From e2fc8e037ea6bb5de92b25ec9c12a624737ac5ca Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 8 Apr 2024 18:41:29 +0200 Subject: Merging upstream version 1:9.18.24. Signed-off-by: Daniel Baumann --- bin/tests/system/dnssec/ns1/sign.sh | 20 +- bin/tests/system/dnssec/ns2/named.conf.in | 2 +- bin/tests/system/dnssec/ns2/sign.sh | 144 +- bin/tests/system/dnssec/ns3/named.conf.in | 2 +- bin/tests/system/dnssec/ns3/secure.example.db.in | 5 + bin/tests/system/dnssec/ns3/sign.sh | 325 +- bin/tests/system/dnssec/ns4/named1.conf.in | 2 +- bin/tests/system/dnssec/ns4/named2.conf.in | 2 +- bin/tests/system/dnssec/ns4/named3.conf.in | 2 +- bin/tests/system/dnssec/ns4/named4.conf.in | 2 +- bin/tests/system/dnssec/ns5/named1.conf.in | 2 +- bin/tests/system/dnssec/ns5/sign.sh | 12 +- bin/tests/system/dnssec/ns6/named.conf.in | 2 +- bin/tests/system/dnssec/ns6/sign.sh | 4 +- bin/tests/system/dnssec/ns7/named.conf.in | 2 +- bin/tests/system/dnssec/ns7/sign.sh | 6 +- bin/tests/system/dnssec/ns8/named.conf.in | 2 +- bin/tests/system/dnssec/prereq.sh | 26 + bin/tests/system/dnssec/setup.sh | 22 +- bin/tests/system/dnssec/tests.sh | 4306 +++++++++++----------- 20 files changed, 2467 insertions(+), 2423 deletions(-) create mode 100644 bin/tests/system/dnssec/prereq.sh (limited to 'bin/tests/system/dnssec') diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh index 21c6d71..32a1736 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -20,9 +20,9 @@ zone=. infile=root.db.in zonefile=root.db -(cd ../ns2 && $SHELL sign.sh ) -(cd ../ns6 && $SHELL sign.sh ) -(cd ../ns7 && $SHELL sign.sh ) +(cd ../ns2 && $SHELL sign.sh) +(cd ../ns6 && $SHELL sign.sh) +(cd ../ns7 && $SHELL sign.sh) echo_i "ns1/sign.sh" @@ -30,18 +30,18 @@ cp "../ns2/dsset-example." . cp "../ns2/dsset-in-addr.arpa." . cp "../ns2/dsset-too-many-iterations." . -grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." > "dsset-algroll." +grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll." cp "../ns6/dsset-optout-tld." . ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" +cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 # Configure the resolving server with a staitc key. -keyfile_to_static_ds "$ksk" > trusted.conf +keyfile_to_static_ds "$ksk" >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf @@ -49,14 +49,14 @@ cp trusted.conf ../ns6/trusted.conf cp trusted.conf ../ns7/trusted.conf cp trusted.conf ../ns9/trusted.conf -keyfile_to_trusted_keys "$ksk" > trusted.keys +keyfile_to_trusted_keys "$ksk" >trusted.keys # ...or with an initializing key. -keyfile_to_initial_ds "$ksk" > managed.conf +keyfile_to_initial_ds "$ksk" >managed.conf cp managed.conf ../ns4/managed.conf # # Save keyid for managed key id test. # -keyfile_to_key_id "$ksk" > managed.key.id +keyfile_to_key_id "$ksk" >managed.key.id diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in index 94928c1..a854a08 100644 --- a/bin/tests/system/dnssec/ns2/named.conf.in +++ b/bin/tests/system/dnssec/ns2/named.conf.in @@ -39,7 +39,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "trusted" { diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index 47248a4..05e8293 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -17,15 +17,14 @@ set -e # Sign child zones (served by ns3). -( cd ../ns3 && $SHELL sign.sh ) +(cd ../ns3 && $SHELL sign.sh) echo_i "ns2/sign.sh" # Get the DS records for the "trusted." and "managed." zones. -for subdomain in secure unsupported disabled enabled -do - cp "../ns3/dsset-$subdomain.managed." . - cp "../ns3/dsset-$subdomain.trusted." . +for subdomain in secure unsupported disabled enabled; do + cp "../ns3/dsset-$subdomain.managed." . + cp "../ns3/dsset-$subdomain.trusted." . done # Sign the "trusted." and "managed." zones. @@ -36,9 +35,9 @@ zonefile=managed.db keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 zone=trusted. infile=key.db.in @@ -47,9 +46,9 @@ zonefile=trusted.db keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 # The "example." zone. zone=example. @@ -58,23 +57,22 @@ zonefile=example.db # Get the DS records for the "example." zone. for subdomain in secure badds bogus dynamic keyless nsec3 optout \ - nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \ - kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \ - ttlpatch split-dnssec split-smart expired expiring upper lower \ - dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \ - dnskey-nsec3-unknown managed-future revkey \ - dname-at-apex-nsec3 occluded -do - cp "../ns3/dsset-$subdomain.example." . + nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \ + kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \ + ttlpatch split-dnssec split-smart expired expiring upper lower \ + dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \ + dnskey-nsec3-unknown managed-future revkey \ + dname-at-apex-nsec3 occluded; do + cp "../ns3/dsset-$subdomain.example." . done # Sign the "example." zone. keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 # # lower/uppercase the signature bits with the exception of the last characters @@ -82,8 +80,8 @@ cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" # zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1 -"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" | -awk ' +"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \ + | awk ' tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" { for (i = 1; i <= NF; i++ ) { if (i <= 12) { @@ -122,7 +120,7 @@ tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" { next; } -{ print; }' > "$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed" +{ print; }' >"$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed" # # signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned. @@ -134,8 +132,8 @@ zonefile=in-addr.arpa.db keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 # Sign the badparam secure file @@ -146,11 +144,11 @@ zonefile=badparam.db keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 -sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad" +sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" >"$zonefile.bad" # Sign the single-nsec3 secure zone with optout @@ -161,9 +159,9 @@ zonefile=single-nsec3.db keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 # # algroll has just has the old DNSKEY records removed and is waiting @@ -179,9 +177,9 @@ keyold2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zon keynew1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile" +cat "$infile" "$keynew1.key" "$keynew2.key" >"$zonefile" -"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1 +"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" >/dev/null 2>&1 # # Make a zone big enough that it takes several seconds to generate a new @@ -189,7 +187,7 @@ cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile" # zone=nsec3chain-test zonefile=nsec3chain-test.db -cat > "$zonefile" << EOF +cat >"$zonefile" <> "$zonefile" + echo "host$i 10 IN NS ns.elsewhere" + i=$((i + 1)) +done >>"$zonefile" key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$key1.key" "$key2.key" >> "$zonefile" -"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1 +cat "$key1.key" "$key2.key" >>"$zonefile" +"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" >/dev/null 2>&1 zone=cds.secure infile=cds.secure.db.in zonefile=cds.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -"$DSFROMKEY" -C "$key1.key" > "$key1.cds" +"$DSFROMKEY" -C "$key1.key" >"$key1.cds" cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cds-x.secure infile=cds.secure.db.in @@ -222,43 +220,43 @@ zonefile=cds-x.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -"$DSFROMKEY" -C "$key2.key" > "$key2.cds" -cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile" -"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1 +"$DSFROMKEY" -C "$key2.key" >"$key2.cds" +cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" >"$zonefile" +"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cds-update.secure infile=cds-update.secure.db.in zonefile=cds-update.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cds-kskonly.secure infile=cds-kskonly.secure.db.in zonefile=cds-kskonly.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 -keyfile_to_key_id "$key1" > cds-kskonly.secure.id +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 +keyfile_to_key_id "$key1" >cds-kskonly.secure.id zone=cds-auto.secure infile=cds-auto.secure.db.in zonefile=cds-auto.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -$SETTIME -P sync now "$key1" > /dev/null -cat "$infile" > "$zonefile.signed" +$SETTIME -P sync now "$key1" >/dev/null +cat "$infile" >"$zonefile.signed" zone=cdnskey.secure infile=cdnskey.secure.db.in zonefile=cdnskey.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds" -cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds" +cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cdnskey-x.secure infile=cdnskey.secure.db.in @@ -266,34 +264,34 @@ zonefile=cdnskey-x.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds" -cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile" -"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1 +sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds" +cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" >"$zonefile" +"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cdnskey-update.secure infile=cdnskey-update.secure.db.in zonefile=cdnskey-update.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cdnskey-kskonly.secure infile=cdnskey-kskonly.secure.db.in zonefile=cdnskey-kskonly.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 -keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 +keyfile_to_key_id "$key1" >cdnskey-kskonly.secure.id zone=cdnskey-auto.secure infile=cdnskey-auto.secure.db.in zonefile=cdnskey-auto.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -$SETTIME -P sync now "$key1" > /dev/null -cat "$infile" > "$zonefile.signed" +$SETTIME -P sync now "$key1" >/dev/null +cat "$infile" >"$zonefile.signed" zone=updatecheck-kskonly.secure infile=template.secure.db.in @@ -301,14 +299,14 @@ zonefile=${zone}.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") # Save key id's for checking active key usage -keyfile_to_key_id "$key1" > $zone.ksk.id -keyfile_to_key_id "$key2" > $zone.zsk.id -echo "${key1}" > $zone.ksk.key -echo "${key2}" > $zone.zsk.key +keyfile_to_key_id "$key1" >$zone.ksk.id +keyfile_to_key_id "$key2" >$zone.zsk.id +echo "${key1}" >$zone.ksk.key +echo "${key2}" >$zone.zsk.key # Add CDS and CDNSKEY records -sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey" -"$DSFROMKEY" -C "$key1.key" > "$key1.cds" -cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile" +sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cdnskey" +"$DSFROMKEY" -C "$key1.key" >"$key1.cds" +cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" >"$zonefile" # Don't sign, let auto-dnssec maintain do it. mv $zonefile "$zonefile.signed" @@ -317,8 +315,8 @@ infile=hours-vs-days.db.in zonefile=hours-vs-days.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -$SETTIME -P sync now "$key1" > /dev/null -cat "$infile" > "$zonefile.signed" +$SETTIME -P sync now "$key1" >/dev/null +cat "$infile" >"$zonefile.signed" # # Negative result from this zone should come back as insecure. @@ -328,5 +326,5 @@ infile=too-many-iterations.db.in zonefile=too-many-iterations.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" > /dev/null 2>&1 +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1 diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in index cdc6e02..680cff5 100644 --- a/bin/tests/system/dnssec/ns3/named.conf.in +++ b/bin/tests/system/dnssec/ns3/named.conf.in @@ -39,7 +39,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in index ec39308..883e067 100644 --- a/bin/tests/system/dnssec/ns3/secure.example.db.in +++ b/bin/tests/system/dnssec/ns3/secure.example.db.in @@ -47,3 +47,8 @@ rrsigonly A 10.0.0.29 cnameandkey CNAME @ cnamenokey CNAME @ dnameandkey DNAME @ + +mixedcase A 10.0.0.30 +mixedCASE TXT "mixed case" +MIXEDcase AAAA 2002:: +mIxEdCaSe LOC 37 52 56.788 N 121 54 55.02 W 1120m 10m 100m 10m diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index f56edb2..14fc709 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -19,61 +19,60 @@ set -e echo_i "ns3/sign.sh" infile=key.db.in -for tld in managed trusted -do - # A secure zone to test. - zone=secure.${tld} - zonefile=${zone}.db - - keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") - cat "$infile" "$keyname1.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null - - # Zone to test trust anchor that matches disabled algorithm. - zone=disabled.${tld} - zonefile=${zone}.db - - keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") - cat "$infile" "$keyname2.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null - - # Zone to test trust anchor that has disabled algorithm for other domain. - zone=enabled.${tld} - zonefile=${zone}.db - - keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") - cat "$infile" "$keyname3.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null - - # Zone to test trust anchor with unsupported algorithm. - zone=unsupported.${tld} - zonefile=${zone}.db - - keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") - cat "$infile" "$keyname4.key" > "$zonefile" - "$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null - awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed - - # Make trusted-keys and managed keys conf sections for ns8. - mv ${keyname4}.key ${keyname4}.tmp - awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp > ${keyname4}.key - - # Zone to test trust anchor that is revoked. - zone=revoked.${tld} - zonefile=${zone}.db - - keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") - cat "$infile" "$keyname5.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null - - case $tld in - "managed") - keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/managed.conf - ;; - "trusted") - keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/trusted.conf - ;; - esac +for tld in managed trusted; do + # A secure zone to test. + zone=secure.${tld} + zonefile=${zone}.db + + keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + cat "$infile" "$keyname1.key" >"$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null + + # Zone to test trust anchor that matches disabled algorithm. + zone=disabled.${tld} + zonefile=${zone}.db + + keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") + cat "$infile" "$keyname2.key" >"$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null + + # Zone to test trust anchor that has disabled algorithm for other domain. + zone=enabled.${tld} + zonefile=${zone}.db + + keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") + cat "$infile" "$keyname3.key" >"$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null + + # Zone to test trust anchor with unsupported algorithm. + zone=unsupported.${tld} + zonefile=${zone}.db + + keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + cat "$infile" "$keyname4.key" >"$zonefile" + "$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null + awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed + + # Make trusted-keys and managed keys conf sections for ns8. + mv ${keyname4}.key ${keyname4}.tmp + awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp >${keyname4}.key + + # Zone to test trust anchor that is revoked. + zone=revoked.${tld} + zonefile=${zone}.db + + keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + cat "$infile" "$keyname5.key" >"$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null + + case $tld in + "managed") + keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/managed.conf + ;; + "trusted") + keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/trusted.conf + ;; + esac done echo_i "ns3/sign.sh: example zones" @@ -86,9 +85,11 @@ cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone") keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile" +cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile" -"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null +cat "$zonefile" "$zonefile".signed >"$zonefile".tmp +mv "$zonefile".tmp "$zonefile".signed zone=bogus.example. infile=bogus.example.db.in @@ -96,9 +97,9 @@ zonefile=bogus.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null zone=dynamic.example. infile=dynamic.example.db.in @@ -107,9 +108,9 @@ zonefile=dynamic.example.db keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -o "$zone" "$zonefile" >/dev/null zone=keyless.example. infile=generic.example.db.in @@ -117,16 +118,16 @@ zonefile=keyless.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null # Change the signer field of the a.b.keyless.example RRSIG A # to point to a provably nonexistent DNSKEY record. zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1 mv "$zonefile.signed" "$zonefiletmp" -<"$zonefiletmp" "$PERL" -p -e 's/ keyless.example/ b.keyless.example/ - if /^a.b.keyless.example/../A RRSIG NSEC/;' > "$zonefile.signed" +"$PERL" <"$zonefiletmp" -p -e 's/ keyless.example/ b.keyless.example/ + if /^a.b.keyless.example/../A RRSIG NSEC/;' >"$zonefile.signed" rm -f "$zonefiletmp" # @@ -138,9 +139,9 @@ zonefile=secure.nsec3.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null # # NSEC3/NSEC3 test zone @@ -151,9 +152,9 @@ zonefile=nsec3.nsec3.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" "$zonefile" >/dev/null # # OPTOUT/NSEC3 test zone @@ -164,9 +165,9 @@ zonefile=optout.nsec3.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null # # A nsec3 zone (non-optout). @@ -177,9 +178,9 @@ zonefile=nsec3.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" >/dev/null # # OPTOUT/NSEC test zone @@ -190,9 +191,9 @@ zonefile=secure.optout.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null # # OPTOUT/NSEC3 test zone @@ -203,9 +204,9 @@ zonefile=nsec3.optout.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" "$zonefile" >/dev/null # # OPTOUT/OPTOUT test zone @@ -216,9 +217,9 @@ zonefile=optout.optout.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null # # A optout nsec3 zone. @@ -229,9 +230,9 @@ zonefile=optout.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" >/dev/null # # A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U). @@ -242,9 +243,9 @@ zonefile=nsec3-unknown.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" >/dev/null # # A optout nsec3 zone with a unknown nsec3 hash algorithm (-U). @@ -255,9 +256,9 @@ zonefile=optout-unknown.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" >/dev/null # # A zone that is signed with an unknown DNSKEY algorithm. @@ -269,14 +270,14 @@ zonefile=dnskey-unknown.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null -awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp >${zonefile}.signed DSFILE="dsset-${zone}." -$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE" # # A zone that is signed with an unsupported DNSKEY algorithm (3). @@ -288,14 +289,14 @@ zonefile=dnskey-unsupported.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null -awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed DSFILE="dsset-${zone}." -$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE" # # A zone with a published unsupported DNSKEY algorithm (Reserved). @@ -308,9 +309,9 @@ zonefile=dnskey-unsupported-2.example.db ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile" +cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile" -"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null +"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" >/dev/null # # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). @@ -322,14 +323,14 @@ zonefile=dnskey-nsec3-unknown.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -o "$zone" -PU -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" -PU -O full -f ${zonefile}.tmp "$zonefile" >/dev/null -awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp >${zonefile}.signed DSFILE="dsset-${zone}." -$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE" # # A multiple parameter nsec3 zone. @@ -340,20 +341,20 @@ zonefile=multiple.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -O full -o "$zone" "$zonefile" > /dev/null -awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed > NSEC -"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" > /dev/null -awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed > NSEC3 -"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" > /dev/null -awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 -"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" > /dev/null -awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 -"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" > /dev/null -awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 -"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" > /dev/null -cat NSEC NSEC3 >> "$zonefile".signed +"$SIGNER" -z -O full -o "$zone" "$zonefile" >/dev/null +awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed >NSEC +"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" >/dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >NSEC3 +"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" >/dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3 +"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" >/dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3 +"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" >/dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3 +"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" >/dev/null +cat NSEC NSEC3 >>"$zonefile".signed # # A RSASHA256 zone. @@ -364,9 +365,9 @@ zonefile=rsasha256.example.db keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # A RSASHA512 zone. @@ -377,9 +378,9 @@ zonefile=rsasha512.example.db keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # A zone with the DNSKEY set only signed by the KSK @@ -390,8 +391,8 @@ zonefile=kskonly.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -x -o "$zone" "$zonefile" >/dev/null # # A zone with the expired signatures @@ -402,8 +403,8 @@ zonefile=expired.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" >/dev/null rm -f "$kskname.*" "$zskname.