45c5f403619029a363cf089e0a4b1bb44425dd84Tinderbox User# Copyright (C) 2009-2017 Internet Systems Consortium, Inc. ("ISC")
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews# This Source Code Form is subject to the terms of the Mozilla Public
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews# License, v. 2.0. If a copy of the MPL was not distributed with this
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Options shared by every dig invocation in this test.  +dnssec asks for
# RRSIG/NSEC/NSEC3 data (and is what makes the later "flags: ... ad" checks
# meaningful); -p 5300 is the port the test-harness name servers listen on.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan HuntDIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Hunt# convert private-type records to readable form
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Hunt $DIG $DIGOPTS +nodnssec +short @$2 -t type65534 $1 | cut -f3 -d' ' |
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Hunt while read record; do
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Hunt die "invalid record" unless length($rdata) == 5;
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Hunt my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Hunt my $action = "signing";
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Hunt $action = "removing" if $remove;
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Hunt my $state = " (incomplete)";
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Hunt $state = " (complete)" if $complete;
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Hunt print ("$action: alg: $alg, key: $key$state\n");' $record
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Hunt# check that signing records are marked as complete
d1e22676de16e6dee54c58b27cca11c5fb8f1ff5Mark Andrews echo $x | grep incomplete > /dev/null && _ret=1
d1e22676de16e6dee54c58b27cca11c5fb8f1ff5Mark Andrews if [ $_ret = $expected ]; then
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews# The NSEC record at the apex of the zone and its RRSIG records are
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews# added as part of the last step in signing a zone. We wait for the
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews# NSEC records to appear before proceeding, using a counter to prevent
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews# infinite loops if there is an error.
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrewsecho "I:waiting for autosign changes to take effect"
ba88bcf08b965f65c07735efa2f675b8cbeb735aMark Andrews # Wait for the root DNSKEY RRset to be fully signed.
ba88bcf08b965f65c07735efa2f675b8cbeb735aMark Andrews $DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
ba88bcf08b965f65c07735efa2f675b8cbeb735aMark Andrews grep "ANSWER: 10," dig.out.ns1.test$n > /dev/null || ret=1
ba88bcf08b965f65c07735efa2f675b8cbeb735aMark Andrews $DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1
ba88bcf08b965f65c07735efa2f675b8cbeb735aMark Andrews grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1
ba88bcf08b965f65c07735efa2f675b8cbeb735aMark Andrews $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews for z in bar. example. inacksk2.example. inacksk3.example \
ba88bcf08b965f65c07735efa2f675b8cbeb735aMark Andrews $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews echo "I:waiting ... ($i)"
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrewsif [ $ret != 0 ]; then echo "I:failed"; else echo "I:done"; fi
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews# Check that DNSKEY is initially signed with a KSK and not a ZSK.
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewsecho "I:check that zone with active and inactive KSK and active ZSK is properly"
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewsecho "I: resigned after the active KSK is deleted - stage 1: Verify that DNSKEY"
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewsecho "I: is initially signed with a KSK and not a ZSK. ($n)"
# Transfer the whole zone so the DNSKEY RRset and all of its RRSIGs end up
# in a single file that the checks below can grep.
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
# Key tag of the ZSK: select DNSKEY records with flags 256 (zone key without
# the SEP bit) and run them through dsfromkey; -A is needed because dsfromkey
# only converts KSKs by default.  Field 4 of a DS record is the key tag.
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewszskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' `
# There must be an RRSIG covering DNSKEY (algorithm 7, 2 labels) ...
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewsgrep "DNSKEY 7 2 " dig.out.ns3.test$n > /dev/null || ret=1
# ... but none of those RRSIGs may carry the ZSK's key tag.  This is looking
# for absence, hence the && (a match is a failure).
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewspattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewsgrep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews $4 == "RRSIG" && $5 == "DNSKEY" { count++ }
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews $4 == "DNSKEY" { count++ }
# awk program printing the key tag (field 11 of an RRSIG line) of every RRSIG
# covering DNSKEY, zero-padded to five digits so it matches the K* key file
# names.  $id used below is presumably derived from it on a line not shown.
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewsawk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }'
# Schedule the key currently signing DNSKEY (the KSK, per the check above)
# for deletion in a few seconds, then tell ns3 to re-read its key files.
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews$SETTIME -D now+5 ns3/Kinacksk3.example.+007+${id}
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys inacksk3.example
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrews# Check that zone is initially signed with a ZSK and not a KSK.
e5f0db473410df1b5508e74984ee5ecf573683e3Curtis Blackburnecho "I:check that zone with active and inactive ZSK and active KSK is properly"
e5f0db473410df1b5508e74984ee5ecf573683e3Curtis Blackburnecho "I: resigned after the active ZSK is deleted - stage 1: Verify that zone"
e5f0db473410df1b5508e74984ee5ecf573683e3Curtis Blackburnecho "I: is initially signed with a ZSK and not a KSK. ($n)"
# Full zone transfer so zone data, DNSKEYs and RRSIGs are in one file.
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrews$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
# Key tag of the KSK: DNSKEY records with flags 257 (zone key + SEP bit),
# converted with dsfromkey (no -A needed for a KSK); DS field 4 is the tag.
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrewskskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrews $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' `
# Zone data (here the RRSIG covering CNAME, algorithm 7, 3 labels) must be
# signed ...
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrewsgrep "CNAME 7 3 " dig.out.ns3.test$n > /dev/null || ret=1
# ... but not by the KSK: a match on the KSK's key tag is a failure (&&).
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrewsgrep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrews $4 == "RRSIG" && $5 == "CNAME" { count++ }
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrews $4 == "DNSKEY" { count++ }
# Key tag (RRSIG field 11) of the key signing the CNAME, i.e. the active ZSK,
# zero-padded to five digits to form the K* key file name.
15057131d5f815e8b6b2b9a58961d6707e317440Mark Andrewsid=`awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n`
# Schedule that ZSK for deletion shortly and make ns3 reload its keys, so
# the later stages can verify the zone is re-signed with the remaining key.
15057131d5f815e8b6b2b9a58961d6707e317440Mark Andrews$SETTIME -D now+5 ns3/Kinaczsk3.example.+007+${id}
15057131d5f815e8b6b2b9a58961d6707e317440Mark Andrews$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys inaczsk3.example
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:checking NSEC->NSEC3 conversion prerequisites ($n)"
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt# these commands should result in an empty file:
# +noall +answer leaves only answer-section records, so any NSEC3PARAM line
# means the zone is already NSEC3 and the conversion test would be moot
# (looking for absence, hence the &&).
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Huntgrep "NSEC3PARAM" dig.out.ns3.1.test$n > /dev/null && ret=1
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Huntgrep "NSEC3PARAM" dig.out.ns3.2.test$n > /dev/null && ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:checking NSEC3->NSEC conversion prerequisites ($n)"
# The reverse direction requires the zone to start out as NSEC3, so here an
# NSEC3PARAM record must be present.
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntgrep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:converting zones from nsec to nsec3"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntserver 10.53.0.3 5300
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntzone nsec3.nsec3.example.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntupdate add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntzone optout.nsec3.example.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntupdate add optout.nsec3.example. 3600 NSEC3PARAM 1 1 10 BEEF
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntzone nsec3.example.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntupdate add nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Huntzone autonsec3.example.
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Huntupdate add autonsec3.example. 3600 NSEC3PARAM 1 0 20 DEAF
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntzone nsec3.optout.example.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntupdate add nsec3.optout.example. 3600 NSEC3PARAM 1 0 10 BEEF
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntzone optout.optout.example.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntupdate add optout.optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntzone optout.example.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntupdate add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt# try to convert nsec.example; this should fail because the zone's key is NSEC-only (not NSEC3-capable)
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Huntecho "I:preset nsec3param in unsigned zone via nsupdate ($n)"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntserver 10.53.0.3 5300
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntzone nsec.example.
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntupdate add nsec.example. 3600 NSEC3PARAM 1 0 10 BEEF
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Huntecho "I:checking for nsec3param in unsigned zone ($n)"
# The zone is still unsigned, so the NSEC3PARAM added via nsupdate above must
# not be published in the zone yet; it is expected to be held as a pending
# signing record instead (checked next).  A match here is a failure (&&).
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Huntgrep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Huntecho "I:checking for nsec3param signing record ($n)"
# 'rndc signing -list' reports the queued chain; its parameters must be the
# ones preset through nsupdate (hash 1, flags 0, 20 iterations, salt DEAF).
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list autonsec3.example. > signing.out.test$n 2>&1
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Huntgrep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n > /dev/null || ret=1
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Huntecho "I:resetting nsec3param via rndc signing ($n)"
# Drop every pending signing record, then queue a different chain: flags 1
# (opt-out), 10 iterations, salt BEEF.
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all autonsec3.example. > /dev/null 2>&1
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1
7829fad4093f2c1985b1efb7cea00287ff015d2bckb $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list autonsec3.example. > signing.out.test$n 2>&1
7829fad4093f2c1985b1efb7cea00287ff015d2bckb grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n > /dev/null || ret=1
7829fad4093f2c1985b1efb7cea00287ff015d2bckb echo "I:waiting ... ($i)"
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Huntecho "I:signing preset nsec3 zone"
# Publish (-P) and activate (-A) the ZSK and KSK immediately; $zsk and $ksk
# are set on lines not shown here.  loadkeys then makes ns3 pick them up and
# start signing with the NSEC3 parameters queued above.
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt$SETTIME -K ns3 -P now -A now $zsk > /dev/null 2>&1
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt$SETTIME -K ns3 -P now -A now $ksk > /dev/null 2>&1
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys autonsec3.example. 2>&1 | sed 's/^/I:ns3 /'
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:waiting for changes to take effect"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:converting zone from nsec3 to nsec"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntserver 10.53.0.3 5300
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntzone nsec3-to-nsec.example.
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntupdate delete nsec3-to-nsec.example. NSEC3PARAM
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:waiting for change to take effect"
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Huntecho "I:checking that expired RRSIGs from missing key are not deleted ($n)"
# Key tag of the missing ZSK, taken from the key name in missingzsk.key: the
# "K<zone>.+007+" prefix and any leading zeros are stripped so the value
# compares equal to the unpadded tag awk sees in $12 and to the tag printed
# in the named.run log line grepped below.  The awk input (lines not shown)
# appears to be a journal/diff listing whose deletions start with "del".
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Huntmissing=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < missingzsk.key`
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Hunt awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$missing || ret=1
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Huntecho "I:checking that expired RRSIGs from inactive key are not deleted ($n)"
# Same check for a key that is still present but inactive.
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Huntinactive=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < inactivezsk.key`
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Hunt awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$inactive || ret=1
d1e22676de16e6dee54c58b27cca11c5fb8f1ff5Mark Andrewsecho "I:checking that non-replaceable RRSIGs are logged only once (missing private key) ($n)"
# Count the "retaining signatures" log lines for this key; the comparison
# against the expected count is on a line not shown here.
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Huntloglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l`
d1e22676de16e6dee54c58b27cca11c5fb8f1ff5Mark Andrewsecho "I:checking that non-replaceable RRSIGs are logged only once (inactive private key) ($n)"
d1e22676de16e6dee54c58b27cca11c5fb8f1ff5Mark Andrewsloglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run | wc -l`
36b2d5f93c22b096c0417495f27ae0bdebf06ae1Evan Hunt# Send an "rndc sync" command to ns1, ns2 and ns3 to force the dynamically
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# signed zones to be dumped to their zone files.  stderr is merged and every
# line is prefixed with the server name so harness output stays attributable.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:dumping zone files"
36b2d5f93c22b096c0417495f27ae0bdebf06ae1Evan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 sync 2>&1 | sed 's/^/I:ns1 /'
36b2d5f93c22b096c0417495f27ae0bdebf06ae1Evan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 sync 2>&1 | sed 's/^/I:ns2 /'
36b2d5f93c22b096c0417495f27ae0bdebf06ae1Evan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sync 2>&1 | sed 's/^/I:ns3 /'
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:checking expired signatures were updated ($n)"
3ff483ed84344e81ad2fc79faf6f036c18fbab05Mark Andrews $DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
3ff483ed84344e81ad2fc79faf6f036c18fbab05Mark Andrews $DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
3ff483ed84344e81ad2fc79faf6f036c18fbab05Mark Andrews $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n > digcomp.out.test$n || ret=1
3ff483ed84344e81ad2fc79faf6f036c18fbab05Mark Andrews grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
3ff483ed84344e81ad2fc79faf6f036c18fbab05Mark Andrewsif [ $ret != 0 ]; then cat digcomp.out.test$n; echo "I:failed"; fi
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:checking NSEC->NSEC3 conversion succeeded ($n)"
# The NSEC3PARAM query itself must succeed (NOERROR) now that the conversion
# queued via nsupdate has been applied.
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntgrep "status: NOERROR" dig.out.ns3.ok.test$n > /dev/null || ret=1
# Pattern used throughout: query the same name on ns3 (serves the zone) and
# ns4 (presumably a validating resolver), compare the two answers with
# digcomp.pl, and require ns4 to set the AD (authenticated data) flag.  For a
# nonexistent name the NSEC3 denial must validate and yield NXDOMAIN.
# NOTE(review): "ad" is matched as a bare substring of the flags line; this
# works because no other flag dig prints contains "ad", but a word-bounded
# match would be stricter.
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Huntecho "I:checking direct NSEC3 autosigning succeeded ($n)"
# The zone that was preset with NSEC3PARAM while unsigned must now publish it
# and serve validatable NSEC3 denials.
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Huntgrep "NSEC3PARAM" dig.out.ns3.ok.test$n > /dev/null || ret=1
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Huntgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
# nsupdate.out holds the result of the nsec.example update sent earlier; the
# server must have refused to add NSEC3PARAM to a zone keyed with an
# NSEC-only algorithm rather than silently producing an unvalidatable zone.
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntgrep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:checking NSEC3->NSEC conversion succeeded ($n)"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt# this command should result in an empty file:
# After deleting NSEC3PARAM via nsupdate the record must be gone (a match is
# a failure, hence &&) and NSEC-based denial must still validate.
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntgrep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Huntecho "I:checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)"
# Same conversion, this time triggered through rndc instead of a dynamic
# update; the expected outcome is identical to the nsupdate path above.
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param none autonsec3.example. > /dev/null 2>&1
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt# this command should result in an empty file:
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Huntgrep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Huntgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Huntecho "I:checking TTLs of imported DNSKEYs (no default) ($n)"
# For each ttlN zone, every DNSKEY in the answer section must carry the
# expected TTL: awk exits non-zero (and reports the offending value) if any
# record's TTL field ($2) differs.
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Huntawk 'BEGIN {r=0} $2 != 300 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Huntecho "I:checking TTLs of imported DNSKEYs (with default) ($n)"
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Huntawk 'BEGIN {r=0} $2 != 60 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Huntecho "I:checking TTLs of imported DNSKEYs (mismatched) ($n)"
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Huntawk 'BEGIN {r=0} $2 != 30 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Huntecho "I:checking TTLs of imported DNSKEYs (existing RRset) ($n)"
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Huntawk 'BEGIN {r=0} $2 != 30 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking positive validation NSEC ($n)"
# Positive answers: ns2 and ns4 must agree on the answer and ns4 must mark it
# authenticated (AD flag).
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking positive validation NSEC3 ($n)"
# The dig queries that produce dig.out.ns3/ns4 for the NSEC3 and OPTOUT cases
# are on lines not shown here; only the comparison and AD check are visible.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking positive validation OPTOUT ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking negative validation NXDOMAIN NSEC ($n)"
# Negative answers (name does not exist): the denial must validate, so ns4
# returns NXDOMAIN with AD set.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking negative validation NXDOMAIN NSEC3 ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking negative validation NXDOMAIN OPTOUT ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# Note - this is looking for failure, hence the &&
# An NXDOMAIN proven by an opt-out NSEC3 span cannot be validated as secure
# (the name could be an unsigned delegation), so the resolver must answer
# without AD; seeing AD here is the failure.  Presumed from the opt-out
# semantics — confirm against the opt-out zone's configuration.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking negative validation NODATA NSEC ($n)"
# NODATA (name exists, type does not): NOERROR with an empty answer section,
# still validated (AD).
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking negative validation NODATA NSEC3 ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking negative validation NODATA OPTOUT ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# Check the insecure.example domain
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking 1-server insecurity proof NSEC ($n)"
# insecure.example is an unsigned delegation: the resolver must prove the
# absence of a DS record and then accept the answer as insecure (NOERROR),
# but must NOT claim it was authenticated, so AD has to be absent.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# Note - this is looking for failure, hence the &&
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking 1-server negative insecurity proof NSEC ($n)"
# Same for a nonexistent name below the insecure delegation: NXDOMAIN, no AD.
# (The dig queries feeding dig.out.ns3/ns4 here are on lines not shown.)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# Note - this is looking for failure, hence the &&
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# Check the secure.example domain
# Multi-stage validation: every combination of parent/child denial style
# (NSEC, NSEC3, OPTOUT) must yield a NOERROR answer with AD set.  As above,
# the dig queries for each case are on lines not shown; only the comparison
# and flag checks are visible here.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking multi-stage positive validation NSEC/NSEC ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking multi-stage positive validation NSEC/NSEC3 ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking multi-stage positive validation NSEC/OPTOUT ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking multi-stage positive validation NSEC3/NSEC ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking multi-stage positive validation NSEC3/NSEC3 ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking multi-stage positive validation NSEC3/OPTOUT ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking multi-stage positive validation OPTOUT/NSEC ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking empty NODATA OPTOUT ($n)"
# Only the status is asserted here; the AD check on the next line is
# deliberately commented out, so this case does not verify that the empty
# NODATA answer was validated.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# Check the insecure.secure.example domain (insecurity proof)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking 2-server insecurity proof ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# Note - this is looking for failure, hence the &&
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# Check a negative response in insecure.secure.example
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking 2-server insecurity proof with a negative answer ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# Note - this is looking for failure, hence the &&
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking security root query ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking positive validation RSASHA256 NSEC ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking positive validation RSASHA512 NSEC ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking that positive validation in a privately secure zone works ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# Note - this is looking for failure, hence the &&
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking that negative validation in a privately secure zone works ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# Note - this is looking for failure, hence the &&
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking privately secure to nxdomain works ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# Note - this is looking for failure, hence the &&
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# Try validating with a revoked trusted key.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# Validation should fail, so the answer comes back without the AD flag.
44f175a90a855326725439b2f1178f0dcca8f67dMark Andrewsecho "I:checking that validation returns insecure due to revoked trusted key ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
44f175a90a855326725439b2f1178f0dcca8f67dMark Andrewsgrep "flags:.*; QUERY" dig.out.ns5.test$n > /dev/null || ret=1
44f175a90a855326725439b2f1178f0dcca8f67dMark Andrewsgrep "flags:.* ad.*; QUERY" dig.out.ns5.test$n > /dev/null && ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking that revoked key is present ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking that revoked key self-signs ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking for unpublished key ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
79d27f505a67ee1fb5cf104cbe7b1ead67d252b4Mukund Sivaramanecho "I:checking for activated but unpublished key ($n)"
79d27f505a67ee1fb5cf104cbe7b1ead67d252b4Mukund Sivaramanid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < activate-now-publish-1day.key`
79d27f505a67ee1fb5cf104cbe7b1ead67d252b4Mukund Sivaraman$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
79d27f505a67ee1fb5cf104cbe7b1ead67d252b4Mukund Sivaramangrep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking that standby key does not sign records ($n)"
acf34e66a8e82975a6cd64ef680fbc9d83944023Mark Andrewsid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking that deactivated key does not sign records ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:checking insertion of public-only key ($n)"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntserver 10.53.0.1 5300
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntupdate add $keydata
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntgrep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntecho "I:checking key deletion ($n)"
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntgrep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrewsecho "I:checking secure-to-insecure transition, nsupdate ($n)"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntserver 10.53.0.3 5300
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntzone secure-to-insecure.example
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntupdate delete secure-to-insecure.example dnskey
7829fad4093f2c1985b1efb7cea00287ff015d2bckb $DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
7829fad4093f2c1985b1efb7cea00287ff015d2bckb egrep '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
7829fad4093f2c1985b1efb7cea00287ff015d2bckb echo "I:waiting ... ($i)"
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrewsecho "I:checking secure-to-insecure transition, scheduled ($n)"
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sign secure-to-insecure2.example. 2>&1 | sed 's/^/I:ns3 /'
7829fad4093f2c1985b1efb7cea00287ff015d2bckb $DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
7829fad4093f2c1985b1efb7cea00287ff015d2bckb egrep '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1
7829fad4093f2c1985b1efb7cea00287ff015d2bckb echo "I:waiting ... ($i)"
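# rt21045 regression check: after a new key is pre-published and the zone
# is re-signed, both the SOA serial and the RRSIG inception times must move.
echo "I:checking that serial number and RRSIGs are both updated (rt21045) ($n)"
# The +short output mixes the SOA RDATA line with its RRSIG lines; the SOA
# serial is the third field of the line that does not start with "SOA" ...
oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
# ... and the inception time is the sixth field of each RRSIG line
# (deduplicated, since several signatures may share an inception).
oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
# Pre-publish a new NSEC3-capable key in ns3's key directory: published now
# (-P 0), activated in 6 days (-A), inactive after 38 (-I), deleted after 45 (-D).
$KEYGEN -3 -q -r $RANDFILE -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
# 10.53.0.3 is ns3, so its rndc output is labelled "I:ns3", not "I:ns1".
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sign prepub.example 2>&1 | sed 's/^/I:ns3 /'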
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt newserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 |
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Huntnewinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt#echo "$oldserial : $newserial"
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt#echo "$oldinception : $newinception"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:preparing to test key change corner cases"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:removing a private key file"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:preparing ZSK roll"
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Huntoldid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < active.key`
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Huntnewid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
fe8572e1165ff5383dab9758b7507dab8d8095f3Mark Andrews$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > /dev/null
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews$SETTIME -K ns1 -i 0 -S $oldfile $newfile > /dev/null
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt# note previous zone serial number
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Huntoldserial=`$DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}'`
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . 2>&1 | sed 's/^/I:ns1 /'
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:revoking key to duplicated key ID"
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews$SETTIME -R now -K ns2 Kbar.+005+30676.key > /dev/null
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 loadkeys bar. 2>&1 | sed 's/^/I:ns2 /'
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:waiting for changes to take effect"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:checking former standby key is now active ($n)"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntgrep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrewsecho "I:checking former standby key has only signed incrementally ($n)"
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrewsgrep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrewsgrep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Huntecho "I:checking that signing records have been marked as complete ($n)"
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Huntcheckprivate private.secure.example 10.53.0.3 || ret=1
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Huntcheckprivate nsec3.nsec3.example 10.53.0.3 || ret=1
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Huntcheckprivate nsec3.optout.example 10.53.0.3 || ret=1
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Huntcheckprivate nsec3-to-nsec.example 10.53.0.3 || ret=1
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Huntcheckprivate optout.nsec3.example 10.53.0.3 || ret=1
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Huntcheckprivate optout.optout.example 10.53.0.3 || ret=1
d1e22676de16e6dee54c58b27cca11c5fb8f1ff5Mark Andrewscheckprivate prepub.example 10.53.0.3 1 || ret=1
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Huntcheckprivate secure.nsec3.example 10.53.0.3 || ret=1
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Huntcheckprivate secure.optout.example 10.53.0.3 || ret=1
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Huntcheckprivate secure-to-insecure2.example 10.53.0.3 || ret=1
0245f7725c40fd29637fbc83ee25bd84be25bfd2Evan Huntcheckprivate secure-to-insecure.example 10.53.0.3 || ret=1
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrewsecho "I:forcing full sign"
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 sign . 2>&1 | sed 's/^/I:ns1 /'
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrewsecho "I:waiting for change to take effect"
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrewsecho "I:checking former standby key has now signed fully ($n)"
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrewsgrep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Huntecho "I:checking SOA serial number has been incremented ($n)"
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Huntnewserial=`$DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}'`
319b8a14881a95996af3a9ba4a20f144eb766b31Evan Huntecho "I:checking delayed key publication/activation ($n)"
319b8a14881a95996af3a9ba4a20f144eb766b31Evan Hunt# publication and activation times should be unset
319b8a14881a95996af3a9ba4a20f144eb766b31Evan Hunt$SETTIME -K ns3 -pA -pP $zsk | grep -v UNSET > /dev/null 2>&1 && ret=1
319b8a14881a95996af3a9ba4a20f144eb766b31Evan Hunt$SETTIME -K ns3 -pA -pP $ksk | grep -v UNSET > /dev/null 2>&1 && ret=1
319b8a14881a95996af3a9ba4a20f144eb766b31Evan Hunt$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
319b8a14881a95996af3a9ba4a20f144eb766b31Evan Hunt# DNSKEY not expected:
319b8a14881a95996af3a9ba4a20f144eb766b31Evan Huntawk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
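echo "I:checking scheduled key publication, not activation ($n)"
# Schedule publication of both keys 3 seconds from now with no activation
# time: the DNSKEYs must appear in the zone, but nothing must be signed yet.
$SETTIME -K ns3 -P now+3s -A none $zsk > /dev/null 2>&1
$SETTIME -K ns3 -P now+3s -A none $ksk > /dev/null 2>&1
# 10.53.0.3 is ns3; label its rndc output accordingly (was mislabelled "ns2").
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys delay.example. 2>&1 | sed 's/^/I:ns3 /'
echo "I:waiting for changes to take effect"
$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
# The awk filters below exit 0 only if a record of the named type is present,
# so "|| ret=1" means the type is expected and "&& ret=1" means it must be absent.
# DNSKEY expected:
awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || ret=1
# RRSIG not expected:
awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
echo "I:checking scheduled key activation ($n)"
# Same server as above: 10.53.0.3 is ns3.
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys delay.example. 2>&1 | sed 's/^/I:ns3 /'
echo "I:waiting for changes to take effect"
$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
# DNSKEY expected:
awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.1.test$n || ret=1
# RRSIG expected:
awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.1.test$n || ret=1
# Once activated, ordinary zone data must be signed too, not only the DNSKEY RRset.
$DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
# A expected:
awk 'BEGIN {r=1} $4=="A" {r=0} END {exit r}' dig.out.ns3.2.test$n || ret=1
# RRSIG expected:
awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.2.test$n || ret=1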
ae0691566a4e99ed72cb00ff78fd6418673fbf84Mark Andrewsecho "I:checking former active key was removed ($n)"
fe8572e1165ff5383dab9758b7507dab8d8095f3Mark Andrews# Work out how long we need to sleep. Allow 4 seconds for the records
fe8572e1165ff5383dab9758b7507dab8d8095f3Mark Andrews# to be removed.
ae0691566a4e99ed72cb00ff78fd6418673fbf84Mark Andrews*) echo "I:waiting for timer to have activated"; sleep $sleep;;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
374b677c50f2a053bf23d2a5d40b58d78fbd32ebMark Andrewsgrep '; key id = '"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:checking private key file removal caused no immediate harm ($n)"
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Huntid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < vanishing.key`
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntgrep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntecho "I:checking revoked key with duplicate key ID (failure expected) ($n)"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || lret=1
374b677c50f2a053bf23d2a5d40b58d78fbd32ebMark Andrewsgrep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null || lret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || lret=1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || lret=1
624664e50406f63108ddc7bad47dbac87ac74261Francis Dupontif [ $lret != 0 ]; then echo "I:not yet implemented"; fi
39f2d1a96a7c7494b1db0ea0f45e063a6a5ef9bbEvan Huntecho "I:checking key event timers are always set ($n)"
39f2d1a96a7c7494b1db0ea0f45e063a6a5ef9bbEvan Hunt# this is a regression test for a bug in which the next key event could
39f2d1a96a7c7494b1db0ea0f45e063a6a5ef9bbEvan Hunt# be scheduled for the present moment, and then never fire. check for
39f2d1a96a7c7494b1db0ea0f45e063a6a5ef9bbEvan Hunt# visible evidence of this error in the logs:
39f2d1a96a7c7494b1db0ea0f45e063a6a5ef9bbEvan Huntawk '/next key event/ {if ($1 == $8 && $2 == $9) exit 1}' */named.run || ret=1
39f2d1a96a7c7494b1db0ea0f45e063a6a5ef9bbEvan Hunt# this confirms that key events are never scheduled more than
39f2d1a96a7c7494b1db0ea0f45e063a6a5ef9bbEvan Hunt# 'dnssec-loadkeys-interval' minutes in the future, and that the
6c1a7787234dd35d804825dbf9277435788a3271Mark Andrews# scheduled event is within 10 seconds of the expected interval.
39f2d1a96a7c7494b1db0ea0f45e063a6a5ef9bbEvan Hunt awk '/next key event/ {print $2 ":" $9}' $1/named.run |
bbf46f1aa21fb07e6a0aa0bc2cb1102e022c0ebfMark Andrews x = ($6+ $5*60000 + $4*3600000) - ($3+ $2*60000 + $1*3600000);
281a31ad37c2cbe20be2d5c2c718a2d40d197221Mark Andrews if (x < 1000 && x > -1000)
f1d4986b832124b63905e2d5ca401d1d0498c9b8Mark Andrews # convert to seconds
f1d4986b832124b63905e2d5ca401d1d0498c9b8Mark Andrews # handle end of day roll over
07907fa31a15480e918df1b93c0bca0e3ad8b5b5Mark Andrews x = x + 24*3600;
f1d4986b832124b63905e2d5ca401d1d0498c9b8Mark Andrews # handle log timestamp being a few milliseconds later
39f2d1a96a7c7494b1db0ea0f45e063a6a5ef9bbEvan Hunt if (x != int(x))
39f2d1a96a7c7494b1db0ea0f45e063a6a5ef9bbEvan Hunt x = int(x + 1);
65043f48f26fcf8359a6b83250c476fb99eea299Mark Andrews if (int(x) > int(interval))
91013b0e1955471a02654ff3d0eebca00c77cc4bMark Andrews END { if (int(x) > int(interval) || int(x) < int(interval-10)) exit(1) }' interval=$2
39f2d1a96a7c7494b1db0ea0f45e063a6a5ef9bbEvan Huntecho "I:checking automatic key reloading interval ($n)"
5e3affc6a0b155ee1cadac735c1a71f4d418ad69Evan Huntecho "I:checking for key reloading loops ($n)"
5e3affc6a0b155ee1cadac735c1a71f4d418ad69Evan Hunt# every key event should schedule a successor, so these should be equal
5e3affc6a0b155ee1cadac735c1a71f4d418ad69Evan Huntrekey_calls=`grep "reconfiguring zone keys" ns*/named.run | wc -l`
5e3affc6a0b155ee1cadac735c1a71f4d418ad69Evan Huntrekey_events=`grep "next key event" ns*/named.run | wc -l`
9892bae7b760071b37881d4dc888ea4b4320a851Mark Andrewsecho "I:forcing full sign with unreadable keys ($n)"
92a83eeb2dfbc57e7664211105dba513f13b630bMark Andrewschmod 0 ns1/K.+*+*.key ns1/K.+*+*.private || ret=1
9892bae7b760071b37881d4dc888ea4b4320a851Mark Andrews$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 sign . 2>&1 | sed 's/^/I:ns1 /'
9892bae7b760071b37881d4dc888ea4b4320a851Mark Andrews$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
9892bae7b760071b37881d4dc888ea4b4320a851Mark Andrewsgrep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
99f6179191e583d23f3c5567d3c00b57b64eb52dEvan Huntecho "I:test turning on auto-dnssec during reconfig ($n)"
99f6179191e583d23f3c5567d3c00b57b64eb52dEvan Hunt# first create a zone that doesn't have auto-dnssec
99f6179191e583d23f3c5567d3c00b57b64eb52dEvan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 addzone reconf.example '{ type master; file "reconf.example.db"; };' 2>&1 | sed 's/^/I:ns3 /'
99f6179191e583d23f3c5567d3c00b57b64eb52dEvan Huntrekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l`
99f6179191e583d23f3c5567d3c00b57b64eb52dEvan Hunt# ...then we add auto-dnssec and reconfigure
801707fe19600313a0b1f7845a518100f69e58b6Evan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 modzone reconf.example '{ type master; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' 2>&1 | sed 's/^/I:ns3 /'
99f6179191e583d23f3c5567d3c00b57b64eb52dEvan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reconfig 2>&1 | sed 's/^/I:ns3 /'
99f6179191e583d23f3c5567d3c00b57b64eb52dEvan Hunt rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l`
7829fad4093f2c1985b1efb7cea00287ff015d2bckb echo "I:waiting ... ($i)"
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrewsecho "I:test CDS and CDNSKEY auto generation ($n)"
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrewsgrep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null || ret=1
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrewsgrep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null || ret=1
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrewsecho "I:setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'"
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys sync.example
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrewsecho "I:waiting for deletion to occur"
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrewsecho "I:checking that the CDS and CDNSKEY are deleted ($n)"
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrewsgrep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null && ret=1
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrewsgrep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null && ret=1
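echo "I:check that dnssec-settime -p Dsync works ($n)"
# Both the settime invocation and the grep for its output must set ret=1 on
# failure; the previous "|| ret=0" left these checks unable to ever fail.
$SETTIME -p Dsync `cat sync.key` > settime.out.$n || ret=1
grep "SYNC Delete:" settime.out.$n >/dev/null || ret=1
echo "I:check that dnssec-settime -p Psync works ($n)"
$SETTIME -p Psync `cat sync.key` > settime.out.$n || ret=1
grep "SYNC Publish:" settime.out.$n >/dev/null || ret=1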
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewsecho "I:check that zone with inactive KSK and active ZSK is properly autosigned ($n)"
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewszskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' `
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewspattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewsgrep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewskskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' `
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewspattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${kskid} "
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewsgrep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
95d40c1e9d1438f4636d6501c8d0b7736cb90d70Evan Huntecho "I:check that zone with inactive ZSK and active KSK is properly autosigned ($n)"
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewsgrep "SOA 7 2" dig.out.ns3.test$n > /dev/null || ret=1
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews# Check that DNSKEY is now signed with the ZSK.
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewsecho "I:check that zone with active and inactive KSK and active ZSK is properly"
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewsecho "I: resigned after the active KSK is deleted - stage 2: Verify that DNSKEY"
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewsecho "I: is now signed with the ZSK. ($n)"
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewszskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' `
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewspattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrewsgrep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews $4 == "RRSIG" && $5 == "DNSKEY" { count++ }
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews $4 == "DNSKEY" { count++ }
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrews# Check that zone is now signed with the KSK.
e5f0db473410df1b5508e74984ee5ecf573683e3Curtis Blackburnecho "I:check that zone with active and inactive ZSK and active KSK is properly"
e5f0db473410df1b5508e74984ee5ecf573683e3Curtis Blackburnecho "I: resigned after the active ZSK is deleted - stage 2: Verify that zone"
e5f0db473410df1b5508e74984ee5ecf573683e3Curtis Blackburnecho "I: is now signed with the KSK. ($n)"
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrews$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrewskskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrews $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' `
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrewsgrep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrews $4 == "RRSIG" && $5 == "CNAME" { count++ }
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrews $4 == "DNSKEY" { count++ }
5e3affc6a0b155ee1cadac735c1a71f4d418ad69Evan Huntecho "I:exit status: $status"