tests.sh revision bf8267aa453e5d2a735ed732a043b77a0b355b20
# BIND "autosign" system-test driver (tests.sh). It exercises automatic zone
# signing, NSEC<->NSEC3 conversion, key rollover/revocation and validation
# against test named instances by running dig/nsupdate/rndc, setting ret=1
# whenever a check fails and printing "I:failed" (the calling harness counts
# those). NOTE(review): in this copy most of the commands that actually set
# $ret (the dig/grep/nsupdate/rndc invocations) have been lost and several
# statements are split mid-token; only the echo/if skeleton and comments
# survive, so comments below describe intent, not verified behaviour.
# All queries go to the test server on port 5300 with +dnssec so AD/RRSIG
# data is visible to the checks.
# NOTE(review): $ret is compared unquoted ([ $ret != 0 ]); every check block
# is expected to assign ret=0 first, otherwise an unset $ret is a test(1)
# syntax error rather than a clean failure.
# NOTE(review): the perl decoder on the next line uses @ARGV[0] (a one-element
# slice where a scalar is meant) and, as shown here, never initialises
# $action for the non-removal case, so that branch would print an empty
# verb — this may be an extraction artifact; confirm against upstream.
# $record is also passed to perl unquoted; harmless for hex data, but keep
# it quoted if the source of the value ever changes.
DIGOPTS=
"+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300" # convert private-type records to readable form perl -e 'my $rdata = pack("H*", @ARGV[0]); die "invalid record" unless length($rdata) == 5; my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata); $action = "removing" if $remove; my $state = " (incomplete)"; $state = " (complete)" if $complete; print ("$action: alg: $alg, key: $key$state\n");' $record # check that signing records are marked as complete # The NSEC record at the apex of the zone and its RRSIG records are # added as part of the last step in signing a zone. We wait for the # NSEC records to appear before proceeding with a counter to prevent # infinite loops if there is a error. echo "I:waiting for autosign changes to take effect" # Wait for the root DNSKEY RRset to be fully signed. if [
$ret =
0 ];
# Leave the bounded wait loop as soon as the root DNSKEY RRset is seen
# fully signed; the loop counter (not visible here) caps the wait so a
# never-signing server cannot hang the suite.
then break;
fi echo "I:waiting ... ($i)" if [
$ret !=
0 ];
# Still unsigned after the last iteration: report, but keep going so the
# remaining checks still produce output.
then echo "I:failed";
else echo "I:done";
# Prerequisite checks: both NSEC->NSEC3 and NSEC3->NSEC candidates must start
# in the expected state ("these commands should result in an empty file").
fi echo "I:checking NSEC->NSEC3 conversion prerequisites ($n)" # these commands should result in an empty file: if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking NSEC3->NSEC conversion prerequisites ($n)" if [
$ret !=
0 ];
then echo "I:failed";
# Convert zones by adding NSEC3PARAM via nsupdate. RDATA is
# "hash-alg flags iterations salt": alg 1 = SHA-1, flags 0 = normal,
# flags 1 = opt-out, 10/20 iterations, salt BEEF/DEAF. These are test
# fixtures only; for production zones current guidance (RFC 9276) is
# 0 iterations and an empty salt, and opt-out weakens denial-of-existence
# for unsigned delegations.
# The final update targets nsec.example, whose key is not NSEC3-capable
# ("NSEC-only"), so named must refuse the conversion; that refusal is
# verified later ("NSEC->NSEC3 conversion failed with NSEC-only key").
fi echo "I:converting zones from nsec to nsec3" zone nsec3.nsec3.example. update add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF zone optout.nsec3.example. update add optout.nsec3.example. 3600 NSEC3PARAM 1 1 10 BEEF update add nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF update add autonsec3.example. 3600 NSEC3PARAM 1 0 20 DEAF zone nsec3.optout.example. update add nsec3.optout.example. 3600 NSEC3PARAM 1 0 10 BEEF zone optout.optout.example. update add optout.optout.example. 3600 NSEC3PARAM 1 1 10 BEEF update add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF # try to convert nsec.example; this should fail due to non-NSEC key echo "I:preset nsec3param in unsigned zone via nsupdate ($n)" update add nsec.example. 3600 NSEC3PARAM 1 0 10 BEEF echo "I:checking for nsec3param in unsigned zone ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking for nsec3param signing record ($n)" if [
$ret !=
0 ];
then echo "I:failed";
