

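#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# smartsign system test: generates child and parent keys in every
# lifecycle state (active, not yet published, published but inactive,
# inactive, future with an explicit successor, revoked, sync-published),
# signs both zones with dnssec-signzone -S and then checks the signer's
# key summary, the DNSKEY and DS sets, key TTLs, RRSIG coverage and
# expiry, and CDS/CDNSKEY publication and removal.  Every check section
# adds its own $ret to $status; the script exits non-zero if any failed.
#
# $KEYGEN, $SETTIME, $SIGNER, $REVOKE, $CHECKZONE, echo_i and
# keyfile_to_key_id are provided by conf.sh.  The tool variables are
# intentionally left unquoted so that they word-split
# (NOTE(review): conf.sh may define them with extra arguments; confirm
# before quoting them).

SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

# accumulated failure count
status=0

pzone=parent.nil
pfile=parent.db

czone=child.parent.nil
cfile=child.db

echo_i "generating child's keys"
# active zsk (explicit 30-second TTL; the TTL checks below rely on it)
czsk1=$($KEYGEN -q -a rsasha1 -L 30 "$czone")

# not yet published or active
czsk2=$($KEYGEN -q -a rsasha1 -P none -A none "$czone")

# published but not active
czsk3=$($KEYGEN -q -a rsasha1 -A none "$czone")

# inactive
czsk4=$($KEYGEN -q -a rsasha1 -P now-24h -A now-24h -I now "$czone")

# active in 12 hours, inactive 12 hours after that...
czsk5=$($KEYGEN -q -a rsasha1 -P now+12h -A now+12h -I now+24h "$czone")

# explicit successor to czsk5
# (suppressing warning about lack of removal date)
czsk6=$($KEYGEN -q -S "$czsk5" -i 6h 2>/dev/null)

# active ksk (same explicit 30-second TTL as czsk1)
cksk1=$($KEYGEN -q -a rsasha1 -fk -L 30 "$czone")

# published but not YET active; $SETTIME below makes it active in 30 seconds
cksk2=$($KEYGEN -q -a rsasha1 -fk "$czone")
# $SETTIME moved after other $KEYGENs

echo_i "revoking key"
# revoking key changes its ID, so both the pre- and post-revoke ids are kept
cksk3=$($KEYGEN -q -a rsasha1 -fk "$czone")
cksk4=$($REVOKE "$cksk3")

echo_i "setting up sync key"
# CDS/CDNSKEY published now, DNSKEY itself only in a month
cksk5=$($KEYGEN -q -a rsasha1 -fk -P now+1mo -A now+1mo -Psync now "$czone")

echo_i "and future sync key"
cksk6=$($KEYGEN -q -a rsasha1 -fk -P now+1mo -A now+1mo -Psync now+1mo "$czone")

echo_i "generating parent keys"
pzsk=$($KEYGEN -q -a rsasha1 "$pzone")
pksk=$($KEYGEN -q -a rsasha1 -fk "$pzone")

echo_i "setting child's activation time"
# using now+30s to fix RT 24561
$SETTIME -A now+30s "$cksk2" > /dev/null

echo_i "signing child zone"
# -X gives the DNSKEY RRSIGs a later expiry than the other RRSIGs (-e);
# the RRSIG expiry check later in this script depends on that difference
czoneout=$($SIGNER -Sg -e now+1d -X now+2d -o "$czone" "$cfile")

echo_i "signing parent zone"
pzoneout=$($SIGNER -Sg -o "$pzone" "$pfile")

# numeric key ids (key tags) used to look the keys up in the signed zones
czactive=$(keyfile_to_key_id "$czsk1")
czgenerated=$(keyfile_to_key_id "$czsk2")
czpublished=$(keyfile_to_key_id "$czsk3")
czinactive=$(keyfile_to_key_id "$czsk4")
czpredecessor=$(keyfile_to_key_id "$czsk5")
czsuccessor=$(keyfile_to_key_id "$czsk6")
ckactive=$(keyfile_to_key_id "$cksk1")
ckpublished=$(keyfile_to_key_id "$cksk2")
ckprerevoke=$(keyfile_to_key_id "$cksk3")
ckrevoked=$(keyfile_to_key_id "$cksk4")

pzid=$(keyfile_to_key_id "$pzsk")
pkid=$(keyfile_to_key_id "$pksk")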
1.1       christos   90:
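echo_i "checking dnssec-signzone output matches expectations"
ret=0
# dnssec-signzone prints a summary of the key set it used; each zone
# must report exactly the expected active/stand-by/revoked counts
echo "$pzoneout" | grep -q 'KSKs: 1 active, 0 stand-by, 0 revoked' || ret=1
echo "$pzoneout" | grep -q 'ZSKs: 1 active, 0 stand-by, 0 revoked' || ret=1
echo "$czoneout" | grep -q 'KSKs: 1 active, 1 stand-by, 1 revoked' || ret=1
echo "$czoneout" | grep -q 'ZSKs: 1 active, 2 stand-by, 0 revoked' || ret=1
if [ "$ret" -ne 0 ]; then
  echo_i "parent $pzoneout"
  echo_i "child $czoneout"
  echo_i "failed"
fi
status=$((status + ret))

echo_i "rechecking dnssec-signzone output with -x"
ret=0
# use an alternate output file so -x doesn't interfere with later checks
pzoneout=$($SIGNER -Sxg -o "$pzone" -f "${pfile}2.signed" "$pfile")
czoneout=$($SIGNER -Sxg -e now+1d -X now+2d -o "$czone" -f "${cfile}2.signed" "$cfile")
# with -x (DNSKEY RRset signed by KSKs only) the summary reports
# non-active ZSKs as "present" rather than "stand-by"
echo "$pzoneout" | grep -q 'KSKs: 1 active, 0 stand-by, 0 revoked' || ret=1
echo "$pzoneout" | grep -q 'ZSKs: 1 active, 0 present, 0 revoked' || ret=1
echo "$czoneout" | grep -q 'KSKs: 1 active, 1 stand-by, 1 revoked' || ret=1
echo "$czoneout" | grep -q 'ZSKs: 1 active, 2 present, 0 revoked' || ret=1
if [ "$ret" -ne 0 ]; then
  echo_i "parent $pzoneout"
  echo_i "child $czoneout"
  echo_i "failed"
fi
status=$((status + ret))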
                    119:
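echo_i "checking parent zone DNSKEY set"
ret=0
# dnssec-signzone annotates each DNSKEY with a "key id = N" comment
grep -q "key id = $pzid" "$pfile.signed" || {
  ret=1
  echo_i "missing expected parent ZSK id = $pzid"
}
grep -q "key id = $pkid" "$pfile.signed" || {
  ret=1
  echo_i "missing expected parent KSK id = $pkid"
}
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking parent zone DS records"
ret=0
# collect the key tag (field 3) of every DS record the signer imported
awk '$2 == "DS" {print $3}' "$pfile.signed" > dsset.out
grep -qw "$ckactive" dsset.out || ret=1
grep -qw "$ckpublished" dsset.out || ret=1
# revoked key should not be there, hence the &&
grep -qw "$ckprerevoke" dsset.out && ret=1
grep -qw "$ckrevoked" dsset.out && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking child zone DNSKEY set"
ret=0

# child_key_present DESC ID: record a failure (ret=1) unless a DNSKEY
# annotated "key id = ID" is in the signed child zone.  DESC names the
# key in the diagnostic.
child_key_present() {
  if ! grep -q "key id = $2\$" "$cfile.signed"; then
    ret=1
    echo_i "missing expected child $1 id = $2"
  fi
}

# child_key_absent DESC ID: record a failure (ret=1) if a DNSKEY
# annotated "key id = ID" is in the signed child zone.
child_key_absent() {
  if grep -q "key id = $2\$" "$cfile.signed"; then
    ret=1
    echo_i "found unexpected child $1 id = $2"
  fi
}

child_key_present "KSK" "$ckactive"
child_key_present "prepublished KSK" "$ckpublished"
child_key_present "revoked KSK" "$ckrevoked"
child_key_present "ZSK" "$czactive"
child_key_present "prepublished ZSK" "$czpublished"
child_key_present "inactive ZSK" "$czinactive"
# should not be there: the pre-revoke id was replaced by the revoked
# one, and a key with -P none is never published
child_key_absent "pre-revoke KSK" "$ckprerevoke"
child_key_absent "generated ZSK" "$czgenerated"
# predecessor/successor presence is reported but deliberately not
# counted as a failure
if grep -q "key id = $czpredecessor\$" "$cfile.signed"; then
  echo_i "found unexpected ZSK predecessor id = $czpredecessor (ignored)"
fi
if grep -q "key id = $czsuccessor\$" "$cfile.signed"; then
  echo_i "found unexpected ZSK successor id = $czsuccessor (ignored)"
fi
#grep "key id = $czpredecessor\$" $cfile.signed > /dev/null && ret=1
#grep "key id = $czsuccessor\$" $cfile.signed > /dev/null && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))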
                    189:
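echo_i "checking key TTLs are correct"
ret=0
# keys generated with -L carry the TTL on the DNSKEY line of the .key
# file; keys generated without it have no TTL field.  -F matches the
# zone name literally so its dots are not regex wildcards.
grep -qF "${czone}. 30 IN" "${czsk1}.key" 2>/dev/null || ret=1
grep -qF "${czone}. 30 IN" "${cksk1}.key" 2>/dev/null || ret=1
grep -qF "${czone}. IN" "${czsk2}.key" 2>/dev/null || ret=1
# dnssec-settime -L must add a TTL, and -L 0 must remove it again
$SETTIME -L 45 "$czsk2" > /dev/null
grep -qF "${czone}. 45 IN" "${czsk2}.key" 2>/dev/null || ret=1
$SETTIME -L 0 "$czsk2" > /dev/null
grep -qF "${czone}. IN" "${czsk2}.key" 2>/dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking key TTLs were imported correctly"
ret=0
# every DNSKEY in the signed zone must carry the 30-second TTL of the
# key files; awk exits non-zero on the first other TTL
awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 30 {r = 1} END {exit r}' \
  "${cfile}.signed" || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "re-signing and checking imported TTLs again"
ret=0
# after lowering czsk2's TTL to 15 and re-signing, every DNSKEY in the
# signed zone is expected to have TTL 15
$SETTIME -L 15 "$czsk2" > /dev/null
czoneout=$($SIGNER -Sg -e now+1d -X now+2d -o "$czone" "$cfile")
awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 15 {r = 1} END {exit r}' \
  "${cfile}.signed" || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))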
                    217:
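# There is some weirdness in Solaris 10 (Generic_120011-14), which is
# why every signature check below ends with an "echo $ret > /dev/null;
# sync" pair (kept inside the helpers).
echo_i "checking child zone signatures"
ret=0

# sig_expected LABEL ID LISTFILE KIND: record a failure (ret=1) unless
# key tag ID appears in LISTFILE (one signing key tag per line).
# LABEL and KIND only appear in the diagnostic.
sig_expected() {
  sub=0
  grep -qw "$2" "$3" || sub=1
  if [ "$sub" -ne 0 ]; then echo_i "missing $1 $2 ($4)"; ret=1; fi
  echo "$ret" > /dev/null
  sync
}

# sig_unexpected LABEL ID LISTFILE KIND: record a failure (ret=1) if
# key tag ID appears in LISTFILE.
sig_unexpected() {
  sub=0
  grep -qw "$2" "$3" && sub=1
  if [ "$sub" -ne 0 ]; then echo_i "found $1 $2 ($4)"; ret=1; fi
  echo "$ret" > /dev/null
  sync
}

# check DNSKEY signatures first: the key tag of every RRSIG(DNSKEY)
awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' "$cfile.signed" > dnskey.sigs
sig_expected ckactive "$ckactive" dnskey.sigs dnskey
# (the id compared here is the post-revoke one, $ckrevoked)
sig_expected ckrevoked "$ckrevoked" dnskey.sigs dnskey
sig_expected czactive "$czactive" dnskey.sigs dnskey
# should not be there:
sig_unexpected ckprerevoke "$ckprerevoke" dnskey.sigs dnskey
sig_unexpected ckpublished "$ckpublished" dnskey.sigs dnskey
sig_unexpected czpublished "$czpublished" dnskey.sigs dnskey
sig_unexpected czinactive "$czinactive" dnskey.sigs dnskey
sig_unexpected czgenerated "$czgenerated" dnskey.sigs dnskey
# now check the other signatures (everything except DNSKEY/CDNSKEY/CDS)
awk '$2 == "RRSIG" && $3 != "DNSKEY" && $3 != "CDNSKEY" && $3 != "CDS" { getline; print $3 }' "$cfile.signed" | sort -un > other.sigs
# should not be there: no KSK and no non-active ZSK may sign zone data
sig_unexpected ckactive "$ckactive" other.sigs other
sig_unexpected ckpublished "$ckpublished" other.sigs other
sig_unexpected ckprerevoke "$ckprerevoke" other.sigs other
sig_unexpected ckrevoked "$ckrevoked" other.sigs other
sig_unexpected czpublished "$czpublished" other.sigs other
sig_unexpected czinactive "$czinactive" other.sigs other
sig_unexpected czgenerated "$czgenerated" other.sigs other
sig_unexpected czpredecessor "$czpredecessor" other.sigs other
sig_unexpected czsuccessor "$czsuccessor" other.sigs other
if [ "$ret" -ne 0 ]; then
  sed 's/^/I:dnskey sigs: /' < dnskey.sigs
  sed 's/^/I:other sigs: /' < other.sigs
  echo_i "failed"
fi
status=$((status + ret))

echo_i "checking RRSIG expiry date correctness"
# reset here, otherwise a failure of the previous section is counted twice
ret=0
# named-checkzone -o - prints one record per line as
# "owner TTL class type rdata...", so for an RRSIG the covered type is
# field 5 and the expiry time (YYYYMMDDHHMMSS) is field 9; only the
# leading YYYYMMDDHH part is compared
dnskey_expiry=$($CHECKZONE -o - "$czone" "$cfile.signed" 2>/dev/null |
  awk '$4 == "RRSIG" && $5 == "DNSKEY" {print $9; exit}' |
  cut -c1-10)
soa_expiry=$($CHECKZONE -o - "$czone" "$cfile.signed" 2>/dev/null |
  awk '$4 == "RRSIG" && $5 == "SOA" {print $9; exit}' |
  cut -c1-10)
# the child was signed with -X now+2d for DNSKEY and -e now+1d for the
# rest, so the DNSKEY RRSIG must expire strictly later than the SOA's;
# a missing record (empty value) is a failure as well
if [ -z "$dnskey_expiry" ] || [ -z "$soa_expiry" ] ||
   [ "$dnskey_expiry" -le "$soa_expiry" ]; then
  ret=1
fi
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))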
                    329:
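echo_i "waiting 30 seconds for key activation"
# cksk2 was set to activate at now+30s when its time was configured above
sleep 30
echo_i "re-signing child zone"
czoneout2=$($SIGNER -Sg -o "$czone" -f "$cfile.new" "$cfile.signed")
mv "$cfile.new" "$cfile.signed"

echo_i "checking dnssec-signzone output matches expectations"
ret=0
# the formerly stand-by KSK is now active: 2 active, 0 stand-by
echo "$czoneout2" | grep -q 'KSKs: 2 active, 0 stand-by, 1 revoked' || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking child zone signatures again"
ret=0
# the newly activated KSK must now sign the DNSKEY RRset
awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' "$cfile.signed" > dnskey.sigs
grep -qw "$ckpublished" dnskey.sigs || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking sync record publication"
ret=0
# each awk exits 0 only if at least one record of the given type exists
awk 'BEGIN { r=1 } $2 == "CDNSKEY" { r=0 } END { exit r }' "$cfile.signed" || ret=1
awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' "$cfile.signed" || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# this also checks that the future sync record is not yet published
echo_i "checking sync record deletion"
ret=0
# publish/activate cksk5 now but schedule its CDS/CDNSKEY for deletion;
# after re-signing no sync records may remain
$SETTIME -P now -A now -Dsync now "$cksk5" > /dev/null
$SIGNER -Sg -o "$czone" -f "$cfile.new" "$cfile.signed" > /dev/null
mv "$cfile.new" "$cfile.signed"
awk 'BEGIN { r=1 } $2 == "CDNSKEY" { r=0 } END { exit r }' "$cfile.signed" && ret=1
awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' "$cfile.signed" && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1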
