4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt# Copyright (C) 2011-2014, 2016-2018 Internet Systems Consortium, Inc. ("ISC")
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews# This Source Code Form is subject to the terms of the Mozilla Public
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews# License, v. 2.0. If a copy of the MPL was not distributed with this
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Set NSEC3 parameters on the "nsec3" zone through rndc (arguments: hash
# algorithm 1, flags 0, 0 iterations, "-" = no salt). Output is discarded
# and, unlike the retransfer3 call below, a non-zero exit status is not
# recorded anywhere.
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1
# Read the NSEC3PARAM record back from 10.53.0.3; this line is indented, so
# the loop that presumably retries it is outside this view.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt nsec3param=`$DIG +short @10.53.0.3 -p 5300 nsec3param nsec3.`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt# Loop until retransfer3 has been transferred.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ans=1
# NOTE(review): failure is recorded in `ans` here, while most checks in this
# script use `ret`; presumably `ans` is a per-iteration retry flag evaluated
# by the enclosing (unseen) loop -- confirm.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt nsec3param=`$DIG +short @10.53.0.3 -p 5300 nsec3param retransfer3.`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntecho "I:checking that rrsigs are replaced with ksk only ($n)"
# Count RRSIG NSEC3 records per owner name ($1) and fail unless every owner
# has exactly one. The command that feeds this pipeline is on the preceding
# (unseen) line.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1
# Commented-out debugging query for the NSEC records; not part of the test.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt#$DIG @10.53.0.3 -p 5300 axfr nsec3. | grep -w NSEC | grep -v "IN.RRSIG.NSEC"
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntecho "I:checking that the zone is signed on initial transfer ($n)"
# List the signing state of zone "bits" on 10.53.0.3 and count the keys that
# have finished signing. Both lines are indented, so the retry loop around
# them is outside this view.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt keys=`grep '^Done signing' signing.out.test$n | wc -l`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntecho "I:checking expired signatures are updated on load ($n)"
# Query the SOA of zone "expired" with +dnssec so the RRSIG is returned in
# the answer section.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt$DIG $DIGOPTS @10.53.0.3 -p 5300 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n
# Pull field 9 from the RRSIG line -- in RRSIG presentation format that is
# the signature expiration time. How $expiry is compared is outside this view.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntexpiry=`awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntecho "I:checking removal of private type record via 'rndc signing -clear' ($n)"
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
# Extract the key identifiers from the "Done signing with key ..." lines.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntkeys=`sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n`
# Clear the signing record of a single key. Note the variable is $key, not
# $keys: the loop that iterates over $keys and sets $key is outside this view.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear ${key} bits > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt break; # We only want to remove 1 record for now.
# Re-list and count the signing records that remain after the clear.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt num=`grep "Done signing with" signing.out.test$n | wc -l`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntecho "I:checking private type was properly signed ($n)"
# Query the private type record (TYPE65534) through 10.53.0.6 and expect the
# record plus its RRSIG (two answers) with the AD flag set. The pattern
# "ad[ ;]" matches the flag only as a whole token in dig's flags line.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntgrep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntgrep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntecho "I:checking removal of remaining private type record via 'rndc signing -clear all' ($n)"
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all bits > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
# NOTE(review): this indented check records failure in `ans` rather than
# `ret`; presumably a per-iteration flag for an unseen retry loop -- confirm
# that it is folded into the overall result.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt grep "No signing records found" signing.out.test$n > /dev/null || ans=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntecho "I:checking negative private type response was properly signed ($n)"
# With all signing records cleared, the same query must now yield an
# authenticated (AD) NOERROR response with an empty answer section.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntgrep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntgrep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntgrep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntserver 10.53.0.2 5300
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsupdate add added.bits 0 A 1.2.3.4
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsecho "I:checking that the record is added on the hidden master ($n)"
# The two nsupdate commands above add added.bits (TTL 0) on the hidden master
# at 10.53.0.2; they are presumably fed to $NSUPDATE through a heredoc, as
# elsewhere in this script, but its delimiters are outside this view.
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews$DIG $DIGOPTS @10.53.0.2 -p 5300 added.bits A > dig.out.ns2.test$n
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsecho "I:checking that update has been transfered and has been signed ($n)"