*" # @@ -415,8 +416,8 @@ zonefile=update-nsec3.example.db kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null # # A NSEC signed zone that will have auto-dnssec enabled and @@ -430,8 +431,8 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # A NSEC3 signed zone that will have auto-dnssec enabled and @@ -445,8 +446,8 @@ kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone" zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null # # Secure below cname test zone. @@ -455,8 +456,8 @@ zone=secure.below-cname.example. infile=secure.below-cname.example.db.in zonefile=secure.below-cname.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$keyname.key" >"$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # Patched TTL test zone. @@ -468,11 +469,11 @@ signedfile=ttlpatch.example.db.signed patchedfile=ttlpatch.example.db.patched keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null -$CHECKZONE -D -s full "$zone" $signedfile 2> /dev/null | \ - awk '{$2 = "3600"; print}' > $patchedfile +"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" >/dev/null +$CHECKZONE -D -s full "$zone" $signedfile 2>/dev/null \ + | awk '{$2 = "3600"; print}' >$patchedfile # # Separate DNSSEC records. @@ -483,10 +484,10 @@ zonefile=split-dnssec.example.db signedfile=split-dnssec.example.db.signed keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" -echo "\$INCLUDE \"$signedfile\"" >> "$zonefile" -: > "$signedfile" -"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$keyname.key" >"$zonefile" +echo "\$INCLUDE \"$signedfile\"" >>"$zonefile" +: >"$signedfile" +"$SIGNER" -P -D -o "$zone" "$zonefile" >/dev/null # # Separate DNSSEC records smart signing. @@ -499,9 +500,9 @@ signedfile=split-smart.example.db.signed keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cp "$infile" "$zonefile" # shellcheck disable=SC2016 -echo "\$INCLUDE \"$signedfile\"" >> "$zonefile" -: > "$signedfile" -"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null +echo "\$INCLUDE \"$signedfile\"" >>"$zonefile" +: >"$signedfile" +"$SIGNER" -P -S -D -o "$zone" "$zonefile" >/dev/null # # Zone with signatures about to expire, but no private key to replace them @@ -513,7 +514,7 @@ signedfile="expiring.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" >/dev/null mv -f "${zskname}.private" "${zskname}.private.moved" mv -f "${kskname}.private" "${kskname}.private.moved" @@ -528,9 +529,9 @@ signedfile="upper.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null -$CHECKZONE -D upper.example $lower 2>/dev/null | \ - sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile +"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" >/dev/null +$CHECKZONE -D upper.example $lower 2>/dev/null \ + | sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' >$signedfile # # Check that the signer's name is in lower case when zone name is in @@ -543,7 +544,7 @@ signedfile="lower.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -S -o "$zone" "$zonefile" >/dev/null # # Zone with signatures about to expire, and dynamic, but configured @@ -556,11 +557,11 @@ signedfile="nosign.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" >/dev/null # preserve a normalized copy of the NS RRSIG for comparison later -$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \ - awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \ - sed 's/[ ][ ]*/ /g'> ../nosign.before +$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null \ + | awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' \ + | sed 's/[ ][ ]*/ /g' >../nosign.before # # An inline signing zone @@ -581,7 +582,7 @@ kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cp "$infile" "$zonefile" -"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -S -o "$zone" "$zonefile" >/dev/null # # A zone which will change its sig-validity-interval @@ -603,10 +604,10 @@ zonefile=badds.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null -sed -e 's/bogus/badds/g' < dsset-bogus.example. > dsset-badds.example. +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null +sed -e 's/bogus/badds/g' dsset-badds.example. # # A zone with future signatures. @@ -616,8 +617,8 @@ infile=future.example.db.in zonefile=future.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null cp -f "$kskname.key" trusted-future.key # @@ -628,8 +629,8 @@ infile=managed-future.example.db.in zonefile=managed-future.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null # # A zone with a revoked key @@ -643,8 +644,8 @@ ksk1=$("$REVOKE" "$ksk1") ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone") zsk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3 "$zone") -cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" >"$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # Check that NSEC3 are correctly signed and returned from below a DNAME @@ -656,7 +657,7 @@ zonefile=dname-at-apex-nsec3.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone") cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null # # A NSEC zone with occuded data at the delegation @@ -668,7 +669,7 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone") dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone") keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone") -$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}." +$DSFROMKEY "$dnskeyname.key" >"dsset-delegation.${zone}." cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \ - "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null + "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null diff --git a/bin/tests/system/dnssec/ns4/named1.conf.in b/bin/tests/system/dnssec/ns4/named1.conf.in index 280217e..113e3bb 100644 --- a/bin/tests/system/dnssec/ns4/named1.conf.in +++ b/bin/tests/system/dnssec/ns4/named1.conf.in @@ -50,7 +50,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "corp" { diff --git a/bin/tests/system/dnssec/ns4/named2.conf.in b/bin/tests/system/dnssec/ns4/named2.conf.in index b01979b..56bdfe4 100644 --- a/bin/tests/system/dnssec/ns4/named2.conf.in +++ b/bin/tests/system/dnssec/ns4/named2.conf.in @@ -38,5 +38,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/dnssec/ns4/named3.conf.in b/bin/tests/system/dnssec/ns4/named3.conf.in index 3a64e9d..e160d37 100644 --- a/bin/tests/system/dnssec/ns4/named3.conf.in +++ b/bin/tests/system/dnssec/ns4/named3.conf.in @@ -39,5 +39,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in index 5d3bf3f..d192ceb 100644 --- a/bin/tests/system/dnssec/ns4/named4.conf.in +++ b/bin/tests/system/dnssec/ns4/named4.conf.in @@ -48,7 +48,7 @@ view rec { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone secure.example { diff --git a/bin/tests/system/dnssec/ns5/named1.conf.in b/bin/tests/system/dnssec/ns5/named1.conf.in index ccb3de9..ef371e1 100644 --- a/bin/tests/system/dnssec/ns5/named1.conf.in +++ b/bin/tests/system/dnssec/ns5/named1.conf.in @@ -37,7 +37,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns5/sign.sh b/bin/tests/system/dnssec/ns5/sign.sh index df0b208..65105d0 100644 --- a/bin/tests/system/dnssec/ns5/sign.sh +++ b/bin/tests/system/dnssec/ns5/sign.sh @@ -25,15 +25,15 @@ zonefile=root.db.signed keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") # copy the KSK out first, then revoke it -keyfile_to_initial_ds "$keyname" > revoked.conf +keyfile_to_initial_ds "$keyname" >revoked.conf -"$SETTIME" -R now "${keyname}.key" > /dev/null +"$SETTIME" -R now "${keyname}.key" >/dev/null # create a current set of keys, and sign the root zone -"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone > /dev/null -"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone > /dev/null -"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1 +"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone >/dev/null +"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone >/dev/null +"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" >/dev/null 2>&1 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".") -keyfile_to_static_ds "$keyname" > trusted.conf +keyfile_to_static_ds "$keyname" >trusted.conf diff --git a/bin/tests/system/dnssec/ns6/named.conf.in b/bin/tests/system/dnssec/ns6/named.conf.in index 4bdc79c..2818b79 100644 --- a/bin/tests/system/dnssec/ns6/named.conf.in +++ b/bin/tests/system/dnssec/ns6/named.conf.in @@ -29,7 +29,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "optout-tld" { diff --git a/bin/tests/system/dnssec/ns6/sign.sh b/bin/tests/system/dnssec/ns6/sign.sh index 6102e52..e3ff2d2 100644 --- a/bin/tests/system/dnssec/ns6/sign.sh +++ b/bin/tests/system/dnssec/ns6/sign.sh @@ -24,6 +24,6 @@ zonefile=optout-tld.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null 2>&1 diff --git a/bin/tests/system/dnssec/ns7/named.conf.in b/bin/tests/system/dnssec/ns7/named.conf.in index 55cbec9..b352846 100644 --- a/bin/tests/system/dnssec/ns7/named.conf.in +++ b/bin/tests/system/dnssec/ns7/named.conf.in @@ -29,7 +29,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "nsec3.example" { diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh index 551b217..5e30050 100644 --- a/bin/tests/system/dnssec/ns7/sign.sh +++ b/bin/tests/system/dnssec/ns7/sign.sh @@ -25,7 +25,7 @@ zonefile=split-rrsig.db k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$k1.key" "$k2.key" > "$zonefile" +cat "$infile" "$k1.key" "$k2.key" >"$zonefile" # The awk script below achieves two goals: # @@ -37,8 +37,8 @@ cat "$infile" "$k1.key" "$k2.key" > "$zonefile" # - it places a copy of one of the RRSIG(SOA) records somewhere else than at the # zone apex; the test then checks whether such signatures are automatically # removed from the zone after it is loaded. -"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" >/dev/null 2>&1 awk 'BEGIN { r = ""; } $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; } { print } - END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" > "$zonefile.signed" + END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" >"$zonefile.signed" diff --git a/bin/tests/system/dnssec/ns8/named.conf.in b/bin/tests/system/dnssec/ns8/named.conf.in index d0278ca..2590de1 100644 --- a/bin/tests/system/dnssec/ns8/named.conf.in +++ b/bin/tests/system/dnssec/ns8/named.conf.in @@ -39,7 +39,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "managed.conf"; diff --git a/bin/tests/system/dnssec/prereq.sh b/bin/tests/system/dnssec/prereq.sh new file mode 100644 index 0000000..32889aa --- /dev/null +++ b/bin/tests/system/dnssec/prereq.sh @@ -0,0 +1,26 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PYTHON} -c 'import dns'; then + echo_i "python dns module is required" + exit 1 +fi + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh index 6aa0cd0..db0913d 100644 --- a/bin/tests/system/dnssec/setup.sh +++ b/bin/tests/system/dnssec/setup.sh @@ -32,21 +32,21 @@ copy_setports ns8/named.conf.in ns8/named.conf copy_setports ns9/named.conf.in ns9/named.conf ( - cd ns1 - $SHELL sign.sh - { - echo "a.bogus.example. A 10.0.0.22" - echo "b.bogus.example. A 10.0.0.23" - echo "c.bogus.example. A 10.0.0.23" - } >>../ns3/bogus.example.db.signed + cd ns1 + $SHELL sign.sh + { + echo "a.bogus.example. A 10.0.0.22" + echo "b.bogus.example. A 10.0.0.23" + echo "c.bogus.example. A 10.0.0.23" + } >>../ns3/bogus.example.db.signed ) ( - cd ns3 - cp -f siginterval1.conf siginterval.conf + cd ns3 + cp -f siginterval1.conf siginterval.conf ) ( - cd ns5 - $SHELL sign.sh + cd ns5 + $SHELL sign.sh ) diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 97bffb5..02040b9 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -22,41 +22,41 @@ n=1 rm -f dig.out.* dig_with_opts() { - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" } dig_with_additionalopts() { - "$DIG" +noall +additional +dnssec -p "$PORT" "$@" + "$DIG" +noall +additional +dnssec -p "$PORT" "$@" } dig_with_answeropts() { - "$DIG" +noall +answer +dnssec -p "$PORT" "$@" + "$DIG" +noall +answer +dnssec -p "$PORT" "$@" } delv_with_opts() { - "$DELV" -a ns1/trusted.conf -p "$PORT" "$@" + "$DELV" -a ns1/trusted.conf -p "$PORT" "$@" } rndccmd() { - "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" } # TODO: Move loadkeys_on to conf.sh.common dnssec_loadkeys_on() { - nsidx=$1 - zone=$2 - nextpart ns${nsidx}/named.run > /dev/null - rndccmd 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i - wait_for_log 20 "next key event" ns${nsidx}/named.run || return 1 + nsidx=$1 + zone=$2 + nextpart ns${nsidx}/named.run >/dev/null + rndccmd 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "next key event" ns${nsidx}/named.run || return 1 } # convert private-type records to readable form -showprivate () { - echo "-- $* --" - dig_with_opts +nodnssec +short "@$2" -t type65534 "$1" | cut -f3 -d' ' | - while read -r record; do - # shellcheck disable=SC2016 - $PERL -e 'my $rdata = pack("H*", @ARGV[0]); +showprivate() { + echo "-- $* --" + dig_with_opts +nodnssec +short "@$2" -t type65534 "$1" | cut -f3 -d' ' \ + | while read -r record; do + # shellcheck disable=SC2016 + $PERL -e 'my $rdata = pack("H*", @ARGV[0]); die "invalid record" unless length($rdata) == 5; my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata); my $action = "signing"; @@ -64,40 +64,40 @@ showprivate () { my $state = " (incomplete)"; $state = " (complete)" if $complete; print ("$action: alg: $alg, key: $key$state\n");' "$record" - done + done } # check that signing records are marked as complete -checkprivate () { - for i in 1 2 3 4 5 6 7 8 9 10; do - showprivate "$@" | grep -q incomplete || return 0 - sleep 1 - done - echo_d "$1 signing incomplete" - return 1 +checkprivate() { + for i in 1 2 3 4 5 6 7 8 9 10; do + showprivate "$@" | grep -q incomplete || return 0 + sleep 1 + done + echo_d "$1 signing incomplete" + return 1 } # check that a zone file is raw format, version 0 -israw0 () { - # shellcheck disable=SC2016 - < "$1" $PERL -e 'binmode STDIN; +israw0() { + # shellcheck disable=SC2016 + $PERL <"$1" -e 'binmode STDIN; read(STDIN, $input, 8); ($style, $version) = unpack("NN", $input); exit 1 if ($style != 2 || $version != 0);' || return $? } # check that a zone file is raw format, version 1 -israw1 () { - # shellcheck disable=SC2016 - < "$1" $PERL -e 'binmode STDIN; +israw1() { + # shellcheck disable=SC2016 + $PERL <"$1" -e 'binmode STDIN; read(STDIN, $input, 8); ($style, $version) = unpack("NN", $input); exit 1 if ($style != 2 || $version != 1);' || return $? } # strip NS and RRSIG NS from input -stripns () { - awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' "$1" +stripns() { + awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' "$1" } # @@ -106,8 +106,8 @@ stripns () { # "Negative trust anchors:". # Ensure there is not a blank line before "Secure roots:". # -check_secroots_layout () { - awk '$0 == "" { if (empty) exit(1); empty=1; next } +check_secroots_layout() { + awk '$0 == "" { if (empty) exit(1); empty=1; next } /Start view/ { if (!empty) exit(1) } /Secure roots:/ { if (empty) exit(1) } /Negative trust anchors:/ { if (!empty) exit(1) } @@ -119,781 +119,803 @@ check_secroots_layout () { # in the additional section echo_i "checking that additional glue is returned for unsigned delegation ($n)" ret=0 -$DIG +tcp +dnssec -p "$PORT" a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ns\\.insecure\\.example\\..*A.10\\.53\\.0\\.3" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +$DIG +tcp +dnssec -p "$PORT" a.insecure.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ns\\.insecure\\.example\\..*A.10\\.53\\.0\\.3" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Check the example. domain echo_i "checking that zone transfer worked ($n)" -for i in 1 2 3 4 5 6 7 8 9 -do - ret=0 - dig_with_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 - dig_with_opts a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + ret=0 + dig_with_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 + dig_with_opts a.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n >/dev/null || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 done -digcomp dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +digcomp dig.out.ns2.test$n dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # test AD bit: # - dig +adflag asks for authentication (ad in response) echo_i "checking AD bit asking for validation ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # test AD bit: # - dig +noadflag echo_i "checking that AD is not set without +adflag or +dnssec ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking for AD in authoritative answer ($n)" ret=0 -dig_with_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation NSEC ($n)" ret=0 -dig_with_opts +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that 'example/DS' from the referral was used in previous validation ($n)" ret=0 -grep "query 'example/DS/IN' approved" ns1/named.run > /dev/null && ret=1 -grep "fetch: example/DS" ns4/named.run > /dev/null && ret=1 -grep "validating example/DS: starting" ns4/named.run > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive validation NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.example > delv.out$n || ret=1 - grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - ret=0 - echo_i "checking positive validation NSEC using dns_client (trusted-keys) ($n)" - "$DELV" -a ns1/trusted.keys -p "$PORT" @10.53.0.4 a a.example > delv.out$n || ret=1 - grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "query 'example/DS/IN' approved" ns1/named.run >/dev/null && ret=1 +grep "fetch: example/DS" ns4/named.run >/dev/null && ret=1 +grep "validating example/DS: starting" ns4/named.run >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive validation NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.example >delv.out$n || ret=1 + grep "a.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + ret=0 + echo_i "checking positive validation NSEC using dns_client (trusted-keys) ($n)" + "$DELV" -a ns1/trusted.keys -p "$PORT" @10.53.0.4 a a.example >delv.out$n || ret=1 + grep "a.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive validation NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive validation NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.nsec3.example > delv.out$n || ret=1 - grep "a.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive validation NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.nsec3.example >delv.out$n || ret=1 + grep "a.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive validation OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) SP="[[:space:]]+" -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive validation OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.optout.example > delv.out$n || ret=1 - grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""A""$SP""10.0.0.1" delv.out$n || ret=1 - grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""RRSIG""$SP""A""$SP""$DEFAULT_ALGORITHM_NUMBER""$SP""3""$SP""300" delv.out$n || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive validation OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.optout.example >delv.out$n || ret=1 + grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""A""$SP""10.0.0.1" delv.out$n || ret=1 + grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""RRSIG""$SP""A""$SP""$DEFAULT_ALGORITHM_NUMBER""$SP""3""$SP""300" delv.out$n || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive wildcard validation NSEC ($n)" ret=0 -dig_with_opts a.wild.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts a.wild.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n -stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n +dig_with_opts a.wild.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts a.wild.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n +stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 -grep "\\*\\.wild\\.example\\..*RRSIG NSEC" dig.out.ns4.test$n > /dev/null || ret=1 -grep "\\*\\.wild\\.example\\..*NSEC z\\.example" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive wildcard validation NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.wild.example > delv.out$n || ret=1 - grep "a.wild.example..*10.0.0.27" delv.out$n > /dev/null || ret=1 - grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "\\*\\.wild\\.example\\..*RRSIG NSEC" dig.out.ns4.test$n >/dev/null || ret=1 +grep "\\*\\.wild\\.example\\..*NSEC z\\.example" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive wildcard validation NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.wild.example >delv.out$n || ret=1 + grep "a.wild.example..*10.0.0.27" delv.out$n >/dev/null || ret=1 + grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive wildcard answer NSEC3 ($n)" ret=0 -dig_with_opts a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts a.wild.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +grep "AUTHORITY: 4," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive wildcard answer NSEC3 ($n)" ret=0 -dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "AUTHORITY: 4," dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts a.wild.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "AUTHORITY: 4," dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive wildcard validation NSEC3 ($n)" ret=0 -dig_with_opts a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n -stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n +dig_with_opts a.wild.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts a.wild.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n +stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.wild.nsec3.example > delv.out$n || ret=1 - grep -E "a.wild.nsec3.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 - grep -E "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.wild.nsec3.example >delv.out$n || ret=1 + grep -E "a.wild.nsec3.example..*10.0.0.6" delv.out$n >/dev/null || ret=1 + grep -E "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive wildcard validation OPTOUT ($n)" ret=0 dig_with_opts a.wild.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts a.wild.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n -stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n +stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.wild.optout.example > delv.out$n || ret=1 - grep "a.wild.optout.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 - grep "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.wild.optout.example >delv.out$n || ret=1 + grep "a.wild.optout.example..