# rndc signing -nsec3param resets the chain parameters; poll (0..9) for the
# change rather than sleeping a fixed time.
fi echo "I:resetting nsec3param via rndc signing ($n)" for i
in 0 1 2 3 4 5 6 7 8 9;
do echo "I:waiting ... ($i)" if [
$ret !=
0 ];
then echo "I:failed";
# The two awk filters below scan the journal/diff output for a "del" of an
# RRSIG whose key id ($12) is the missing / inactive key and fail if one is
# found: named must keep expired signatures it cannot regenerate (private
# key absent or key inactive). NOTE(review): presumably so the zone does not
# lose coverage for names that still have no fresh RRSIG — confirm upstream.
fi echo "I:signing preset nsec3 zone" echo "I:waiting for changes to take effect" echo "I:converting zone from nsec3 to nsec" zone nsec3-to-nsec.example. update delete nsec3-to-nsec.example. NSEC3PARAM echo "I:waiting for change to take effect" echo "I:checking that expired RRSIGs from missing key are not deleted ($n)" awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=
$missing ||
ret=
1 if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking that expired RRSIGs from inactive key are not deleted ($n)" awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=
$inactive ||
ret=
1 if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking that non-replaceable RRSIGs are logged only once ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking serial is not incremented when signatures are unchanged ($n)" if [
$ret !=
0 ];
then echo "I:failed";
# From here on checks read the on-disk zone files, so the dynamically signed
# zones are first flushed with rndc sync (command lost in this copy).
fi # Send rndc sync command to ns1, ns2 and ns3, to force the dynamically # signed zones to be dumped to their zone files echo "I:dumping zone files" echo "I:checking expired signatures were updated ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking NSEC->NSEC3 conversion succeeded ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking direct NSEC3 autosigning succeeded ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking NSEC3->NSEC conversion succeeded ($n)" # this command should result in an empty file: if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)" # this command should result in an empty file: if [
$ret !=
0 ];
then echo "I:failed";
# DNSKEY TTL handling for keys imported from key files: no default, a
# configured default, a mismatch between file and default, and an existing
# DNSKEY RRset that must win.
fi echo "I:checking TTLs of imported DNSKEYs (no default) ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking TTLs of imported DNSKEYs (with default) ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking TTLs of imported DNSKEYs (mismatched) ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking TTLs of imported DNSKEYs (existing RRset) ($n)" if [
$ret !=
0 ];
then echo "I:failed";
# Validation checks through the resolver: positive and negative answers
# (NXDOMAIN / NODATA) for NSEC, NSEC3 and opt-out NSEC3 chains, then
# chains that cross zone cuts with each combination of parent/child type.
# Presumably each compares the AD bit / status of a +dnssec query — the dig
# and grep invocations are not present in this copy.
fi echo "I:checking positive validation NSEC ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking positive validation NSEC3 ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking positive validation OPTOUT ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking negative validation NXDOMAIN NSEC ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking negative validation NXDOMAIN NSEC3 ($n)" if [
$ret !=
0 ];
then echo "I:failed";
