1.1.1.1.2.2! pgoyette 1: #!/bin/sh
! 2: #
! 3: # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
! 4: #
! 5: # This Source Code Form is subject to the terms of the Mozilla Public
! 6: # License, v. 2.0. If a copy of the MPL was not distributed with this
! 7: # file, You can obtain one at http://mozilla.org/MPL/2.0/.
! 8: #
! 9: # See the COPYRIGHT file distributed with this work for additional
! 10: # information regarding copyright ownership.
! 11:
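SYSTEMTESTTOP=..
# Shared harness; expected to provide the tool variables ($DIG, $RNDC,
# $PERL, $SETTIME, $DSFROMKEY, $NSUPDATE, $JOURNALPRINT, $PORT,
# $CONTROLPORT) and the helpers (echo_i, cat_i, digcomp) used below.
. "$SYSTEMTESTTOP/conf.sh"

# status: accumulated failure count; n: per-check counter used in file names.
status=0
n=0

# Common dig options: TCP, trimmed output sections, DNSSEC records requested.
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
# rndc prefix; each caller appends the server address after -s.
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"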
! 20:
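# convert private-type records to readable form
#
# Arguments: $1 - zone name
#            $2 - server address to query
# Outputs:   a "-- zone server --" header, then one line per TYPE65534
#            record, e.g. "signing: alg: 7, key: 12345 (complete)"
# Each rdata is exactly five bytes: algorithm (1), key id (2),
# remove flag (1), complete flag (1); anything else aborts with
# "invalid record".
showprivate () {
	echo "-- $* --"
	$DIG $DIGOPTS +nodnssec +short @"$2" -t type65534 "$1" | cut -f3 -d' ' |
	while read -r record; do
		$PERL -e 'my $rdata = pack("H*", @ARGV[0]);
			die "invalid record" unless length($rdata) == 5;
			my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
			my $action = "signing";
			$action = "removing" if $remove;
			my $state = " (incomplete)";
			$state = " (complete)" if $complete;
			print ("$action: alg: $alg, key: $key$state\n");' "$record"
	done
}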
! 36:
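# check that signing records are marked as complete
#
# Arguments: $1 - zone name
#            $2 - server address
#            $3 - expected state: 0 (default) if no record may be
#                 incomplete, 1 if at least one record must be incomplete
# Outputs:   on mismatch, the decoded records and "failed" via echo_i
# Returns:   0 when the observed state equals $3, 1 otherwise
checkprivate () {
	_ret=0
	expected="${3:-0}"
	x=$(showprivate "$@")
	# any "(incomplete)" marker means a signing chain is still in progress
	printf '%s\n' "$x" | grep incomplete > /dev/null && _ret=1

	if [ "$_ret" = "$expected" ]; then
		return 0
	fi

	printf '%s\n' "$x"
	echo_i "failed"
	return 1
}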
! 52:
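#
# The NSEC record at the apex of the zone and its RRSIG records are
# added as part of the last step in signing a zone. We wait for the
# NSEC records to appear before proceeding with a counter to prevent
# infinite loops if there is an error.
#
echo_i "waiting for autosign changes to take effect"
i=0
while [ "$i" -lt 30 ]
do
	ret=0
	#
	# Wait for the root DNSKEY RRset to be fully signed.
	# (10 answer records = the DNSKEYs plus their RRSIGs, presumably.)
	#
	$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
	grep "ANSWER: 10," dig.out.ns1.test$n > /dev/null || ret=1
	# The apex NSEC must list NS and SOA on every zone checked below.
	for z in .
	do
		$DIG $DIGOPTS "$z" @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1
		grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1
	done
	for z in bar. example. private.secure.example.
	do
		$DIG $DIGOPTS "$z" @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
		grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
	done
	for z in bar. example. inacksk2.example. inacksk3.example \
		inaczsk2.example. inaczsk3.example
	do
		$DIG $DIGOPTS "$z" @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
		grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
	done
	i=$((i + 1))
	if [ "$ret" = 0 ]; then break; fi
	echo_i "waiting ... ($i)"
	sleep 2
done
n=$((n + 1))
# Reached only when the 30 polls timed out; report it like every other check.
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))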
! 93:
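#
# Check that DNSKEY is initially signed with a KSK and not a ZSK.
#
echo_i "check that zone with active and inactive KSK and active ZSK is properly"
echo_i " resigned after the active KSK is deleted - stage 1: Verify that DNSKEY"
echo_i " is initially signed with a KSK and not a ZSK. ($n)"
ret=0

$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n || ret=1

# Key id of the ZSK (flags 256); -A makes dsfromkey accept a non-KSK.
zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
	$DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}')
# There must be an RRSIG (algorithm 7, 2 labels) over the DNSKEY RRset ...
grep "DNSKEY 7 2 " dig.out.ns3.test$n > /dev/null || ret=1

# ... but none of them may have been made by the ZSK.
pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1

# Exactly one DNSKEY RRSIG and three DNSKEYs are expected at this stage.
count=$(awk 'BEGIN { count = 0 }
	$4 == "RRSIG" && $5 == "DNSKEY" { count++ }
	END {print count}' dig.out.ns3.test$n)
test "$count" -eq 1 || ret=1

count=$(awk 'BEGIN { count = 0 }
	$4 == "DNSKEY" { count++ }
	END {print count}' dig.out.ns3.test$n)
test "$count" -eq 3 || ret=1

# Id of the key that signed the DNSKEY RRset (RRSIG field 11), zero-padded
# to five digits to match the key file name.
awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }'
id=$(awk "${awk}" dig.out.ns3.test$n)

# Schedule that KSK for deletion and make ns3 reload its keys; a later
# stage checks that the DNSKEY RRset gets re-signed.
$SETTIME -D now+5 ns3/Kinacksk3.example.+007+${id} > /dev/null 2>&1
$RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i

n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))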
! 130:
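#
# Check that zone is initially signed with a ZSK and not a KSK.
#
echo_i "check that zone with active and inactive ZSK and active KSK is properly"
echo_i " resigned after the active ZSK is deleted - stage 1: Verify that zone"
echo_i " is initially signed with a ZSK and not a KSK. ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n || ret=1
# Key id of the KSK (flags 257); dsfromkey handles KSKs without -A.
kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
	$DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}')
# Zone data (the CNAME, 3 labels) must be signed ...
grep "CNAME 7 3 " dig.out.ns3.test$n > /dev/null || ret=1
# ... but not by the KSK.
grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
# Exactly one CNAME RRSIG and three DNSKEYs are expected at this stage.
count=$(awk 'BEGIN { count = 0 }
	$4 == "RRSIG" && $5 == "CNAME" { count++ }
	END {print count}' dig.out.ns3.test$n)
test "$count" -eq 1 || ret=1
count=$(awk 'BEGIN { count = 0 }
	$4 == "DNSKEY" { count++ }
	END {print count}' dig.out.ns3.test$n)
test "$count" -eq 3 || ret=1
# Id of the ZSK that signed the CNAME, zero-padded to match the key file name;
# schedule it for deletion and reload keys so a later stage can check re-signing.
id=$(awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n)
$SETTIME -D now+5 ns3/Kinaczsk3.example.+007+${id} > /dev/null 2>&1
$RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))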
! 157:
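echo_i "checking NSEC->NSEC3 conversion prerequisites ($n)"
ret=0
# these commands should result in an empty file: neither zone may have an
# NSEC3PARAM record before the conversion is requested
$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
grep "NSEC3PARAM" dig.out.ns3.1.test$n > /dev/null && ret=1
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
grep "NSEC3PARAM" dig.out.ns3.2.test$n > /dev/null && ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking NSEC3->NSEC conversion prerequisites ($n)"
ret=0
# the zone to be converted back must currently have an NSEC3PARAM record
$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))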
! 176:
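echo_i "converting zones from nsec to nsec3"
# Adding an NSEC3PARAM record via dynamic update asks each zone to build an
# NSEC3 chain (flags 1 = opt-out for the optout.* zones).  A rejected update
# is a test failure and is counted like any other failed check.
$NSUPDATE > /dev/null 2>&1 <<END || status=$((status + 1))
server 10.53.0.3 ${PORT}
zone nsec3.nsec3.example.
update add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone optout.nsec3.example.
update add optout.nsec3.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
zone nsec3.example.
update add nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone autonsec3.example.
update add autonsec3.example. 3600 NSEC3PARAM 1 0 20 DEAF
send
zone nsec3.optout.example.
update add nsec3.optout.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone optout.optout.example.
update add optout.optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
zone optout.example.
update add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
END

# try to convert nsec.example; this should fail due to its NSEC-only key.
# The output is kept in nsupdate.out: a later check expects "failed: REFUSED",
# so no status is recorded here.
echo_i "preset nsec3param in unsigned zone via nsupdate ($n)"
$NSUPDATE > nsupdate.out 2>&1 <<END
server 10.53.0.3 ${PORT}
zone nsec.example.
update add nsec.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
END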
! 211:
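echo_i "checking for nsec3param in unsigned zone ($n)"
ret=0
# the NSEC3PARAM must not be published until the zone is actually signed
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking for nsec3param signing record ($n)"
ret=0
# Both stdout and stderr go to the file, so nothing reaches a "| cat_i" here;
# the chain requested by the earlier update must show up as pending.
$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1
grep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "resetting nsec3param via rndc signing ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. > /dev/null 2>&1
$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1
# Poll until exactly one pending chain - the new one - is listed.
for i in 0 1 2 3 4 5 6 7 8 9; do
	ret=0
	$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1
	grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n > /dev/null || ret=1
	# grep -c instead of "| wc -l": wc pads its count on some systems
	num=$(grep -c "Pending " signing.out.test$n)
	[ "$num" -eq 1 ] || ret=1
	[ "$ret" -eq 0 ] && break
	echo_i "waiting ... ($i)"
	sleep 2
done
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))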
! 245:
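echo_i "signing preset nsec3 zone"
# autozsk.key / autoksk.key hold the names of the pre-generated keys for
# autonsec3.example (one per file, as dnssec-settime takes a single key);
# publish and activate them now, then have ns3 reload its keys.
zsk=$(cat autozsk.key)
ksk=$(cat autoksk.key)
$SETTIME -K ns3 -P now -A now "$zsk" > /dev/null 2>&1
$SETTIME -K ns3 -P now -A now "$ksk" > /dev/null 2>&1
$RNDCCMD 10.53.0.3 loadkeys autonsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i

echo_i "waiting for changes to take effect"
sleep 3

echo_i "converting zone from nsec3 to nsec"
# Removing the NSEC3PARAM record asks the zone to go back to an NSEC chain.
$NSUPDATE > /dev/null 2>&1 << END || status=$((status + 1))
server 10.53.0.3 ${PORT}
zone nsec3-to-nsec.example.
update delete nsec3-to-nsec.example. NSEC3PARAM
send
END

echo_i "waiting for change to take effect"
sleep 3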
! 266:
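echo_i "checking that expired RRSIGs from missing key are not deleted ($n)"
ret=0
# Key id taken from the key file name (Kzone.+007+NNNNN) with leading
# zeros stripped.
missing=$(sed 's/^K.*+007+0*\([0-9]\)/\1/' < missingzsk.key)
# No journal entry may delete an RRSIG made by that key.
$JOURNALPRINT ns3/nozsk.example.db.jnl | \
	awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id="$missing" || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking that expired RRSIGs from inactive key are not deleted ($n)"
ret=0
inactive=$(sed 's/^K.*+007+0*\([0-9]\)/\1/' < inactivezsk.key)
$JOURNALPRINT ns3/inaczsk.example.db.jnl | \
	awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id="$inactive" || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking that non-replaceable RRSIGs are logged only once (missing private key) ($n)"
ret=0
# grep -c instead of "| wc -l": wc pads its count on some systems and the
# padded string is not a portable operand for -eq.
loglines=$(grep -c "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run)
[ "$loglines" -eq 1 ] || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking that non-replaceable RRSIGs are logged only once (inactive private key) ($n)"
ret=0
loglines=$(grep -c "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run)
[ "$loglines" -eq 1 ] || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))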
! 300:
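# Send rndc sync command to ns1, ns2 and ns3, to force the dynamically
# signed zones to be dumped to their zone files
echo_i "dumping zone files"
$RNDCCMD 10.53.0.1 sync 2>&1 | sed 's/^/ns1 /' | cat_i
$RNDCCMD 10.53.0.2 sync 2>&1 | sed 's/^/ns2 /' | cat_i
$RNDCCMD 10.53.0.3 sync 2>&1 | sed 's/^/ns3 /' | cat_i

echo_i "checking expired signatures were updated ($n)"
# Re-signing is asynchronous: retry for a few seconds until the validator
# (10.53.0.4) returns the same answer as ns3 with the AD flag set.
for i in 1 2 3 4 5 6 7 8 9
do
	ret=0
	$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
	$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
	digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
	grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
	[ "$ret" = 0 ] && break
	sleep 1
done
n=$((n + 1))
# Report the failure like every other check; previously only status was bumped.
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))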
! 321:
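echo_i "checking NSEC->NSEC3 conversion succeeded ($n)"
ret=0
# NSEC3PARAM now answers NOERROR, and a non-existent name validates (AD)
# with NXDOMAIN through the validator at 10.53.0.4.
$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
grep "status: NOERROR" dig.out.ns3.ok.test$n > /dev/null || ret=1
$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking direct NSEC3 autosigning succeeded ($n)"
ret=0
# The zone signed via "rndc signing -nsec3param" must publish NSEC3PARAM.
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
[ -s dig.out.ns3.ok.test$n ] || ret=1
grep "NSEC3PARAM" dig.out.ns3.ok.test$n > /dev/null || ret=1
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
ret=0
# nsupdate.out was written by the earlier "preset nsec3param" attempt.
grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking NSEC3->NSEC conversion succeeded ($n)"
ret=0
# this command should result in an empty file:
$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. > /dev/null 2>&1
sleep 2
# this command should result in an empty file:
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))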
! 385:
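# Assert that every record in $1 (dig +noall +answer output) has TTL $2.
# Mismatches are reported through cat_i and the awk exit status is returned,
# so the caller's "|| ret=1" actually fires.  The previous form
# "awk ... || ret=1 | cat_i" parsed as "awk || (ret=1 | cat_i)": the
# assignment ran in the pipeline's subshell and every TTL check passed
# unconditionally.
checkttl () {
	awk -v want="$2" 'BEGIN {r=0} $2 != want {r=1; print "found TTL " $2} END {exit r}' "$1" > "$1.ttl"
	_rc=$?
	cat_i < "$1.ttl"
	return $_rc
}

echo_i "checking TTLs of imported DNSKEYs (no default) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
[ -s dig.out.ns3.test$n ] || ret=1
checkttl dig.out.ns3.test$n 300 || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking TTLs of imported DNSKEYs (with default) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
[ -s dig.out.ns3.test$n ] || ret=1
checkttl dig.out.ns3.test$n 60 || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking TTLs of imported DNSKEYs (mismatched) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
[ -s dig.out.ns3.test$n ] || ret=1
checkttl dig.out.ns3.test$n 30 || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking TTLs of imported DNSKEYs (existing RRset) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
[ -s dig.out.ns3.test$n ] || ret=1
checkttl dig.out.ns3.test$n 30 || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))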
! 421:
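# Positive validation: the validator's (10.53.0.4) answer must match the
# authoritative one and carry the AD flag.
echo_i "checking positive validation NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking positive validation NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking positive validation OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Negative validation, NXDOMAIN: the denial must validate (AD) except for
# the opt-out case, where an unsigned delegation cannot be proven secure.
echo_i "checking negative validation NXDOMAIN NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking negative validation NXDOMAIN NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth q.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth q.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking negative validation NXDOMAIN OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth q.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth q.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Negative validation, NODATA: NOERROR with an empty answer section,
# validated (AD) in all three chain types.
echo_i "checking negative validation NODATA NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking negative validation NODATA NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking negative validation NODATA OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))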
! 533:
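# Check the insecure.example domain: an insecurity proof yields the same
# answer as the authoritative server but must NOT set AD.

echo_i "checking 1-server insecurity proof NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking 1-server negative insecurity proof NSEC ($n)"
ret=0
$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \
	> dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))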
! 561:
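# Check the secure.example domain: validation across two signed zones
# (parent/child) for every combination of NSEC, NSEC3 and opt-out chains.
# Each answer must match the authoritative one, be NOERROR and carry AD.

echo_i "checking multi-stage positive validation NSEC/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.secure.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.secure.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.secure.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking empty NODATA OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth empty.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth empty.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# The AD check is intentionally disabled for this case (kept for reference):
#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))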
! 693:
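# Check the insecure.secure.example domain (insecurity proof): an unsigned
# zone below a signed one resolves, but the answer must NOT carry AD.

echo_i "checking 2-server insecurity proof ($n)"
ret=0
$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
	> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
	> dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Check a negative response in insecure.secure.example

echo_i "checking 2-server insecurity proof with a negative answer ($n)"
ret=0
$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
	|| ret=1
$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
	|| ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking security root query ($n)"
ret=0
# The root's key RRset itself must validate at the validator.
$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking positive validation RSASHA256 NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))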
! 744:
! 745: echo_i "checking positive validation RSASHA512 NSEC ($n)"
! 746: ret=0
! 747: $DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
! 748: $DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
! 749: digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
! 750: grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
! 751: n=`expr $n + 1`
! 752: if [ $ret != 0 ]; then echo_i "failed"; fi
! 753: status=`expr $status + $ret`
! 754:
! 755: echo_i "checking that positive validation in a privately secure zone works ($n)"
! 756: ret=0
! 757: $DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \
! 758: > dig.out.ns2.test$n || ret=1
! 759: $DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
! 760: > dig.out.ns4.test$n || ret=1
! 761: digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
! 762: grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
! 763: grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
! 764: n=`expr $n + 1`
! 765: if [ $ret != 0 ]; then echo_i "failed"; fi
! 766: status=`expr $status + $ret`
! 767:
! 768: echo_i "checking that negative validation in a privately secure zone works ($n)"
! 769: ret=0
! 770: $DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \
! 771: > dig.out.ns2.test$n || ret=1
! 772: $DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \
! 773: > dig.out.ns4.test$n || ret=1
! 774: digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
! 775: grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
! 776: # Note - this is looking for failure, hence the &&
! 777: grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
! 778: n=`expr $n + 1`
! 779: if [ $ret != 0 ]; then echo_i "failed"; fi
! 780: status=`expr $status + $ret`
! 781:
! 782: echo_i "checking privately secure to nxdomain works ($n)"
! 783: ret=0
! 784: $DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 > dig.out.ns4.test$n || ret=1
! 785: grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
! 786: grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
! 787: n=`expr $n + 1`
! 788: if [ $ret != 0 ]; then echo_i "failed"; fi
! 789: status=`expr $status + $ret`
! 790:
! 791: # Try validating with a revoked trusted key.
! 792: # This should fail.
! 793:
! 794: echo_i "checking that validation returns insecure due to revoked trusted key ($n)"
! 795: ret=0
! 796: $DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
! 797: grep "flags:.*; QUERY" dig.out.ns5.test$n > /dev/null || ret=1
! 798: grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n > /dev/null && ret=1
! 799: n=`expr $n + 1`
! 800: if [ $ret != 0 ]; then echo_i "failed"; fi
! 801: status=`expr $status + $ret`
! 802:
! 803: echo_i "checking that revoked key is present ($n)"
! 804: ret=0
! 805: id=`cat rev.key`
! 806: $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
! 807: grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
! 808: n=`expr $n + 1`
! 809: if [ $ret != 0 ]; then echo_i "failed"; fi
! 810: status=`expr $status + $ret`
! 811:
! 812: echo_i "checking that revoked key self-signs ($n)"
! 813: ret=0
! 814: id=`cat rev.key`
! 815: $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
! 816: grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
! 817: n=`expr $n + 1`
! 818: if [ $ret != 0 ]; then echo_i "failed"; fi
! 819: status=`expr $status + $ret`
! 820:
! 821: echo_i "checking for unpublished key ($n)"
! 822: ret=0
! 823: id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < unpub.key`
! 824: $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
! 825: grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
! 826: n=`expr $n + 1`
! 827: if [ $ret != 0 ]; then echo_i "failed"; fi
! 828: status=`expr $status + $ret`
! 829:
! 830: echo_i "checking for activated but unpublished key ($n)"
! 831: ret=0
! 832: id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < activate-now-publish-1day.key`
! 833: $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
! 834: grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
! 835: n=`expr $n + 1`
! 836: if [ $ret != 0 ]; then echo_i "failed"; fi
! 837: status=`expr $status + $ret`
! 838:
! 839: echo_i "checking that standby key does not sign records ($n)"
! 840: ret=0
! 841: id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
! 842: $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
! 843: grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
! 844: n=`expr $n + 1`
! 845: if [ $ret != 0 ]; then echo_i "failed"; fi
! 846: status=`expr $status + $ret`
! 847:
! 848: echo_i "checking that deactivated key does not sign records ($n)"
! 849: ret=0
! 850: id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < inact.key`
! 851: $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
! 852: grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
! 853: n=`expr $n + 1`
! 854: if [ $ret != 0 ]; then echo_i "failed"; fi
! 855: status=`expr $status + $ret`
! 856:
! 857: echo_i "checking insertion of public-only key ($n)"
! 858: ret=0
! 859: id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < nopriv.key`
! 860: file="ns1/`cat nopriv.key`.key"
! 861: keydata=`grep DNSKEY $file`
! 862: $NSUPDATE > /dev/null 2>&1 <<END || status=1
! 863: server 10.53.0.1 ${PORT}
! 864: zone .
! 865: ttl 3600
! 866: update add $keydata
! 867: send
! 868: END
! 869: sleep 1
! 870: $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
! 871: grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
! 872: n=`expr $n + 1`
! 873: if [ $ret != 0 ]; then echo_i "failed"; fi
! 874: status=`expr $status + $ret`
! 875:
! 876: echo_i "checking key deletion ($n)"
! 877: ret=0
! 878: id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < del.key`
! 879: $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
! 880: grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
! 881: n=`expr $n + 1`
! 882: if [ $ret != 0 ]; then echo_i "failed"; fi
! 883: status=`expr $status + $ret`
! 884:
! 885: echo_i "checking secure-to-insecure transition, nsupdate ($n)"
! 886: ret=0
! 887: $NSUPDATE > /dev/null 2>&1 <<END || status=1
! 888: server 10.53.0.3 ${PORT}
! 889: zone secure-to-insecure.example
! 890: update delete secure-to-insecure.example dnskey
! 891: send
! 892: END
! 893: for i in 0 1 2 3 4 5 6 7 8 9; do
! 894: ret=0
! 895: $DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
! 896: egrep '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
! 897: [ $ret -eq 0 ] && break
! 898: echo_i "waiting ... ($i)"
! 899: sleep 2
! 900: done
! 901: n=`expr $n + 1`
! 902: if [ $ret != 0 ]; then echo_i "failed"; fi
! 903: status=`expr $status + $ret`
! 904:
! 905: echo_i "checking secure-to-insecure transition, scheduled ($n)"
! 906: ret=0
! 907: file="ns3/`cat del1.key`.key"
! 908: $SETTIME -I now -D now $file > /dev/null
! 909: file="ns3/`cat del2.key`.key"
! 910: $SETTIME -I now -D now $file > /dev/null
! 911: $RNDCCMD 10.53.0.3 sign secure-to-insecure2.example. 2>&1 | sed 's/^/ns3 /' | cat_i
! 912: for i in 0 1 2 3 4 5 6 7 8 9; do
! 913: ret=0
! 914: $DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
! 915: egrep '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1
! 916: [ $ret -eq 0 ] && break
! 917: echo_i "waiting ... ($i)"
! 918: sleep 2
! 919: done
! 920: n=`expr $n + 1`
! 921: if [ $ret != 0 ]; then echo_i "failed"; fi
! 922: status=`expr $status + $ret`
! 923:
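echo_i "checking that serial number and RRSIGs are both updated (rt21045) ($n)"
ret=0
# +short output holds the SOA rdata (serial in field 3) and, because
# DIGOPTS carries +dnssec, the RRSIG over it (inception in field 6);
# the /SOA/ pattern only matches the RRSIG line
oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`

$KEYGEN -a rsasha1 -3 -q -r $RANDFILE -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null

# the server being told to sign is 10.53.0.3, so label its output "ns3"
$RNDCCMD 10.53.0.3 sign prepub.example 2>&1 | sed 's/^/ns3 /' | cat_i
newserial=$oldserial
try=0
# poll for up to 42 seconds until the serial changes; compare as strings
# (as the final check below does) so that an empty answer from a failed
# dig keeps polling instead of making test(1) error out on "-eq"
while [ "$oldserial" = "$newserial" ] && [ "$try" -lt 42 ]
do
	newserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 |
		 awk '$0 !~ /SOA/ {print $3}'`
	sleep 1
	try=`expr $try + 1`
done
newinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
#echo "$oldserial : $newserial"
#echo "$oldinception : $newinception"

# both the serial and the signature inception must have moved
[ "$oldserial" = "$newserial" ] && ret=1
[ "$oldinception" = "$newinception" ] && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`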
! 950:
! 951: echo_i "preparing to test key change corner cases"
! 952: echo_i "removing a private key file"
! 953: file="ns1/`cat vanishing.key`.private"
! 954: rm -f $file
! 955:
! 956: echo_i "preparing ZSK roll"
! 957: starttime=`$PERL -e 'print time(), "\n";'`
! 958: oldfile=`cat active.key`
! 959: oldid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < active.key`
! 960: newfile=`cat standby.key`
! 961: newid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
! 962: $SETTIME -K ns1 -I now+2s -D now+25 $oldfile > /dev/null
! 963: $SETTIME -K ns1 -i 0 -S $oldfile $newfile > /dev/null
! 964:
! 965: # note previous zone serial number
! 966: oldserial=`$DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}'`
! 967:
! 968: $RNDCCMD 10.53.0.1 loadkeys . 2>&1 | sed 's/^/ns1 /' | cat_i
! 969: sleep 4
! 970:
! 971: echo_i "revoking key to duplicated key ID"
! 972: $SETTIME -R now -K ns2 Kbar.+005+30676.key > /dev/null 2>&1
! 973:
! 974: $RNDCCMD 10.53.0.2 loadkeys bar. 2>&1 | sed 's/^/ns2 /' | cat_i
! 975:
! 976: echo_i "waiting for changes to take effect"
! 977: sleep 5
! 978:
! 979: echo_i "checking former standby key is now active ($n)"
! 980: ret=0
! 981: $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
! 982: grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
! 983: n=`expr $n + 1`
! 984: if [ $ret != 0 ]; then echo_i "failed"; fi
! 985: status=`expr $status + $ret`
! 986:
! 987: echo_i "checking former standby key has only signed incrementally ($n)"
! 988: ret=0
! 989: $DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
! 990: grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
! 991: grep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
! 992: n=`expr $n + 1`
! 993: if [ $ret != 0 ]; then echo_i "failed"; fi
! 994: status=`expr $status + $ret`
! 995:
! 996: echo_i "checking that signing records have been marked as complete ($n)"
! 997: ret=0
! 998: checkprivate . 10.53.0.1 || ret=1
! 999: checkprivate bar 10.53.0.2 || ret=1
! 1000: checkprivate example 10.53.0.2 || ret=1
! 1001: checkprivate private.secure.example 10.53.0.3 || ret=1
! 1002: checkprivate nsec3.example 10.53.0.3 || ret=1
! 1003: checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1
! 1004: checkprivate nsec3.optout.example 10.53.0.3 || ret=1
! 1005: checkprivate nsec3-to-nsec.example 10.53.0.3 || ret=1
! 1006: checkprivate nsec.example 10.53.0.3 || ret=1
! 1007: checkprivate oldsigs.example 10.53.0.3 || ret=1
! 1008: checkprivate optout.example 10.53.0.3 || ret=1
! 1009: checkprivate optout.nsec3.example 10.53.0.3 || ret=1
! 1010: checkprivate optout.optout.example 10.53.0.3 || ret=1
! 1011: checkprivate prepub.example 10.53.0.3 1 || ret=1
! 1012: checkprivate rsasha256.example 10.53.0.3 || ret=1
! 1013: checkprivate rsasha512.example 10.53.0.3 || ret=1
! 1014: checkprivate secure.example 10.53.0.3 || ret=1
! 1015: checkprivate secure.nsec3.example 10.53.0.3 || ret=1
! 1016: checkprivate secure.optout.example 10.53.0.3 || ret=1
! 1017: checkprivate secure-to-insecure2.example 10.53.0.3 || ret=1
! 1018: checkprivate secure-to-insecure.example 10.53.0.3 || ret=1
! 1019: checkprivate ttl1.example 10.53.0.3 || ret=1
! 1020: checkprivate ttl2.example 10.53.0.3 || ret=1
! 1021: checkprivate ttl3.example 10.53.0.3 || ret=1
! 1022: checkprivate ttl4.example 10.53.0.3 || ret=1
! 1023: n=`expr $n + 1`
! 1024: status=`expr $status + $ret`
! 1025:
! 1026: echo_i "forcing full sign"
! 1027: $RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i
! 1028:
! 1029: echo_i "waiting for change to take effect"
! 1030: sleep 5
! 1031:
! 1032: echo_i "checking former standby key has now signed fully ($n)"
! 1033: ret=0
! 1034: $DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
! 1035: grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
! 1036: n=`expr $n + 1`
! 1037: if [ $ret != 0 ]; then echo_i "failed"; fi
! 1038: status=`expr $status + $ret`
! 1039:
! 1040: echo_i "checking SOA serial number has been incremented ($n)"
! 1041: ret=0
! 1042: newserial=`$DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}'`
! 1043: [ "$newserial" != "$oldserial" ] || ret=1
! 1044: n=`expr $n + 1`
! 1045: if [ $ret != 0 ]; then echo_i "failed"; fi
! 1046: status=`expr $status + $ret`
! 1047:
! 1048: echo_i "checking delayed key publication/activation ($n)"
! 1049: ret=0
! 1050: zsk=`cat delayzsk.key`
! 1051: ksk=`cat delayksk.key`
! 1052: # publication and activation times should be unset
! 1053: $SETTIME -K ns3 -pA -pP $zsk | grep -v UNSET > /dev/null 2>&1 && ret=1
! 1054: $SETTIME -K ns3 -pA -pP $ksk | grep -v UNSET > /dev/null 2>&1 && ret=1
! 1055: $DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
! 1056: # DNSKEY not expected:
! 1057: awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
! 1058: n=`expr $n + 1`
! 1059: if [ $ret != 0 ]; then echo_i "failed"; fi
! 1060: status=`expr $status + $ret`
! 1061:
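echo_i "checking scheduled key publication, not activation ($n)"
ret=0
# schedule publication 3 seconds out and explicitly leave activation unset
$SETTIME -K ns3 -P now+3s -A none "$zsk" > /dev/null 2>&1
$SETTIME -K ns3 -P now+3s -A none "$ksk" > /dev/null 2>&1
# the server queried is 10.53.0.3, so label its output "ns3"
$RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns3 /' | cat_i

echo_i "waiting for changes to take effect"
sleep 5

$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
# DNSKEY expected:
awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || ret=1
# RRSIG not expected (published but not yet active keys must not sign):
awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`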
! 1079:
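echo_i "checking scheduled key activation ($n)"
ret=0
# activate both keys 3 seconds out (publication was scheduled above)
$SETTIME -K ns3 -A now+3s "$zsk" > /dev/null 2>&1
$SETTIME -K ns3 -A now+3s "$ksk" > /dev/null 2>&1
# the server queried is 10.53.0.3, so label its output "ns3"
$RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns3 /' | cat_i

echo_i "waiting for changes to take effect"
sleep 5

$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
# DNSKEY expected:
awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.1.test$n || ret=1
# RRSIG expected (the keys are now active):
awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.1.test$n || ret=1
$DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
# A expected:
awk 'BEGIN {r=1} $4=="A" {r=0} END {exit r}' dig.out.ns3.2.test$n || ret=1
# RRSIG expected:
awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.2.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`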
! 1102:
! 1103: echo_i "checking former active key was removed ($n)"
! 1104: #
! 1105: # Work out how long we need to sleep. Allow 4 seconds for the records
! 1106: # to be removed.
! 1107: #
! 1108: now=`$PERL -e 'print time(), "\n";'`
! 1109: sleep=`expr $starttime + 29 - $now`
! 1110: case $sleep in
! 1111: -*|0);;
! 1112: *) echo_i "waiting for timer to have activated"; sleep $sleep;;
! 1113: esac
! 1114: ret=0
! 1115: $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
! 1116: grep '; key id = '"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1
! 1117: n=`expr $n + 1`
! 1118: if [ $ret != 0 ]; then echo_i "failed"; fi
! 1119: status=`expr $status + $ret`
! 1120:
! 1121: echo_i "checking private key file removal caused no immediate harm ($n)"
! 1122: ret=0
! 1123: id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < vanishing.key`
! 1124: $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
! 1125: grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
! 1126: n=`expr $n + 1`
! 1127: if [ $ret != 0 ]; then echo_i "failed"; fi
! 1128: status=`expr $status + $ret`
! 1129:
! 1130: echo_i "checking revoked key with duplicate key ID (failure expected) ($n)"
! 1131: lret=0
! 1132: id=30676
! 1133: $DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || lret=1
! 1134: grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null || lret=1
! 1135: $DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || lret=1
! 1136: grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || lret=1
! 1137: n=`expr $n + 1`
! 1138: if [ $lret != 0 ]; then echo_i "not yet implemented"; fi
! 1139:
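echo_i "checking key event timers are always set ($n)"
# this is a regression test for a bug in which the next key event could
# be scheduled for the present moment, and then never fire. check for
# visible evidence of this error in the logs: given the message layout,
# $1/$2 are the log date and time and $8/$9 the scheduled event's, so
# equality means the event was scheduled for "now".
# reset the per-test result first; without this a failure in the
# preceding test would be reported and counted a second time here
ret=0
awk '/next key event/ {if ($1 == $8 && $2 == $9) exit 1}' */named.run || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`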
! 1148:
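# this confirms that key events are never scheduled more than
# 'dnssec-loadkeys-interval' minutes in the future, and that the
# event scheduled is within 10 seconds of the expected interval.
#
# Arguments: $1 - server directory (e.g. ns1); $1/named.run is read
#            $2 - expected interval in seconds
# Returns:   0 if every "next key event" line is scheduled no more than
#            $2 seconds after its log timestamp and the last one lies in
#            [$2-10, $2]; 1 otherwise. With no matching line at all, x
#            is unset in the END block (compares as 0) and the function
#            returns 1 for any interval above 10 seconds.
#
# Field 2 of a log line is the timestamp (HH:MM:SS.mmm) and field 9 the
# scheduled time (HH:MM:SS); stripping the dots folds the milliseconds
# into the seconds field so the ':'-split yields h:m:sms:h:m:s.
check_interval () {
	awk '/next key event/ {print $2 ":" $9}' "$1"/named.run |
	sed 's/\.//g' |
	awk -F: '
	{
		x = ($6+ $5*60000 + $4*3600000) - ($3+ $2*60000 + $1*3600000);
		# abs(x) < 1000 ms treat as 'now'
		if (x < 1000 && x > -1000)
			x = 0;
		# convert to seconds
		x = x/1000;
		# handle end of day roll over
		if (x < 0)
			x = x + 24*3600;
		# handle log timestamp being a few milliseconds later
		if (x != int(x))
			x = int(x + 1);
		if (int(x) > int(interval))
			exit (1);
	}
	END { if (int(x) > int(interval) || int(x) < int(interval-10)) exit(1) }' interval="$2"
	return $?
}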
! 1175:
! 1176: echo_i "checking automatic key reloading interval ($n)"
! 1177: ret=0
! 1178: check_interval ns1 3600 || ret=1
! 1179: check_interval ns2 1800 || ret=1
! 1180: check_interval ns3 600 || ret=1
! 1181: n=`expr $n + 1`
! 1182: if [ $ret != 0 ]; then echo_i "failed"; fi
! 1183: status=`expr $status + $ret`
! 1184:
! 1185: echo_i "checking for key reloading loops ($n)"
! 1186: ret=0
! 1187: # every key event should schedule a successor, so these should be equal
! 1188: rekey_calls=`grep "reconfiguring zone keys" ns*/named.run | wc -l`
! 1189: rekey_events=`grep "next key event" ns*/named.run | wc -l`
! 1190: [ "$rekey_calls" = "$rekey_events" ] || ret=1
! 1191: n=`expr $n + 1`
! 1192: if [ $ret != 0 ]; then echo_i "failed"; fi
! 1193: status=`expr $status + $ret`
! 1194:
! 1195: echo_i "forcing full sign with unreadable keys ($n)"
! 1196: ret=0
! 1197: chmod 0 ns1/K.+*+*.key ns1/K.+*+*.private || ret=1
! 1198: $RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i
! 1199: $DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
! 1200: grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
! 1201: n=`expr $n + 1`
! 1202: if [ $ret != 0 ]; then echo_i "failed"; fi
! 1203: status=`expr $status + $ret`
! 1204:
! 1205: echo_i "test turning on auto-dnssec during reconfig ($n)"
! 1206: ret=0
! 1207: # first create a zone that doesn't have auto-dnssec
! 1208: $RNDCCMD 10.53.0.3 addzone reconf.example '{ type master; file "reconf.example.db"; };' 2>&1 | sed 's/^/ns3 /' | cat_i
! 1209: rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l`
! 1210: [ "$rekey_calls" -eq 0 ] || ret=1
! 1211: # ...then we add auto-dnssec and reconfigure
! 1212: $RNDCCMD 10.53.0.3 modzone reconf.example '{ type master; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' 2>&1 | sed 's/^/ns3 /' | cat_i
! 1213: $RNDCCMD 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
! 1214: for i in 0 1 2 3 4 5 6 7 8 9; do
! 1215: lret=0
! 1216: rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l`
! 1217: [ "$rekey_calls" -gt 0 ] || lret=1
! 1218: if [ "$lret" -eq 0 ]; then break; fi
! 1219: echo_i "waiting ... ($i)"
! 1220: sleep 1
! 1221: done
! 1222: n=`expr $n + 1`
! 1223: if [ "$lret" != 0 ]; then ret=$lret; fi
! 1224: if [ $ret != 0 ]; then echo_i "failed"; fi
! 1225: status=`expr $status + $ret`
! 1226:
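echo_i "test CDS and CDNSKEY auto generation ($n)"
ret=0
# record a failed query explicitly rather than relying on the empty file
$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n || ret=1
$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n || ret=1
# a CDS with a non-zero key tag and a CDNSKEY with flags 257 must exist
grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null || ret=1
grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null || ret=1
n=`expr $n + 1`
# note: the stale $lret from the reconf.example wait loop is deliberately
# not folded in here; it belongs to that test only
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`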
! 1237:
! 1238: echo_i "test 'dnssec-dnskey-kskonly no' affects DNSKEY/CDS/CDNSKEY ($n)"
! 1239: ret=0
! 1240: $DIG $DIGOPTS @10.53.0.3 sync.example dnskey > dig.out.ns3.dnskeytest$n
! 1241: $DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
! 1242: $DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
! 1243: lines=`awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l`
! 1244: test ${lines:-0} -eq 2 || ret=1
! 1245: lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l`
! 1246: test ${lines:-0} -eq 2 || ret=1
! 1247: lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l`
! 1248: test ${lines:-0} -eq 2 || ret=1
! 1249: n=`expr $n + 1`
! 1250: if [ $ret != 0 ]; then echo_i "failed"; fi
! 1251: status=`expr $status + $ret`
! 1252:
! 1253: echo_i "test 'dnssec-dnskey-kskonly yes' affects DNSKEY/CDS/CDNSKEY ($n)"
! 1254: ret=0
! 1255: $DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey > dig.out.ns3.dnskeytest$n
! 1256: $DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey > dig.out.ns3.cdnskeytest$n
! 1257: $DIG $DIGOPTS @10.53.0.3 kskonly.example cds > dig.out.ns3.cdstest$n
! 1258: lines=`awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l`
! 1259: test ${lines:-0} -eq 1 || ret=1
! 1260: lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l`
! 1261: test ${lines:-0} -eq 1 || ret=1
! 1262: lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l`
! 1263: test ${lines:-0} -eq 1 || ret=1
! 1264: n=`expr $n + 1`
! 1265: if [ $ret != 0 ]; then echo_i "failed"; fi
! 1266: status=`expr $status + $ret`
! 1267:
! 1268: echo_i "setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'"
! 1269: $SETTIME -D sync now+2 `cat sync.key` > /dev/null
! 1270: $RNDCCMD 10.53.0.3 loadkeys sync.example | sed 's/^/ns3 /' | cat_i
! 1271: echo_i "waiting for deletion to occur"
! 1272: sleep 3
! 1273:
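echo_i "checking that the CDS and CDNSKEY are deleted ($n)"
ret=0
# record a failed query explicitly rather than relying on the empty file
$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n || ret=1
$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n || ret=1
# Note - these are looking for absence, hence the &&
grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null && ret=1
grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null && ret=1
n=`expr $n + 1`
# note: the stale $lret from the reconf.example wait loop is deliberately
# not folded in here; it belongs to that test only
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`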
! 1284:
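echo_i "check that dnssec-settime -p Dsync works ($n)"
ret=0
# both steps must set ret=1 on failure: with "|| ret=0" this check could
# never fail, giving no assurance that the CDS/CDNSKEY deletion time is
# readable back from the key file
$SETTIME -p Dsync `cat sync.key` > settime.out.$n || ret=1
grep "SYNC Delete:" settime.out.$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`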
! 1293:
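echo_i "check that dnssec-settime -p Psync works ($n)"
ret=0
# both steps must set ret=1 on failure: with "|| ret=0" this check could
# never fail, giving no assurance that the CDS/CDNSKEY publication time
# is readable back from the key file
$SETTIME -p Psync `cat sync.key` > settime.out.$n || ret=1
grep "SYNC Publish:" settime.out.$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`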
! 1302:
! 1303: echo_i "check that zone with inactive KSK and active ZSK is properly autosigned ($n)"
! 1304: ret=0
! 1305: $DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n
! 1306:
! 1307: zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
! 1308: $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' `
! 1309: pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
! 1310: grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
! 1311:
! 1312: kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
! 1313: $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' `
! 1314: pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${kskid} "
! 1315: grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
! 1316:
! 1317: n=`expr $n + 1`
! 1318: if [ $ret != 0 ]; then echo_i "failed"; fi
! 1319: status=`expr $status + $ret`
! 1320:
! 1321: echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)"
! 1322: ret=0
! 1323: $DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n
! 1324: grep "SOA 7 2" dig.out.ns3.test$n > /dev/null || ret=1
! 1325: n=`expr $n + 1`
! 1326: if [ $ret != 0 ]; then echo_i "failed"; fi
! 1327: status=`expr $status + $ret`
! 1328:
! 1329: #
! 1330: # Check that DNSKEY is now signed with the ZSK.
! 1331: #
! 1332: echo_i "check that zone with active and inactive KSK and active ZSK is properly"
! 1333: echo_i " resigned after the active KSK is deleted - stage 2: Verify that DNSKEY"
! 1334: echo_i " is now signed with the ZSK. ($n)"
! 1335: ret=0
! 1336:
! 1337: $DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
! 1338:
! 1339: zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
! 1340: $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' `
! 1341: pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
! 1342: grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
! 1343:
! 1344: count=`awk 'BEGIN { count = 0 }
! 1345: $4 == "RRSIG" && $5 == "DNSKEY" { count++ }
! 1346: END {print count}' dig.out.ns3.test$n`
! 1347: test $count -eq 1 || ret=1
! 1348:
! 1349: count=`awk 'BEGIN { count = 0 }
! 1350: $4 == "DNSKEY" { count++ }
! 1351: END {print count}' dig.out.ns3.test$n`
! 1352: test $count -eq 2 || ret=1
! 1353:
! 1354: n=`expr $n + 1`
! 1355: if [ $ret != 0 ]; then echo_i "failed"; fi
! 1356: status=`expr $status + $ret`
! 1357:
! 1358: #
! 1359: # Check that zone is now signed with the KSK.
! 1360: #
! 1361: echo_i "check that zone with active and inactive ZSK and active KSK is properly"
! 1362: echo_i " resigned after the active ZSK is deleted - stage 2: Verify that zone"
! 1363: echo_i " is now signed with the KSK. ($n)"
! 1364: ret=0
! 1365: $DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
! 1366: kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
! 1367: $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' `
! 1368: grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
! 1369: count=`awk 'BEGIN { count = 0 }
! 1370: $4 == "RRSIG" && $5 == "CNAME" { count++ }
! 1371: END {print count}' dig.out.ns3.test$n`
! 1372: test $count -eq 1 || ret=1
! 1373: count=`awk 'BEGIN { count = 0 }
! 1374: $4 == "DNSKEY" { count++ }
! 1375: END {print count}' dig.out.ns3.test$n`
! 1376: test $count -eq 2 || ret=1
! 1377: n=`expr $n + 1`
! 1378: if [ $ret != 0 ]; then echo_i "failed"; fi
! 1379: status=`expr $status + $ret`
! 1380:
! 1381: echo_i "exit status: $status"
! 1382: [ $status -eq 0 ] || exit 1