*10.0.0.6" delv.out$n >/dev/null || ret=1 + grep "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative validation NXDOMAIN NSEC ($n)" ret=0 -dig_with_opts +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth q.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth q.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi +echo_i "checking RRSIG covered type in negative cache entry ($n)" +ret=0 +rndc_dumpdb ns4 +grep -F '; example. RRSIG NSEC ...' ns4/named_dump.db.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + echo_i "checking negative validation NXDOMAIN NSEC3 ($n)" ret=0 dig_with_opts +noauth q.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth q.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.nsec3.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.nsec3.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative validation NXDOMAIN OPTOUT ($n)" ret=0 dig_with_opts +noauth q.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth q.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.optout.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.optout.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative validation NODATA NSEC ($n)" ret=0 -dig_with_opts +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 txt a.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 txt a.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative validation NODATA NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 + @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 + @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 txt a.nsec3.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 txt a.nsec3.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative validation NODATA OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 + @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.example. \ - @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 + @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 txt a.optout.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 txt a.optout.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative wildcard validation NSEC ($n)" ret=0 -dig_with_opts b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -dig_with_opts b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +dig_with_opts b.wild.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +dig_with_opts b.wild.example. @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative wildcard validation NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 txt b.wild.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative wildcard validation NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 txt b.wild.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative wildcard validation NSEC3 ($n)" ret=0 -dig_with_opts b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 -dig_with_opts b.wild.nsec3.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +dig_with_opts b.wild.nsec3.example. @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 +dig_with_opts b.wild.nsec3.example. @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 txt b.wild.nsec3.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 txt b.wild.nsec3.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative wildcard validation OPTOUT ($n)" ret=0 dig_with_opts b.wild.optout.example. \ - @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 + @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 dig_with_opts b.wild.optout.example. \ - @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 + @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 txt b.optout.nsec3.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 txt b.optout.nsec3.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi # Check the insecure.example domain echo_i "checking 1-server insecurity proof NSEC ($n)" ret=0 -dig_with_opts +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.insecure.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.insecure.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.insecure.example > delv.out$n || ret=1 - grep "a.insecure.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.insecure.example >delv.out$n || ret=1 + grep "a.insecure.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server insecurity proof NSEC3 ($n)" ret=0 -dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.insecure.nsec3.example > delv.out$n || ret=1 - grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.insecure.nsec3.example >delv.out$n || ret=1 + grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server insecurity proof OPTOUT ($n)" ret=0 -dig_with_opts +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.insecure.optout.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.insecure.optout.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.insecure.optout.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.insecure.optout.example > delv.out$n || ret=1 - grep "a.insecure.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.insecure.optout.example >delv.out$n || ret=1 + grep "a.insecure.optout.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server negative insecurity proof NSEC ($n)" ret=0 dig_with_opts q.insecure.example. a @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts q.insecure.example. a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.insecure.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.insecure.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server negative insecurity proof NSEC3 ($n)" ret=0 dig_with_opts q.insecure.nsec3.example. a @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts q.insecure.nsec3.example. a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.insecure.nsec3.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.insecure.nsec3.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server negative insecurity proof OPTOUT ($n)" ret=0 dig_with_opts q.insecure.optout.example. a @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts q.insecure.optout.example. a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.insecure.optout.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.insecure.optout.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server negative insecurity proof with SOA hack NSEC ($n)" ret=0 dig_with_opts r.insecure.example. soa @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts r.insecure.example. soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)" ret=0 dig_with_opts r.insecure.nsec3.example. soa @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts r.insecure.nsec3.example. soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)" ret=0 dig_with_opts r.insecure.optout.example. soa @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts r.insecure.optout.example. soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check the secure.example domain echo_i "checking multi-stage positive validation NSEC/NSEC ($n)" ret=0 dig_with_opts +noauth a.secure.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.secure.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) + +echo_i "checking mixed-case positive validation ($n)" +ret=0 +for type in a txt aaaa loc; do + dig_with_opts +noauth mixedcase.secure.example. \ + @10.53.0.3 $type >dig.out.$type.ns3.test$n || ret=1 + dig_with_opts +noauth mixedcase.secure.example. \ + @10.53.0.4 $type >dig.out.$type.ns4.test$n || ret=1 + digcomp --lc dig.out.$type.ns3.test$n dig.out.$type.ns4.test$n || ret=1 + grep "status: NOERROR" dig.out.$type.ns4.test$n >/dev/null || ret=1 + grep "flags:.*ad.*QUERY" dig.out.$type.ns4.test$n >/dev/null || ret=1 +done +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)" ret=0 dig_with_opts +noauth a.secure.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.secure.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)" ret=0 dig_with_opts +noauth a.secure.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.secure.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking empty NODATA OPTOUT ($n)" ret=0 dig_with_opts +noauth empty.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth empty.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 #grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check the bogus domain echo_i "checking failed validation ($n)" ret=0 -dig_with_opts a.bogus.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts a.bogus.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking failed validation using dns_client ($n)" - delv_with_opts +cd @10.53.0.4 a a.bogus.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: RRSIG failed to verify" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking failed validation using dns_client ($n)" + delv_with_opts +cd @10.53.0.4 a a.bogus.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: RRSIG failed to verify" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi # Try validating with a bad trusted key. @@ -901,69 +923,69 @@ fi echo_i "checking that validation fails with a misconfigured trusted key ($n)" ret=0 -dig_with_opts example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that negative validation fails with a misconfigured trusted key ($n)" ret=0 -dig_with_opts example. ptr @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts example. ptr @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that insecurity proofs fail with a misconfigured trusted key ($n)" ret=0 -dig_with_opts a.insecure.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts a.insecure.example. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation fails when key record is missing ($n)" ret=0 -dig_with_opts a.b.keyless.example. a @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts a.b.keyless.example. a @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking that validation fails when key record is missing using dns_client ($n)" - delv_with_opts +cd @10.53.0.4 a a.b.keyless.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: insecurity proof failed" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking that validation fails when key record is missing using dns_client ($n)" + delv_with_opts +cd @10.53.0.4 a a.b.keyless.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: insecurity proof failed" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking that validation succeeds when a revoked key is encountered ($n)" ret=0 -dig_with_opts revkey.example soa @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags: .* ad" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)" - delv_with_opts +cd @10.53.0.4 soa revkey.example > delv.out$n 2>&1 || ret=1 - grep "fully validated" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +dig_with_opts revkey.example soa @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags: .* ad" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)" + delv_with_opts +cd @10.53.0.4 soa revkey.example >delv.out$n 2>&1 || ret=1 + grep "fully validated" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "Checking that a bad CNAME signature is caught after a +CD query ($n)" ret=0 #prime -dig_with_opts +cd bad-cname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1 +dig_with_opts +cd bad-cname.example. @10.53.0.4 >dig.out.ns4.prime$n || ret=1 #check: requery with +CD. pending data should be returned even if it's bogus expect="a.example. 10.0.0.1" @@ -971,16 +993,16 @@ ans=$(dig_with_opts +cd +nodnssec +short bad-cname.example. @10.53.0.4) || ret=1 test "$ans" = "$expect" || ret=1 test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'" #check: requery without +CD. bogus cached data should be rejected. -dig_with_opts +nodnssec bad-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +nodnssec bad-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "Checking that a bad DNAME signature is caught after a +CD query ($n)" ret=0 #prime -dig_with_opts +cd a.bad-dname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1 +dig_with_opts +cd a.bad-dname.example. @10.53.0.4 >dig.out.ns4.prime$n || ret=1 #check: requery with +CD. pending data should be returned even if it's bogus expect="example. a.example. @@ -989,436 +1011,435 @@ ans=$(dig_with_opts +cd +nodnssec +short a.bad-dname.example. @10.53.0.4) || ret test "$ans" = "$expect" || ret=1 test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'" #check: requery without +CD. bogus cached data should be rejected. -dig_with_opts +nodnssec a.bad-dname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +nodnssec a.bad-dname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check the insecure.secure.example domain (insecurity proof) echo_i "checking 2-server insecurity proof ($n)" ret=0 dig_with_opts +noauth a.insecure.secure.example. @10.53.0.2 a \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth a.insecure.secure.example. @10.53.0.4 a \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check a negative response in insecure.secure.example echo_i "checking 2-server insecurity proof with a negative answer ($n)" ret=0 -dig_with_opts q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \ - || ret=1 -dig_with_opts q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \ - || ret=1 +dig_with_opts q.insecure.secure.example. @10.53.0.2 a >dig.out.ns2.test$n \ + || ret=1 +dig_with_opts q.insecure.secure.example. @10.53.0.4 a >dig.out.ns4.test$n \ + || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking 2-server insecurity proof with a negative answer and SOA hack ($n)" ret=0 -dig_with_opts r.insecure.secure.example. @10.53.0.2 soa > dig.out.ns2.test$n \ - || ret=1 -dig_with_opts r.insecure.secure.example. @10.53.0.4 soa > dig.out.ns4.test$n \ - || ret=1 +dig_with_opts r.insecure.secure.example. @10.53.0.2 soa >dig.out.ns2.test$n \ + || ret=1 +dig_with_opts r.insecure.secure.example. @10.53.0.4 soa >dig.out.ns4.test$n \ + || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check that the query for a security root is successful and has ad set echo_i "checking security root query ($n)" ret=0 -dig_with_opts . @10.53.0.4 key > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts . @10.53.0.4 key >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check that the setting the cd bit works echo_i "checking cd bit on a positive answer ($n)" ret=0 dig_with_opts +noauth example. soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 dig_with_opts +noauth +cdflag example. soa @10.53.0.5 \ - > dig.out.ns5.test$n || ret=1 + >dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking cd bit on a negative answer ($n)" ret=0 -dig_with_opts q.example. soa @10.53.0.4 > dig.out.ns4.test$n || ret=1 -dig_with_opts +cdflag q.example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 +dig_with_opts q.example. soa @10.53.0.4 >dig.out.ns4.test$n || ret=1 +dig_with_opts +cdflag q.example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking insecurity proof works using negative cache ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_opts +cd @10.53.0.4 insecure.example. ds > dig.out.ns4.test$n.1 || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 -do - dig_with_opts @10.53.0.4 nonexistent.insecure.example. > dig.out.ns4.test$n.2 || ret=1 - if grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null; then - break - fi - sleep 1 +dig_with_opts +cd @10.53.0.4 insecure.example. ds >dig.out.ns4.test$n.1 || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do + dig_with_opts @10.53.0.4 nonexistent.insecure.example. >dig.out.ns4.test$n.2 || ret=1 + if grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null; then + break + fi + sleep 1 done grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation RSASHA256 NSEC ($n)" ret=0 -dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.rsasha256.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation RSASHA512 NSEC ($n)" ret=0 -dig_with_opts +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.rsasha512.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.rsasha512.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation with KSK-only DNSKEY signature ($n)" ret=0 -dig_with_opts +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.kskonly.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.kskonly.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking cd bit on a query that should fail ($n)" ret=0 dig_with_opts a.bogus.example. soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 dig_with_opts +cdflag a.bogus.example. soa @10.53.0.5 \ - > dig.out.ns5.test$n || ret=1 + >dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking cd bit on an insecurity proof ($n)" ret=0 dig_with_opts +noauth a.insecure.example. soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 dig_with_opts +noauth +cdflag a.insecure.example. soa @10.53.0.5 \ - > dig.out.ns5.test$n || ret=1 + >dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - these are looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking cd bit on a negative insecurity proof ($n)" ret=0 dig_with_opts q.insecure.example. a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 dig_with_opts +cdflag q.insecure.example. a @10.53.0.5 \ - > dig.out.ns5.test$n || ret=1 + >dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - these are looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation of an ANY query works ($n)" ret=0 -dig_with_opts +noauth foo.example. any @10.53.0.2 > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth foo.example. any @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth foo.example. any @10.53.0.2 >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth foo.example. any @10.53.0.4 >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # 2 records in the zone, 1 NXT, 3 SIGs -grep "ANSWER: 6" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 6" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation of a query returning a CNAME works ($n)" ret=0 dig_with_opts +noauth cname1.example. txt @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth cname1.example. txt @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # the CNAME & its sig, the TXT and its SIG -grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 4" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation of a query returning a DNAME works ($n)" ret=0 dig_with_opts +noauth foo.dname1.example. txt @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth foo.dname1.example. txt @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # The DNAME & its sig, the TXT and its SIG, and the synthesized CNAME. # It would be nice to test that the CNAME is being synthesized by the # recursive server and not cached, but I don't know how. -grep "ANSWER: 5" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 5" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation of an ANY query returning a CNAME works ($n)" ret=0 dig_with_opts +noauth cname2.example. any @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth cname2.example. any @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # The CNAME, NXT, and their SIGs -grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 4" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation of an ANY query returning a DNAME works ($n)" ret=0 dig_with_opts +noauth foo.dname2.example. any @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth foo.dname2.example. any @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that lookups succeed after disabling an algorithm ($n)" ret=0 dig_with_opts +noauth example. SOA @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth example. SOA @10.53.0.6 \ - > dig.out.ns6.test$n || ret=1 + >dig.out.ns6.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns6.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking a non-cachable NODATA works ($n)" ret=0 dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.7 \ - > dig.out.ns7.test$n || ret=1 -grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1 + >dig.out.ns7.test$n || ret=1 +grep "AUTHORITY: 0" dig.out.ns7.test$n >/dev/null || ret=1 dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking a non-cachable NXDOMAIN works ($n)" ret=0 dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.7 \ - > dig.out.ns7.test$n || ret=1 -grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1 + >dig.out.ns7.test$n || ret=1 +grep "AUTHORITY: 0" dig.out.ns7.test$n >/dev/null || ret=1 dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that we can load a rfc2535 signed zone ($n)" ret=0 dig_with_opts rfc2535.example. SOA @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that we can transfer a rfc2535 signed zone ($n)" ret=0 dig_with_opts rfc2535.example. SOA @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "basic dnssec-signzone checks:" echo_ic "two DNSKEYs ($n)" ret=0 ( -cd signer/general || exit 1 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test1.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test1.zone >signer.out.$n + test -f signed.zone ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "one non-KSK DNSKEY ($n)" ret=0 ( -cd signer/general || exit 0 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test2.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test2.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "one KSK DNSKEY ($n)" ret=0 ( -cd signer/general || exit 0 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test3.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test3.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "three DNSKEY ($n)" ret=0 ( -cd signer/general || exit 1 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test4.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test4.zone >signer.out.$n + test -f signed.zone ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "three DNSKEY, one private key missing ($n)" ret=0 ( -cd signer/general || exit 1 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test5.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test5.zone >signer.out.$n + test -f signed.zone ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "four DNSKEY ($n)" ret=0 ( -cd signer/general || exit 1 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test6.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test6.zone >signer.out.