      1 #!/bin/sh
      2 #
      3 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
      4 #
      5 # This Source Code Form is subject to the terms of the Mozilla Public
      6 # License, v. 2.0. If a copy of the MPL was not distributed with this
      7 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
      8 #
      9 # See the COPYRIGHT file distributed with this work for additional
     10 # information regarding copyright ownership.
     11 
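SYSTEMTESTTOP=..
# conf.sh provides the tool variables used below ($DIG, $RNDC, $PERL, ...),
# the helper functions (echo_i, cat_i, digcomp) and PORT/CONTROLPORT.
. "$SYSTEMTESTTOP/conf.sh"

# status: running total of failed checks; n: index of the current check.
status=0
n=0

# Shared argument lists. Both hold several words and are intentionally
# expanded unquoted wherever they are used.
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"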
     20 
     21 # convert private-type records to readable form
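#######################################
# Convert the private-type (TYPE65534) signing-state records of a zone
# into readable form, one line per record.
# Arguments: $1 - zone name
#            $2 - server address to query
# Outputs:   a "-- zone server --" header, then one
#            "signing|removing: alg: A, key: K (complete|incomplete)"
#            line per record, on stdout
#######################################
showprivate () {
    echo "-- $* --"
    # field 3 of the +short output is the hex RDATA of each record
    $DIG $DIGOPTS +nodnssec +short "@$2" -t type65534 "$1" | cut -f3 -d' ' |
        while read -r record; do
            # RDATA layout: algorithm (1), key tag (2), remove flag (1), complete flag (1)
            $PERL -e 'my $rdata = pack("H*", @ARGV[0]);
                die "invalid record" unless length($rdata) == 5;
                my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
                my $action = "signing";
                $action = "removing" if $remove;
                my $state = " (incomplete)";
                $state = " (complete)" if $complete;
                print ("$action: alg: $alg, key: $key$state\n");' "$record"
        done
}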
     36 
     37 # check that signing records are marked as complete
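#######################################
# Check whether the signing records of a zone are all marked complete.
# Arguments: $1 - zone name
#            $2 - server address to query
#            $3 - expected result (optional): 0 = all complete (default),
#                 1 = at least one incomplete record
# Outputs:   on mismatch, the decoded records and "failed"
# Returns:   0 if the observed state matches $3, 1 otherwise
#######################################
checkprivate () {
    _ret=0
    expected="${3:-0}"
    x=$(showprivate "$@")
    # any "(incomplete)" marker in the decoded output flips the result
    printf '%s\n' "$x" | grep incomplete > /dev/null && _ret=1

    if [ "$_ret" = "$expected" ]; then
        return 0
    fi

    echo "$x"
    echo_i "failed"
    return 1
}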
     52 
     53 #
     54 #  The NSEC record at the apex of the zone and its RRSIG records are
     55 #  added as part of the last step in signing a zone.  We wait for the
     56 #  NSEC records to appear before proceeding with a counter to prevent
     57 #  infinite loops if there is a error.
     58 #
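echo_i "waiting for autosign changes to take effect"
# Poll up to 30 times (2s apart) until every zone shows a signed apex NSEC.
i=0
while [ "$i" -lt 30 ]
do
	ret=0
	#
	# Wait for the root DNSKEY RRset to be fully signed.
	#
	$DIG $DIGOPTS . @10.53.0.1 dnskey > "dig.out.ns1.test$n" || ret=1
	grep "ANSWER: 10," "dig.out.ns1.test$n" > /dev/null || ret=1
	for z in .
	do
		$DIG $DIGOPTS "$z" @10.53.0.1 nsec > "dig.out.ns1.test$n" || ret=1
		grep "NS SOA" "dig.out.ns1.test$n" > /dev/null || ret=1
	done
	for z in bar. example. private.secure.example.
	do
		$DIG $DIGOPTS "$z" @10.53.0.2 nsec > "dig.out.ns2.test$n" || ret=1
		grep "NS SOA" "dig.out.ns2.test$n" > /dev/null || ret=1
	done
	for z in bar. example. inacksk2.example. inacksk3.example \
		 inaczsk2.example. inaczsk3.example
	do
		$DIG $DIGOPTS "$z" @10.53.0.3 nsec > "dig.out.ns3.test$n" || ret=1
		grep "NS SOA" "dig.out.ns3.test$n" > /dev/null || ret=1
	done
	i=$((i + 1))
	if [ "$ret" -eq 0 ]; then break; fi
	echo_i "waiting ... ($i)"
	sleep 2
done
n=$((n + 1))
# NOTE(review): every other check reports "failed" on a non-zero ret;
# "done" here looks like a leftover — confirm the intended message.
if [ "$ret" -ne 0 ]; then echo_i "done"; fi
status=$((status + ret))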
     93 
     94 #
     95 # Check that DNSKEY is initially signed with a KSK and not a ZSK.
     96 #
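echo_i "check that zone with active and inactive KSK and active ZSK is properly"
echo_i "  resigned after the active KSK is deleted - stage 1: Verify that DNSKEY"
echo_i "  is initially signed with a KSK and not a ZSK. ($n)"
ret=0

$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > "dig.out.ns3.test$n" || ret=1

# Key tag of the ZSK (DNSKEY flags 256), computed from the DNSKEY RDATA.
zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' "dig.out.ns3.test$n" |
       $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}')
# There must be an RRSIG over DNSKEY (algorithm 7, 2 labels) ...
grep "DNSKEY 7 2 " "dig.out.ns3.test$n" > /dev/null || ret=1

# ... but none of them may carry the ZSK's key tag.
pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
grep "${pattern}" "dig.out.ns3.test$n" > /dev/null && ret=1

# exactly one RRSIG over the DNSKEY RRset
count=$(awk 'BEGIN { count = 0 }
	    $4 == "RRSIG" && $5 == "DNSKEY" { count++ }
	    END {print count}' "dig.out.ns3.test$n")
[ "$count" -eq 1 ] || ret=1

# three DNSKEYs: active KSK, inactive KSK, active ZSK
count=$(awk 'BEGIN { count = 0 }
       $4 == "DNSKEY" { count++ }
       END {print count}' "dig.out.ns3.test$n")
[ "$count" -eq 3 ] || ret=1

# key tag of the key that signed DNSKEY, zero-padded to match the key file name
id=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }' "dig.out.ns3.test$n")

# schedule the active KSK for deletion and have named pick up the change
$SETTIME -D now+5 "ns3/Kinacksk3.example.+007+${id}" > /dev/null 2>&1
$RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i

n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))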
    130 
    131 #
    132 # Check that zone is initially signed with a ZSK and not a KSK.
    133 #
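echo_i "check that zone with active and inactive ZSK and active KSK is properly"
echo_i "  resigned after the active ZSK is deleted - stage 1: Verify that zone"
echo_i "  is initially signed with a ZSK and not a KSK. ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > "dig.out.ns3.test$n" || ret=1
# Key tag of the KSK (DNSKEY flags 257), computed from the DNSKEY RDATA.
kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' "dig.out.ns3.test$n" |
       $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}')
# zone data (the CNAME) must be signed, but not with the KSK's key tag
grep "CNAME 7 3 " "dig.out.ns3.test$n" > /dev/null || ret=1
grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " "dig.out.ns3.test$n" > /dev/null && ret=1
# exactly one RRSIG over the CNAME, three DNSKEYs in the zone
count=$(awk 'BEGIN { count = 0 }
	    $4 == "RRSIG" && $5 == "CNAME" { count++ }
	    END {print count}' "dig.out.ns3.test$n")
[ "$count" -eq 1 ] || ret=1
count=$(awk 'BEGIN { count = 0 }
       $4 == "DNSKEY" { count++ }
       END {print count}' "dig.out.ns3.test$n")
[ "$count" -eq 3 ] || ret=1
# key tag of the ZSK that signed the CNAME, zero-padded to match the key file name
id=$(awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' "dig.out.ns3.test$n")
# schedule the active ZSK for deletion and have named pick up the change
$SETTIME -D now+5 "ns3/Kinaczsk3.example.+007+${id}" > /dev/null 2>&1
$RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))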
    157 
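echo_i "checking NSEC->NSEC3 conversion prerequisites ($n)"
ret=0
# these commands should result in an empty file: neither zone may
# have an NSEC3PARAM yet
$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > "dig.out.ns3.1.test$n" || ret=1
grep "NSEC3PARAM" "dig.out.ns3.1.test$n" > /dev/null && ret=1
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > "dig.out.ns3.2.test$n" || ret=1
grep "NSEC3PARAM" "dig.out.ns3.2.test$n" > /dev/null && ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))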
    168 
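echo_i "checking NSEC3->NSEC conversion prerequisites ($n)"
ret=0
# the zone to be converted back must currently be NSEC3
$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
grep "NSEC3PARAM" "dig.out.ns3.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))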
    176 
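echo_i "converting zones from nsec to nsec3"
# Adding an NSEC3PARAM via dynamic update triggers the NSEC->NSEC3
# conversion; flag 1 in the RDATA (optout.* zones) selects opt-out.
$NSUPDATE > /dev/null 2>&1 <<END || status=1
server 10.53.0.3 ${PORT}
zone nsec3.nsec3.example.
update add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone optout.nsec3.example.
update add optout.nsec3.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
zone nsec3.example.
update add nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone autonsec3.example.
update add autonsec3.example. 3600 NSEC3PARAM 1 0 20 DEAF
send
zone nsec3.optout.example.
update add nsec3.optout.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone optout.optout.example.
update add optout.optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
zone optout.example.
update add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
END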
    202 
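# try to convert nsec.example; this should fail due to non-NSEC key.
# The output is kept in nsupdate.out: a later check greps it for the
# REFUSED status.
echo_i "preset nsec3param in unsigned zone via nsupdate ($n)"
$NSUPDATE > nsupdate.out 2>&1 <<END
server 10.53.0.3 ${PORT}
zone nsec.example.
update add nsec.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
END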
    211 
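echo_i "checking for nsec3param in unsigned zone ($n)"
ret=0
# the NSEC3PARAM must not be published until the zone is signed
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
grep "NSEC3PARAM" "dig.out.ns3.test$n" > /dev/null && ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))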
    219 
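echo_i "checking for nsec3param signing record ($n)"
ret=0
# stdout and stderr are both captured in the file for the grep below
# (a pipe after this redirection would receive nothing).
$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > "signing.out.test$n" 2>&1
grep "Pending NSEC3 chain 1 0 20 DEAF" "signing.out.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))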
    227 
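echo_i "resetting nsec3param via rndc signing ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. > /dev/null 2>&1
$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1
# poll until the new chain is the only pending one
for i in 0 1 2 3 4 5 6 7 8 9; do
	ret=0
	$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > "signing.out.test$n" 2>&1
	grep "Pending NSEC3 chain 1 1 10 BEEF" "signing.out.test$n" > /dev/null || ret=1
	# exactly one pending chain: the cleared one must be gone
	num=$(grep -c "Pending " "signing.out.test$n")
	[ "$num" -eq 1 ] || ret=1
	[ "$ret" -eq 0 ] && break
	echo_i "waiting ... ($i)"
	sleep 2
done
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))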
    245 
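echo_i "signing preset nsec3 zone"
# autozsk.key / autoksk.key hold the key file names; publish and
# activate both keys now, then tell named to reload them
zsk=$(cat autozsk.key)
ksk=$(cat autoksk.key)
$SETTIME -K ns3 -P now -A now "$zsk" > /dev/null 2>&1
$SETTIME -K ns3 -P now -A now "$ksk" > /dev/null 2>&1
$RNDCCMD 10.53.0.3 loadkeys autonsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i

echo_i "waiting for changes to take effect"
sleep 3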
    255 
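echo_i "converting zone from nsec3 to nsec"
# removing the NSEC3PARAM via dynamic update triggers the NSEC3->NSEC conversion
$NSUPDATE > /dev/null 2>&1 << END || status=1
server 10.53.0.3 ${PORT}
zone nsec3-to-nsec.example.
update delete nsec3-to-nsec.example. NSEC3PARAM
send
END

echo_i "waiting for change to take effect"
sleep 3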
    266 
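echo_i "checking that expired RRSIGs from missing key are not deleted ($n)"
ret=0
# key tag of the missing ZSK, taken from its key file name with leading
# zeros stripped (the journal prints the tag without padding)
missing=$(sed 's/^K.*+007+0*\([0-9]\)/\1/' < missingzsk.key)
# Fail if the journal records a deletion of an RRSIG made with that key.
# The match is remembered and used as awk's exit status in END: an
# "exit 1" in the main rule would otherwise be overridden by an
# "END {exit 0}", so the check could never fail.
$JOURNALPRINT ns3/nozsk.example.db.jnl | \
   awk '$1 == "del" && $5 == "RRSIG" && $12 == id { found = 1 } END { exit found }' id="$missing" || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking that expired RRSIGs from inactive key are not deleted ($n)"
ret=0
inactive=$(sed 's/^K.*+007+0*\([0-9]\)/\1/' < inactivezsk.key)
# same check as above for the inactive key's RRSIGs
$JOURNALPRINT ns3/inaczsk.example.db.jnl | \
   awk '$1 == "del" && $5 == "RRSIG" && $12 == id { found = 1 } END { exit found }' id="$inactive" || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))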
    284 
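echo_i "checking that non-replaceable RRSIGs are logged only once (missing private key) ($n)"
ret=0
# $missing is the key tag extracted by the previous check
loglines=$(grep -c "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run)
[ "$loglines" -eq 1 ] || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking that non-replaceable RRSIGs are logged only once (inactive private key) ($n)"
ret=0
# $inactive is the key tag extracted by the previous check
loglines=$(grep -c "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run)
[ "$loglines" -eq 1 ] || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))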
    300 
# Send rndc sync command to ns1, ns2 and ns3, to force the dynamically
# signed zones to be dumped to their zone files
echo_i "dumping zone files"
for ns in 1 2 3; do
	$RNDCCMD "10.53.0.$ns" sync 2>&1 | sed "s/^/ns$ns /" | cat_i
done
    307 
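echo_i "checking expired signatures were updated ($n)"
# retry a few times: the resigning happens asynchronously
for i in 1 2 3 4 5 6 7 8 9
do
	ret=0
	$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
	$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
	digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
	grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
	[ "$ret" -eq 0 ] && break
	sleep 1
done
n=$((n + 1))
# report the result like every other check does
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))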
    321 
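echo_i "checking NSEC->NSEC3 conversion succeeded ($n)"
ret=0
$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > "dig.out.ns3.ok.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns3.ok.test$n" > /dev/null || ret=1
# the validating resolver (ns4) must agree with the authoritative answer
# and set AD on the NXDOMAIN
$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "status: NXDOMAIN" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))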
    334 
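echo_i "checking direct NSEC3 autosigning succeeded ($n)"
ret=0
# the NSEC3PARAM must now be published ...
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > "dig.out.ns3.ok.test$n" || ret=1
[ -s "dig.out.ns3.ok.test$n" ] || ret=1
grep "NSEC3PARAM" "dig.out.ns3.ok.test$n" > /dev/null || ret=1
# ... and a negative answer must validate
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "status: NXDOMAIN" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))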
    348 
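echo_i "checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
ret=0
# nsupdate.out was written by the "preset nsec3param in unsigned zone" step
grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))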
    355 
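echo_i "checking NSEC3->NSEC conversion succeeded ($n)"
ret=0
# this command should result in an empty file: no NSEC3PARAM left
$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > "dig.out.ns3.nx.test$n" || ret=1
grep "NSEC3PARAM" "dig.out.ns3.nx.test$n" > /dev/null && ret=1
$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "status: NXDOMAIN" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))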
    369 
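echo_i "checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. > /dev/null 2>&1
sleep 2
# this command should result in an empty file: no NSEC3PARAM left
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > "dig.out.ns3.nx.test$n" || ret=1
grep "NSEC3PARAM" "dig.out.ns3.nx.test$n" > /dev/null && ret=1
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "status: NXDOMAIN" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))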
    385 
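echo_i "checking TTLs of imported DNSKEYs (no default) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
[ -s "dig.out.ns3.test$n" ] || ret=1
# Every DNSKEY must have TTL 300. The offending lines are collected
# first and only then passed to cat_i: with "awk ... || ret=1 | cat_i"
# the assignment would run in a pipeline subshell and never reach the
# script, so a wrong TTL could not fail the check.
bad=$(awk '$2 != 300 { print "found TTL " $2 }' "dig.out.ns3.test$n")
if [ -n "$bad" ]; then
	ret=1
	printf '%s\n' "$bad" | cat_i
fi
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking TTLs of imported DNSKEYs (with default) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
[ -s "dig.out.ns3.test$n" ] || ret=1
# every DNSKEY must have TTL 60 (see the note in the first TTL check)
bad=$(awk '$2 != 60 { print "found TTL " $2 }' "dig.out.ns3.test$n")
if [ -n "$bad" ]; then
	ret=1
	printf '%s\n' "$bad" | cat_i
fi
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking TTLs of imported DNSKEYs (mismatched) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
[ -s "dig.out.ns3.test$n" ] || ret=1
# every DNSKEY must have TTL 30
bad=$(awk '$2 != 30 { print "found TTL " $2 }' "dig.out.ns3.test$n")
if [ -n "$bad" ]; then
	ret=1
	printf '%s\n' "$bad" | cat_i
fi
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking TTLs of imported DNSKEYs (existing RRset) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
[ -s "dig.out.ns3.test$n" ] || ret=1
# every DNSKEY must keep the existing RRset's TTL of 30
bad=$(awk '$2 != 30 { print "found TTL " $2 }' "dig.out.ns3.test$n")
if [ -n "$bad" ]; then
	ret=1
	printf '%s\n' "$bad" | cat_i
fi
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))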
    421 
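echo_i "checking positive validation NSEC ($n)"
ret=0
# authoritative (ns2) and validating (ns4) answers must match, with AD set
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > "dig.out.ns2.test$n" || ret=1
$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns2.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking positive validation NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking positive validation OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))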
    455 
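echo_i "checking negative validation NXDOMAIN NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > "dig.out.ns2.test$n" || ret=1
$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns2.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "status: NXDOMAIN" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking negative validation NXDOMAIN NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "status: NXDOMAIN" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking negative validation NXDOMAIN OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth q.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth q.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NXDOMAIN" "dig.out.ns4.test$n" > /dev/null || ret=1
# Note - this is looking for failure, hence the &&: an opt-out NXDOMAIN
# is insecure, so the AD bit must not be set
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null && ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))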
    493 
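echo_i "checking negative validation NODATA NSEC ($n)"
ret=0
# a.example. exists but has no TXT: NOERROR with an empty answer, validated
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > "dig.out.ns2.test$n" || ret=1
$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns2.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "ANSWER: 0" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking negative validation NODATA NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. @10.53.0.3 txt > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. @10.53.0.4 txt > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "ANSWER: 0" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking negative validation NODATA OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. @10.53.0.3 txt > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.optout.example. @10.53.0.4 txt > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "ANSWER: 0" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))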
    533 
    534 # Check the insecure.example domain
    535 
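echo_i "checking 1-server insecurity proof NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" > /dev/null || ret=1
# Note - this is looking for failure, hence the &&: the delegation is
# provably insecure, so the answer must not be marked authenticated
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null && ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking 1-server negative insecurity proof NSEC ($n)"
ret=0
$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NXDOMAIN" "dig.out.ns4.test$n" > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null && ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))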
    561 
    562 # Check the secure.example domain
    563 
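# Each "multi-stage" check walks a chain of two zones (parent/child) whose
# denial-of-existence types are named in the message, and expects the
# validator to authenticate the positive answer.
echo_i "checking multi-stage positive validation NSEC/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.secure.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))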
    602 
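echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.secure.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.optout.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))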
    641 
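echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.secure.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.nsec3.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.optout.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" > /dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking empty NODATA OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth empty.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth empty.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" > /dev/null || ret=1
# the AD check is deliberately disabled for this case
#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))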
    693 
# Check the insecure.secure.example domain (insecurity proof)
# Both checks compare ns2's answer with the validator's (ns4) and require
# that the validator does NOT set the AD flag: the name is provably below
# an insecure delegation, so it must be answered as insecure.

echo_i "checking 2-server insecurity proof ($n)"
ret=0
$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
	> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
	> dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# Check a negative response in insecure.secure.example

echo_i "checking 2-server insecurity proof with a negative answer ($n)"
ret=0
$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
	|| ret=1
$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
	|| ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# Query the root for type "key" through the validating ns4: the answer
# must be NOERROR and carry the AD flag.
echo_i "checking security root query ($n)"
ret=0
if ! $DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n; then
	ret=1
fi
for _pat in "NOERROR" "flags:.*ad.*QUERY"; do
	grep "$_pat" dig.out.ns4.test$n > /dev/null || ret=1
done
n=$((n + 1))
[ $ret = 0 ] || echo_i "failed"
status=$((status + ret))

# Positive validation for zones signed with RSASHA256 and RSASHA512.  Only
# the AD flag on the validator's answer is required here; the status line
# is not checked.
echo_i "checking positive validation RSASHA256 NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking positive validation RSASHA512 NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# private.secure.example: a positive answer must validate (AD set), a
# negative answer for a name inside it must not carry AD, while an NXDOMAIN
# for the private2secure-nxdomain name queried with SOA must validate.
echo_i "checking that positive validation in a privately secure zone works ($n)"
ret=0
$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \
	> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking that negative validation in a privately secure zone works ($n)"
ret=0
$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \
	> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking privately secure to nxdomain works ($n)"
ret=0
# single-server check: only the validator is queried
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# Try validating with a revoked trusted key.
# This should fail.
#
# Key-id conventions used by the checks below:
#  - rev.key holds the key id itself and is used verbatim;
#  - the other *.key files hold a key file basename of the form
#    K.+007+NNNNN; the sed expression strips the "K.+007+" prefix and any
#    leading zeros, leaving the bare id as dig prints it;
#  - "+multi" makes dig print a "; key id = N" comment per DNSKEY, which is
#    what the '; key id = ...$' greps look for;
#  - the 'RRSIG.* N \. ' pattern matches an RRSIG whose key tag is N and
#    whose signer name is the root.

echo_i "checking that validation returns insecure due to revoked trusted key ($n)"
ret=0
$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
# an answer must come back, but it must not be marked authenticated
grep "flags:.*; QUERY" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking that revoked key is present ($n)"
ret=0
id=`cat rev.key`
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking that revoked key self-signs ($n)"
ret=0
id=`cat rev.key`
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking for unpublished key ($n)"
ret=0
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < unpub.key`
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
# negative check: the id must NOT appear in the DNSKEY RRset
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking for activated but unpublished key ($n)"
ret=0
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < activate-now-publish-1day.key`
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking that standby key does not sign records ($n)"
ret=0
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking that deactivated key does not sign records  ($n)"
ret=0
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < inact.key`
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking insertion of public-only key ($n)"
ret=0
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < nopriv.key`
file="ns1/`cat nopriv.key`.key"
# the DNSKEY line of the public key file is pushed into the zone via
# nsupdate; a key with no private half must not end up signing anything
keydata=`grep DNSKEY $file`
# an nsupdate failure is recorded straight into status (not ret), so it
# does not print "failed" for this check but still fails the run
$NSUPDATE > /dev/null 2>&1 <<END	|| status=1
server 10.53.0.1 ${PORT}
zone .
ttl 3600
update add $keydata
send
END
sleep 1
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking key deletion ($n)"
ret=0
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < del.key`
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# Two ways of taking a zone from signed to unsigned.  In both cases the
# zone is polled by AXFR (up to 10 times, 2 s apart) until no RRSIG, DNSKEY
# or NSEC/NSEC3 records remain; ret reflects the last attempt.
echo_i "checking secure-to-insecure transition, nsupdate ($n)"
ret=0
# an nsupdate failure goes straight into status: ret is reset on every
# iteration of the polling loop below, so it could not survive there
$NSUPDATE > /dev/null 2>&1 <<END	|| status=1
server 10.53.0.3 ${PORT}
zone secure-to-insecure.example
update delete secure-to-insecure.example dnskey
send
END
for i in 0 1 2 3 4 5 6 7 8 9; do
	ret=0
	$DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
	egrep '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
	[ $ret -eq 0 ] && break
	echo_i "waiting ... ($i)"
	sleep 2
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking secure-to-insecure transition, scheduled ($n)"
ret=0
# both remaining keys are made inactive and deleted as of now, then the
# server is told to re-sign
file="ns3/`cat del1.key`.key"
$SETTIME -I now -D now $file > /dev/null
file="ns3/`cat del2.key`.key"
$SETTIME -I now -D now $file > /dev/null
$RNDCCMD 10.53.0.3 sign secure-to-insecure2.example. 2>&1 | sed 's/^/ns3 /' | cat_i
for i in 0 1 2 3 4 5 6 7 8 9; do
	ret=0
	$DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
	egrep '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1
	[ $ret -eq 0 ] && break
	echo_i "waiting ... ($i)"
	sleep 2
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

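# Regression check (rt21045): after a new key is pre-published and the zone
# re-signed, both the SOA serial and the RRSIG inception time must change.
echo_i "checking that serial number and RRSIGs are both updated (rt21045) ($n)"
ret=0
# "+short soa" output here contains the SOA rdata line (serial in field 3)
# and RRSIG lines mentioning SOA (inception in field 6); the two awk filters
# pick them apart.
oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`

# Pre-publish a key: published immediately (-P 0) but not active for six
# days (-A +6d).
$KEYGEN -a rsasha1 -3 -q -r $RANDFILE -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null

# Log lines are tagged with the server they came from; this command
# targets 10.53.0.3, i.e. ns3.
$RNDCCMD 10.53.0.3 sign prepub.example 2>&1 | sed 's/^/ns3 /' | cat_i
# Poll (up to 42 s) until the serial moves on from the value seen above.
newserial=$oldserial
try=0
while [ "$oldserial" -eq "$newserial" ] && [ "$try" -lt 42 ]
do
	newserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 |
		 awk '$0 !~ /SOA/ {print $3}'`
	sleep 1
	try=`expr $try + 1`
done
newinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
#echo "$oldserial : $newserial"
#echo "$oldinception : $newinception"

# Either value being unchanged is a failure.
[ "$oldserial" = "$newserial" ] && ret=1
[ "$oldinception" = "$newinception" ] && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
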
# Setup for the key-change corner cases checked further down.  Nothing here
# records a result; the effects are verified by the following checks.
echo_i "preparing to test key change corner cases"
echo_i "removing a private key file"
# vanishing.key names a key whose private half is deleted from ns1; a later
# check verifies the server keeps using its existing signatures
file="ns1/`cat vanishing.key`.private"
rm -f $file

echo_i "preparing ZSK roll"
# starttime is the reference point for the timed "former active key was
# removed" check later on
starttime=`$PERL -e 'print time(), "\n";'`
oldfile=`cat active.key`
oldid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < active.key`
newfile=`cat standby.key`
newid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
# the active key becomes inactive in 2 s and is deleted in 25 s; the
# standby key is set up as its successor (-S) with no prepublication
# interval (-i 0)
$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > /dev/null
$SETTIME -K ns1 -i 0 -S $oldfile $newfile > /dev/null

# note previous zone serial number
oldserial=`$DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}'`

$RNDCCMD 10.53.0.1 loadkeys . 2>&1 | sed 's/^/ns1 /' | cat_i
sleep 4

echo_i "revoking key to duplicated key ID"
# the key tag 30676 in this file name is reused by the "duplicate key ID"
# check further down
$SETTIME -R now -K ns2 Kbar.+005+30676.key > /dev/null 2>&1

$RNDCCMD 10.53.0.2 loadkeys bar. 2>&1 | sed 's/^/ns2 /' | cat_i

echo_i "waiting for changes to take effect"
sleep 5

# After the roll: the new key must sign the DNSKEY RRset, but other data
# (TXT at the apex) must still be signed by the old key only, i.e. the new
# key has signed incrementally rather than re-signing the whole zone.
echo_i "checking former standby key is now active ($n)"
ret=0
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking former standby key has only signed incrementally ($n)"
ret=0
$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
grep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# checkprivate prints its own "failed" diagnostic, which is why this check
# has no "failed" line of its own.  The optional third argument (1 for
# prepub.example) inverts the expectation: an incomplete signing record is
# expected there because its new key is pre-published but not yet active.
echo_i "checking that signing records have been marked as complete ($n)"
ret=0
checkprivate . 10.53.0.1 || ret=1
checkprivate bar 10.53.0.2 || ret=1
checkprivate example 10.53.0.2 || ret=1
checkprivate private.secure.example 10.53.0.3 || ret=1
checkprivate nsec3.example 10.53.0.3 || ret=1
checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1
checkprivate nsec3.optout.example 10.53.0.3 || ret=1
checkprivate nsec3-to-nsec.example 10.53.0.3 || ret=1
checkprivate nsec.example 10.53.0.3 || ret=1
checkprivate oldsigs.example 10.53.0.3 || ret=1
checkprivate optout.example 10.53.0.3 || ret=1
checkprivate optout.nsec3.example 10.53.0.3 || ret=1
checkprivate optout.optout.example 10.53.0.3 || ret=1
checkprivate prepub.example 10.53.0.3 1 || ret=1
checkprivate rsasha256.example 10.53.0.3 || ret=1
checkprivate rsasha512.example 10.53.0.3 || ret=1
checkprivate secure.example 10.53.0.3 || ret=1
checkprivate secure.nsec3.example 10.53.0.3 || ret=1
checkprivate secure.optout.example 10.53.0.3 || ret=1
checkprivate secure-to-insecure2.example 10.53.0.3 || ret=1
checkprivate secure-to-insecure.example 10.53.0.3 || ret=1
checkprivate ttl1.example 10.53.0.3 || ret=1
checkprivate ttl2.example 10.53.0.3 || ret=1
checkprivate ttl3.example 10.53.0.3 || ret=1
checkprivate ttl4.example 10.53.0.3 || ret=1
n=`expr $n + 1`
status=`expr $status + $ret`

# A forced full re-sign of the root zone must make the new key sign the
# apex TXT data too, and must bump the SOA serial recorded before the roll.
echo_i "forcing full sign"
$RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i

echo_i "waiting for change to take effect"
sleep 5

echo_i "checking former standby key has now signed fully ($n)"
ret=0
$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking SOA serial number has been incremented ($n)"
ret=0
# only inequality with the earlier value is checked, not a strict increment
newserial=`$DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}'`
[ "$newserial" != "$oldserial" ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

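# Delayed publication/activation on delay.example: first neither key is
# scheduled, then publication is scheduled (DNSKEY appears, no signatures),
# then activation is scheduled (signatures appear).  The awk one-liners exit
# 0 iff some answer line has the given RR type in column 4.
echo_i "checking delayed key publication/activation ($n)"
ret=0
# delayzsk.key / delayksk.key hold the key file names used with -K ns3
zsk=`cat delayzsk.key`
ksk=`cat delayksk.key`
# publication and activation times should be unset
# (if $SETTIME itself fails there is no output, grep -v matches nothing and
# the check passes vacuously)
$SETTIME -K ns3 -pA -pP $zsk | grep -v UNSET > /dev/null 2>&1 && ret=1
$SETTIME -K ns3 -pA -pP $ksk | grep -v UNSET > /dev/null 2>&1 && ret=1
$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
# DNSKEY not expected:
awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking scheduled key publication, not activation ($n)"
ret=0
# publish in 3 s, never activate; the 5 s wait below covers the schedule
$SETTIME -K ns3 -P now+3s -A none $zsk > /dev/null 2>&1
$SETTIME -K ns3 -P now+3s -A none $ksk > /dev/null 2>&1
# the command targets 10.53.0.3, so its output is tagged as ns3
$RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns3 /' | cat_i

echo_i "waiting for changes to take effect"
sleep 5

$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
# DNSKEY expected:
awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || ret=1
# RRSIG not expected:
awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking scheduled key activation ($n)"
ret=0
$SETTIME -K ns3 -A now+3s $zsk > /dev/null 2>&1
$SETTIME -K ns3 -A now+3s $ksk > /dev/null 2>&1
$RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns3 /' | cat_i

echo_i "waiting for changes to take effect"
sleep 5

# two answers are kept (.1 and .2) so both the DNSKEY and the A RRset can
# be inspected afterwards
$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
# DNSKEY expected:
awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.1.test$n || ret=1
# RRSIG expected:
awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.1.test$n || ret=1
$DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
# A expected:
awk 'BEGIN {r=1} $4=="A" {r=0} END {exit r}' dig.out.ns3.2.test$n || ret=1
# RRSIG expected:
awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.2.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking former active key was removed ($n)"
#
# Work out how long we need to sleep. Allow 4 seconds for the records
# to be removed.  (The old key was scheduled for deletion 25 s after
# starttime; 29 = 25 + 4.)
#
now=`$PERL -e 'print time(), "\n";'`
# "sleep" is a plain variable here; it does not shadow the sleep command
sleep=`expr $starttime + 29 - $now`
case $sleep in
-*|0);;
*) echo_i "waiting for timer to have activated"; sleep $sleep;;
esac
ret=0
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
# the old key's id must no longer be listed
grep '; key id = '"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
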
# The key whose private file was deleted earlier must still have its
# existing signature over the DNSKEY RRset served.
echo_i "checking private key file removal caused no immediate harm ($n)"
ret=0
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < vanishing.key`
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# Informational only: the result goes into lret and is never added to
# status, and a failure is reported as "not yet implemented".
echo_i "checking revoked key with duplicate key ID (failure expected) ($n)"
lret=0
# key tag of the Kbar.+005+30676 key revoked during setup
id=30676
$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || lret=1
grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null || lret=1
$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || lret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || lret=1
n=`expr $n + 1`
if [ $lret != 0 ]; then echo_i "not yet implemented"; fi

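echo_i "checking key event timers are always set ($n)"
# reset the per-check result: the check just before this one records its
# outcome in lret, so without this line ret would still hold an earlier
# check's value and a past failure would be counted a second time
ret=0
# this is a regression test for a bug in which the next key event could
# be scheduled for the present moment, and then never fire.  check for
# visible evidence of this error in the logs: a "next key event" line
# whose scheduled date/time (fields 8 and 9) equals the line's own log
# timestamp (fields 1 and 2)
awk '/next key event/ {if ($1 == $8 && $2 == $9) exit 1}' */named.run || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
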
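#######################################
# Confirm from one server's log that key events are never scheduled more
# than the expected 'dnssec-loadkeys-interval' into the future, and that
# the last scheduled event is within 10 seconds of that interval.
#
# Each "next key event" log line carries the log timestamp (field 2,
# HH:MM:SS.mmm) and the scheduled time (field 9, same format).  The dots
# are stripped so that, split on ':', the six fields are H:M:SSmmm for the
# log time followed by H:M:SSmmm for the event time; SSmmm is then already
# a millisecond count.
#
# Arguments: $1 - server directory containing named.run
#            $2 - expected interval, in seconds
# Returns:   0 if every event is within the interval and the last one is
#            no more than 10 s short of it, 1 otherwise.  With an empty log
#            x is 0 in the END block, so the call fails whenever $2 > 10.
#######################################
check_interval () {
	awk '/next key event/ {print $2 ":" $9}' "$1/named.run" |
	sed 's/\.//g' |
	awk -F: -v interval="$2" '
		{
			x = ($6 + $5*60000 + $4*3600000) - ($3 + $2*60000 + $1*3600000);
			# abs(x) < 1000 ms: treat as now
			if (x < 1000 && x > -1000)
				x = 0;
			# convert to seconds
			x = x/1000;
			# handle end of day roll over
			if (x < 0)
				x = x + 24*3600;
			# handle log timestamp being a few milliseconds later
			if (x != int(x))
				x = int(x + 1);
			if (int(x) > int(interval))
				exit (1);
		}
		END { if (int(x) > int(interval) || int(x) < int(interval-10)) exit(1) }'
}
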
# Expected intervals are given in seconds per server (3600/1800/600),
# presumably matching each server's configured dnssec-loadkeys-interval.
echo_i "checking automatic key reloading interval ($n)"
ret=0
check_interval ns1 3600 || ret=1
check_interval ns2 1800 || ret=1
check_interval ns3 600 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "checking for key reloading loops ($n)"
ret=0
# Every "reconfiguring zone keys" log line should be paired with exactly
# one "next key event" line across all servers' logs: each key event is
# expected to schedule its successor, no more and no less.
rekey_calls=$(grep "reconfiguring zone keys" ns*/named.run | wc -l)
rekey_events=$(grep "next key event" ns*/named.run | wc -l)
if [ "$rekey_calls" != "$rekey_events" ]; then
	ret=1
fi
n=$((n + 1))
[ $ret = 0 ] || echo_i "failed"
status=$((status + ret))

# The server must keep answering (NOERROR) for the root DNSKEY after a
# forced re-sign with all of its key files made unreadable.  The file
# permissions are not restored anywhere in the visible part of this script.
echo_i "forcing full sign with unreadable keys ($n)"
ret=0
chmod 0 ns1/K.+*+*.key ns1/K.+*+*.private || ret=1
$RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i
$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# Adding auto-dnssec to an existing zone via modzone + reconfig must start
# key-event scheduling for that zone (visible as "next key event" log
# lines).  The zone is polled for up to 10 s after the reconfig.
echo_i "test turning on auto-dnssec during reconfig ($n)"
ret=0
# first create a zone that doesn't have auto-dnssec
$RNDCCMD 10.53.0.3 addzone reconf.example '{ type master; file "reconf.example.db"; };' 2>&1 | sed 's/^/ns3 /' | cat_i
# no key events may have been scheduled for the plain zone
rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l`
[ "$rekey_calls" -eq 0 ] || ret=1
# ...then we add auto-dnssec and reconfigure
# (auto-dnssec maintain needs a zone that accepts dynamic updates; the
# wide-open "allow-update { any; }" is only acceptable on this isolated
# test network)
$RNDCCMD 10.53.0.3 modzone reconf.example '{ type master; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' 2>&1 | sed 's/^/ns3 /' | cat_i
$RNDCCMD 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
for i in 0 1 2 3 4 5 6 7 8 9; do
    lret=0
    rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l`
    [ "$rekey_calls" -gt 0 ] || lret=1
    if [ "$lret" -eq 0 ]; then break; fi
    echo_i "waiting ... ($i)"
    sleep 1
done
n=`expr $n + 1`
# fold the polling result into this check's result
if [ "$lret" != 0 ]; then ret=$lret; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

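# sync.example must have had CDS and CDNSKEY records published
# automatically: a CDS record for the zone and a CDNSKEY with flags 257.
# The result of this check depends only on these queries; nothing from
# earlier checks is folded in.
echo_i "test CDS and CDNSKEY auto generation ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n || ret=1
$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n || ret=1
grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null || ret=1
grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
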
# With dnssec-dnskey-kskonly off (sync.example) the DNSKEY, CDNSKEY and CDS
# RRsets each carry two RRSIGs; with it on (kskonly.example) each carries
# exactly one.  A failed query leaves an empty file and a count of 0,
# which fails the comparison.
echo_i "test 'dnssec-dnskey-kskonly no' affects DNSKEY/CDS/CDNSKEY ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 sync.example dnskey > dig.out.ns3.dnskeytest$n
$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
# count RRSIG lines (column 4) covering the given type (column 5)
lines=`awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l`
test ${lines:-0} -eq 2 || ret=1
lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l`
test ${lines:-0} -eq 2 || ret=1
lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l`
test ${lines:-0} -eq 2 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "test 'dnssec-dnskey-kskonly yes' affects DNSKEY/CDS/CDNSKEY ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey > dig.out.ns3.dnskeytest$n
$DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey > dig.out.ns3.cdnskeytest$n
$DIG $DIGOPTS @10.53.0.3 kskonly.example cds > dig.out.ns3.cdstest$n
lines=`awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l`
test ${lines:-0} -eq 1 || ret=1
lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l`
test ${lines:-0} -eq 1 || ret=1
lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l`
test ${lines:-0} -eq 1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

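echo_i "setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'"
# Schedule CDS/CDNSKEY deletion two seconds out on the sync key, then make
# the server re-read its key timing.
$SETTIME -D sync now+2 `cat sync.key` > /dev/null
$RNDCCMD 10.53.0.3 loadkeys sync.example | sed 's/^/ns3 /' | cat_i
echo_i "waiting for deletion to occur"
sleep 3

echo_i "checking that the CDS and CDNSKEY are deleted ($n)"
ret=0
# A failed query would leave an empty file, which the negative greps below
# would silently accept, so the dig exit status is checked as well.
$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n || ret=1
$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n || ret=1
grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null && ret=1
grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
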
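# dnssec-settime must be able to print the sync deletion and publication
# times.  Both the command's exit status and the presence of the expected
# output line are required; either failing marks the check as failed.
echo_i "check that dnssec-settime -p Dsync works ($n)"
ret=0
$SETTIME -p Dsync `cat sync.key` > settime.out.$n || ret=1
grep "SYNC Delete:" settime.out.$n >/dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "check that dnssec-settime -p Psync works ($n)"
ret=0
$SETTIME -p Psync `cat sync.key` > settime.out.$n || ret=1
grep "SYNC Publish:" settime.out.$n >/dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
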
# Key-tag extraction used below: the DNSKEY lines of the zone transfer
# (flags 256 = ZSK, 257 = KSK in column 5) are fed to dnssec-dsfromkey,
# whose DS output has the key tag in column 4; "-A" is needed for it to
# accept a ZSK.  An RRSIG line then looks like
# "... RRSIG <type> 7 <labels> <ttl> <expiry> <inception> <keytag> ...",
# which is what the "<type> 7 <labels> [0-9]* [0-9]* [0-9]* <tag> "
# patterns match.
echo_i "check that zone with inactive KSK and active ZSK is properly autosigned ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n

# the DNSKEY RRset must be signed by the ZSK ...
zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
       $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' `
pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1

# ... and NOT by the inactive KSK
kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
       $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' `
pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${kskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1

n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n
# any RRSIG over the SOA (algorithm 7, 2 labels) is sufficient here
grep "SOA 7 2" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

#
# Check that DNSKEY is now signed with the ZSK.
#
echo_i "check that zone with active and inactive KSK and active ZSK is properly"
echo_i "  resigned after the active KSK is deleted - stage 2: Verify that DNSKEY"
echo_i "  is now signed with the ZSK. ($n)"
ret=0

$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n

zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
       $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' `
pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1

# exactly one signature over the DNSKEY RRset (the ZSK's) ...
count=`awk 'BEGIN { count = 0 }
       $4 == "RRSIG" && $5 == "DNSKEY" { count++ }
       END {print count}' dig.out.ns3.test$n`
test $count -eq 1 || ret=1

# ... while two DNSKEYs are still published
count=`awk 'BEGIN { count = 0 }
       $4 == "DNSKEY" { count++ }
       END {print count}' dig.out.ns3.test$n`
test $count -eq 2 || ret=1

n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

#
# Check that zone is now signed with the KSK.
#
echo_i "check that zone with active and inactive ZSK and active KSK is properly"
echo_i "  resigned after the active ZSK is deleted - stage 2: Verify that zone"
echo_i "  is now signed with the KSK. ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
       $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' `
# zone data (a 3-label CNAME) must now be signed by the KSK, once
grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
count=`awk 'BEGIN { count = 0 }
       $4 == "RRSIG" && $5 == "CNAME" { count++ }
       END {print count}' dig.out.ns3.test$n`
test $count -eq 1 || ret=1
count=`awk 'BEGIN { count = 0 }
       $4 == "DNSKEY" { count++ }
       END {print count}' dig.out.ns3.test$n`
test $count -eq 2 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# Report the accumulated failure count and fail the run if it is non-zero.
echo_i "exit status: $status"
case $status in
0) ;;
*) exit 1 ;;
esac