tests.sh revision 9478de25bb86e8942e35cf50462cf108154958e9
#
# Copyright (C) 2009-2015 Internet Systems Consortium, Inc. ("ISC")
#
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
status=0
n=0
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
# convert private-type records to readable form
echo "-- $@ --"
while read record; do
$PERL -e 'my $rdata = pack("H*", @ARGV[0]);
die "invalid record" unless length($rdata) == 5;
my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
my $action = "signing";
$action = "removing" if $remove;
my $state = " (incomplete)";
$state = " (complete)" if $complete;
print ("$action: alg: $alg, key: $key$state\n");' $record
done
}
# check that signing records are marked as complete
_ret=0
expected="${3:-0}"
echo $x | grep incomplete > /dev/null && _ret=1
return 0
fi
echo "$x"
echo "I:failed"
return 1
}
#
# The NSEC record at the apex of the zone and its RRSIG records are
# added as part of the last step in signing a zone. We wait for the
# NSEC records to appear before proceeding with a counter to prevent
# infinite loops if there is a error.
#
echo "I:waiting for autosign changes to take effect"
i=0
while [ $i -lt 30 ]
do
ret=0
#
# Wait for the root DNSKEY RRset to be fully signed.
#
for z in .
do
done
do
done
do
done
i=`expr $i + 1`
if [ $ret = 0 ]; then break; fi
echo "I:waiting ... ($i)"
sleep 2
done
n=`expr $n + 1`
echo "I:checking NSEC->NSEC3 conversion prerequisites ($n)"
ret=0
# these commands should result in an empty file:
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
n=`expr $n + 1`
echo "I:checking NSEC3->NSEC conversion prerequisites ($n)"
ret=0
$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
echo "I:converting zones from nsec to nsec3"
server 10.53.0.3 5300
zone nsec3.nsec3.example.
update add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone optout.nsec3.example.
update add optout.nsec3.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
zone nsec3.example.
update add nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone autonsec3.example.
update add autonsec3.example. 3600 NSEC3PARAM 1 0 20 DEAF
send
zone nsec3.optout.example.
update add nsec3.optout.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone optout.optout.example.
update add optout.optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
zone optout.example.
update add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
END
# try to convert nsec.example; this should fail due to non-NSEC key
echo "I:preset nsec3param in unsigned zone via nsupdate ($n)"
server 10.53.0.3 5300
zone nsec.example.
update add nsec.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
END
echo "I:checking for nsec3param in unsigned zone ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking for nsec3param signing record ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list autonsec3.example. > signing.out.test$n 2>&1
n=`expr $n + 1`
echo "I:resetting nsec3param via rndc signing ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all autonsec3.example. > /dev/null 2>&1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list autonsec3.example. > signing.out.test$n 2>&1
echo "I:waiting ... ($i)"
sleep 2
done
n=`expr $n + 1`
echo "I:signing preset nsec3 zone"
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys autonsec3.example. 2>&1 | sed 's/^/I:ns3 /'
echo "I:waiting for changes to take effect"
sleep 3
echo "I:converting zone from nsec3 to nsec"
server 10.53.0.3 5300
zone nsec3-to-nsec.example.
update delete nsec3-to-nsec.example. NSEC3PARAM
send
END
echo "I:waiting for change to take effect"
sleep 3
echo "I:checking that expired RRSIGs from missing key are not deleted ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that expired RRSIGs from inactive key are not deleted ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that non-replaceable RRSIGs are logged only once (missing private key) ($n)"
ret=0
loglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l`
n=`expr $n + 1`
echo "I:checking that non-replaceable RRSIGs are logged only once (inactive private key) ($n)"
ret=0
loglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run | wc -l`
n=`expr $n + 1`
# Send rndc sync command to ns1, ns2 and ns3, to force the dynamically
# signed zones to be dumped to their zone files
echo "I:dumping zone files"
echo "I:checking expired signatures were updated ($n)"
do
ret=0
[ $ret = 0 ] && break
sleep 1
done
n=`expr $n + 1`
echo "I:checking NSEC->NSEC3 conversion succeeded ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking direct NSEC3 autosigning succeeded ($n)"
ret=0
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
n=`expr $n + 1`
echo "I:checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking NSEC3->NSEC conversion succeeded ($n)"
ret=0
# this command should result in an empty file:
$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
n=`expr $n + 1`
echo "I:checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param none autonsec3.example. > /dev/null 2>&1
sleep 2
# this command should result in an empty file:
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
n=`expr $n + 1`
echo "I:checking TTLs of imported DNSKEYs (no default) ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking TTLs of imported DNSKEYs (with default) ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking TTLs of imported DNSKEYs (mismatched) ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking TTLs of imported DNSKEYs (existing RRset) ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation NSEC ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation NSEC3 ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation OPTOUT ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking negative validation NXDOMAIN NSEC ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking negative validation NXDOMAIN NSEC3 ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking negative validation NXDOMAIN OPTOUT ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking negative validation NODATA NSEC ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking negative validation NODATA NSEC3 ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking negative validation NODATA OPTOUT ($n)"
ret=0
n=`expr $n + 1`
# Check the insecure.example domain
echo "I:checking 1-server insecurity proof NSEC ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking 1-server negative insecurity proof NSEC ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
# Check the secure.example domain
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
echo "I:checking empty NODATA OPTOUT ($n)"
ret=0
#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
# Check the insecure.secure.example domain (insecurity proof)
echo "I:checking 2-server insecurity proof ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
# Check a negative response in insecure.secure.example
echo "I:checking 2-server insecurity proof with a negative answer ($n)"
ret=0
|| ret=1
|| ret=1
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking security root query ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation RSASHA256 NSEC ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation RSASHA512 NSEC ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that positive validation in a privately secure zone works ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking that negative validation in a privately secure zone works ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking privately secure to nxdomain works ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
# Try validating with a revoked trusted key.
# This should fail.
echo "I:checking that validation returns insecure due to revoked trusted key ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that revoked key is present ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that revoked key self-signs ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking for unpublished key ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking for activated but unpublished key ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that standby key does not sign records ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that deactivated key does not sign records ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking insertion of public-only key ($n)"
ret=0
server 10.53.0.1 5300
zone .