$n + test -f signed.zone ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "two DNSKEY, both private keys missing ($n)" ret=0 ( -cd signer/general || exit 0 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test7.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test7.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "two DNSKEY, one private key missing ($n)" ret=0 ( -cd signer/general || exit 0 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test8.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test8.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)" ret=0 ( -cd signer/general || exit 0 -rm -f signed.zone -$SIGNER -f signed.zone -3 - -H 151 -o example.com. test9.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -3 - -H 151 -o example.com. test9.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "check that dnssec-signzone accepts maximum NSEC3 iterations ($n)" ret=0 ( -cd signer/general || exit 1 -rm -f signed.zone -$SIGNER -f signed.zone -3 - -H 150 -o example.com. test9.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -3 - -H 150 -o example.com. test9.zone >signer.out.$n + test -f signed.zone ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) get_default_algorithm_key_ids_from_sigs() { - zone=$1 + zone=$1 - awk -v alg=$DEFAULT_ALGORITHM_NUMBER ' + awk -v alg=$DEFAULT_ALGORITHM_NUMBER ' NF < 8 { next } $(NF-5) != "RRSIG" { next } $(NF-3) != alg { next } @@ -1441,64 +1462,64 @@ zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM -n zone "$zone") zskid1=$(keyfile_to_key_id "$zsk1") zskid2=$(keyfile_to_key_id "$zsk2") ( -cd signer || exit 1 -# Set times such that the current set of keys are introduced 60 days ago and -# start signing now. The successor key is prepublished now and will be active -# next day. -$SETTIME -P now-60d -A now $ksk > /dev/null -$SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 > /dev/null -$SETTIME -S $zsk1 -i 1h $zsk2.key > /dev/null -$SETTIME -P now -A now+1d $zsk2.key > /dev/null -# Sign the zone with initial keys and prepublish successor. The zone signatures -# are valid for 30 days and the DNSKEY signature is valid for 60 days. -cp -f $zone.db.in $zone.db -$SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db > /dev/null -echo "\$INCLUDE \"$zone.db.signed\"" >> $zone.db + cd signer || exit 1 + # Set times such that the current set of keys are introduced 60 days ago and + # start signing now. The successor key is prepublished now and will be active + # next day. + $SETTIME -P now-60d -A now $ksk >/dev/null + $SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 >/dev/null + $SETTIME -S $zsk1 -i 1h $zsk2.key >/dev/null + $SETTIME -P now -A now+1d $zsk2.key >/dev/null + # Sign the zone with initial keys and prepublish successor. The zone signatures + # are valid for 30 days and the DNSKEY signature is valid for 60 days. + cp -f $zone.db.in $zone.db + $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null + echo "\$INCLUDE \"$zone.db.signed\"" >>$zone.db ) -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed: missing signatures from key $zskid1" -status=$((status+ret)) +status=$((status + ret)) echo_i "check dnssec-signzone retains signatures of predecessor zsk ($n)" ret=0 zone=prepub ( -cd signer || exit 1 -# Roll the ZSK. The predecessor is inactive from now on and the successor is -# activated. The zone signatures are valid for 30 days and the DNSKEY -# signature is valid for 60 days. Because of the predecessor/successor -# relationship, the signatures of the predecessor are retained and no new -# signatures with the successor should be generated. -$SETTIME -A now-30d -I now -D now+30d $zsk1 > /dev/null -$SETTIME -A now $zsk2 > /dev/null -$SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db > /dev/null + cd signer || exit 1 + # Roll the ZSK. The predecessor is inactive from now on and the successor is + # activated. The zone signatures are valid for 30 days and the DNSKEY + # signature is valid for 60 days. Because of the predecessor/successor + # relationship, the signatures of the predecessor are retained and no new + # signatures with the successor should be generated. + $SETTIME -A now-30d -I now -D now+30d $zsk1 >/dev/null + $SETTIME -A now $zsk2 >/dev/null + $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null ) -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check dnssec-signzone swaps zone signatures after interval ($n)" ret=0 zone=prepub ( -cd signer || exit 1 -# After some time the signatures should be replaced. When signing, set the -# interval to 30 days plus one second, meaning all predecessor signatures -# are within the refresh interval and should be replaced with successor -# signatures. -$SETTIME -A now-50d -I now-20d -D now+10d $zsk1 > /dev/null -$SETTIME -A now-20d $zsk2 > /dev/null -$SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db > /dev/null + cd signer || exit 1 + # After some time the signatures should be replaced. When signing, set the + # interval to 30 days plus one second, meaning all predecessor signatures + # are within the refresh interval and should be replaced with successor + # signatures. + $SETTIME -A now-50d -I now-20d -D now+10d $zsk1 >/dev/null + $SETTIME -A now-20d $zsk2 >/dev/null + $SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db >/dev/null ) -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)" ret=0 @@ -1506,40 +1527,40 @@ zone=example # If dnssec-keygen fails, the test script will exit immediately. Prevent that # from happening, and also trigger a test failure if dnssec-keygen unexpectedly # succeeds, by using "&& ret=1". -$KEYGEN -a 255 $zone > dnssectools.out.test$n 2>&1 && ret=1 +$KEYGEN -a 255 $zone >dnssectools.out.test$n 2>&1 && ret=1 grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a DS record cannot be generated for a key using an unsupported algorithm ($n)" ret=0 zone=example # Fake an unsupported algorithm key unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp +awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp mv ${unsupportedkey}.tmp ${unsupportedkey}.key # If dnssec-dsfromkey fails, the test script will exit immediately. Prevent # that from happening, and also trigger a test failure if dnssec-dsfromkey # unexpectedly succeeds, by using "&& ret=1". -$DSFROMKEY ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1 +$DSFROMKEY ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1 grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)" ret=0 ret=0 -cat signer/example.db.in "${unsupportedkey}.key" > signer/example.db +cat signer/example.db.in "${unsupportedkey}.key" >signer/example.db # If dnssec-signzone fails, the test script will exit immediately. Prevent that # from happening, and also trigger a test failure if dnssec-signzone # unexpectedly succeeds, by using "&& ret=1". -$SIGNER -o example signer/example.db ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1 +$SIGNER -o example signer/example.db ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1 grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that we can sign a zone with out-of-zone records ($n)" ret=0 @@ -1547,13 +1568,13 @@ zone=example key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -o example -f example.db example.db > /dev/null + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -o example -f example.db example.db >/dev/null ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)" ret=0 @@ -1561,10 +1582,10 @@ zone=example key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null -awk '/^IQF9LQTLK/ { + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -3 - -H 10 -o example -f example.db example.db >/dev/null + awk '/^IQF9LQTLK/ { printf("%s", $0); while (!index($0, ")")) { if (getline <= 0) @@ -1572,13 +1593,13 @@ awk '/^IQF9LQTLK/ { printf (" %s", $0); } printf("\n"); - }' example.db | sed 's/[ ][ ]*/ /g' > nsec3param.out + }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out -grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null + grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)" ret=0 @@ -1586,11 +1607,11 @@ zone=example key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example3.db -echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >> example3.db -$SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null -awk '/^IQF9LQTLK/ { + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example3.db + echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >>example3.db + $SIGNER -3 - -A -H 10 -o example -f example3.db example3.db >/dev/null + awk '/^IQF9LQTLK/ { printf("%s", $0); while (!index($0, ")")) { if (getline <= 0) @@ -1598,13 +1619,13 @@ awk '/^IQF9LQTLK/ { printf (" %s", $0); } printf("\n"); - }' example.db | sed 's/[ ][ ]*/ /g' > nsec3param.out + }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out -grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null + grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)" ret=0 @@ -1612,16 +1633,16 @@ zone=example key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -o example -f example.db.before example.db > /dev/null -sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed -$SIGNER -o example -f example.db.after example.db.changed > /dev/null + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -o example -f example.db.before example.db >/dev/null + sed 's/60.IN.SOA./50 IN SOA /' example.db.before >example.db.changed + $SIGNER -o example -f example.db.after example.db.changed >/dev/null ) -grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after > /dev/null || ret=1 -n=$((n+1)) +grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)" ret=0 @@ -1632,160 +1653,160 @@ keyid2=$(keyfile_to_key_id "$key2") key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) keyid3=$(keyfile_to_key_id "$key3") ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -D -o example example.db > /dev/null - -# now switch out key2 for key3 and resign the zone -cat example.db.in "$key1.key" "$key3.key" > example.db -echo "\$INCLUDE \"example.db.signed\"" >> example.db -$SIGNER -D -o example example.db > /dev/null + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -D -o example example.db >/dev/null + + # now switch out key2 for key3 and resign the zone + cat example.db.in "$key1.key" "$key3.key" >example.db + echo "\$INCLUDE \"example.db.signed\"" >>example.db + $SIGNER -D -o example example.db >/dev/null ) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -RD -o example example.db > /dev/null + cd signer || exit 1 + $SIGNER -RD -o example example.db >/dev/null ) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone keeps valid signatures from inactive keys ($n)" ret=0 zone=example ( -cd signer || exit 1 -cp -f example.db.in example.db -$SIGNER -SD -o example example.db > /dev/null -echo "\$INCLUDE \"example.db.signed\"" >> example.db -# now retire key2 and resign the zone -$SETTIME -I now "$key2" > /dev/null 2>&1 -$SIGNER -SD -o example example.db > /dev/null + cd signer || exit 1 + cp -f example.db.in example.db + $SIGNER -SD -o example example.db >/dev/null + echo "\$INCLUDE \"example.db.signed\"" >>example.db + # now retire key2 and resign the zone + $SETTIME -I now "$key2" >/dev/null 2>&1 + $SIGNER -SD -o example example.db >/dev/null ) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -SDQ -o example example.db > /dev/null + cd signer || exit 1 + $SIGNER -SDQ -o example example.db >/dev/null ) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone retains unexpired signatures ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -Sxt -o example example.db > signer.out.1 -$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2 + cd signer || exit 1 + $SIGNER -Sxt -o example example.db >signer.out.1 + $SIGNER -Sxt -o example -f example.db.signed example.db.signed >signer.out.2 ) || ret=1 gen1=$(awk '/generated/ {print $3}' signer/signer.out.1) retain1=$(awk '/retained/ {print $3}' signer/signer.out.1) gen2=$(awk '/generated/ {print $3}' signer/signer.out.2) retain2=$(awk '/retained/ {print $3}' signer/signer.out.2) drop2=$(awk '/dropped/ {print $3}' signer/signer.out.2) -[ "$retain2" -eq $((gen1+retain1)) ] || ret=1 +[ "$retain2" -eq $((gen1 + retain1)) ] || ret=1 [ "$gen2" -eq 0 ] || ret=1 [ "$drop2" -eq 0 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)" ret=0 ( -cd signer || exit 1 -# remove NSEC-only keys -rm -f Kexample.+005* -cp -f example.db.in example2.db -cat << EOF >> example2.db + cd signer || exit 1 + # remove NSEC-only keys + rm -f Kexample.+005* + cp -f example.db.in example2.db + cat <>example2.db sub1.example. IN A 10.53.0.1 ns.sub2.example. IN A 10.53.0.2 EOF -echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -touch example2.db.signed -$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + touch example2.db.signed + $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null ) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 ( -cd signer || exit 1 -cp -f example.db.in example2.db -cat << EOF >> example2.db + cd signer || exit 1 + cp -f example.db.in example2.db + cat <>example2.db sub1.example. IN NS sub1.example. sub1.example. IN A 10.53.0.1 sub2.example. IN NS ns.sub2.example. ns.sub2.example. IN A 10.53.0.2 EOF -echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null ) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -n=$((n+1)) +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)" ret=0 ( -cd signer || exit 1 -rm -f example2.db.signed -cp -f example.db.in example2.db -cat << EOF >> example2.db + cd signer || exit 1 + rm -f example2.db.signed + cp -f example.db.in example2.db + cat <>example2.db sub1.example. IN A 10.53.0.1 ns.sub2.example. IN A 10.53.0.2 EOF -echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -touch example2.db.signed -$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + touch example2.db.signed + $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null ) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 ( -cd signer || exit 1 -cp -f example.db.in example2.db -cat << EOF >> example2.db + cd signer || exit 1 + cp -f example.db.in example2.db + cat <>example2.db sub1.example. IN NS sub1.example. sub1.example. IN A 10.53.0.1 sub2.example. IN NS ns.sub2.example. ns.sub2.example. IN A 10.53.0.2 EOF -echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null ) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -n=$((n+1)) +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone output format ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2> /dev/null -$SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2> /dev/null -$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null -$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null -$SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null + cd signer || exit 1 + $SIGNER -O full -f - -Sxt -o example example.db >signer.out.3 2>/dev/null + $SIGNER -O text -f - -Sxt -o example example.db >signer.out.4 2>/dev/null + $SIGNER -O raw -f signer.out.5 -Sxt -o example example.db >/dev/null + $SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db >/dev/null + $SIGNER -O raw -f - -Sxt -o example example.db >signer.out.7 2>/dev/null ) || ret=1 awk 'BEGIN { found = 0; } $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 11) exit(1); } @@ -1796,46 +1817,46 @@ awk 'BEGIN { found = 0; } israw1 signer/signer.out.5 || ret=1 israw0 signer/signer.out.6 || ret=1 israw1 signer/signer.out.7 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking TTLs are capped by dnssec-signzone -M ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null + cd signer || exit 1 + $SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db >/dev/null ) || ret=1 awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone -N date ($n)" ret=0 ( -cd signer || exit 1 -TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db > /dev/null + cd signer || exit 1 + TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db >/dev/null ) || ret=1 # shellcheck disable=SC2016 now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];') serial=$(awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9) [ "$now" -eq "$serial" ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking validated data are not cached longer than originalttl ($n)" ret=0 -dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "3600.IN" dig.out.ns3.test$n > /dev/null || ret=1 -grep "300.IN" dig.out.ns3.test$n > /dev/null && ret=1 -grep "300.IN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "3600.IN" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "3600.IN" dig.out.ns3.test$n >/dev/null || ret=1 +grep "300.IN" dig.out.ns3.test$n >/dev/null && ret=1 +grep "300.IN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "3600.IN" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Test that "rndc secroots" is able to dump trusted keys echo_i "checking rndc secroots ($n)" @@ -1846,27 +1867,27 @@ cp ns4/named.secroots named.secroots.test$n check_secroots_layout named.secroots.test$n || ret=1 linecount=$(grep -c "./$DEFAULT_ALGORITHM/$keyid ; static" named.secroots.test$n || true) [ "$linecount" -eq 1 ] || ret=1 -linecount=$(< named.secroots.test$n wc -l) +linecount=$(wc /dev/null || ret=1 +dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 a >/dev/null || ret=1 ans=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.4 rrsig) || ret=1 -expect=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ) || ret=1 +expect=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A') || ret=1 test "$ans" = "$expect" || ret=1 # also check that RA is set -dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 -grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 rrsig >dig.out.ns4.test$n || ret=1 +grep "flags:.*ra.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check direct query for RRSIG: If it's not cached with other records, # it should result in an empty response. @@ -1875,70 +1896,70 @@ ret=0 ans=$(dig_with_opts +short rrsigonly.secure.example. @10.53.0.4 rrsig) || ret=1 test -z "$ans" || ret=1 # also check that RA is cleared -dig_with_opts rrsigonly.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 -grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts rrsigonly.secure.example. @10.53.0.4 rrsig >dig.out.ns4.test$n || ret=1 +grep "flags:.*ra.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # RT21868 regression test. # echo_i "checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters ($n)" ret=0 -dig_with_opts non-exist.badparam. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts non-exist.badparam. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # RT22007 regression test. # echo_i "checking optout NSEC3 referral with only insecure delegations ($n)" ret=0 -dig_with_opts +norec delegation.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +norec delegation.single-nsec3. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)" ret=0 -dig_with_opts +norec nonexist.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +norec nonexist.single-nsec3. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking optout NSEC3 nodata with only insecure delegations ($n)" ret=0 -dig_with_opts +norec single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +norec single-nsec3. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a zone finishing the transition from $ALTERNATIVE_ALGORITHM to $DEFAULT_ALGORITHM validates secure ($n)" ret=0 -dig_with_opts ns algroll. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts ns algroll. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking validate-except in an insecure local domain ($n)" ret=0 -dig_with_opts ns www.corp @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts ns www.corp @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive and negative validation with negative trust anchors ($n)" ret=0 @@ -1946,16 +1967,16 @@ ret=0 # # check correct initial behavior # -dig_with_opts a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null || ret=1 -dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1 -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1 +dig_with_opts a.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.1 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.1 >/dev/null || ret=1 +dig_with_opts badds.example. soa @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed - checking initial state"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # @@ -1965,48 +1986,48 @@ rndccmd 10.53.0.4 nta -f -l 20s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i # reconfig should maintain NTAs rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 -lines=$(wc -l < rndc.out.ns4.test$n.1) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 +lines=$(wc -l &1 | sed 's/^/ns4 /' | cat_i rndccmd 10.53.0.4 nta fakenode.secure.example 2>&1 | sed 's/^/ns4 /' | cat_i # reload should maintain NTAs rndc_reload ns4 10.53.0.4 -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2 -lines=$(wc -l < rndc.out.ns4.test$n.2) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.2 +lines=$(wc -l dig.out.ns4.test$n.4 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1 -dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.5 > /dev/null && ret=1 -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.6 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.6 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.6 > /dev/null && ret=1 -dig_with_opts a.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.7 || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.7 > /dev/null && ret=1 +dig_with_opts a.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.4 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.4 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 >/dev/null && ret=1 +dig_with_opts badds.example. soa @10.53.0.4 >dig.out.ns4.test$n.5 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.5 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.5 >/dev/null && ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.6 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.6 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.6 >/dev/null && ret=1 +dig_with_opts a.fakenode.