# NOTE(review): checks marked "looking for failure, hence the &&" use
# "cmd && ret=1", i.e. they pass whenever the command fails for ANY reason.
# A server that is down or a dig that cannot connect therefore looks like a
# pass; when extending these, grep for the expected status/flag rather than
# relying on a non-zero exit.
fi echo "I:checking negative validation NXDOMAIN OPTOUT ($n)" # Note - this is looking for failure, hence the && if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking negative validation NODATA NSEC ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking negative validation NODATA NSEC3 ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking negative validation NODATA OPTOUT ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking 1-server insecurity proof NSEC ($n)" # Note - this is looking for failure, hence the && if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking 1-server negative insecurity proof NSEC ($n)" # Note - this is looking for failure, hence the && if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking multi-stage positive validation NSEC/NSEC ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking multi-stage positive validation NSEC/NSEC3 ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking multi-stage positive validation NSEC/OPTOUT ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking multi-stage positive validation NSEC3/NSEC ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking multi-stage positive validation NSEC3/NSEC3 ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking multi-stage positive validation NSEC3/OPTOUT ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking multi-stage positive validation OPTOUT/NSEC ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking multi-stage positive validation OPTOUT/NSEC3 ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking multi-stage positive validation OPTOUT/OPTOUT ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking empty NODATA OPTOUT ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking 2-server insecurity proof ($n)" # Note - this is looking for failure, hence the && if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking 2-server insecurity proof with a negative answer ($n)" # Note - this is looking for failure, hence the && if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking security root query ($n)" if [
$ret !=
0 ];
then echo "I:failed";
# Algorithm coverage beyond the default: RSASHA256 and RSASHA512 signed
# zones must validate too.
fi echo "I:checking positive validation RSASHA256 NSEC ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking positive validation RSASHA512 NSEC ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking that positive validation in a privately secure zone works ($n)" # Note - this is looking for failure, hence the && if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking that negative validation in a privately secure zone works ($n)" # Note - this is looking for failure, hence the && if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking privately secure to nxdomain works ($n)" # Note - this is looking for failure, hence the && if [
$ret !=
0 ];
then echo "I:failed";
# Revoked trust anchor: with the configured trusted key carrying the REVOKE
# bit, validation must degrade to "insecure" (not secure, not bogus), the
# revoked key must still be published in the DNSKEY RRset, and it must sign
# that RRset itself (presumably the RFC 5011 self-signature requirement —
# confirm against upstream).
fi # Try validating with a revoked trusted key. echo "I:checking that validation returns insecure due to revoked trusted key ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking that revoked key is present ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking that revoked key self-signs ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking for unpublished key ($n)" if [
$ret !=
0 ];
then echo "I:failed";
# Key-state enforcement: a standby (published, not active) key and a
# deactivated key must never produce RRSIGs; a public-only key can be
# inserted; key deletion must remove it from the RRset.
fi echo "I:checking that standby key does not sign records ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking that deactivated key does not sign records ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking insertion of public-only key ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking key deletion ($n)" if [
$ret !=
0 ];
then echo "I:failed";
# Secure-to-insecure: removing the DNSKEY RRset via nsupdate (and, below,
# on a schedule) must unsign the zone; again polled with a bounded loop.
fi echo "I:checking secure-to-insecure transition, nsupdate ($n)" zone secure-to-insecure.example update delete secure-to-insecure.example dnskey for i
in 0 1 2 3 4 5 6 7 8 9;
do echo "I:waiting ... ($i)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking secure-to-insecure transition, scheduled ($n)" for i
in 0 1 2 3 4 5 6 7 8 9;
do echo "I:waiting ... ($i)" if [
$ret !=
0 ];
then echo "I:failed";
# Regression rt21045: re-signing must bump the SOA serial together with the
# RRSIG inception times (old/new values are captured with awk and compared).
fi echo "I:checking that serial number and RRSIGs are both updated (rt21045) ($n)" awk '$0 !~ /SOA/ {print $3}'` #echo "$oldserial : $newserial" #echo "$oldinception : $newinception" if [
$ret !=
0 ];
then echo "I:failed";
