#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Shared system-test configuration.  The tool variables used below
# ($KEYGEN, $SIGNER, $SETTIME, $REVOKE, $CHECKZONE) and the helpers
# echo_i / keyfile_to_key_id are not defined in this file; they are
# expected to come from conf.sh one directory up.
SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

# Running failure count: every check section adds its own ret to it.
status=0

# Parent zone and its unsigned zone file.
pzone=parent.nil
pfile=parent.db

# Child zone below the parent and its unsigned zone file.
czone=child.parent.nil
cfile=child.db

echo_i "generating child's keys"
# NOTE(review): every key here is pinned to rsasha1, which is deprecated
# for signing (RFC 8624) and disabled by the system crypto policy on some
# platforms.  The checks below compare key ids, TTLs and timing metadata,
# so they do not appear to depend on this particular algorithm — confirm
# before changing it.

# active zsk, with an explicit 30s TTL
czsk1=$($KEYGEN -q -a rsasha1 -L 30 "$czone")

# not yet published or active
czsk2=$($KEYGEN -q -a rsasha1 -P none -A none "$czone")

# published but not active
czsk3=$($KEYGEN -q -a rsasha1 -A none "$czone")

# inactive: published and activated yesterday, inactive as of now
czsk4=$($KEYGEN -q -a rsasha1 -P now-24h -A now-24h -I now "$czone")

# active in 12 hours, inactive 12 hours after that...
czsk5=$($KEYGEN -q -a rsasha1 -P now+12h -A now+12h -I now+24h "$czone")

# explicit successor to czsk5
# (suppressing warning about lack of removal date)
czsk6=$($KEYGEN -q -S "$czsk5" -i 6h 2>/dev/null)

# active ksk, with an explicit 30s TTL
cksk1=$($KEYGEN -q -a rsasha1 -fk -L 30 "$czone")

# published but not YET active; its activation time is set with
# $SETTIME further down (now+30s), after all the $KEYGEN runs
cksk2=$($KEYGEN -q -a rsasha1 -fk "$czone")

echo_i "revoking key"
# revoking a key changes its ID, so cksk3 (pre-revocation id) and
# cksk4 (post-revocation id) refer to the same key
cksk3=$($KEYGEN -q -a rsasha1 -fk "$czone")
cksk4=$($REVOKE "$cksk3")

echo_i "setting up sync key"
# not active for a month, but its CDS/CDNSKEY records are published now
cksk5=$($KEYGEN -q -a rsasha1 -fk -P now+1mo -A now+1mo -Psync now "$czone")

echo_i "and future sync key"
# same, but the sync records are also a month away
cksk6=$($KEYGEN -q -a rsasha1 -fk -P now+1mo -A now+1mo -Psync now+1mo "$czone")

echo_i "generating parent keys"
pzsk=$($KEYGEN -q -a rsasha1 "$pzone")
pksk=$($KEYGEN -q -a rsasha1 -fk "$pzone")

echo_i "setting child's activation time"
# using now+30s to fix RT 24561
$SETTIME -A now+30s "$cksk2" > /dev/null

echo_i "signing child zone"
# -e sets the general RRSIG expiry, -X the (later) DNSKEY RRSIG expiry;
# the expiry-date check below relies on the two differing
czoneout=$($SIGNER -Sg -e now+1d -X now+2d -o "$czone" "$cfile")

echo_i "signing parent zone"
pzoneout=$($SIGNER -Sg -o "$pzone" "$pfile")

# Map each generated key file to its key id; the checks below search the
# signed zones and the signzone summaries for these ids.
czactive=$(keyfile_to_key_id "$czsk1")        # active ZSK
czgenerated=$(keyfile_to_key_id "$czsk2")     # ZSK neither published nor active
czpublished=$(keyfile_to_key_id "$czsk3")     # ZSK published, not active
czinactive=$(keyfile_to_key_id "$czsk4")      # ZSK already inactive
czpredecessor=$(keyfile_to_key_id "$czsk5")   # ZSK active in 12h
czsuccessor=$(keyfile_to_key_id "$czsk6")     # successor ZSK to czsk5
ckactive=$(keyfile_to_key_id "$cksk1")        # active KSK
ckpublished=$(keyfile_to_key_id "$cksk2")     # KSK activating in 30s
ckprerevoke=$(keyfile_to_key_id "$cksk3")     # KSK id before revocation
ckrevoked=$(keyfile_to_key_id "$cksk4")       # same KSK, id after revocation

pzid=$(keyfile_to_key_id "$pzsk")
pkid=$(keyfile_to_key_id "$pksk")

echo_i "checking dnssec-signzone output matches expectations"
ret=0
# Parent: one active KSK and one active ZSK, nothing pending or revoked.
for want in 'KSKs: 1 active, 0 stand-by, 0 revoked' \
            'ZSKs: 1 active, 0 stand-by, 0 revoked'; do
  echo "$pzoneout" | grep "$want" > /dev/null || ret=1
done
# Child: the prepublished and revoked KSKs and the two stand-by ZSKs
# generated above must all be counted.
for want in 'KSKs: 1 active, 1 stand-by, 1 revoked' \
            'ZSKs: 1 active, 2 stand-by, 0 revoked'; do
  echo "$czoneout" | grep "$want" > /dev/null || ret=1
done
if [ "$ret" -ne 0 ]; then
  echo_i "parent $pzoneout"
  echo_i "child $czoneout"
  echo_i "failed"
fi
status=$((status + ret))

echo_i "rechecking dnssec-signzone output with -x"
ret=0
# use an alternate output file so -x doesn't interfere with later checks
pzoneout=$($SIGNER -Sxg -o "$pzone" -f "${pfile}2.signed" "$pfile")
czoneout=$($SIGNER -Sxg -e now+1d -X now+2d -o "$czone" -f "${cfile}2.signed" "$cfile")
# Same key counts as before, but the ZSK summary line is expected to
# read "present" rather than "stand-by" in this mode.
for want in 'KSKs: 1 active, 0 stand-by, 0 revoked' \
            'ZSKs: 1 active, 0 present, 0 revoked'; do
  echo "$pzoneout" | grep "$want" > /dev/null || ret=1
done
for want in 'KSKs: 1 active, 1 stand-by, 1 revoked' \
            'ZSKs: 1 active, 2 present, 0 revoked'; do
  echo "$czoneout" | grep "$want" > /dev/null || ret=1
done
if [ "$ret" -ne 0 ]; then
  echo_i "parent $pzoneout"
  echo_i "child $czoneout"
  echo_i "failed"
fi
status=$((status + ret))

echo_i "checking parent zone DNSKEY set"
ret=0
# Both parent keys must show up as "key id = N" in the signed zone file.
if ! grep "key id = $pzid" "$pfile.signed" > /dev/null; then
  ret=1
  echo_i "missing expected parent ZSK id = $pzid"
fi
if ! grep "key id = $pkid" "$pfile.signed" > /dev/null; then
  ret=1
  echo_i "missing expected parent KSK id = $pkid"
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking parent zone DS records"
ret=0
# Collect field 3 of every DS record the parent publishes (presumably the
# key tag — confirm against the signed file layout).
awk '$2 == "DS" {print $3}' "$pfile.signed" > dsset.out
# The active and the prepublished child KSK must each have a DS ...
grep -w "$ckactive" dsset.out > /dev/null || ret=1
grep -w "$ckpublished" dsset.out > /dev/null || ret=1
# ... while the revoked KSK, under either of its ids, must not.
if grep -w "$ckprerevoke" dsset.out > /dev/null; then ret=1; fi
if grep -w "$ckrevoked" dsset.out > /dev/null; then ret=1; fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

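echo_i "checking child zone DNSKEY set"
ret=0

# Fail (ret=1) unless the signed child zone lists key id $1; $2 names the
# key's role in the diagnostic.
expect_child_key() {
  if ! grep "key id = $1\$" "$cfile.signed" > /dev/null; then
    ret=1
    echo_i "missing expected child $2 id = $1"
  fi
}

# Fail (ret=1) if the signed child zone lists key id $1, which it must
# not; $2 names the key's role in the diagnostic.
reject_child_key() {
  if grep "key id = $1\$" "$cfile.signed" > /dev/null; then
    ret=1
    echo_i "found unexpected child $2 id = $1"
  fi
}

# Must be present: active, prepublished and revoked KSKs; active,
# prepublished and inactive ZSKs.
expect_child_key "$ckactive" "KSK"
expect_child_key "$ckpublished" "prepublished KSK"
expect_child_key "$ckrevoked" "revoked KSK"
expect_child_key "$czactive" "ZSK"
expect_child_key "$czpublished" "prepublished ZSK"
expect_child_key "$czinactive" "inactive ZSK"
# Must be absent: the revoked key under its pre-revocation id (cksk3 was
# generated with -fk, so it is a KSK) and the ZSK that is neither
# published nor active.
reject_child_key "$ckprerevoke" "pre-revoke KSK"
reject_child_key "$czgenerated" "generated ZSK"
# The predecessor/successor pair is reported but tolerated for now.
grep "key id = $czpredecessor\$" "$cfile.signed" > /dev/null && {
  echo_i "found unexpected ZSK predecessor id = $czpredecessor (ignored)"
}
grep "key id = $czsuccessor\$" "$cfile.signed" > /dev/null && {
  echo_i "found unexpected ZSK successor id = $czsuccessor (ignored)"
}
#grep "key id = $czpredecessor\$" $cfile.signed > /dev/null && ret=1
#grep "key id = $czsuccessor\$" $cfile.signed > /dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
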
echo_i "checking key TTLs are correct"
ret=0
# Keys generated with -L 30 carry an explicit 30s TTL in their .key file ...
grep "${czone}. 30 IN" "${czsk1}.key" > /dev/null 2>&1 || ret=1
grep "${czone}. 30 IN" "${cksk1}.key" > /dev/null 2>&1 || ret=1
# ... and a key generated without -L carries none.
grep "${czone}. IN" "${czsk2}.key" > /dev/null 2>&1 || ret=1
# $SETTIME -L adds a TTL to an existing key, and -L 0 removes it again.
$SETTIME -L 45 "${czsk2}" > /dev/null
grep "${czone}. 45 IN" "${czsk2}.key" > /dev/null 2>&1 || ret=1
$SETTIME -L 0 "${czsk2}" > /dev/null
grep "${czone}. IN" "${czsk2}.key" > /dev/null 2>&1 || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking key TTLs were imported correctly"
ret=0
# Every DNSKEY in the signed child zone must carry the 30s TTL set on the
# key files; awk exits non-zero on the first record that does not.
awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 30 {r = 1} END {exit r}' \
  "${cfile}.signed" || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "re-signing and checking imported TTLs again"
ret=0
# Lower the TTL on one key and re-sign: afterwards every DNSKEY must
# carry the new 15s TTL.
$SETTIME -L 15 "${czsk2}" > /dev/null
czoneout=$($SIGNER -Sg -e now+1d -X now+2d -o "$czone" "$cfile")
awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 15 {r = 1} END {exit r}' \
  "${cfile}.signed" || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

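# There is some weirdness in Solaris 10 (Generic_120011-14), which
# is why expect_sig/reject_sig below each end with an
# "echo $ret > /dev/null; sync" after the check.
echo_i "checking child zone signatures"
ret=0

# Fail (ret=1) unless key id $1 appears in "$3.sigs", the list of key ids
# that signed the "$3" group ("dnskey" or "other"); $2 is the name used
# for the key in the diagnostic.
expect_sig() {
  if ! grep -w "$1" "$3.sigs" > /dev/null; then
    echo_i "missing $2 $1 ($3)"
    ret=1
  fi
  echo "$ret" > /dev/null
  sync
}

# Fail (ret=1) if key id $1 appears in "$3.sigs"; arguments as above.
reject_sig() {
  if grep -w "$1" "$3.sigs" > /dev/null; then
    echo_i "found $2 $1 ($3)"
    ret=1
  fi
  echo "$ret" > /dev/null
  sync
}

# check DNSKEY signatures first
# (the key tag is presumably on the line following each RRSIG record,
# hence the getline — confirm against the signed file layout)
awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' "$cfile.signed" > dnskey.sigs
# the active and the revoked KSK and the active ZSK must sign the DNSKEY RRset
expect_sig "$ckactive" ckactive dnskey
expect_sig "$ckrevoked" ckrevoked dnskey
expect_sig "$czactive" czactive dnskey
# should not be there:
reject_sig "$ckprerevoke" ckprerevoke dnskey
reject_sig "$ckpublished" ckpublished dnskey
reject_sig "$czpublished" czpublished dnskey
reject_sig "$czinactive" czinactive dnskey
reject_sig "$czgenerated" czgenerated dnskey

# now check the signatures on everything other than DNSKEY/CDNSKEY/CDS
awk '$2 == "RRSIG" && $3 != "DNSKEY" && $3 != "CDNSKEY" && $3 != "CDS" { getline; print $3 }' "$cfile.signed" | sort -un > other.sigs
# should not be there (only the active ZSK may sign ordinary records):
reject_sig "$ckactive" ckactive other
reject_sig "$ckpublished" ckpublished other
reject_sig "$ckprerevoke" ckprerevoke other
reject_sig "$ckrevoked" ckrevoked other
reject_sig "$czpublished" czpublished other
reject_sig "$czinactive" czinactive other
reject_sig "$czgenerated" czgenerated other
reject_sig "$czpredecessor" czpredecessor other
reject_sig "$czsuccessor" czsuccessor other
if [ "$ret" -ne 0 ]; then
  sed 's/^/I:dnskey sigs: /' < dnskey.sigs
  sed 's/^/I:other sigs: /' < other.sigs
  echo_i "failed"
fi
status=$((status + ret))
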
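echo_i "checking RRSIG expiry date correctness"
# Start from a clean slate; ret must not carry over from the previous
# section, or one failure would be counted twice.
ret=0
# Field 9 of an RRSIG record is its expiration time; the first 10
# characters (YYYYMMDDHH) are enough for an integer comparison.
dnskey_expiry=$($CHECKZONE -o - "$czone" "$cfile.signed" 2> /dev/null |
  awk '$4 == "RRSIG" && $5 == "DNSKEY" {print $9; exit}' |
  cut -c1-10)
soa_expiry=$($CHECKZONE -o - "$czone" "$cfile.signed" 2> /dev/null |
  awk '$4 == "RRSIG" && $5 == "SOA" {print $9; exit}' |
  cut -c1-10)
# The child was signed with -e now+1d and -X now+2d, so the DNSKEY RRSIG
# must expire strictly later than the SOA RRSIG.  A missing value (no
# such RRSIG found) is a failure too, rather than a test(1) usage error.
if [ -z "$dnskey_expiry" ] || [ -z "$soa_expiry" ] ||
   [ "$dnskey_expiry" -le "$soa_expiry" ]; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
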
echo_i "waiting 30 seconds for key activation"
# cksk2 was given an activation time of now+30s above.
sleep 30
echo_i "re-signing child zone"
czoneout2=$($SIGNER -Sg -o "$czone" -f "$cfile.new" "$cfile.signed")
mv -- "$cfile.new" "$cfile.signed"

echo_i "checking dnssec-signzone output matches expectations"
ret=0
# The formerly prepublished KSK now counts as active.
echo "$czoneout2" | grep 'KSKs: 2 active, 0 stand-by, 1 revoked' > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking child zone signatures again"
ret=0
# ... and it must now be among the keys that signed the DNSKEY RRset.
awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' "$cfile.signed" > dnskey.sigs
grep -w "$ckpublished" dnskey.sigs > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking sync record publication"
ret=0
# cksk5 was created with -Psync now, so the signed child zone must
# contain CDNSKEY and CDS records (awk exits 0 when one is found).
awk 'BEGIN { r=1 } $2 == "CDNSKEY" { r=0 } END { exit r }' "$cfile.signed" || ret=1
awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' "$cfile.signed" || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# this also checks that the future sync record is not yet published
echo_i "checking sync record deletion"
ret=0
# Delete cksk5's sync records (-Dsync now) and re-sign.  cksk6's sync
# records are still a month away, so no CDNSKEY or CDS may remain.
$SETTIME -P now -A now -Dsync now "${cksk5}" > /dev/null
$SIGNER -Sg -o "$czone" -f "$cfile.new" "$cfile.signed" > /dev/null
mv -- "$cfile.new" "$cfile.signed"
if awk 'BEGIN { r=1 } $2 == "CDNSKEY" { r=0 } END { exit r }' "$cfile.signed"; then
  ret=1
fi
if awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' "$cfile.signed"; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Report the accumulated failure count and exit non-zero if any check failed.
echo_i "exit status: $status"
if [ "$status" -ne 0 ]; then
  exit 1
fi