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.7 || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.7 >/dev/null && ret=1 echo_i "dumping secroots" rndccmd 10.53.0.4 secroots | sed 's/^/ns4 /' | cat_i cp ns4/named.secroots named.secroots.test$n check_secroots_layout named.secroots.test$n || ret=1 -grep "bogus.example: expiry" named.secroots.test$n > /dev/null || ret=1 -grep "badds.example: expiry" named.secroots.test$n > /dev/null || ret=1 -grep "secure.example: expiry" named.secroots.test$n > /dev/null || ret=1 -grep "fakenode.secure.example: expiry" named.secroots.test$n > /dev/null || ret=1 +grep "bogus.example: expiry" named.secroots.test$n >/dev/null || ret=1 +grep "badds.example: expiry" named.secroots.test$n >/dev/null || ret=1 +grep "secure.example: expiry" named.secroots.test$n >/dev/null || ret=1 +grep "fakenode.secure.example: expiry" named.secroots.test$n >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed - with NTA's in place failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "waiting for NTA rechecks/expirations" @@ -2020,18 +2041,18 @@ echo_i "waiting for NTA rechecks/expirations" # # shellcheck disable=SC2016 $PERL -e 'my $delay = '"$start"' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' -dig_with_opts b.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.8 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.8 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.8 > /dev/null || ret=1 -dig_with_opts b.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.9 || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.9 > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n.9 > /dev/null || ret=1 -dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.10 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.10 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.10 > /dev/null && ret=1 +dig_with_opts b.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.8 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.8 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.8 >/dev/null || ret=1 +dig_with_opts b.fakenode.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.9 || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.9 >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n.9 >/dev/null || ret=1 +dig_with_opts badds.example. soa @10.53.0.4 >dig.out.ns4.test$n.10 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.10 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.10 >/dev/null && ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to recheck"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # @@ -2042,22 +2063,22 @@ ret=0 # shellcheck disable=SC2016 $PERL -e 'my $delay = '"$start"' + 13 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' # check nta table -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n._11 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n._11 lines=$(grep -c " expiry " rndc.out.ns4.test$n._11 || true) [ "$lines" -le 2 ] || ret=1 -grep "bogus.example/_default: expiry" rndc.out.ns4.test$n._11 > /dev/null || ret=1 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n._11 > /dev/null && ret=1 -dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.11 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.11 > /dev/null && ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.12 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.12 > /dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.12 > /dev/null && ret=1 -dig_with_opts c.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.13 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.13 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.13 > /dev/null || ret=1 +grep "bogus.example/_default: expiry" rndc.out.ns4.test$n._11 >/dev/null || ret=1 +grep "badds.example/_default: expiry" rndc.out.ns4.test$n._11 >/dev/null && ret=1 +dig_with_opts b.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.11 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.11 >/dev/null && ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.12 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.12 >/dev/null || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.12 >/dev/null && ret=1 +dig_with_opts c.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.13 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.13 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.13 >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to lifetime"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # @@ -2066,87 +2087,87 @@ ret=0 # shellcheck disable=SC2016 $PERL -e 'my $delay = '"$start"' + 21 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' # check correct behavior after bogus.example expiry -dig_with_opts d.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.14 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.14 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.14 > /dev/null || ret=1 -dig_with_opts c.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.15 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.15 > /dev/null || ret=1 +dig_with_opts d.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.14 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.14 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.14 >/dev/null || ret=1 +dig_with_opts c.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.15 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.15 >/dev/null || ret=1 # check nta table has been cleaned up now -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 lines=$(grep -c " expiry " rndc.out.ns4.test$n.3 || true) [ "$lines" -eq 0 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed - checking that all nta's have been lifted"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "testing NTA removals ($n)" rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n.1 > /dev/null || ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null && ret=1 -grep "^a.badds.example." dig.out.ns4.test$n.1 > /dev/null || ret=1 -rndccmd 10.53.0.4 nta -remove badds.example > rndc.out.ns4.test$n.2 -grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 > /dev/null || ret=1 -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n.3 > /dev/null && ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 +grep "badds.example/_default: expiry" rndc.out.ns4.test$n.1 >/dev/null || ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.1 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.1 >/dev/null && ret=1 +grep "^a.badds.example." dig.out.ns4.test$n.1 >/dev/null || ret=1 +rndccmd 10.53.0.4 nta -remove badds.example >rndc.out.ns4.test$n.2 +grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 >/dev/null || ret=1 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 +grep "badds.example/_default: expiry" rndc.out.ns4.test$n.3 >/dev/null && ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "remove non-existent NTA three times" -rndccmd 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.4 2>&1 -rndccmd 10.53.0.4 nta -remove foo > rndc.out.ns4.test$n.5 2>&1 -rndccmd 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.6 2>&1 -grep "not found" rndc.out.ns4.test$n.6 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -r foo >rndc.out.ns4.test$n.4 2>&1 +rndccmd 10.53.0.4 nta -remove foo >rndc.out.ns4.test$n.5 2>&1 +rndccmd 10.53.0.4 nta -r foo >rndc.out.ns4.test$n.6 2>&1 +grep "not found" rndc.out.ns4.test$n.6 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 -n=$((n+1)) +n=$((n + 1)) echo_i "testing NTA with bogus lifetimes ($n)" echo_i "check with no nta lifetime specified" -rndccmd 10.53.0.4 nta -l "" foo > rndc.out.ns4.test$n.1 2>&1 || true -grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.1 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -l "" foo >rndc.out.ns4.test$n.1 2>&1 || true +grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.1 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "check with bad nta lifetime" -rndccmd 10.53.0.4 nta -l garbage foo > rndc.out.ns4.test$n.2 2>&1 || true -grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -l garbage foo >rndc.out.ns4.test$n.2 2>&1 || true +grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "check with too long nta lifetime" -rndccmd 10.53.0.4 nta -l 7d1h foo > rndc.out.ns4.test$n.3 2>&1 || true -grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -l 7d1h foo >rndc.out.ns4.test$n.3 2>&1 || true +grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check NTA persistence across restarts # -n=$((n+1)) +n=$((n + 1)) echo_i "testing NTA persistence across restarts ($n)" -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 lines=$(grep -c " expiry " rndc.out.ns4.test$n.1 || true) [ "$lines" -eq 0 ] || ret=1 rndccmd 10.53.0.4 nta -f -l 30s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i rndccmd 10.53.0.4 nta -f -l 10s badds.example 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.2 lines=$(grep -c " expiry " rndc.out.ns4.test$n.2 || true) [ "$lines" -eq 2 ] || ret=1 # shellcheck disable=SC2016 start=$($PERL -e 'print time()."\n";') if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: adding NTA's failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "killing ns4 with SIGTERM" @@ -2162,12 +2183,12 @@ echo_i "waiting till 14s have passed since NTAs were added before restarting ns4 $PERL -e 'my $delay = '"$start"' + 14 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' if - start_server --noclean --restart --port "$PORT" ns4 + start_server --noclean --restart --port "$PORT" ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" @@ -2179,37 +2200,37 @@ sleep 4 # startup (as it had already expired), the fact that it's ignored should # be logged. # -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 -lines=$(wc -l < rndc.out.ns4.test$n.3) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 +lines=$(wc -l /dev/null || ret=1 -dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null || ret=1 -grep "ignoring expired NTA at badds.example" ns4/named.run > /dev/null || ret=1 +grep "bogus.example/_default: expiry" rndc.out.ns4.test$n.3 >/dev/null || ret=1 +dig_with_opts b.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.4 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.4 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 >/dev/null && ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.5 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.5 >/dev/null || ret=1 +grep "ignoring expired NTA at badds.example" ns4/named.run >/dev/null || ret=1 # cleanup -rndccmd 10.53.0.4 nta -remove bogus.example > rndc.out.ns4.test$n.6 +rndccmd 10.53.0.4 nta -remove bogus.example >rndc.out.ns4.test$n.6 if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: restoring NTA failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check "regular" attribute in NTA file works as expected at named # startup. # -n=$((n+1)) +n=$((n + 1)) echo_i "testing loading regular attribute from NTA file ($n)" -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l < rndc.out.ns4.test$n.1) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 2>/dev/null +lines=$(wc -l dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 >/dev/null || ret=1 echo_i "killing ns4 with SIGTERM" kill -TERM "$(cat ns4/named.pid)" @@ -2222,18 +2243,18 @@ sleep 4 # ns4 has now shutdown. add NTA for secure.example. directly into the # _default.nta file with the regular attribute and some future timestamp. # -future="$(($(date +%Y)+20))0101010000" -echo "secure.example. regular $future" > ns4/_default.nta +future="$(($(date +%Y) + 20))0101010000" +echo "secure.example. regular $future" >ns4/_default.nta # shellcheck disable=SC2016 start=$($PERL -e 'print time()."\n";') if - start_server --noclean --restart --port "$PORT" ns4 + start_server --noclean --restart --port "$PORT" ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi # nta-recheck is configured as 9s, so at t=12 the NTAs for @@ -2244,30 +2265,30 @@ $PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $del # secure.example. should now return an AD=1 answer (still validates) as # the NTA has been lifted. -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null || ret=1 # cleanup -rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null +rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.4 2>/dev/null if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading regular NTAs failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check "forced" attribute in NTA file works as expected at named # startup. # -n=$((n+1)) +n=$((n + 1)) echo_i "testing loading forced attribute from NTA file ($n)" -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l < rndc.out.ns4.test$n.1) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 2>/dev/null +lines=$(wc -l dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 >/dev/null || ret=1 echo_i "killing ns4 with SIGTERM" kill -TERM "$(cat ns4/named.pid)" @@ -2280,16 +2301,16 @@ sleep 4 # ns4 has now shutdown. add NTA for secure.example. directly into the # _default.nta file with the forced attribute and some future timestamp. # -echo "secure.example. forced $future" > ns4/_default.nta +echo "secure.example. forced $future" >ns4/_default.nta start=$($PERL -e 'print time()."\n";') if - start_server --noclean --restart --port "$PORT" ns4 + start_server --noclean --restart --port "$PORT" ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi # nta-recheck is configured as 9s, but even at t=12 the NTAs for @@ -2300,21 +2321,21 @@ $PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $del # secure.example. should now return an AD=0 answer (non-authenticated) # as the NTA is still there. -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null && ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null && ret=1 # cleanup -rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null +rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.4 2>/dev/null if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading forced NTAs failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check that NTA lifetime read from file is clamped to 1 week. # -n=$((n+1)) +n=$((n + 1)) echo_i "testing loading out of bounds lifetime from NTA file ($n)" echo_i "killing ns4 with SIGTERM" @@ -2328,16 +2349,16 @@ sleep 4 # ns4 has now shutdown. add NTA for secure.example. directly into the # _default.nta file with a lifetime well into the future. # -echo "secure.example. forced $future" > ns4/_default.nta +echo "secure.example. forced $future" >ns4/_default.nta added=$($PERL -e 'print time()."\n";') if - start_server --noclean --restart --port "$PORT" ns4 + start_server --noclean --restart --port "$PORT" ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" @@ -2345,101 +2366,102 @@ sleep 4 # dump the NTA to a file (omit validate-except entries) echo_i "testing 'rndc nta -d' with NTA" -rndccmd 10.53.0.4 nta -d | grep -v ": permanent" > rndc.out.ns4.test$n.1 2>/dev/null +rndccmd 10.53.0.4 nta -d | grep -v ": permanent" >rndc.out.ns4.test$n.1 2>/dev/null # "corp" is configured as a validate-except domain and thus should be # removed by the grep -v above. only "secure.example" should appear in # the dump. -lines=$(wc -l < rndc.out.ns4.test$n.1) +lines=$(wc -l /dev/null || ret=1 -ts=$(awk '{print $3" "$4}' < rndc.out.ns4.test$n.1) +grep 'secure.example' rndc.out.ns4.test$n.1 >/dev/null || ret=1 +ts=$(awk '{print $3" "$4}' rndc.out.ns4.test$n.2 -echo "ts_with_zone=$ts_with_zone" >> rndc.out.ns4.test$n.2 -echo "added=$added" >> rndc.out.ns4.test$n.2 -if $PERL -e 'use Time::Piece; use Time::Seconds;' 2>/dev/null -then - # ntadiff.pl computes $ts_with_zone - ($added + 1week) - d=$($PERL ./ntadiff.pl "$ts_with_zone" "$added") - echo "d=$d" >> rndc.out.ns4.test$n.2 - # diff from $added(now) + 1week to the clamped NTA lifetime should be - # less than a few seconds (handle daylight saving changes by adding 3600). - [ "$d" -lt 3610 ] || ret=1 +echo "ts=$ts" >rndc.out.ns4.test$n.2 +echo "ts_with_zone=$ts_with_zone" >>rndc.out.ns4.test$n.2 +echo "added=$added" >>rndc.out.ns4.test$n.2 +if $PERL -e 'use Time::Piece; use Time::Seconds;' 2>/dev/null; then + # ntadiff.pl computes $ts_with_zone - ($added + 1week) + d=$($PERL ./ntadiff.pl "$ts_with_zone" "$added") + echo "d=$d" >>rndc.out.ns4.test$n.2 + # diff from $added(now) + 1week to the clamped NTA lifetime should be + # less than a few seconds (handle daylight saving changes by adding 3600). + [ "$d" -lt 3610 ] || ret=1 else - echo_i "skipped ntadiff test; install PERL module Time::Piece" + echo_i "skipped ntadiff test; install PERL module Time::Piece" fi echo_i "testing 'rndc nta' lifetime clamping" -rndccmd 10.53.0.4 nta -d | grep ": permanent" > rndc.out.ns4.test$n.1 2>/dev/null +rndccmd 10.53.0.4 nta -d | grep ": permanent" >rndc.out.ns4.test$n.1 2>/dev/null # "corp" is configured as a validate-except domain and thus should be # the only entry in the dump. -lines=$(wc -l < rndc.out.ns4.test$n.1) +lines=$(wc -l /dev/null || ret=1 +grep 'corp/_default' rndc.out.ns4.test$n.1 >/dev/null || ret=1 # cleanup -rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null +rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.3 2>/dev/null -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing 'rndc nta -d' displays validate-except entries" -rndccmd 10.53.0.4 nta -d | grep ": permanent" > rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l < rndc.out.ns4.test$n.1) +rndccmd 10.53.0.4 nta -d | grep ": permanent" >rndc.out.ns4.test$n.1 2>/dev/null +lines=$(wc -l /dev/null || ret=1 -n=$((n+1)) +grep 'corp/_default' rndc.out.ns4.test$n.1 >/dev/null || ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that NTAs work with 'forward only;' to a validating resolver ($n)" ret=0 # Sanity check behavior without an NTA in place. -dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.1 || ret=1 -grep "SERVFAIL" dig.out.ns9.test$n.1 > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns9.test$n.1 > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.1 > /dev/null && ret=1 +dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.1 || ret=1 +grep "SERVFAIL" dig.out.ns9.test$n.1 >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns9.test$n.1 >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.1 >/dev/null && ret=1 # Add an NTA, expecting that to cause resolution to succeed. -rndccmd 10.53.0.9 nta badds.example > rndc.out.ns9.test$n.1 2>&1 || ret=1 -dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.2 || ret=1 -grep "NOERROR" dig.out.ns9.test$n.2 > /dev/null || ret=1 -grep "ANSWER: 2" dig.out.ns9.test$n.2 > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.2 > /dev/null && ret=1 +rndccmd 10.53.0.9 nta badds.example >rndc.out.ns9.test$n.1 2>&1 || ret=1 +dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.2 || ret=1 +grep "NOERROR" dig.out.ns9.test$n.2 >/dev/null || ret=1 +grep "ANSWER: 2" dig.out.ns9.test$n.2 >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.2 >/dev/null && ret=1 # Remove the NTA, expecting that to cause resolution to fail again. -rndccmd 10.53.0.9 nta -remove badds.example > rndc.out.ns9.test$n.2 2>&1 || ret=1 -dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.3 || ret=1 -grep "SERVFAIL" dig.out.ns9.test$n.3 > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns9.test$n.3 > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.3 > /dev/null && ret=1 +rndccmd 10.53.0.9 nta -remove badds.example >rndc.out.ns9.test$n.2 2>&1 || ret=1 +dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.3 || ret=1 +grep "SERVFAIL" dig.out.ns9.test$n.3 >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns9.test$n.3 >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.3 >/dev/null && ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "completed NTA tests" # Run a minimal update test if possible. This is really just # a regression test for RT #2399; more tests should be added. -if $PERL -e 'use Net::DNS;' 2>/dev/null -then - echo_i "running DNSSEC update test" - ret=0 - { output=$($PERL dnssec_update_test.pl -s 10.53.0.3 -p "$PORT" dynamic.example.); rc=$?; } || true - test "$rc" -eq 0 || ret=1 - echo "$output" | cat_i - [ $ret -eq 1 ] && status=1 +if $PERL -e 'use Net::DNS;' 2>/dev/null; then + echo_i "running DNSSEC update test" + ret=0 + { + output=$($PERL dnssec_update_test.pl -s 10.53.0.3 -p "$PORT" dynamic.example.) + rc=$? + } || true + test "$rc" -eq 0 || ret=1 + echo "$output" | cat_i + [ $ret -eq 1 ] && status=1 else - echo_i "The DNSSEC update test requires the Net::DNS library." >&2 + echo_i "The DNSSEC update test requires the Net::DNS library." >&2 fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking managed key maintenance has not started yet ($n)" ret=0 [ -f "ns4/managed-keys.bind.jnl" ] && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Reconfigure caching server to use "dnssec-validation auto", and repeat # some of the DNSSEC validation tests to ensure that it works correctly. @@ -2454,133 +2476,133 @@ sleep 5 echo_i "checking managed key maintenance timer has now started ($n)" ret=0 [ -f "ns4/managed-keys.bind.jnl" ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation NSEC ($n)" ret=0 -dig_with_opts +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking negative validation ($n)" ret=0 -dig_with_opts +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth q.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth q.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that root DS queries validate ($n)" ret=0 -dig_with_opts +noauth . @10.53.0.1 ds > dig.out.ns1.test$n || ret=1 -dig_with_opts +noauth . @10.53.0.4 ds > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth . @10.53.0.1 ds >dig.out.ns1.test$n || ret=1 +dig_with_opts +noauth . @10.53.0.4 ds >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns1.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that DS at a RFC 1918 empty zone lookup succeeds ($n)" ret=0 dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.4 >dig.out.ns6.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 -grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns6.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)" ret=0 -dig_with_opts +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 -grep "RRSIG.SOA" dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth expired.example. +dnssec @10.53.0.3 soa >dig.out.ns3.test$n || ret=1 +grep "RRSIG.SOA" dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking expired signatures do not validate ($n)" ret=0 -dig_with_opts +noauth expired.example. +dnssec @10.53.0.4 soa > dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -grep "expired.example/.