# Key-change corner cases: a private key file is removed underneath named,
# a ZSK roll is prepared, and a key is revoked such that its new key ID
# collides with an existing one. The former standby key must become active
# and at first sign only incrementally; a forced full sign then completes
# coverage and must increment the SOA serial.
fi echo "I:preparing to test key change corner cases" echo "I:removing a private key file" echo "I:preparing ZSK roll" # note previous zone serial number echo "I:revoking key to duplicated key ID" echo "I:waiting for changes to take effect" echo "I:checking former standby key is now active ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking former standby key has only signed incrementally ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking that signing records have been marked as complete ($n)" echo "I:forcing full sign" echo "I:waiting for change to take effect" echo "I:checking former standby key has now signed fully ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking SOA serial number has been incremented ($n)" if [
$ret !=
0 ];
then echo "I:failed";
# Scheduled publication/activation: timing metadata must be unset first,
# then a key scheduled for publication only must appear but not sign,
# then a key scheduled for activation must sign.
fi # publication and activation times should be unset if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking scheduled key publication, not activation ($n)" echo "I:waiting for changes to take effect" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking scheduled key activation ($n)" echo "I:waiting for changes to take effect" if [
$ret !=
0 ];
then echo "I:failed";
# Wall-clock sleep ("$sleep", computed from the scheduled time plus a
# 4-second allowance) is the one timing-dependent step here and a likely
# source of flakiness on slow hosts. NOTE(review): in this copy the case arm
# "*)" has been swallowed into the trailing comment and no "esac" is
# visible; treat this region as truncated.
fi echo "I:checking former active key was removed ($n)" # Work out how long we need to sleep. Allow 4 seconds for the records *)
echo "I:waiting for timer to have activated";
sleep $sleep;;
if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking private key file removal caused no immediate harm ($n)" if [
$ret !=
0 ];
then echo "I:failed";
# Known gap: the duplicate-key-ID-after-revoke case is expected to fail and
# is reported via $lret as "not yet implemented" rather than setting ret,
# so it never fails the suite. Revisit when the behaviour is implemented.
fi echo "I:checking revoked key with duplicate key ID (failure expected) ($n)" if [
$lret !=
0 ];
# Regression guard: a "next key event" scheduled for the current log
# timestamp would never fire. The awk below flags any log line where the
# event time ($8 $9) equals the line's own timestamp ($1 $2) in */named.run.
then echo "I:not yet implemented";
fi echo "I:checking key event timers are always set ($n)" # this is a regression test for a bug in which the next key event could # be scheduled for the present moment, and then never fire. check for # visible evidence of this error in the logs: awk '/next key event/ {if ($1 == $8 && $2 == $9) exit 1}' */
named.run ||
ret=
1 if [
$ret !=
0 ];
then echo "I:failed";
# Key reload interval: the scheduled event must lie within
# [interval-10s, interval] of the log timestamp, with a +/-1s window treated
# as "now" and a day-rollover allowance. NOTE(review): the opening of this
# awk program (its quote and the interval/field setup) is missing in this
# copy; only its tail survives.
fi # this confirms that key events are never scheduled more than # 'dnssec-loadkeys-interval' minutes in the future, and that the # event scheduled is within 10 seconds of expected interval. x = ($6+ $5*60000 + $4*3600000) - ($3+ $2*60000 + $1*3600000); # abs(x) < 1000 ms treat as 'now' if (x < 1000 && x > -1000) # handle end of day roll over # handle log timestamp being a few milliseconds later if (int(x) > int(interval)) END { if (int(x) > int(interval) || int(x) < int(interval-10)) exit(1) }' interval=$2 echo "I:checking automatic key reloading interval ($n)" if [
$ret !=
0 ];
then echo "I:failed";
fi echo "I:checking for key reloading loops ($n)" # every key event should schedule a successor, so these should be equal if [
$ret !=
0 ];
then echo "I:failed";
# A full sign with unreadable key files must be handled gracefully (no
# crash, no partial state) — the exact expectation is in the lost command.
fi echo "I:forcing full sign with unreadable keys ($n)" if [
$ret !=
0 ];
then echo "I:failed";
# Enabling auto-dnssec on an existing zone purely via reconfig; polled with
# the same bounded 0..9 loop, breaking early once $lret reports success.
fi echo "I:test turning on auto-dnssec during reconfig ($n)" # first create a zone that doesn't have auto-dnssec # ...then we add auto-dnssec and reconfigure for i
in 0 1 2 3 4 5 6 7 8 9;
do if [
"$lret" -
eq 0 ];
then break;
fi echo "I:waiting ... ($i)" if [
$ret !=
0 ];
then echo "I:failed";
fi