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. +echo ns3/$ksk >../sync.key # # A zone that generates CDS and CDNSKEY and uses dnssec-dnskey-kskonly # setup kskonly.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A zone that has a published inactive key that is autosigned. # setup inacksk2.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A zone that has a published inactive key that is autosigned. # setup inaczsk2.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A zone that starts with a active KSK + ZSK and a inactive ZSK. # setup inacksk3.example cp $infile $zonefile -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone >kg.out 2>&1 || dumpit kg.out +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A zone that starts with a active KSK + ZSK and a inactive ZSK. # setup inaczsk3.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A zone that starts with an active KSK + ZSK and an inactive ZSK, with the @@ -364,28 +372,28 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup delzsk.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out) || dumpit kg.out -echo $zsk > ../delzsk.key +echo $zsk >../delzsk.key # # Check that NSEC3 are correctly signed and returned from below a DNAME # setup dname-at-apex-nsec3.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # Check that dynamically added CDS (DELETE) is kept in the zone after signing. # setup cds-delete.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # Check that dynamically added CDNSKEY (DELETE) is kept in the zone after @@ -393,6 +401,6 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup cdnskey-delete.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in index 64196a1..cbdf8f7 100644 --- a/bin/tests/system/autosign/ns3/named.conf.in +++ b/bin/tests/system/autosign/ns3/named.conf.in @@ -42,7 +42,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { @@ -167,6 +167,7 @@ zone "nsec3-to-nsec.example" { type primary; file "nsec3-to-nsec.example.db"; allow-update { any; }; + max-journal-size 10M; auto-dnssec maintain; }; @@ -185,6 +186,14 @@ zone "secure-to-insecure2.example" { dnssec-secure-to-insecure yes; }; +zone "nsec3-to-nsec3.example" { + type primary; + file "nsec3-to-nsec3.example.db"; + allow-update { any; }; + inline-signing no; + max-journal-size 10M; +}; + zone "oldsigs.example" { type primary; file "oldsigs.example.db"; diff --git a/bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in b/bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in new file mode 100644 index 0000000..0b11a00 --- /dev/null +++ b/bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a |