*: RRSIG has expired" ns4/named.run > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth expired.example. +dnssec @10.53.0.4 soa >dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +grep "expired.example/.*: RRSIG has expired" ns4/named.run >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)" ret=0 ( -cd ns3 || exit 1 -kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example) -( -echo zone update-nsec3.example -echo server 10.53.0.3 "$PORT" -grep DNSKEY "${kskname}.key" | sed -e 's/^/update add /' -e 's/IN/300 IN/' -echo send -) | $NSUPDATE + cd ns3 || exit 1 + kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example) + ( + echo zone update-nsec3.example + echo server 10.53.0.3 "$PORT" + grep DNSKEY "${kskname}.key" | sed -e 's/^/update add /' -e 's/IN/300 IN/' + echo send + ) | $NSUPDATE ) -dig_with_opts +dnssec a update-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +dnssec a update-nsec3.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 +grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)" ret=0 -dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 +grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)" ret=0 -dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 +grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that signing records have been marked as complete ($n)" ret=0 @@ -2589,177 +2611,177 @@ checkprivate update-nsec3.example 10.53.0.3 || ret=1 checkprivate auto-nsec3.example 10.53.0.3 || ret=1 checkprivate expiring.example 10.53.0.3 || ret=1 checkprivate auto-nsec.example 10.53.0.3 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing' without arguments is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -list' without zone is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -list > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -list >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -clear' without additional arguments is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -clear > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -clear >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -clear all' without zone is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -clear all > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -clear all >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param' without additional arguments is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -nsec3param >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param none' without zone is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param none > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -nsec3param none >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -nsec3param 1 >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -nsec3param 1 0 >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param' works with salt ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - if [ "$salt" = "FFFF" ]; then - break; - fi - echo_i "sleeping ...." - sleep 1 -done; +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example >/dev/null 2>&1 || ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10; do + salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') + if [ "$salt" = "FFFF" ]; then + break + fi + echo_i "sleeping ...." + sleep 1 +done [ "$salt" = "FFFF" ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param' works without salt ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - if [ "$salt" = "-" ]; then - break; - fi - echo_i "sleeping ...." - sleep 1 -done; +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - inline.example >/dev/null 2>&1 || ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10; do + salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') + if [ "$salt" = "-" ]; then + break + fi + echo_i "sleeping ...." + sleep 1 +done [ "$salt" = "-" ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - [ -n "$salt" ] && [ "$salt" != "-" ] && break - echo_i "sleeping ...." - sleep 1 -done; +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example >/dev/null 2>&1 || ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10; do + salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') + [ "$salt" != "-" ] && [ "${#salt}" -eq 16 ] && break + echo_i "sleeping ...." + sleep 1 +done [ "$salt" != "-" ] || ret=1 [ "${#salt}" -eq 16 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)" ret=0 oldsalt=$salt -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - [ -n "$salt" ] && [ "$salt" != "$oldsalt" ] && break - echo_i "sleeping ...." - sleep 1 -done; +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example >/dev/null 2>&1 || ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10; do + salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') + [ "$salt" != "$oldsalt" ] && [ "${#salt}" -eq 16 ] && break + echo_i "sleeping ...." + sleep 1 +done [ "$salt" != "$oldsalt" ] || ret=1 [ "${#salt}" -eq 16 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check rndc signing -list output ($n)" ret=0 -{ rndccmd 10.53.0.3 signing -list dynamic.example > signing.out; } 2>&1 +{ rndccmd 10.53.0.3 signing -list dynamic.example >signing.out; } 2>&1 grep -q "No signing records found" signing.out || { - ret=1 - sed 's/^/ns3 /' signing.out | cat_i + ret=1 + sed 's/^/ns3 /' signing.out | cat_i } -{ rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1 +{ rndccmd 10.53.0.3 signing -list update-nsec3.example >signing.out; } 2>&1 grep -q "Done signing with key .*/$DEFAULT_ALGORITHM" signing.out || { - ret=1 - sed 's/^/ns3 /' signing.out | cat_i + ret=1 + sed 's/^/ns3 /' signing.out | cat_i } -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "clear signing records ($n)" -{ rndccmd 10.53.0.3 signing -clear all update-nsec3.example > /dev/null; } 2>&1 || ret=1 +{ rndccmd 10.53.0.3 signing -clear all update-nsec3.example >/dev/null; } 2>&1 || ret=1 check_no_signing_record_found() { - { rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1 + { rndccmd 10.53.0.3 signing -list update-nsec3.example >signing.out; } 2>&1 grep -q "No signing records found" signing.out || { sed 's/^/ns3 /' signing.out | cat_i return 1 @@ -2767,110 +2789,105 @@ check_no_signing_record_found() { return 0 } retry_quiet 5 check_no_signing_record_found || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a insecure zone beneath a cname resolves ($n)" ret=0 -dig_with_opts soa insecure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts soa insecure.below-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a secure zone beneath a cname resolves ($n)" ret=0 -dig_with_opts soa secure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts soa secure.below-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) my_dig() { - "$DIG" +noadd +nosea +nostat +noquest +nocomm +nocmd -p "$PORT" @10.53.0.4 "$@" + "$DIG" +noadd +nosea +nostat +noquest +nocomm +nocmd -p "$PORT" @10.53.0.4 "$@" } echo_i "checking DNSKEY query with no data still gets put in cache ($n)" ret=0 -firstVal=$(my_dig insecure.example. dnskey| awk '$1 != ";;" { print $2 }') +firstVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }') sleep 1 -secondVal=$(my_dig insecure.example. dnskey| awk '$1 != ";;" { print $2 }') -if [ "${firstVal:-0}" -eq "${secondVal:-0}" ] -then - sleep 1 - thirdVal=$(my_dig insecure.example. dnskey|awk '$1 != ";;" { print $2 }') - if [ "${firstVal:-0}" -eq "${thirdVal:-0}" ] - then - echo_i "cannot confirm query answer still in cache" - ret=1 - fi +secondVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }') +if [ "${firstVal:-0}" -eq "${secondVal:-0}" ]; then + sleep 1 + thirdVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }') + if [ "${firstVal:-0}" -eq "${thirdVal:-0}" ]; then + echo_i "cannot confirm query answer still in cache" + ret=1 + fi fi -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a split dnssec dnssec-signzone work ($n)" ret=0 -dig_with_opts soa split-dnssec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts soa split-dnssec.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a smart split dnssec dnssec-signzone work ($n)" ret=0 -dig_with_opts soa split-smart.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts soa split-smart.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that NOTIFY is sent at the end of NSEC3 chain generation ($n)" ret=0 ( -echo zone nsec3chain-test -echo server 10.53.0.2 "$PORT" -echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456 -echo send + echo zone nsec3chain-test + echo server 10.53.0.2 "$PORT" + echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456 + echo send ) | $NSUPDATE -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 -do - dig_with_opts nsec3param nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1 - if grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null - then - break; - fi - echo_i "sleeping ...." - sleep 3 +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do + dig_with_opts nsec3param nsec3chain-test @10.53.0.2 >dig.out.ns2.test$n || ret=1 + if grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null; then + break + fi + echo_i "sleeping ...." + sleep 3 done -grep "ANSWER: 3," dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "nsec3 chain generation not complete"; fi -dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.2 >dig.out.ns2.test$n || ret=1 s2=$(awk '$4 == "SOA" { print $7}' dig.out.ns2.test$n) -for i in 1 2 3 4 5 6 7 8 9 10 -do - dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.3 > dig.out.ns3.test$n || ret=1 - s3=$(awk '$4 == "SOA" { print $7}' dig.out.ns3.test$n) - test "$s2" = "$s3" && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.3 >dig.out.ns3.test$n || ret=1 + s3=$(awk '$4 == "SOA" { print $7}' dig.out.ns3.test$n) + test "$s2" = "$s3" && break + sleep 1 done digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check dnssec-dsfromkey from stdin ($n)" ret=0 -dig_with_opts dnskey algroll. @10.53.0.2 | \ - $DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1 +dig_with_opts dnskey algroll. @10.53.0.2 \ + | $DSFROMKEY -f - algroll. >dig.out.ns2.test$n || ret=1 NF=$(awk '{print NF}' dig.out.ns2.test$n | sort -u) [ "${NF}" = 7 ] || ret=1 # make canonical @@ -2878,16 +2895,16 @@ awk '{ for (i=1;i<7;i++) printf("%s ", $i); for (i=7;i<=NF;i++) printf("%s", $i); printf("\n"); -}' < dig.out.ns2.test$n > canonical1.$n || ret=1 +}' canonical1.$n || ret=1 awk '{ for (i=1;i<7;i++) printf("%s ", $i); for (i=7;i<=NF;i++) printf("%s", $i); printf("\n"); -}' < ns1/dsset-algroll. > canonical2.$n || ret=1 -diff -b canonical1.$n canonical2.$n > /dev/null 2>&1 || ret=1 -n=$((n+1)) +}' canonical2.$n || ret=1 +diff -b canonical1.$n canonical2.$n >/dev/null 2>&1 || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Intentionally strip ".key" from keyfile name to ensure the error message # includes it anyway to avoid confusion (RT #21731) @@ -2895,157 +2912,157 @@ echo_i "check dnssec-dsfromkey error message when keyfile is not found ($n)" ret=0 key=$($KEYGEN -a $DEFAULT_ALGORITHM -q example.) || ret=1 mv "$key.key" "$key" -$DSFROMKEY "$key" > dsfromkey.out.$n 2>&1 && ret=1 -grep "$key.key: file not found" dsfromkey.out.$n > /dev/null || ret=1 -n=$((n+1)) +$DSFROMKEY "$key" >dsfromkey.out.$n 2>&1 && ret=1 +grep "$key.key: file not found" dsfromkey.out.$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check dnssec-dsfromkey with revoked key ($n)" ret=0 -dig_with_opts revkey.example dnskey @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "DNSKEY.256 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # ZSK -grep "DNSKEY.385 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # revoked KSK -grep "DNSKEY.257 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # KSK +dig_with_opts revkey.example dnskey @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "DNSKEY.256 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # ZSK +grep "DNSKEY.385 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # revoked KSK +grep "DNSKEY.257 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # KSK test $(awk '$4 == "DNSKEY" { print }' dig.out.ns4.test$n | wc -l) -eq 3 || ret=1 -$DSFROMKEY -f dig.out.ns4.test$n revkey.example. > dsfromkey.out.test$n || ret=1 -test $(wc -l < dsfromkey.out.test$n) -eq 1 || ret=1 -n=$((n+1)) +$DSFROMKEY -f dig.out.ns4.test$n revkey.example. >dsfromkey.out.test$n || ret=1 +test $(wc -l dig.out.ns3.test$n 2>&1 +dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG >dig.out.ns3.test$n 2>&1 # there must be a signature here [ -s dig.out.ns3.test$n ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing new records are signed with 'no-resign' ($n)" ret=0 ( -echo zone nosign.example -echo server 10.53.0.3 "$PORT" -echo update add new.nosign.example 300 in txt "hi there" -echo send + echo zone nosign.example + echo server 10.53.0.3 "$PORT" + echo update add new.nosign.example 300 in txt "hi there" + echo send ) | $NSUPDATE sleep 1 dig_with_answeropts +nottlid txt new.nosign.example @10.53.0.3 \ - > dig.out.ns3.test$n 2>&1 -grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 -n=$((n+1)) + >dig.out.ns3.test$n 2>&1 +grep RRSIG dig.out.ns3.test$n >/dev/null 2>&1 || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing expiring records aren't resigned with 'no-resign' ($n)" ret=0 -dig_with_answeropts +nottlid nosign.example ns @10.53.0.3 | \ - grep RRSIG | sed 's/[ ][ ]*/ /g' > dig.out.ns3.test$n 2>&1 +dig_with_answeropts +nottlid nosign.example ns @10.53.0.3 \ + | grep RRSIG | sed 's/[ ][ ]*/ /g' >dig.out.ns3.test$n 2>&1 # the NS RRSIG should not be changed -diff nosign.before dig.out.ns3.test$n > /dev/null|| ret=1 -n=$((n+1)) +diff nosign.before dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing updates fail with no private key ($n)" ret=0 rm -f ns3/Knosign.example.*.private ( -echo zone nosign.example -echo server 10.53.0.3 "$PORT" -echo update add fail.nosign.example 300 in txt "reject me" -echo send -) | $NSUPDATE > /dev/null 2>&1 && ret=1 + echo zone nosign.example + echo server 10.53.0.3 "$PORT" + echo update add fail.nosign.example 300 in txt "reject me" + echo send +) | $NSUPDATE >/dev/null 2>&1 && ret=1 dig_with_answeropts +nottlid fail.nosign.example txt @10.53.0.3 \ - > dig.out.ns3.test$n 2>&1 + >dig.out.ns3.test$n 2>&1 [ -s dig.out.ns3.test$n ] && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing legacy upper case signer name validation ($n)" ret=0 $DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa upper.example @10.53.0.4 \ - > dig.out.ns4.test$n 2>&1 || ret=1 -grep "flags:.* ad;" dig.out.ns4.test$n > /dev/null || ret=1 -grep "RRSIG.*SOA.* UPPER\\.EXAMPLE\\. " dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns4.test$n 2>&1 || ret=1 +grep "flags:.* ad;" dig.out.ns4.test$n >/dev/null || ret=1 +grep "RRSIG.*SOA.* UPPER\\.EXAMPLE\\. " dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing that we lower case signer name ($n)" ret=0 $DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa LOWER.EXAMPLE @10.53.0.4 \ - > dig.out.ns4.test$n 2>&1 || ret=1 -grep "flags:.* ad;" dig.out.ns4.test$n > /dev/null || ret=1 -grep "RRSIG.*SOA.* lower\\.example\\. " dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns4.test$n 2>&1 || ret=1 +grep "flags:.* ad;" dig.out.ns4.test$n >/dev/null || ret=1 +grep "RRSIG.*SOA.* lower\\.example\\. " dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing TTL is capped at RRSIG expiry time ($n)" ret=0 rndccmd 10.53.0.3 freeze expiring.example 2>&1 | sed 's/^/ns3 /' | cat_i ( -cd ns3 || exit 1 -for file in K*.moved; do - mv "$file" "$(basename "$file" .moved)" -done -$SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null + cd ns3 || exit 1 + for file in K*.moved; do + mv "$file" "$(basename "$file" .moved)" + done + $SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db >/dev/null ) || ret=1 rndc_reload ns3 10.53.0.3 expiring.example rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_answeropts +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n -dig_with_answeropts expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n +dig_with_answeropts +cd expiring.example soa @10.53.0.4 >dig.out.ns4.1.$n +dig_with_answeropts expiring.example soa @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-0}; do - [ "${ttl}" -eq 300 ] || ret=1 + [ "${ttl}" -eq 300 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "${ttl}" -le 60 ] || ret=1 + [ "${ttl}" -le 60 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (NS) ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i sleep 1 -dig_with_additionalopts +cd expiring.example ns @10.53.0.4 > dig.out.ns4.1.$n -dig_with_additionalopts expiring.example ns @10.53.0.4 > dig.out.ns4.2.$n +dig_with_additionalopts +cd expiring.example ns @10.53.0.4 >dig.out.ns4.1.$n +dig_with_additionalopts expiring.example ns @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-300}; do - [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 + [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "$ttl" -le 60 ] || ret=1 + [ "$ttl" -le 60 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (MX) ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i sleep 1 -dig_with_additionalopts +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n -dig_with_additionalopts expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n +dig_with_additionalopts +cd expiring.example mx @10.53.0.4 >dig.out.ns4.1.$n +dig_with_additionalopts expiring.example mx @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-300}; do - [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 + [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "$ttl" -le 60 ] || ret=1 + [ "$ttl" -le 60 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) copy_setports ns4/named3.conf.in ns4/named.conf rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i @@ -3054,205 +3071,202 @@ sleep 3 echo_i "testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_answeropts +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n -dig_with_answeropts expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n +dig_with_answeropts +cd expiring.example soa @10.53.0.4 >dig.out.ns4.1.$n +dig_with_answeropts expiring.example soa @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-0}; do - [ "$ttl" -eq 300 ] || ret=1 + [ "$ttl" -eq 300 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "$ttl" -eq 120 ] || ret=1 + [ "$ttl" -eq 120 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)" ret=0 -dig_with_answeropts +cd expired.example soa @10.53.0.4 > dig.out.ns4.1.$n -dig_with_answeropts expired.example soa @10.53.0.4 > dig.out.ns4.2.$n +dig_with_answeropts +cd expired.example soa @10.53.0.4 >dig.out.ns4.1.$n +dig_with_answeropts expired.example soa @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-0}; do - [ "$ttl" -eq 300 ] || ret=1 + [ "$ttl" -eq 300 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "$ttl" -eq 120 ] || ret=1 + [ "$ttl" -eq 120 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_additionalopts +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n -dig_with_additionalopts expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n +dig_with_additionalopts +cd expiring.example mx @10.53.0.4 >dig.out.ns4.1.$n +dig_with_additionalopts expiring.example mx @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-300}; do - [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 + [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1 + [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing DNSKEY lookup via CNAME ($n)" ret=0 dig_with_opts +noauth cnameandkey.secure.example. \ - @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1 + @10.53.0.3 dnskey >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth cnameandkey.secure.example. \ - @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1 + @10.53.0.4 dnskey >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "CNAME" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing KEY lookup at CNAME (present) ($n)" ret=0 dig_with_opts +noauth cnameandkey.secure.example. \ - @10.53.0.3 key > dig.out.ns3.test$n || ret=1 + @10.53.0.3 key >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth cnameandkey.secure.example. \ - @10.53.0.4 key > dig.out.ns4.test$n || ret=1 + @10.53.0.4 key >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "CNAME" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing KEY lookup at CNAME (not present) ($n)" ret=0 dig_with_opts +noauth cnamenokey.secure.example. \ - @10.53.0.3 key > dig.out.ns3.test$n || ret=1 + @10.53.0.3 key >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth cnamenokey.secure.example. \ - @10.53.0.4 key > dig.out.ns4.test$n || ret=1 + @10.53.0.4 key >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "CNAME" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing DNSKEY lookup via DNAME ($n)" ret=0 dig_with_opts a.dnameandkey.secure.example. \ - @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1 + @10.53.0.3 dnskey >dig.out.ns3.test$n || ret=1 dig_with_opts a.dnameandkey.secure.example. \ - @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1 + @10.53.0.4 dnskey >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1 -grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "CNAME" dig.out.ns4.test$n >/dev/null || ret=1 +grep "DNAME" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing KEY lookup via DNAME ($n)" ret=0 dig_with_opts b.dnameandkey.secure.example. \ - @10.53.0.3 key > dig.out.ns3.test$n || ret=1 + @10.53.0.3 key >dig.out.ns3.test$n || ret=1 dig_with_opts b.dnameandkey.secure.example. \ - @10.53.0.4 key > dig.out.ns4.test$n || ret=1 + @10.53.0.4 key >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "DNAME" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that named doesn't loop when all private keys are not available ($n)" ret=0 lines=$(grep -c "reading private key file expiring.example" ns3/named.run || true) test "${lines:-1000}" -lt 15 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check against against missing nearest provable proof ($n)" dig_with_opts +norec b.c.d.optout-tld. \ - @10.53.0.6 ds > dig.out.ds.ns6.test$n || ret=1 + @10.53.0.6 ds >dig.out.ds.ns6.test$n || ret=1 nsec3=$(grep -c "IN.NSEC3" dig.out.ds.ns6.test$n || true) [ "$nsec3" -eq 2 ] || ret=1 dig_with_opts +norec b.c.d.optout-tld. \ - @10.53.0.6 A > dig.out.ns6.test$n || ret=1 + @10.53.0.6 A >dig.out.ns6.test$n || ret=1 nsec3=$(grep -c "IN.NSEC3" dig.out.ns6.test$n || true) [ "$nsec3" -eq 1 ] || ret=1 dig_with_opts optout-tld. \ - @10.53.0.4 SOA > dig.out.soa.