#
# Copyright (C) 2015-2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
msg=$1
file=$2
for i in 1 2 3 4 5 6 7 8 9 10; do
sleep 1
done
ret=1
}
nsidx=$1
}
nsidx=$1
}
nsidx=$1
}
nsidx=$1
$RNDC -c ../common/rndc.conf -s 10.53.0.${nsidx} -p 9953 managed-keys refresh | sed "s/^/I: ns${nsidx} /"
}
# No race with mkeys_refresh_on() is possible as even if the latter
# returns immediately after the expected log message is written, the
# managed-keys zone is already locked and the command below calls
# dns_zone_flush(), which also attempts to take that zone's lock
nsidx=$1
$RNDC -c ../common/rndc.conf -s 10.53.0.${nsidx} -p 9953 managed-keys sync | sed "s/^/I: ns${nsidx} /"
}
# No race with mkeys_refresh_on() is possible as even if the latter
# returns immediately after the expected log message is written, the
# managed-keys zone is already locked and the command below calls
# mkey_status(), which in turn calls dns_zone_getrefreshkeytime(),
# which also attempts to take that zone's lock
nsidx=$1
}
nsidx=$1
}
nsidx=$1
}
status=0
n=1
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
DELVOPTS="-a ns1/trusted.conf -p 5300"
echo "I: check for signed record ($n)"
ret=0
grep "^example\.[ ]*[0-9].*[ ]*IN[ ]*TXT[ ]*\"This is a test\.\"" dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
echo "I: check positive validation with valid trust anchor ($n)"
ret=0
n=`expr $n + 1`
ret=0
echo "I: check positive validation using delv ($n)"
n=`expr $n + 1`
echo "I: check for failed validation due to wrong key in managed-keys ($n)"
ret=0
n=`expr $n + 1`
echo "I: check new trust anchor can be added ($n)"
ret=0
# there should be two keys listed now
# two lines indicating trust status
# one indicates current trust
# one indicates pending trust
n=`expr $n + 1`
echo "I: check new trust anchor can't be added with bad initial key ($n)"
ret=0
# there should be one key listed now
# one line indicating trust status
# ... and the key is not trusted
n=`expr $n + 1`
echo "I: remove untrusted standby key, check timer restarts ($n)"
ret=0
# Less than a second may have passed since the last time ns2 received a
# ./DNSKEY response from ns1. Ensure keys are refreshed at a different
# timestamp to prevent false negatives caused by the acceptance timer getting
# reset to the same timestamp.
sleep 1
# trust pending date must be different
n=`expr $n + 1`
ret=0
echo "I: restore untrusted standby key, revoke original key ($n)"
# Less than a second may have passed since the last time ns2 received a
# ./DNSKEY response from ns1. Ensure keys are refreshed at a different
# timestamp to prevent false negatives caused by the acceptance timer getting
# reset to the same timestamp.
sleep 1
# two keys listed
# two lines indicating trust status
# trust is revoked
# removal scheduled
# trust is still pending on the standby key
# pending date moved forward for the standby key
n=`expr $n + 1`
ret=0
echo "I: refresh managed-keys, ensure same result ($n)"
# Less than a second may have passed since the last time ns2 received a
# ./DNSKEY response from ns1. Ensure keys are refreshed at a different
# timestamp to prevent false negatives caused by the acceptance timer getting
# reset to the same timestamp.
sleep 1
# two keys listed
# two lines indicating trust status
# trust is revoked
# removal scheduled
# trust is still pending on the standby key
# pending date moved forward for the standby key
n=`expr $n + 1`
ret=0
echo "I: restore revoked key, ensure same result ($n)"