# On the inline-signing server 10.53.0.3 the same name must answer with two
# records: the A record and its RRSIG. The indented lines belong to a retry
# loop that is outside this view.
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews $DIG $DIGOPTS @10.53.0.3 -p 5300 added.bits A > dig.out.ns3.test$n
2cf0fe3b8092f64f8f68ae3693fe2e73e90ad1a4Mark Andrews grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsserver 10.53.0.2 5300
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsupdate add bits 0 SOA ns2.bits. . 2011072400 20 20 1814400 3600
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsecho "I:checking YYYYMMDDVV (2011072400) serial on hidden master ($n)"
# The nsupdate commands above replace the SOA of "bits" on the hidden master
# with serial 2011072400 (date-style YYYYMMDDVV); the surrounding heredoc is
# outside this view.
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews$DIG $DIGOPTS @10.53.0.2 -p 5300 bits SOA > dig.out.ns2.test$n
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "2011072400" dig.out.ns2.test$n > /dev/null || ret=1
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Huntecho "I:checking YYYYMMDDVV (2011072400) serial in signed zone ($n)"
# The signed copy on 10.53.0.3 must carry the same serial; two answers are
# expected (SOA plus RRSIG). The retry loop around the indented lines is
# outside this view.
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews $DIG $DIGOPTS @10.53.0.3 -p 5300 bits SOA > dig.out.ns3.test$n
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsecho "I:checking that the zone is signed on initial transfer, noixfr ($n)"
# Poll up to 30 times (the list 1..10 repeated three times) for the noixfr
# zone to finish signing; the loop's do/done and the exit condition are
# outside this view.
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsfor i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list noixfr > signing.out.test$n 2>&1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews keys=`grep '^Done signing' signing.out.test$n | wc -l`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsserver 10.53.0.4 5300
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsupdate add added.noixfr 0 A 1.2.3.4
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsecho "I:checking that the record is added on the hidden master, noixfr ($n)"
# The nsupdate commands above add added.noixfr (TTL 0) on the noixfr hidden
# master at 10.53.0.4; the heredoc feeding them to $NSUPDATE is outside this
# view.
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrews$DIG $DIGOPTS @10.53.0.4 -p 5300 added.noixfr A > dig.out.ns4.test$n
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsgrep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsecho "I:checking that update has been transfered and has been signed, noixfr ($n)"
# Poll up to 30 times for the signed copy on 10.53.0.3 to show the A record
# and its RRSIG (two answers); do/done are outside this view.
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsfor i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews $DIG $DIGOPTS @10.53.0.3 -p 5300 added.noixfr A > dig.out.ns3.test$n
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsserver 10.53.0.4 5300
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsupdate add noixfr 0 SOA ns4.noixfr. . 2011072400 20 20 1814400 3600
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsecho "I:checking YYYYMMDDVV (2011072400) serial on hidden master, noixfr ($n)"
# The nsupdate commands above set the noixfr SOA serial to 2011072400 on the
# hidden master 10.53.0.4; the surrounding heredoc is outside this view.
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews$DIG $DIGOPTS @10.53.0.4 -p 5300 noixfr SOA > dig.out.ns4.test$n
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "2011072400" dig.out.ns4.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsecho "I:checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)"
# The signed copy on 10.53.0.3 must expose the same serial (SOA plus RRSIG =
# two answers). The indented lines sit in a retry loop outside this view.
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews $DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr SOA > dig.out.ns3.test$n
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsecho "I:checking that the master zone signed on initial load ($n)"
# Same pattern as the "bits" check above, for zone "master": list signing
# state and count completed keys. The retry loop is outside this view.
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt keys=`grep '^Done signing' signing.out.test$n | wc -l`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsecho "I:checking removal of private type record via 'rndc signing -clear' (master) ($n)"
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
# Extract key identifiers from the "Done signing with key ..." lines.
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewskeys=`sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n`
# Clear one key's signing record then stop; the loop that sets $key from
# $keys is outside this view.
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear ${key} master > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews break; # We only want to remove 1 record for now.