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n > /dev/null || ret=1 + @10.53.0.4 SOA >dig.out.soa.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n >/dev/null || ret=1 dig_with_opts b.c.d.optout-tld. \ - @10.53.0.4 A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) + @10.53.0.4 A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that key id are logged when dumping the cache ($n)" ret=0 rndc_dumpdb ns4 -grep "; key id = " ns4/named_dump.db.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "; key id = " ns4/named_dump.db.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check KEYDATA records are printed in human readable form in key zone ($n)" # force the managed-keys zone to be written out rndccmd 10.53.0.4 managed-keys sync 2>&1 | sed 's/^/ns4 /' | cat_i -for i in 1 2 3 4 5 6 7 8 9 -do - ret=0 - if test -f ns4/managed-keys.bind - then - grep KEYDATA ns4/managed-keys.bind > /dev/null && - grep "next refresh:" ns4/managed-keys.bind > /dev/null && - break - fi - ret=1 - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + ret=0 + if test -f ns4/managed-keys.bind; then + grep KEYDATA ns4/managed-keys.bind >/dev/null \ + && grep "next refresh:" ns4/managed-keys.bind >/dev/null \ + && break + fi + ret=1 + sleep 1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check dig's +nocrypto flag ($n)" ret=0 dig_with_opts +norec +nocrypto DNSKEY . \ - @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1 -grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.ns1.test$n > /dev/null || ret=1 -grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.ns1.test$n > /dev/null || ret=1 + @10.53.0.1 >dig.out.dnskey.ns1.test$n || ret=1 +grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.ns1.test$n >/dev/null || ret=1 +grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.ns1.test$n >/dev/null || ret=1 dig_with_opts +norec +nocrypto DS example \ - @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1 -grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.ns1.test$n > /dev/null || ret=1 -n=$((n+1)) + @10.53.0.1 >dig.out.ds.ns1.test$n || ret=1 +grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.ns1.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)" ret=0 cnt=0 -while : -do -dig_with_opts publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n -keys=$(awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l) -test "$keys" -gt 2 && break -cnt=$((cnt+1)) -test "$cnt" -gt 120 && break -sleep 1 +while :; do + dig_with_opts publish-inactive.example @10.53.0.3 dnskey >dig.out.ns3.test$n + keys=$(awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l) + test "$keys" -gt 2 && break + cnt=$((cnt + 1)) + test "$cnt" -gt 120 && break + sleep 1 done test "$keys" -gt 2 || ret=1 sigs=$(grep -c RRSIG dig.out.ns3.test$n || true) -n=$((n+1)) +n=$((n + 1)) test "$sigs" -eq 2 || ret=1 -if test "$ret" -ne 0 ; then echo_i "failed"; fi -status=$((status+ret)) +if test "$ret" -ne 0; then echo_i "failed"; fi +status=$((status + ret)) echo_i "check that increasing the sig-validity-interval resigning triggers re-signing ($n)" ret=0 @@ -3261,41 +3275,44 @@ cp ns3/siginterval2.conf ns3/siginterval.conf rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i i=10 while [ "$i" -ge 0 ]; do -after=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA) -test "$before" != "$after" && break -sleep 1 -i=$((i-1)) + after=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA) + test "$before" != "$after" && break + sleep 1 + i=$((i - 1)) done -n=$((n+1)) -if test "$before" = "$after" ; then echo_i "failed"; ret=1; fi -status=$((status+ret)) +n=$((n + 1)) +if test "$before" = "$after"; then + echo_i "failed" + ret=1 +fi +status=$((status + ret)) if [ -x "$PYTHON" ]; then - echo_i "check dnskey-sig-validity sets longer expiry for DNSKEY ($n)" - ret=0 - rndccmd 10.53.0.3 sign siginterval.example 2>&1 | sed 's/^/ns3 /' | cat_i - # convert expiry date to a comma-separated list of integers python can - # use as input to date(). strip leading 0s in months and days so - # python3 will recognize them as integers. - $DIG +dnssec +short -p "$PORT" @10.53.0.3 soa siginterval.example > dig.out.soa.test$n || ret=1 - soaexpire=$(awk '$1 ~ /SOA/ { print $5 }' dig.out.soa.test$n | - sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' | - sed 's/ 0/ /g') - $DIG +dnssec +short -p "$PORT" @10.53.0.3 dnskey siginterval.example > dig.out.dnskey.test$n || ret=1 - dnskeyexpire=$(awk '$1 ~ /DNSKEY/ { print $5; exit 0 }' dig.out.dnskey.test$n | - sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' | - sed 's/ 0/ /g') - $PYTHON > python.out.$n <&1 | sed 's/^/ns3 /' | cat_i + # convert expiry date to a comma-separated list of integers python can + # use as input to date(). strip leading 0s in months and days so + # python3 will recognize them as integers. + $DIG +dnssec +short -p "$PORT" @10.53.0.3 soa siginterval.example >dig.out.soa.test$n || ret=1 + soaexpire=$(awk '$1 ~ /SOA/ { print $5 }' dig.out.soa.test$n \ + | sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' \ + | sed 's/ 0/ /g') + $DIG +dnssec +short -p "$PORT" @10.53.0.3 dnskey siginterval.example >dig.out.dnskey.test$n || ret=1 + dnskeyexpire=$(awk '$1 ~ /DNSKEY/ { print $5; exit 0 }' dig.out.dnskey.test$n \ + | sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' \ + | sed 's/ 0/ /g') + $PYTHON >python.out.$n < dig.out.ns4.1.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.1.test$n > /dev/null && ret=1 + @10.53.0.4 >dig.out.ns4.1.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.1.test$n >/dev/null && ret=1 dig_with_opts ns secure.example \ - @10.53.0.4 > dig.out.ns4.2.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.2.test$n > /dev/null && ret=1 -n=$((n+1)) + @10.53.0.4 >dig.out.ns4.2.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.2.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check the acceptance of seconds as inception and expiration times ($n)" ret=0 @@ -3322,14 +3339,14 @@ exp="NSEC 8 0 86400 20140118000000 20140110230000 33655 . NYWjZYBV1b+h4j0yu/SmPO out=$(echo "IN RRSIG $in" | $RRCHECKER -p | sed 's/^IN.RRSIG.//') [ "$out" = "$exp" ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check the correct resigning time is reported in zonestatus ($n)" ret=0 rndccmd 10.53.0.3 \ - zonestatus secure.example > rndc.out.ns3.test$n + zonestatus secure.example >rndc.out.ns3.test$n # next resign node: secure.example/DNSKEY qname=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,/.*,,') qtype=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,.*/,,') @@ -3339,194 +3356,194 @@ time=$(awk 'BEGIN { m["Jan"] = "01"; m["Feb"] = "02"; m["Mar"] = "03"; m["Jul"] = "07"; m["Aug"] = "08"; m["Sep"] = "09"; m["Oct"] = "10"; m["Nov"] = "11"; m["Dec"] = "12";} /next resign time:/ { printf "%d%s%02d%s\n", $7, m[$6], $5, $8 }' rndc.out.ns3.test$n | sed 's/://g') -dig_with_opts +noall +answer "$qname" "$qtype" @10.53.0.3 > dig.out.test$n +dig_with_opts +noall +answer "$qname" "$qtype" @10.53.0.3 >dig.out.test$n expire=$(awk '$4 == "RRSIG" { print $9 }' dig.out.test$n) inception=$(awk '$4 == "RRSIG" { print $10 }' dig.out.test$n) $PERL -e 'exit(0) if ("'"$time"'" lt "'"$expire"'" && "'"$time"'" gt "'"$inception"'"); exit(1);' || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that split rrsigs are handled ($n)" ret=0 -dig_with_opts split-rrsig soa @10.53.0.7 > dig.out.test$n || ret=1 +dig_with_opts split-rrsig soa @10.53.0.7 >dig.out.test$n || ret=1 awk 'BEGIN { ok=0; } $4 == "SOA" { if ($7 > 1) ok=1; } END { if (!ok) exit(1); }' dig.out.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that not-at-zone-apex RRSIG(SOA) RRsets are removed from the zone after load ($n)" ret=0 -dig_with_opts split-rrsig AXFR @10.53.0.7 > dig.out.test$n || ret=1 +dig_with_opts split-rrsig AXFR @10.53.0.7 >dig.out.test$n || ret=1 grep -q "not-at-zone-apex.*RRSIG.*SOA" dig.out.test$n && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)" ret=0 alg=1 -until test $alg -eq 256 -do - zone="keygen-$alg." - case $alg in - 2) # Diffie Helman - alg=$((alg+1)) - continue;; - 157|160|161|162|163|164|165) # private - non standard - alg=$((alg+1)) - continue;; - 1|5|7|8|10) # RSA algorithms - key1=$($KEYGEN -a "$alg" -b "1024" -n zone "$zone" 2> "keygen-$alg.err" || true) - ;; - 15|16) - key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true) - ;; - *) - key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true) - esac - if grep "unsupported algorithm" "keygen-$alg.err" > /dev/null - then - alg=$((alg+1)) - continue - fi - if test -z "$key1" - then - echo_i "'$KEYGEN -a $alg': failed" - cat "keygen-$alg.err" - ret=1 - alg=$((alg+1)) - continue - fi - $SETTIME -I now+4d "$key1.private" > /dev/null - key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2> /dev/null) - test -f "$key2.key" -a -f "$key2.private" || { - ret=1 - echo_i "'dnssec-keygen -S' failed for algorithm: $alg" - } - alg=$((alg+1)) +until test $alg -eq 256; do + zone="keygen-$alg." + case $alg in + 2) # Diffie Helman + alg=$((alg + 1)) + continue + ;; + 157 | 160 | 161 | 162 | 163 | 164 | 165) # private - non standard + alg=$((alg + 1)) + continue + ;; + 1 | 5 | 7 | 8 | 10) # RSA algorithms + key1=$($KEYGEN -a "$alg" -b "1024" -n zone "$zone" 2>"keygen-$alg.err" || true) + ;; + 15 | 16) + key1=$($KEYGEN -a "$alg" -n zone "$zone" 2>"keygen-$alg.err" || true) + ;; + *) + key1=$($KEYGEN -a "$alg" -n zone "$zone" 2>"keygen-$alg.err" || true) + ;; + esac + if grep "unsupported algorithm" "keygen-$alg.err" >/dev/null; then + alg=$((alg + 1)) + continue + fi + if test -z "$key1"; then + echo_i "'$KEYGEN -a $alg': failed" + cat "keygen-$alg.err" + ret=1 + alg=$((alg + 1)) + continue + fi + $SETTIME -I now+4d "$key1.private" >/dev/null + key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2>/dev/null) + test -f "$key2.key" -a -f "$key2.private" || { + ret=1 + echo_i "'dnssec-keygen -S' failed for algorithm: $alg" + } + alg=$((alg + 1)) done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are signed using KSK by dnssec-signzone ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cds cds.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are not signed using ZSK by dnssec-signzone -x ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cds cds-x.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-x.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that positive unknown NSEC3 hash algorithm does validate ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example SOA > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example SOA > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example SOA >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example SOA >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are signed using KSK by with dnssec-auto ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a CDS deletion record is accepted ($n)" ret=0 ( -echo zone cds-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-update.secure CDS -echo update add cds-update.secure 0 CDS 0 0 0 00 -echo send -) | $NSUPDATE > nsupdate.out.test$n 2>&1 -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n + echo zone cds-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-update.secure CDS + echo update add cds-update.secure 0 CDS 0 0 0 00 + echo send +) | $NSUPDATE >nsupdate.out.test$n 2>&1 +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "${lines:-10}" -eq 1 || ret=1 lines=$(awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are signed using KSK when added by nsupdate ($n)" ret=0 ( -echo zone cds-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-update.secure CDS -echo send -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure | -grep "DNSKEY.257" | -$DSFROMKEY -12 -C -f - -T 1 cds-update.secure | -sed "s/^/update add /" -echo send + echo zone cds-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-update.secure CDS + echo send + dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \ + | grep "DNSKEY.257" \ + | $DSFROMKEY -12 -C -f - -T 1 cds-update.secure \ + | sed "s/^/update add /" + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are signed only using KSK when added by" echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 keyid=$(cat ns2/cds-kskonly.secure.id) ( -echo zone cds-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-kskonly.secure CDS -echo send -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure | -grep "DNSKEY.257" | -$DSFROMKEY -12 -C -f - -T 1 cds-kskonly.secure | -sed "s/^/update add /" -echo send + echo zone cds-kskonly.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-kskonly.secure CDS + echo send + dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure \ + | grep "DNSKEY.257" \ + | $DSFROMKEY -12 -C -f - -T 1 cds-kskonly.secure \ + | sed "s/^/update add /" + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS deletion records are signed only using KSK when added by" echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 keyid=$(cat ns2/cds-kskonly.secure.id) ( -echo zone cds-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-kskonly.secure CDS -echo update add cds-kskonly.secure 0 CDS 0 0 0 00 -echo send + echo zone cds-kskonly.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-kskonly.secure CDS + echo update add cds-kskonly.secure 0 CDS 0 0 0 00 + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) @@ -3535,125 +3552,125 @@ lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example SOA > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example SOA >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example SOA >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a non matching CDS record is accepted with a matching CDS record ($n)" ret=0 ( -echo zone cds-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-update.secure CDS -echo send -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure | -grep "DNSKEY.257" | -$DSFROMKEY -12 -C -f - -T 1 cds-update.secure | -sed "s/^/update add /" -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure | -grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' | -$DSFROMKEY -12 -C -A -f - -T 1 cds-update.secure | -sed "s/^/update add /" -echo send + echo zone cds-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-update.secure CDS + echo send + dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \ + | grep "DNSKEY.257" \ + | $DSFROMKEY -12 -C -f - -T 1 cds-update.secure \ + | sed "s/^/update add /" + dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \ + | grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' \ + | $DSFROMKEY -12 -C -A -f - -T 1 cds-update.secure \ + | sed "s/^/update add /" + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 4 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that negative unknown NSEC3 hash algorithm does not validate ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: SERVFAIL," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are signed using KSK by dnssec-signzone ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are not signed using ZSK by dnssec-signzone -x ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-x.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-x.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: SERVFAIL," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are signed using KSK by with dnssec-auto ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that unknown DNSKEY algorithm validates as insecure ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unknown.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unknown.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unknown.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unknown.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that unsupported DNSKEY algorithm validates as insecure ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY > dig.out.test$n -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY >dig.out.test$n +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # TODO: test case for GL #1689. # If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5) @@ -3665,86 +3682,86 @@ status=$((status+ret)) echo_i "check that a CDNSKEY deletion record is accepted ($n)" ret=0 ( -echo zone cdnskey-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-update.secure CDNSKEY -echo update add cdnskey-update.secure 0 CDNSKEY 0 3 0 AA== -echo send -) | $NSUPDATE > nsupdate.out.test$n 2>&1 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n + echo zone cdnskey-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cdnskey-update.secure CDNSKEY + echo update add cdnskey-update.secure 0 CDNSKEY 0 3 0 AA== + echo send +) | $NSUPDATE >nsupdate.out.test$n 2>&1 +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "${lines:-10}" -eq 1 || ret=1 lines=$(awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' dig.out.test$n | wc -l) test "${lines:-10}" -eq 1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-nsec3-unknown.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-nsec3-unknown.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-nsec3-unknown.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-nsec3-unknown.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are signed using KSK when added by nsupdate ($n)" ret=0 ( -echo zone cdnskey-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-update.secure CDNSKEY -dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | -sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' -echo send + echo zone cdnskey-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cdnskey-update.secure CDNSKEY + dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \ + | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are signed only using KSK when added by" echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 keyid=$(cat ns2/cdnskey-kskonly.secure.id) ( -echo zone cdnskey-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-kskonly.secure CDNSKEY -dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure | -sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' -echo send + echo zone cdnskey-kskonly.secure + echo server 10.53.0.2 "$PORT" + echo update delete cdnskey-kskonly.secure CDNSKEY + dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure \ + | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY deletion records are signed only using KSK when added by" echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 keyid=$(cat ns2/cdnskey-kskonly.secure.id) ( -echo zone cdnskey-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-kskonly.secure CDNSKEY -echo update add cdnskey-kskonly.secure 0 CDNSKEY 0 3 0 AA== -echo send + echo zone cdnskey-kskonly.secure + echo server 10.53.0.2 "$PORT" + echo update delete cdnskey-kskonly.secure CDNSKEY + echo update add cdnskey-kskonly.secure 0 CDNSKEY 0 3 0 AA== + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l) @@ -3753,184 +3770,188 @@ lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' dig.out.test$n | wc -l) test "${lines:-10}" -eq 1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking initialization with a revoked managed key ($n)" ret=0 copy_setports ns5/named2.conf.in ns5/named.conf rndccmd 10.53.0.5 reconfig 2>&1 | sed 's/^/ns5 /' | cat_i sleep 3 -dig_with_opts +dnssec @10.53.0.5 SOA . > dig.out.ns5.test$n -grep "status: SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +dnssec @10.53.0.5 SOA . >dig.out.ns5.test$n +grep "status: SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)" ret=0 ( -echo zone cdnskey-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-update.secure CDNSKEY -dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | -sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' -dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | -sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p' -echo send + echo zone cdnskey-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cdnskey-update.secure CDNSKEY + dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \ + | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' + dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \ + | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p' + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)" ret=0 # generate signed zone with MX and AAAA records at apex. ( -cd signer || exit 1 -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove > /dev/null -$KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove > /dev/null -echo > remove.db.signed -$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n + cd signer || exit 1 + $KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove >/dev/null + $KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove >/dev/null + echo >remove.db.signed + $SIGNER -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n ) -grep "RRSIG MX" signer/remove.db.signed > /dev/null || { - ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n; +grep "RRSIG MX" signer/remove.db.signed >/dev/null || { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.pre$n } # re-generate signed zone without MX and AAAA records at apex. ( -cd signer || exit 1 -$SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n + cd signer || exit 1 + $SIGNER -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n ) -grep "RRSIG MX" signer/remove.db.signed > /dev/null && { - ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n; +grep "RRSIG MX" signer/remove.db.signed >/dev/null && { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.post$n } -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 ($n)" ret=0 # generate signed zone with MX and AAAA records at apex. ( -cd signer || exit 1 -echo > remove.db.signed -$SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n + cd signer || exit 1 + echo >remove.db.signed + $SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n ) -grep "RRSIG MX" signer/remove.db.signed > /dev/null || { - ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n; +grep "RRSIG MX" signer/remove.db.signed >/dev/null || { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.pre$n } # re-generate signed zone without MX and AAAA records at apex. ( -cd signer || exit 1 -$SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n + cd signer || exit 1 + $SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n ) -grep "RRSIG MX" signer/remove.db.signed > /dev/null && { - ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n; +grep "RRSIG MX" signer/remove.db.signed >/dev/null && { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.post$n } -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a named managed zone that was signed 'in-the-future' is re-signed when loaded ($n)" ret=0 -dig_with_opts managed-future.