ttl 3600
update add $keydata
send
END
sleep 1
n=`expr $n + 1`
echo "I:checking key deletion ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking secure-to-insecure transition, nsupdate ($n)"
ret=0
server 10.53.0.3 5300
zone secure-to-insecure.example
update delete secure-to-insecure.example dnskey
send
END
ret=0
echo "I:waiting ... ($i)"
sleep 2
done
n=`expr $n + 1`
echo "I:checking secure-to-insecure transition, scheduled ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sign secure-to-insecure2.example. 2>&1 | sed 's/^/I:ns3 /'
ret=0
echo "I:waiting ... ($i)"
sleep 2
done
n=`expr $n + 1`
echo "I:checking that serial number and RRSIGs are both updated (rt21045) ($n)"
ret=0
oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
try=0
do
sleep 1
done
newinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
#echo "$oldserial : $newserial"
#echo "$oldinception : $newinception"
echo "I:preparing to test key change corner cases"
echo "I:removing a private key file"
echo "I:preparing ZSK roll"
# note previous zone serial number
sleep 4
echo "I:revoking key to duplicated key ID"
echo "I:waiting for changes to take effect"
sleep 5
echo "I:checking former standby key is now active ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking former standby key has only signed incrementally ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that signing records have been marked as complete ($n)"
ret=0
n=`expr $n + 1`
echo "I:forcing full sign"
echo "I:waiting for change to take effect"
sleep 5
echo "I:checking former standby key has now signed fully ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking SOA serial number has been incremented ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking delayed key publication/activation ($n)"
ret=0
# publication and activation times should be unset
# DNSKEY not expected:
n=`expr $n + 1`
echo "I:checking scheduled key publication, not activation ($n)"
ret=0
echo "I:waiting for changes to take effect"
sleep 5
# DNSKEY expected:
# RRSIG not expected:
n=`expr $n + 1`
echo "I:checking scheduled key activation ($n)"
ret=0
echo "I:waiting for changes to take effect"
sleep 5
# DNSKEY expected:
# RRSIG expected:
# A expected:
# RRSIG expected:
n=`expr $n + 1`
echo "I:checking former active key was removed ($n)"
#
# Work out how long we need to sleep. Allow 4 seconds for the records
# to be removed.
#
sleep=`expr $starttime + 29 - $now`
-*|0);;
esac
ret=0
n=`expr $n + 1`
echo "I:checking private key file removal caused no immediate harm ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking revoked key with duplicate key ID (failure expected) ($n)"
lret=0
id=30676
n=`expr $n + 1`
echo "I:checking key event timers are always set ($n)"
# this is a regression test for a bug in which the next key event could
# be scheduled for the present moment, and then never fire. check for
# visible evidence of this error in the logs:
n=`expr $n + 1`
# this confirms that key events are never scheduled more than
# 'dnssec-loadkeys-interval' minutes in the future, and that the
# event scheduled is within 10 seconds of expected interval.
awk -F: '
{
x = ($6+ $5*60000 + $4*3600000) - ($3+ $2*60000 + $1*3600000);
if (x < 1000 && x > -1000)
x = 0;
# convert to seconds
x = x/1000;
# handle end of day roll over
if (x < 0)
x = x + 24*3600;
# handle log timestamp being a few milliseconds later
if (x != int(x))
x = int(x + 1);
if (int(x) > int(interval))
exit (1);
}
END { if (int(x) > int(interval) || int(x) < int(interval-10)) exit(1) }' interval=$2
return $?
}
echo "I:checking automatic key reloading interval ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking for key reloading loops ($n)"
ret=0
# every key event should schedule a successor, so these should be equal
n=`expr $n + 1`
echo "I:forcing full sign with unreadable keys ($n)"
ret=0
n=`expr $n + 1`
echo "I:test turning on auto-dnssec during reconfig ($n)"
ret=0
# first create a zone that doesn't have auto-dnssec
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 addzone reconf.example '{ type master; file "reconf.example.db"; };' 2>&1 | sed 's/^/I:ns3 /'
# ...then we add auto-dnssec and reconfigure
echo 'zone reconf.example { type master; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' > $nzf
lret=0
echo "I:waiting ... ($i)"
sleep 1
done
n=`expr $n + 1`
echo "I:test CDS and CDNSKEY auto generation ($n)"
ret=0
n=`expr $n + 1`
echo "I:setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'"
echo "I:waiting for deletion to occur"
sleep 3
echo "I:checking that the CDS and CDNSKEY are deleted ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that dnssec-settime -p Dsync works ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that dnssec-settime -p Psync works ($n)"
ret=0
n=`expr $n + 1`
echo "I:exit status: $status"
exit $status