# Less than a second may have passed since the last time ns2 received a
# ./DNSKEY response from ns1. Ensure keys are refreshed at a different
# timestamp to prevent false negatives caused by the acceptance timer getting
# reset to the same timestamp.
sleep 1
# two keys listed
# two lines indicating trust status
# trust is revoked
# removal scheduled
# trust is still pending on the standby key
# pending date moved forward for the standby key
echo "I: reinitialize trust anchors"
n=`expr $n + 1`
echo "I: check that standby key is now trusted ($n)"
ret=0
# two keys listed
# two lines indicating trust status
# both indicate current trust
n=`expr $n + 1`
echo "I: revoke original key, add new standby ($n)"
ret=0
# three keys listed
# one is revoked
# three lines indicating trust status
# one indicates current trust
# one indicates revoked trust
# one indicates trust pending
# removal scheduled
n=`expr $n + 1`
echo "I: revoke standby before it is trusted ($n)"
ret=0
# four keys listed
# one revoked
# two pending
# now three keys listed
# one revoked
# one pending
n=`expr $n + 1`
ret=0
sleep 20
# two keys listed
# none revoked
# two lines indicating trust status
# both indicate current trust
n=`expr $n + 1`
echo "I: revoke all keys, confirm roll to insecure ($n)"
ret=0
# two keys listed
# both revoked
# two lines indicating trust status
# both indicate trust revoked
# both have removal scheduled
n=`expr $n + 1`
echo "I: check for insecure response ($n)"
ret=0
echo "I: reset the root server"
echo "I: reinitialize trust anchors"
n=`expr $n + 1`
echo "I: check positive validation ($n)"
ret=0
n=`expr $n + 1`
echo "I: revoke key with bad signature, check revocation is ignored ($n)"
ret=0
# We need to activate at least one valid DNSKEY to prevent dnssec-signzone from
# failing. Alternatively, we could use -P to disable post-sign verification,
# but we actually do want post-sign verification to happen to ensure the zone
# is correct before we break it on purpose.
$SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>&-
BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg=="
# Less than a second may have passed since ns1 was started. If we call
# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the
# subsequent "rndc reload ." call on platforms which do not set the
# "nanoseconds" field of isc_time_t, due to zone load time being seemingly
# equal to master file modification time.
sleep 1
# one key listed
# it's the original key id
# not revoked
# trust is still current
n=`expr $n + 1`
echo "I: check validation fails with bad DNSKEY rrset ($n)"
ret=0
n=`expr $n + 1`
echo "I: restore DNSKEY rrset, check validation succeeds again ($n)"
ret=0
# Less than a second may have passed since ns1 was started. If we call
# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the
# subsequent "rndc reload ." call on platforms which do not set the
# "nanoseconds" field of isc_time_t, due to zone load time being seemingly
# equal to master file modification time.
sleep 1
n=`expr $n + 1`
echo "I: reset the root server with no keys, check for minimal update ($n)"
ret=0
# Refresh keys first to prevent previous checks from influencing this one.
# Note that we might still get occasional false negatives on some really slow
# machines, when $t1 equals $t2 due to the time elapsed between "rndc
# managed-keys status" calls being equal to the normal active refresh period
# (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as
# set using -T mkeytimers).
# one key listed
# it's the original key id
# not revoked
# trust is still current
n=`expr $n + 1`
echo "I: reset the root server with no signatures, check for minimal update ($n)"
ret=0
# Refresh keys first to prevent previous checks from influencing this one
# Less than a second may have passed since the last time ns2 received a
# ./DNSKEY response from ns1. Ensure keys are refreshed at a different
# timestamp to prevent minimal update from resetting it to the same timestamp.
sleep 1
# one key listed
# it's the original key id
# not revoked
# trust is still current
n=`expr $n + 1`
echo "I: restore root server, check validation succeeds again ($n)"
ret=0
n=`expr $n + 1`
echo "I: check that trust-anchor-telemetry queries are logged ($n)"
ret=0
n=`expr $n + 1`
echo "I: check that trust-anchor-telemetry queries are received ($n)"
ret=0
n=`expr $n + 1`
echo "I: check that trust-anchor-telemetry queries contain the correct key ($n)"
ret=0
# convert the hexadecimal key from the TAT query into decimal and
# compare against the known key.
tathex=`grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run | awk '{print $6; exit 0}' | sed -e 's/(_ta-\([0-9a-f][0-9a-f]*\)):/\1/'`
realkey=`$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 secroots - | sed -n 's#.*SHA1/\([0-9][0-9]*\) ; .*managed.*#\1#p'`
n=`expr $n + 1`
echo "I: check failure to contact root servers does not prevent key refreshes after restart ($n)"
ret=0
# By the time we get here, ns5 should have attempted refreshing its managed
# keys. These attempts should fail as ns1 is configured to REFUSE all queries
# from ns5. Note that named1.args does not contain "-T mkeytimers"; this is to
# ensure key refresh retry will be scheduled to one actual hour after the first
# key refresh failure instead of just a few seconds, in order to prevent races
# between the next scheduled key refresh time and startup time of restarted ns5.
# instance. In order for the test to pass, both must attempt a fetch.
n=`expr $n + 1`
echo "I: check key refreshes are resumed after root servers become available ($n)"
ret=0
# Prevent previous check from affecting this one
# named2.args adds "-T mkeytimers=2/20/40" to named1.args as we need to wait for
# an "hour" until keys are refreshed again after initial failure
# ns1 should still REFUSE queries from ns5, so resolving should be impossible
# Allow queries from ns5 to ns1
# ns1 should not longer REFUSE queries from ns5, so managed keys should be
# correctly refreshed and resolving should succeed
echo "I:exit status: $status"