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts managed-future.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that trust-anchor-telemetry queries are logged ($n)" ret=0 -grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns6/named.run > /dev/null || ret=1 -n=$((n+1)) +grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns6/named.run >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that _ta-XXXX trust-anchor-telemetry queries are logged ($n)" ret=0 -grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run > /dev/null || ret=1 -n=$((n+1)) +grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that _ta-AAAA trust-anchor-telemetry are not sent when disabled ($n)" ret=0 -grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run > /dev/null && ret=1 -n=$((n+1)) +grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)" ret=0 -dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)" ret=0 -dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1 -grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1 +dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run >/dev/null || ret=1 +grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run >/dev/null && ret=1 stop_server ns1 || ret=1 -nextpart ns1/named.run > /dev/null +nextpart ns1/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns1 || ret=1 -n=$(($n+1)) +n=$(($n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "waiting for root server to finish reloading ($n)" ret=0 wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 -n=$(($n+1)) +n=$(($n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that the view is logged in messages from the validator when using views ($n)" ret=0 -grep "view rec: *validat" ns4/named.run > /dev/null || ret=1 -n=$((n+1)) +grep "view rec: *validat" ns4/named.run >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)" ret=0 -dig_with_opts txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "RRSIG.NSEC3 $DEFAULT_ALGORITHM_NUMBER 3 600" dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts txt dname-at-apex-nsec3.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "RRSIG.NSEC3 $DEFAULT_ALGORITHM_NUMBER 3 600" dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that DNSKEY and other occluded data are excluded from the delegating bitmap ($n)" ret=0 -dig_with_opts axfr occluded.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "^delegation.occluded.example..*NSEC.*NS KEY DS RRSIG NSEC$" dig.out.ns3.test$n > /dev/null || ret=1 -grep "^delegation.occluded.example..*DNSKEY.*" dig.out.ns3.test$n > /dev/null || ret=1 -grep "^delegation.occluded.example..*AAAA.*" dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts axfr occluded.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "^delegation.occluded.example..*NSEC.*NS KEY DS RRSIG NSEC$" dig.out.ns3.test$n >/dev/null || ret=1 +grep "^delegation.occluded.example..*DNSKEY.*" dig.out.ns3.test$n >/dev/null || ret=1 +grep "^delegation.occluded.example..*AAAA.*" dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking DNSSEC records are occluded from ANY in an insecure zone ($n)" ret=0 -dig_with_opts any x.insecure.example. @10.53.0.3 > dig.out.ns3.1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns3.1.test$n > /dev/null || ret=1 -dig_with_opts any zz.secure.example. @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.2.test$n > /dev/null || ret=1 +dig_with_opts any x.insecure.example. @10.53.0.3 >dig.out.ns3.1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns3.1.test$n >/dev/null || ret=1 +dig_with_opts any zz.secure.example. @10.53.0.3 >dig.out.ns3.2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.2.test$n >/dev/null || ret=1 # DNSKEY+RRSIG, NSEC+RRSIG -grep "ANSWER: 4," dig.out.ns3.2.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 4," dig.out.ns3.2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # DNSSEC tests related to unsupported, disabled and revoked trust anchors. @@ -3950,9 +3971,9 @@ grep -q "ignoring static-key for 'revoked\.trusted\.': bad key type" ns8/named.r grep -q "ignoring initial-key for 'disabled\.managed\.': algorithm is disabled" ns8/named.run || ret=1 grep -q "ignoring initial-key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run || ret=1 grep -q "ignoring initial-key for 'revoked\.managed\.': bad key type" ns8/named.run || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # The next two tests are fairly normal DNSSEC queries to signed zones with a # default algorithm. First, a query is made against the server that is @@ -3961,25 +3982,25 @@ status=$((status+ret)) # return an authentic data positive response. echo_i "checking that a trusted key using a supported algorithm validates as secure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.secure.trusted A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.secure.trusted A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.secure.trusted A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.secure.trusted A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a managed key using a supported algorithm validates as secure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.secure.managed A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.secure.managed A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.secure.managed A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.secure.managed A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # The next two queries ensure that a zone signed with a DNSKEY with an unsupported # algorithm will yield insecure positive responses. These trust anchors in ns8 are @@ -3987,25 +4008,25 @@ status=$((status+ret)) # in the response. echo_i "checking that a trusted key using an unsupported algorithm validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.unsupported.trusted A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.unsupported.trusted A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.unsupported.trusted A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.unsupported.trusted A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a managed key using an unsupported algorithm validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.unsupported.managed A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.unsupported.managed A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.unsupported.managed A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.unsupported.managed A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # The next two queries ensure that a zone signed with a DNSKEY that the nameserver # has a disabled algorithm match for will yield insecure positive responses. @@ -4013,25 +4034,25 @@ status=$((status+ret)) # The AD bit should not be set in the response. echo_i "checking that a trusted key using a disabled algorithm validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.disabled.trusted A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.disabled.trusted A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.disabled.trusted A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.disabled.trusted A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a managed key using a disabled algorithm validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.disabled.managed A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.disabled.managed A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.disabled.managed A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.disabled.managed A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # The next two queries ensure that a zone signed with a DNSKEY that the # nameserver has a disabled algorithm for, but for a different domain, will @@ -4041,50 +4062,50 @@ status=$((status+ret)) # bit set. echo_i "checking that a trusted key using an algorithm disabled for another domain validates as secure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.enabled.trusted A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.enabled.trusted A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.enabled.trusted A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.enabled.trusted A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a managed key using an algorithm disabled for another domain validates as secure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.enabled.managed A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.enabled.managed A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.enabled.managed A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.enabled.managed A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # A configured revoked trust anchor is ignored and thus the two queries below # should result in insecure responses, since no trust points for the # "revoked.trusted." and "revoked.managed." zones are created. echo_i "checking that a trusted key that is revoked validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.revoked.trusted A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.revoked.trusted A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.revoked.trusted A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.revoked.trusted A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a managed key that is revoked validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.revoked.managed A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.revoked.managed A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.revoked.managed A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.revoked.managed A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ### ### Additional checks for when the KSK is offline. @@ -4102,59 +4123,58 @@ echo_i "testing zone $zone KSK=$KSK_ID ZSK=$ZSK_ID" # Print IDs of keys used for generating RRSIG records for RRsets of type $1 # found in dig output file $2. get_keys_which_signed() { - qtype=$1 - output=$2 - # The key ID is the 11th column of the RRSIG record line. - awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print $11}' < "$output" + qtype=$1 + output=$2 + # The key ID is the 11th column of the RRSIG record line. + awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print $11}' <"$output" } # Basic checks to make sure everything is fine before the KSK is made offline. -for qtype in "DNSKEY" "CDNSKEY" "CDS" -do +for qtype in "DNSKEY" "CDNSKEY" "CDS"; do echo_i "checking $qtype RRset is signed with KSK only (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done echo_i "checking SOA RRset is signed with ZSK only (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 -dig_with_opts $SECTIONS @10.53.0.2 soa $zone > dig.out.test$n +dig_with_opts $SECTIONS @10.53.0.2 soa $zone >dig.out.test$n lines=$(get_keys_which_signed "SOA" dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -get_keys_which_signed "SOA" dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 -get_keys_which_signed "SOA" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null || ret=1 -n=$((n+1)) +get_keys_which_signed "SOA" dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 +get_keys_which_signed "SOA" dig.out.test$n | grep "^$ZSK_ID$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Roll the ZSK. zsk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone") -keyfile_to_key_id "$zsk2" > ns2/$zone.zsk.id2 +keyfile_to_key_id "$zsk2" >ns2/$zone.zsk.id2 ZSK_ID2=$(cat ns2/$zone.zsk.id2) echo_i "load new ZSK $ZSK_ID2 for $zone ($n)" ret=0 dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Make new ZSK active. echo_i "make ZSK $ZSK_ID inactive and make new ZSK $ZSK_ID2 active for zone $zone ($n)" ret=0 -$SETTIME -I now -K ns2 $ZSK > /dev/null -$SETTIME -A now -K ns2 $zsk2 > /dev/null +$SETTIME -I now -K ns2 $ZSK >/dev/null +$SETTIME -A now -K ns2 $zsk2 >/dev/null dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Remove the KSK from disk. echo_i "remove the KSK $KSK_ID for zone $zone from disk" @@ -4164,41 +4184,39 @@ mv ns2/$KSK.private ns2/$KSK.private.bak # Update the zone that requires a resign of the SOA RRset. echo_i "update the zone with $zone IN TXT nsupdate added me" ( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update add $zone. 300 in txt "nsupdate added me" -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update add $zone. 300 in txt "nsupdate added me" + echo send ) | $NSUPDATE # Redo the tests now that the zone is updated and the KSK is offline. -for qtype in "DNSKEY" "CDNSKEY" "CDS" -do +for qtype in "DNSKEY" "CDNSKEY" "CDS"; do echo_i "checking $qtype RRset is signed with KSK only, KSK offline (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done -for qtype in "SOA" "TXT" -do +for qtype in "SOA" "TXT"; do echo_i "checking $qtype RRset is signed with ZSK only, KSK offline (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null || ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done # Put back the KSK. @@ -4208,18 +4226,18 @@ mv ns2/$KSK.private.bak ns2/$KSK.private # Roll the ZSK again. zsk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone") -keyfile_to_key_id "$zsk3" > ns2/$zone.zsk.id3 +keyfile_to_key_id "$zsk3" >ns2/$zone.zsk.id3 ZSK_ID3=$(cat ns2/$zone.zsk.id3) # Schedule the new ZSK (ZSK3) to become active. echo_i "delete old ZSK $ZSK_ID schedule ZSK $ZSK_ID2 inactive and new ZSK $ZSK_ID3 active for zone $zone ($n)" -$SETTIME -D now -K ns2 $ZSK > /dev/null -$SETTIME -I +3600 -K ns2 $zsk2 > /dev/null -$SETTIME -A +3600 -K ns2 $zsk3 > /dev/null +$SETTIME -D now -K ns2 $ZSK >/dev/null +$SETTIME -I +3600 -K ns2 $zsk2 >/dev/null +$SETTIME -A +3600 -K ns2 $zsk3 >/dev/null dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Remove the KSK from disk. echo_i "remove the KSK $KSK_ID for zone $zone from disk" @@ -4229,110 +4247,106 @@ mv ns2/$KSK.private ns2/$KSK.private.bak # Update the zone that requires a resign of the SOA RRset. echo_i "update the zone with $zone IN TXT nsupdate added me again" ( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update add $zone. 300 in txt "nsupdate added me again" -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update add $zone. 300 in txt "nsupdate added me again" + echo send ) | $NSUPDATE # Redo the tests now that the ZSK roll has deleted the old key. -for qtype in "DNSKEY" "CDNSKEY" "CDS" -do +for qtype in "DNSKEY" "CDNSKEY" "CDS"; do echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done -for qtype in "SOA" "TXT" -do +for qtype in "SOA" "TXT"; do echo_i "checking $qtype RRset is signed with ZSK only, old ZSK deleted (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done # Make the new ZSK (ZSK3) active. echo_i "make new ZSK $ZSK_ID3 active for zone $zone ($n)" -$SETTIME -I +1 -K ns2 $zsk2 > /dev/null -$SETTIME -A +1 -K ns2 $zsk3 > /dev/null +$SETTIME -I +1 -K ns2 $zsk2 >/dev/null +$SETTIME -A +1 -K ns2 $zsk3 >/dev/null dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Wait for newest ZSK to become active. echo_i "wait until new ZSK $ZSK_ID3 active and ZSK $ZSK_ID2 inactive" for i in 1 2 3 4 5 6 7 8 9 10; do - ret=0 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID3 (ZSK) is now active" ns2/named.run > /dev/null || ret=1 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID2 (ZSK) is now inactive" ns2/named.run > /dev/null || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 + ret=0 + grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID3 (ZSK) is now active" ns2/named.run >/dev/null || ret=1 + grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID2 (ZSK) is now inactive" ns2/named.run >/dev/null || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Update the zone that requires a resign of the SOA RRset. echo_i "update the zone with $zone IN TXT nsupdate added me one more time" ( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update add $zone. 300 in txt "nsupdate added me one more time" -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update add $zone. 300 in txt "nsupdate added me one more time" + echo send ) | $NSUPDATE -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Redo the tests one more time. -for qtype in "DNSKEY" "CDNSKEY" "CDS" -do +for qtype in "DNSKEY" "CDNSKEY" "CDS"; do echo_i "checking $qtype RRset is signed with KSK only, new ZSK active (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done -for qtype in "SOA" "TXT" -do +for qtype in "SOA" "TXT"; do echo_i "checking $qtype RRset is signed with ZSK only, new ZSK active (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null || ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null || ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done echo_i "checking secroots output with multiple views ($n)" @@ -4340,89 +4354,89 @@ ret=0 rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i cp ns4/named.secroots named.secroots.test$n check_secroots_layout named.secroots.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking sig-validity-interval second field hours vs days ($n)" ret=0 # zone configured with 'sig-validity-interval 500 499;' # 499 days in the future w/ a 20 minute runtime to now allowance min=$(TZ=UTC $PERL -e '@lt=localtime(time() + 499*3600*24 - 20*60); printf "%.4d%0.2d%0.2d%0.2d%0.2d%0.2d\n",$lt[5]+1900,$lt[4]+1,$lt[3],$lt[2],$lt[1],$lt[0];') -dig_with_opts @10.53.0.2 hours-vs-days AXFR > dig.out.ns2.test$n +dig_with_opts @10.53.0.2 hours-vs-days AXFR >dig.out.ns2.test$n awk -v min=$min '$4 == "RRSIG" { if ($9 < min) { exit(1); } }' dig.out.ns2.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking validation succeeds during transition to signed ($n)" ret=0 -dig_with_opts @10.53.0.4 inprogress A > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.4 inprogress A >dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 grep 'A.10\.53\.0\.10' dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking excessive NSEC3 iteration warnings in named.run ($n)" ret=0 grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns2/named.run >/dev/null 2>&1 || ret=1 grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns3/named.run >/dev/null 2>&1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check that the validating resolver will fallback to insecure if the answer # contains NSEC3 records with high iteration count. echo_i "checking fallback to insecure when NSEC3 iterations is too high (nxdomain) ($n)" ret=0 -dig_with_opts @10.53.0.2 does-not-exist.too-many-iterations > dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 does-not-exist.too-many-iterations > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.2 does-not-exist.too-many-iterations >dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 does-not-exist.too-many-iterations >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 6" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 0, AUTHORITY: 6" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking fallback to insecure when NSEC3 iterations is too high (nodata) ($n)" ret=0 -dig_with_opts @10.53.0.2 a.too-many-iterations txt > dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 a.too-many-iterations txt > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.2 a.too-many-iterations txt >dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 a.too-many-iterations txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 0, AUTHORITY: 4" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard) ($n)" ret=0 -dig_with_opts @10.53.0.2 wild.a.too-many-iterations > dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 wild.a.too-many-iterations > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.2 wild.a.too-many-iterations >dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 wild.a.too-many-iterations >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 grep 'wild\.a\.too-many-iterations\..*A.10\.0\.0\.3' dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 2, AUTHORITY: 4" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 2, AUTHORITY: 4" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard nodata) ($n)" ret=0 -dig_with_opts @10.53.0.2 type100 wild.a.too-many-iterations > dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 type100 wild.a.too-many-iterations > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.2 type100 wild.a.too-many-iterations >dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 type100 wild.a.too-many-iterations >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check that a query against a validating resolver succeeds when there is # a negative cache entry with trust level "pending" for the DS. Prime @@ -4430,17 +4444,17 @@ status=$((status+ret)) # query that uses that entry as part of the validation process. [GL #3279] echo_i "check that pending negative DS cache entry validates ($n)" ret=0 -dig_with_opts @10.53.0.4 +cd insecure2.example. ds > dig.out.prime.ns4.test$n || ret=1 +dig_with_opts @10.53.0.4 +cd insecure2.example. ds >dig.out.prime.ns4.test$n || ret=1 grep "flags: qr rd ra cd;" dig.out.prime.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4, " dig.out.prime.ns4.test$n > /dev/null || ret=1 -dig_with_opts @10.53.0.4 a.insecure2.example. a > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 1, AUTHORITY: 1, " dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.prime.ns4.test$n >/dev/null || ret=1 +dig_with_opts @10.53.0.4 a.insecure2.example. a >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 1, " dig.out.ns4.test$n >/dev/null || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 -- cgit v1.2.3