# Count the signing records that remain after the single clear.
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews num=`grep "Done signing with" signing.out.test$n | wc -l`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsecho "I:checking private type was properly signed (master) ($n)"
# Query the private type record through 10.53.0.6: expect record plus RRSIG
# (two answers) and the AD flag as a whole token in dig's flags line.
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews$DIG $DIGOPTS @10.53.0.6 -p 5300 master TYPE65534 > dig.out.ns6.test$n
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntecho "I:checking removal of remaining private type record via 'rndc signing -clear' (master) ($n)"
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all master > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
# NOTE(review): as in the "bits" variant, this indented check sets `ans`,
# not `ret`; presumably a retry-loop flag aggregated outside this view --
# confirm it cannot be silently dropped.
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews grep "No signing records found" signing.out.test$n > /dev/null || ans=1
# Test-case counter, advanced with expr between cases (POSIX sh style). Most
# of the cases it numbers are outside this view; only fragments remain below.
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
# e.updated should exist and should be signed
# updated.db.signed.jnl should exist, should have the source serial
# of master2.db, and should show a minimal diff: no more than 8 added
n=`expr $n + 1`
$NSUPDATE << EOF
n=`expr $n + 1`
n=`expr $n + 1`
$NSUPDATE << EOF
n=`expr $n + 1`
n=`expr $n + 1`
$NSUPDATE << EOF
n=`expr $n + 1`
n=`expr $n + 1`
$NSUPDATE << EOF
n=`expr $n + 1`
n=`expr $n + 1`
$NSUPDATE << EOF
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
# Freeze and thaw the "dynamic" zone; on failure the rndc output is echoed
# with an "I:" prefix so it lands in the test log.
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze dynamic > freeze.test$n 2>&1 || { echo "I: rndc freeze dynamic failed" ; sed 's/^/I:/' < freeze.test$n ; ret=1; }
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw dynamic > thaw.test$n 2>&1 || { echo "I: rndc thaw dynamic failed" ; ret=1; }
# ns3's log must show that ixfr-from-differences found the zone unchanged
# across the freeze/thaw.
grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run > /dev/null || ret=1
n=`expr $n + 1`
n=`expr $n + 1`
echo "I:check added record freeze1.dynamic ($n)"
n=`expr $n + 1`
n=`expr $n + 1`
echo "I:check added record freeze2.dynamic ($n)"
n=`expr $n + 1`
n=`expr $n + 1`
$NSUPDATE << EOF
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
# in the comment inside ns7/named.conf.
n=`expr $n + 1`
# Zone body for an inline-signing slave of 10.53.0.2; presumably the argument
# of an rndc zone-management command on the preceding (unseen) line -- confirm.
'{ type slave; masters { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };'
# NSEC3 on ns7 with 2 iterations and salt 12345678; exit status is not checked.
$RNDC -c ../common/rndc.conf -s 10.53.0.7 -p 9953 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1
# reproduced (see comment in ns7/named.conf)
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
echo "I:updates to SOA parameters other than serial while stopped are reflected in signed zone ($n)"
n=`expr $n + 1`
# Master zone body loaded from bits.db.in. allow-transfer { any; } is
# appropriate only because this is the isolated 10.53.0.x test network.
'{ type master; file "bits.db.in"; allow-transfer { any; }; };'
# On failure the full dig output is dumped to aid debugging.
grep "status: NOERROR," dig.out.ns2.$zone.test$n > /dev/null || { ret=1; cat dig.out.ns2.$zone.test$n; }
# Inline-signing slave body with open transfers (test network only, as above).
'{ type slave; masters { 10.53.0.2; }; file "'test-$zone'.bk"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };'
n=`expr $n + 1`
# Default branch of a case over $alg; the case statement itself is outside
# this view.
*) echo "I: checking $alg";;
n=`expr $n + 1`
n=`expr $n + 1`
# Derive a new serial from the pre-change SOA: after splitting on whitespace,
# field[3] is the RR type and field[6] the SOA serial, so this is serial+10.
# If no SOA line is found $newserial is empty and ${newserial:-0} passes 0.
newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n`
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
n=`expr $n + 1`
# serial-10: presumably exercises how `signing -serial` handles a serial that
# moves backwards; the echo describing the expectation is outside this view.
newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n`
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
n=`expr $n + 1`
newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n`
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
n=`expr $n + 1`
# Same +10 / -10 / +10 serial sequence, repeated against zone "bits" on the
# hidden master 10.53.0.2.
newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n`
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 signing -serial ${newserial:-0} bits > /dev/null 2>&1
n=`expr $n + 1`
newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n`
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 signing -serial ${newserial:-0} bits > /dev/null 2>&1
n=`expr $n + 1`
newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n`
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 signing -serial ${newserial:-0} bits > /dev/null 2>&1
n=`expr $n + 1`
$NSUPDATE << EOF
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
# Final summary; $status is accumulated from the per-case $ret values outside
# this view.
echo "I:exit status: $status"