#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Root of the system-test tree.  conf.sh is expected to provide the tool
# variables ($DIG, $DELV, $RNDC, $KEYGEN, $SETTIME, $SIGNER, $REVOKE, $PERL)
# and the helpers used below (echo_i, cat_i, nextpart, rndc_reload,
# copy_setports, keyfile_to_managed_keys) -- none of them are defined in
# this file.
SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

# Shared option strings.  $PORT and $CONTROLPORT come from the environment
# set up for the test run (presumably via conf.sh).
#   RNDCCMD  - rndc using the common control configuration; every caller
#              appends the target server address (10.53.0.N) and the command
#   DELVOPTS - validate against the anchors in ns1/trusted.conf
#   DIGOPTS  - TCP, minimal output sections, DNSSEC records requested
RNDCCMD="$RNDC -c ${SYSTEMTESTTOP}/common/rndc.conf -p $CONTROLPORT -s"
DELVOPTS="-a ns1/trusted.conf -p $PORT"
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p $PORT"

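# Poll the not-yet-read tail of a named log file until a message shows up.
#
# Arguments:
#   $1 - message to wait for; matched as a literal string (not a regex)
#   $2 - log file, read incrementally with nextpart (from conf.sh)
# Side effects:
#   On timeout (10 attempts, one second apart) an echo_i diagnostic is
#   printed and the global "ret" is set to 1, which the calling check folds
#   into "status".  "ret" is left untouched when the message is found.
wait_for_log() {
	msg=$1
	file=$2
	for i in 1 2 3 4 5 6 7 8 9 10; do
		# -F: the messages waited for contain "(", ")" and "." and are
		# meant literally; "--" guards against a message starting with "-".
		nextpart "$file" | grep -F -- "$msg" > /dev/null && return
		sleep 1
	done
	echo_i "exceeded time limit waiting for '$msg' in $file"
	ret=1
}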

# Send "rndc reconfig" to ns<N> (address 10.53.0.N) and relay its output
# through cat_i, each line tagged with the server name.
# Arguments: $1 - server index N
mkeys_reconfig_on() {
	nsidx=$1
	$RNDCCMD 10.53.0.$nsidx reconfig . \
		| sed "s/^/ns$nsidx /" \
		| cat_i
}

# Reload ns<N> via rndc_reload (from conf.sh) and block until named logs
# "loaded serial".  The log position is advanced first (nextpart) so that
# only lines written after this point are examined; wait_for_log sets the
# global "ret" to 1 if the message never arrives.
# Arguments: $1 - server index N
mkeys_reload_on() {
	nsidx=$1
	nextpart "ns$nsidx/named.run" > /dev/null
	rndc_reload "ns$nsidx" "10.53.0.$nsidx"
	wait_for_log "loaded serial" "ns$nsidx/named.run"
}

# Ask ns<N> to re-read the key files for the root zone ("rndc loadkeys .")
# and wait for the "next key event" log line, which is taken here as the
# sign that the key change has been applied.  The log position is advanced
# first so only new lines count; wait_for_log sets "ret" to 1 on timeout.
# Arguments: $1 - server index N
mkeys_loadkeys_on() {
	nsidx=$1
	nextpart "ns$nsidx/named.run" > /dev/null
	$RNDCCMD 10.53.0.$nsidx loadkeys . \
		| sed "s/^/ns$nsidx /" \
		| cat_i
	wait_for_log "next key event" "ns$nsidx/named.run"
}

# Force ns<N> to fetch the root DNSKEY RRset now ("rndc managed-keys
# refresh") and wait until the fetch has completed, signalled by the
# "Returned from key fetch in keyfetch_done()" log line.  The log position
# is advanced first so only new lines count; "ret" becomes 1 on timeout.
# Arguments: $1 - server index N
mkeys_refresh_on() {
	nsidx=$1
	nextpart "ns$nsidx/named.run" > /dev/null
	$RNDCCMD 10.53.0.$nsidx managed-keys refresh \
		| sed "s/^/ns$nsidx /" \
		| cat_i
	wait_for_log "Returned from key fetch in keyfetch_done()" "ns$nsidx/named.run"
}

# Flush ns<N>'s managed-keys zone to disk ("rndc managed-keys sync") so the
# checks can grep ns<N>/managed-keys.bind, and wait for the "dump_done"
# log line.
#
# This cannot race with mkeys_refresh_on(): even if that returns the moment
# its log line is written, the managed-keys zone is still locked at that
# point, and the sync command ends up in dns_zone_flush(), which has to
# take the same zone lock.
# Arguments: $1 - server index N
mkeys_sync_on() {
	nsidx=$1
	nextpart "ns$nsidx/named.run" > /dev/null
	$RNDCCMD 10.53.0.$nsidx managed-keys sync \
		| sed "s/^/ns$nsidx /" \
		| cat_i
	wait_for_log "dump_done" "ns$nsidx/named.run"
}

# Print ns<N>'s "rndc managed-keys status" report on stdout (not prefixed:
# callers redirect it to a file and grep the "keyid:", "trust ..." and
# "next refresh:" lines).
#
# This cannot race with mkeys_refresh_on(): even if that returns the moment
# its log line is written, the managed-keys zone is still locked, and the
# status command goes through mkey_status() -> dns_zone_getrefreshkeytime(),
# which has to take the same zone lock.
# Arguments: $1 - server index N
mkeys_status_on() {
	nsidx=$1
	$RNDCCMD "10.53.0.$nsidx" managed-keys status
}

# Flush ns<N>'s cache ("rndc flush") so the next query has to re-fetch and
# re-validate; output is relayed through cat_i tagged with the server name.
# Arguments: $1 - server index N
mkeys_flush_on() {
	nsidx=$1
	$RNDCCMD 10.53.0.$nsidx flush \
		| sed "s/^/ns$nsidx /" \
		| cat_i
}

# Ask ns<N> to dump its security roots ("rndc secroots"); the checks below
# then read ns<N>/named.secroots.  Output is relayed through cat_i tagged
# with the server name.
# Arguments: $1 - server index N
mkeys_secroots_on() {
	nsidx=$1
	$RNDCCMD 10.53.0.$nsidx secroots \
		| sed "s/^/ns$nsidx /" \
		| cat_i
}

# Key file name and key id of the trust anchor ns2 is configured with at the
# start (written by the test's setup step, presumably; only read here).
# $status accumulates the number of failed checks, $n numbers the checks.
original=`cat ns1/managed.key`
originalid=`cat ns1/managed.key.id`

status=0
n=1

# Discard dig output left over from a previous run.
rm -f dig.out.*

echo_i "check for signed record ($n)"
# Sanity check of the signed data itself: ns1, queried without recursion,
# must return the example TXT record together with its RRSIG, otherwise the
# validation checks below would fail for the wrong reason.
ret=0
$DIG $DIGOPTS +norec example.  @10.53.0.1 TXT > dig.out.ns1.test$n || ret=1
grep "^example\.[ 	]*[0-9].*[ 	]*IN[ 	]*TXT[ 	]*\"This is a test\.\"" dig.out.ns1.test$n > /dev/null || ret=1
grep "^example\.[ 	]*[0-9].*[ 	]*IN[ 	]*RRSIG[ 	]*TXT[ 	]" dig.out.ns1.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check positive validation with valid trust anchor ($n)"
# ns2 is the validating resolver configured with the correct managed key:
# its answer must carry the AD flag and (because of +dnssec) the RRSIG.
ret=0
$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
ret=0
echo_i "check positive validation using delv ($n)"
# Same data validated on the client side: delv uses the anchors in
# ns1/trusted.conf (see DELVOPTS) with ns1 as the upstream server, and
# reports "; fully validated" when the chain checks out.
$DELV $DELVOPTS @10.53.0.1 txt example > delv.out$n || ret=1
grep "; fully validated" delv.out$n > /dev/null || ret=1	# redundant
grep "example..*TXT.*This is a test" delv.out$n > /dev/null || ret=1
grep "example..*.RRSIG..*TXT" delv.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check for failed validation due to wrong key in managed-keys ($n)"
# ns3 is configured with a managed key that does not match ns1's DNSKEY
# RRset.  Validation must fail closed: SERVFAIL, no AD flag, and the
# signed data must not be handed out.
ret=0
$DIG $DIGOPTS +noauth example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
grep "example..*.RRSIG..*TXT" dig.out.ns3.test$n > /dev/null && ret=1
grep "opcode: QUERY, status: SERVFAIL, id" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check new trust anchor can be added ($n)"
ret=0
# Generate a second root key on ns1 and publish it with "rndc loadkeys".
# After ns2 re-fetches the DNSKEY RRset the new key must show up, but only
# as "trust pending": a key seen for the first time is not trusted until
# the add-holddown has elapsed (the RFC 5011 behaviour under test).
standby1=`$KEYGEN -a rsasha256 -qfk -K ns1 .`
mkeys_loadkeys_on 1
mkeys_refresh_on 2
mkeys_status_on 2 > rndc.out.$n 2>&1
# there should be two keys listed now
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# two lines indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# one indicates current trust
count=`grep -c "trusted since" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# one indicates pending trust
count=`grep -c "trust pending" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check new trust anchor can't be added with bad initial key ($n)"
ret=0
# ns3 never had a working anchor, so it cannot validate ns1's DNSKEY RRset
# and therefore must not learn the standby key published in the previous
# check: still exactly one key, and that one marked "no trust".
mkeys_refresh_on 3
mkeys_status_on 3 > rndc.out.$n 2>&1
# there should be one key listed now
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# one line indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# ... and the key is not trusted
count=`grep -c "no trust" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "remove untrusted standby key, check timer restarts ($n)"
ret=0
# Write ns2's managed-keys zone to disk and record the standby key's
# "trust pending" line (timestamp included), then withdraw the key from
# ns1's DNSKEY RRset (-D now) and re-publish.
mkeys_sync_on 2
t1=`grep "trust pending" ns2/managed-keys.bind`
$SETTIME -D now -K ns1 $standby1 > /dev/null
mkeys_loadkeys_on 1
# Less than a second may have passed since the last time ns2 received a
# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
# timestamp to prevent false negatives caused by the acceptance timer getting
# reset to the same timestamp.
sleep 1
mkeys_refresh_on 2
mkeys_sync_on 2
# The key must still be tracked as pending, but with a new timestamp: the
# add-holddown restarts once the key disappears, so withdrawing and
# re-publishing a key cannot shorten the time before it is trusted.
t2=`grep "trust pending" ns2/managed-keys.bind`
# trust pending date must be different
[ -n "$t2" ] || ret=1
[ "$t1" = "$t2" ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
ret=0
echo_i "restore untrusted standby key, revoke original key ($n)"
# Put the standby key back (-D none) and set the REVOKE bit on the current
# trust anchor (-R now).  Both changes go out in one loadkeys.
t1=$t2
$SETTIME -D none -K ns1 $standby1 > /dev/null
$SETTIME -R now -K ns1 $original > /dev/null
mkeys_loadkeys_on 1
# Less than a second may have passed since the last time ns2 received a
# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
# timestamp to prevent false negatives caused by the acceptance timer getting
# reset to the same timestamp.
sleep 1
mkeys_refresh_on 2
mkeys_sync_on 2
mkeys_status_on 2 > rndc.out.$n 2>&1
# two keys listed
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# two lines indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# trust is revoked
count=`grep -c "trust revoked" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# removal scheduled
count=`grep -c "remove at" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# trust is still pending on the standby key
count=`grep -c "trust pending" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# pending date moved forward for the standby key
t2=`grep "trust pending" ns2/managed-keys.bind`
[ -n "$t2" ] || ret=1
[ "$t1" = "$t2" ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
ret=0
echo_i "refresh managed-keys, ensure same result ($n)"
# Nothing changes on ns1 this time.  A further refresh must reproduce the
# state of the previous check (one revoked key with removal scheduled, one
# pending key), and the pending timestamp must again have moved.
t1=$t2
# Less than a second may have passed since the last time ns2 received a
# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
# timestamp to prevent false negatives caused by the acceptance timer getting
# reset to the same timestamp.
sleep 1
mkeys_refresh_on 2
mkeys_sync_on 2
mkeys_status_on 2 > rndc.out.$n 2>&1
# two keys listed
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# two lines indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# trust is revoked
count=`grep -c "trust revoked" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# removal scheduled
count=`grep -c "remove at" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# trust is still pending on the standby key
count=`grep -c "trust pending" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# pending date moved forward for the standby key
t2=`grep "trust pending" ns2/managed-keys.bind`
[ -n "$t2" ] || ret=1
[ "$t1" = "$t2" ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
ret=0
echo_i "restore revoked key, ensure same result ($n)"
# Take the revoked key out of ns1's DNSKEY RRset with the REVOKE bit
# cleared, publish, then bring it back un-revoked and publish again.  ns2
# must keep treating it as revoked and scheduled for removal: once a trust
# anchor has been seen revoked it cannot be reinstated by re-publishing it
# (otherwise a revocation could simply be undone).
t1=$t2
$SETTIME -R none -D now -K ns1 $original > /dev/null
mkeys_loadkeys_on 1
$SETTIME -D none -K ns1 $original > /dev/null
mkeys_loadkeys_on 1
# Less than a second may have passed since the last time ns2 received a
# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
# timestamp to prevent false negatives caused by the acceptance timer getting
# reset to the same timestamp.
sleep 1
mkeys_refresh_on 2
mkeys_sync_on 2
mkeys_status_on 2 > rndc.out.$n 2>&1
# two keys listed
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# two lines indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# trust is revoked
count=`grep -c "trust revoked" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# removal scheduled
count=`grep -c "remove at" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# trust is still pending on the standby key
count=`grep -c "trust pending" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# pending date moved forward for the standby key
t2=`grep "trust pending" ns2/managed-keys.bind`
[ -n "$t2" ] || ret=1
[ "$t1" = "$t2" ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "reinitialize trust anchors, add second key to bind.keys"
# Start ns2 from scratch: stop it, wipe its managed-keys state file(s), and
# configure both the original key and the standby key as initial keys
# (keyfile_to_managed_keys, from conf.sh, turns key files into a
# managed-keys statement).  The log position is advanced before the
# restart so the wait below only sees lines from the new process.
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns2
rm -f ns2/managed-keys.bind*
keyfile_to_managed_keys ns1/$original ns1/$standby1 > ns2/managed.conf
nextpart ns2/named.run > /dev/null
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns2

n=`expr $n + 1`
echo_i "check that no key from bind.keys is marked as an initializing key ($n)"
ret=0
# After the first key fetch neither configured key may still be flagged
# "; initializing" in the secroots dump, i.e. both initial keys have been
# confirmed against ns1's live DNSKEY RRset (presumably).
wait_for_log "Returned from key fetch in keyfetch_done()" ns2/named.run
mkeys_secroots_on 2
grep '; initializing' ns2/named.secroots > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "reinitialize trust anchors, revert to one key in bind.keys"
# Restart ns2 again with a clean state file and ns2/managed1.conf as its
# managed-keys configuration (a single-key configuration, going by the
# message above; its contents are not visible here).
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns2
rm -f ns2/managed-keys.bind*
mv ns2/managed1.conf ns2/managed.conf
nextpart ns2/named.run > /dev/null
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns2

n=`expr $n + 1`
echo_i "check that standby key is now trusted ($n)"
ret=0
# Once the first key fetch has completed, both keys -- the configured one
# and the standby key learned from ns1 -- must be listed as fully trusted
# ("trusted since"), with no pending entry left.
wait_for_log "Returned from key fetch in keyfetch_done()" ns2/named.run
mkeys_status_on 2 > rndc.out.$n 2>&1
# two keys listed
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# two lines indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# both indicate current trust
count=`grep -c "trusted since" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "revoke original key, add new standby ($n)"
ret=0
# Introduce a third key and revoke the original anchor in the same update.
# Expected on ns2: the original key revoked with removal scheduled, standby1
# still trusted, and the brand-new standby2 pending its add-holddown.
standby2=`$KEYGEN -a rsasha256 -qfk -K ns1 .`
$SETTIME -R now -K ns1 $original > /dev/null
mkeys_loadkeys_on 1
mkeys_refresh_on 2
mkeys_status_on 2 > rndc.out.$n 2>&1
# three keys listed
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 3 ] || ret=1
# one is revoked
count=`grep -c "REVOKE" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# three lines indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 3 ] || ret=1
# one indicates current trust
count=`grep -c "trusted since" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# one indicates revoked trust
count=`grep -c "trust revoked" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# one indicates trust pending
count=`grep -c "trust pending" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# removal scheduled
count=`grep -c "remove at" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "revoke standby before it is trusted ($n)"
ret=0
# Publish a fourth key (standby3): ns2 should now track four keys, one
# revoked (the original) and two pending (standby2 and standby3).
standby3=`$KEYGEN -a rsasha256 -qfk -K ns1 .`
mkeys_loadkeys_on 1
mkeys_refresh_on 2
mkeys_status_on 2 > rndc.out.a.$n 2>&1
# four keys listed
count=`grep -c "keyid: " rndc.out.a.$n`
[ "$count" -eq 4 ] || { echo "keyid: count ($count) != 4"; ret=1; }
# one revoked
count=`grep -c "trust revoked" rndc.out.a.$n`
[ "$count" -eq 1 ] || { echo "trust revoked count ($count) != 1"; ret=1; }
# two pending
count=`grep -c "trust pending" rndc.out.a.$n`
[ "$count" -eq 2 ] || { echo "trust pending count ($count) != 2"; ret=1; }
# Revoke standby3 while it is still pending.  A key that was never trusted
# has nothing to revoke, so ns2 must simply drop it rather than keep a
# "trust revoked" entry for it: back to three keys, one revoked, one pending.
$SETTIME -R now -K ns1 $standby3 > /dev/null
mkeys_loadkeys_on 1
mkeys_refresh_on 2
mkeys_status_on 2 > rndc.out.b.$n 2>&1
# now three keys listed
count=`grep -c "keyid: " rndc.out.b.$n`
[ "$count" -eq 3 ] || { echo "keyid: count ($count) != 3"; ret=1; }
# one revoked
count=`grep -c "trust revoked" rndc.out.b.$n`
[ "$count" -eq 1 ] || { echo "trust revoked count ($count) != 1"; ret=1; }
# one pending
count=`grep -c "trust pending" rndc.out.b.$n`
[ "$count" -eq 1 ] || { echo "trust pending count ($count) != 1"; ret=1; }
# Remove standby3 from ns1's DNSKEY RRset again before moving on.
$SETTIME -D now -K ns1 $standby3 > /dev/null
mkeys_loadkeys_on 1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "wait 20 seconds for key add/remove holddowns to expire ($n)"
ret=0
# The servers run with shortened RFC 5011 timers (see the "-T mkeytimers"
# remark further down), so 20 seconds covers both holddowns.  Afterwards
# the revoked original key must have been removed and the pending standby2
# accepted, leaving two keys that are both fully trusted and not revoked.
sleep 20
mkeys_refresh_on 2
mkeys_status_on 2 > rndc.out.$n 2>&1
# two keys listed
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# none revoked
count=`grep -c "REVOKE" rndc.out.$n`
[ "$count" -eq 0 ] || ret=1
# two lines indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# both indicate current trust
count=`grep -c "trusted since" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "revoke all keys, confirm roll to insecure ($n)"
ret=0
# Delete the (already removed) original key from ns1 and revoke both
# remaining trusted keys, leaving ns2 with no usable anchor at all: both
# keys must be reported revoked with removal scheduled.
$SETTIME -D now -K ns1 $original > /dev/null
$SETTIME -R now -K ns1 $standby1 > /dev/null
$SETTIME -R now -K ns1 $standby2 > /dev/null
mkeys_loadkeys_on 1
mkeys_refresh_on 2
mkeys_status_on 2 > rndc.out.$n 2>&1
# two keys listed
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# both revoked
count=`grep -c "REVOKE" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# two lines indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# both indicate trust revoked
count=`grep -c "trust revoked" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# both have removal scheduled
count=`grep -c "remove at" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check for insecure response ($n)"
ret=0
# With every trust anchor revoked ns2 has no anchor for the root and goes
# insecure rather than failing closed: NOERROR without the AD flag.  The
# RRSIG is still returned because +dnssec asked for it; it just is not
# validated.  Note the security consequence: revoking all anchors switches
# validation off on this resolver, it does not make it reject answers.
mkeys_refresh_on 2
$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "reset the root server"
# Put ns1 back to a single, unrevoked key: reinstate $original, delete both
# standby keys, re-sign the root zone and switch ns1 to its second
# configuration (copy_setports, from conf.sh, presumably substitutes the
# port placeholders in named2.conf.in).  The journal is removed so the
# freshly signed file is what gets loaded by the reconfig.
# NOTE(review): the signer's exit status and output are discarded here; a
# signing failure would only surface in the validation check below.
$SETTIME -D none -R none -K ns1 $original > /dev/null
$SETTIME -D now -K ns1 $standby1 > /dev/null
$SETTIME -D now -K ns1 $standby2 > /dev/null
$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null
copy_setports ns1/named2.conf.in ns1/named.conf
rm -f ns1/root.db.signed.jnl
mkeys_reconfig_on 1

echo_i "reinitialize trust anchors"
# Restart ns2 with a clean managed-keys state file.
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns2
rm -f ns2/managed-keys.bind*
nextpart ns2/named.run > /dev/null
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns2

n=`expr $n + 1`
echo_i "check positive validation ($n)"
ret=0
# Once the first key fetch is done, ns2 must validate again (AD flag set).
wait_for_log "Returned from key fetch in keyfetch_done()" ns2/named.run
$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

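n=`expr $n + 1`
echo_i "revoke key with bad signature, check revocation is ignored ($n)"
# A revocation only counts if the DNSKEY RRset carrying the REVOKE bit is
# validly signed by the revoked key itself (the RFC 5011 self-signature
# requirement).  If ns2 honoured a REVOKE bit from an RRset whose signature
# does not verify, anyone able to feed it a forged DNSKEY RRset could strip
# its trust anchors.  To test this, publish a revoked copy of $original
# whose RRSIG is deliberately corrupted and check that ns2's view of the
# key does not change.
ret=0
# dnssec-revoke writes a separate key file pair with the REVOKE bit set
# (cleaned up again in a later check); its key tag differs from $originalid.
revoked=`$REVOKE -K ns1 $original`
# Key tag of the revoked copy, taken from its file name ns1/K.+00A+NNNNN
# with leading zeros stripped.  The pattern assumes a single-digit
# algorithm number ("00."), which holds for the rsasha256 keys used here.
rkeyid=`expr $revoked : 'ns1/K\.+00.+0*\([1-9]*[0-9]*[0-9]\)'`
rm -f ns1/root.db.signed.jnl
# We need to activate at least one valid DNSKEY to prevent dnssec-signzone from
# failing.  Alternatively, we could use -P to disable post-sign verification,
# but we actually do want post-sign verification to happen to ensure the zone
# is correct before we break it on purpose.
$SETTIME -R none -D none -K ns1 $standby1 > /dev/null
# The signed zone is written to signer.out.$n in full output style
# (presumably one record per line, which the sed below relies on).  The
# exit status is checked now: previously a failed post-sign verification
# was silently discarded, defeating the point of running it at all and
# letting the checks below fail for the wrong reason.
$SIGNER -Sg -K ns1 -N unixtime -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>/dev/null || ret=1
cp -f ns1/root.db.signed ns1/root.db.tmp
# Well-formed base64 that is not a valid signature.  It is spliced in as a
# sed replacement with "," as the delimiter, so it must not contain ",",
# "&" or "\" (it does not: only base64 characters and spaces).
BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg=="
# Less than a second may have passed since ns1 was started.  If we call
# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the
# subsequent "rndc reload ." call on platforms which do not set the
# "nanoseconds" field of isc_time_t, due to zone load time being seemingly
# equal to master file modification time.
sleep 1
# On the RRSIG line made with key tag $rkeyid (" $rkeyid ." = the tag
# followed by the signer name "."), replace everything after the signer
# name with the bad signature; every other signature is left intact.
sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n > ns1/root.db.signed
mkeys_reload_on 1
mkeys_refresh_on 2
mkeys_status_on 2 > rndc.out.$n 2>&1
# one key listed
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 1 ] || { echo "'keyid:' count ($count) != 1"; ret=1; }
# it's the original key id
count=`grep -c "keyid: $originalid" rndc.out.$n`
[ "$count" -eq 1 ] || { echo "'keyid: $originalid' count ($count) != 1"; ret=1; }
# not revoked
count=`grep -c "REVOKE" rndc.out.$n`
[ "$count" -eq 0 ] || { echo "'REVOKE' count ($count) != 0"; ret=1; }
# trust is still current
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 1 ] || { echo "'trust' count != 1"; ret=1; }
count=`grep -c "trusted since" rndc.out.$n`
[ "$count" -eq 1 ] || { echo "'trusted since' count != 1"; ret=1; }
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`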

n=`expr $n + 1`
echo_i "check validation fails with bad DNSKEY rrset ($n)"
ret=0
# The root DNSKEY RRset ns1 now serves carries a corrupted RRSIG (previous
# check).  Flush ns2's cache so it has to fetch that RRset afresh; the
# query must then fail closed with SERVFAIL.
mkeys_flush_on 2
$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "status: SERVFAIL" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

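n=`expr $n + 1`
echo_i "restore DNSKEY rrset, check validation succeeds again ($n)"
ret=0
# Undo the "bad signature" setup: remove the revoked copy of $original so
# the smart signer no longer picks it up, reinstate $original, and take
# $standby1 (only activated to keep dnssec-signzone happy) out again.
rm -f "${revoked}.key" "${revoked}.private"
rm -f ns1/root.db.signed.jnl
$SETTIME -D none -R none -K ns1 $original > /dev/null
$SETTIME -D now -K ns1 $standby1 > /dev/null
# Less than a second may have passed since ns1 was started.  If we call
# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the
# subsequent "rndc reload ." call on platforms which do not set the
# "nanoseconds" field of isc_time_t, due to zone load time being seemingly
# equal to master file modification time.
sleep 1
# Re-sign with good signatures.  A signer failure now fails this check
# instead of being masked by the discarded output, which would otherwise
# leave the corrupted zone in place and make the dig below fail obscurely.
$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null || ret=1
mkeys_reload_on 1
# Drop the bad DNSKEY RRset cached by the previous check before querying.
mkeys_flush_on 2
$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`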

n=`expr $n + 1`
echo_i "reset the root server with no keys, check for minimal update ($n)"
ret=0
# Refresh keys first to prevent previous checks from influencing this one.
# Note that we might still get occasional false negatives on some really slow
# machines, when $t1 equals $t2 due to the time elapsed between "rndc
# managed-keys status" calls being equal to the normal active refresh period
# (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as
# set using -T mkeytimers).
mkeys_refresh_on 2
mkeys_status_on 2 > rndc.out.$n 2>&1
t1=`grep 'next refresh:' rndc.out.$n`
# Replace ns1's signed root zone with the unsigned source, i.e. a root with
# no DNSKEY records at all, and restart it.
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns1
rm -f ns1/root.db.signed.jnl
cp ns1/root.db ns1/root.db.signed
nextpart ns1/named.run > /dev/null
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns1
wait_for_log "loaded serial" ns1/named.run
mkeys_refresh_on 2
mkeys_status_on 2 > rndc.out.$n 2>&1
# A fetch that yields no keys must not alter the trust state (the original
# key stays the only, trusted, unrevoked key), but the refresh timer must
# still be rescheduled ("next refresh:" differs from before).
# one key listed
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# it's the original key id
count=`grep -c "keyid: $originalid" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# not revoked
count=`grep -c "REVOKE" rndc.out.$n`
[ "$count" -eq 0 ] || ret=1
# trust is still current
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
count=`grep -c "trusted since" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
t2=`grep 'next refresh:' rndc.out.$n`
[ "$t1" = "$t2" ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "reset the root server with no signatures, check for minimal update ($n)"
ret=0
# Refresh keys first to prevent previous checks from influencing this one
mkeys_refresh_on 2
mkeys_status_on 2 > rndc.out.$n 2>&1
t1=`grep 'next refresh:' rndc.out.$n`
# Append every DNSKEY record from ns1/K*.key to the still-unsigned zone
# left by the previous check: ns1 now publishes DNSKEYs but no RRSIGs.
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns1
rm -f ns1/root.db.signed.jnl
cat ns1/K*.key >> ns1/root.db.signed
nextpart ns1/named.run > /dev/null
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns1
wait_for_log "loaded serial" ns1/named.run
# Less than a second may have passed since the last time ns2 received a
# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
# timestamp to prevent minimal update from resetting it to the same timestamp.
sleep 1
mkeys_refresh_on 2
mkeys_status_on 2 > rndc.out.$n 2>&1
# An unsigned DNSKEY RRset cannot be validated and so must not change the
# trust state either -- a would-be attacker cannot add or revoke anchors by
# serving unsigned keys -- while the refresh timer is still rescheduled.
# one key listed
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# it's the original key id
count=`grep -c "keyid: $originalid" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
# not revoked
count=`grep -c "REVOKE" rndc.out.$n`
[ "$count" -eq 0 ] || ret=1
# trust is still current
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
count=`grep -c "trusted since" rndc.out.$n`
[ "$count" -eq 1 ] || ret=1
t2=`grep 'next refresh:' rndc.out.$n`
[ "$t1" = "$t2" ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

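n=$((n + 1))
echo_i "restore root server, check validation succeeds again ($n)"
ret=0
# Put a properly signed root zone back on ns1.  The journal is removed first so
# that the freshly signed file is what gets loaded.  A signing failure is
# reported as a test failure directly, rather than only indirectly through the
# validation checks further down.
rm -f ns1/root.db.signed.jnl
$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null || ret=1
mkeys_reload_on 1
mkeys_refresh_on 2
# The status output is only kept for diagnostics; validation is the real check.
mkeys_status_on 2 > rndc.out.$n 2>&1
# With the root signed again, ns2 must validate example./TXT: the answer has
# to carry the AD flag and include the RRSIG covering the TXT RRset.
$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))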

n=$((n + 1))
echo_i "check that trust-anchor-telemetry queries are logged ($n)"
ret=0
# ns2 is expected to have sent at least one trust-anchor telemetry query
# (key-tag signaling as in RFC 8145: a NULL query for _ta-<hex key tag>) and
# to have logged doing so.
if ! grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run > /dev/null; then
	ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that trust-anchor-telemetry queries are received ($n)"
ret=0
# The authoritative root server ns1 must have received, and approved, the
# telemetry query sent by ns2; the key tag in the query name is hexadecimal.
if ! grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run > /dev/null; then
	ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check 'rndc-managed-keys destroy' ($n)"
ret=0
# Destroying the managed-keys database must leave ns2 with no view that has
# managed keys at all ...
$RNDCCMD 10.53.0.2 managed-keys destroy | sed 's/^/ns2 /' | cat_i
mkeys_status_on 2 > rndc.out.$n 2>&1
if ! grep "no views with managed keys" rndc.out.$n > /dev/null; then
	ret=1
fi
# ... and a reconfig must re-initialize the anchors from the configuration,
# so that the status output lists the root zone again.
mkeys_reconfig_on 2
mkeys_status_on 2 > rndc.out.$n 2>&1
if ! grep "name: \." rndc.out.$n > /dev/null; then
	ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that trust-anchor-telemetry queries contain the correct key ($n)"
ret=0
# The _ta-<hex> label of the telemetry query carries the key tag of the anchor
# the resolver is using.  Take the first approved query logged by ns1, extract
# the hexadecimal tag, convert it to decimal and compare it with the key tag
# of the managed key reported by 'rndc secroots' on ns2: a mismatch would mean
# the resolver advertises a different anchor than the one it trusts.
tathex=$(grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run \
	| awk '{print $6; exit 0}' \
	| sed -e 's/(_ta-\([0-9a-f][0-9a-f]*\)):/\1/')
tatkey=$($PERL -e 'printf("%d\n", hex(@ARGV[0]));' "$tathex")
realkey=$($RNDCCMD 10.53.0.2 secroots - \
	| sed -n 's#.*SHA256/\([0-9][0-9]*\) ; .*managed.*#\1#p')
# test(1) rejects an empty or non-numeric operand with a non-zero status, so a
# missing tag on either side also counts as a failure here.
[ "$tatkey" -eq "$realkey" ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check initialization fails if managed-keys can't be created ($n)"
ret=0
# ns4 cannot create its managed-keys zone, so its configured anchor has to
# stay in the "initializing" state: it must never show up as a managed or a
# trusted key, i.e. an anchor that was never confirmed against the zone must
# not be used for validation.
mkeys_secroots_on 4
if ! grep '; initializing managed' ns4/named.secroots > /dev/null 2>&1; then
	ret=1
fi
if grep '; managed' ns4/named.secroots > /dev/null 2>&1; then
	ret=1
fi
if grep '; trusted' ns4/named.secroots > /dev/null 2>&1; then
	ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check failure to contact root servers does not prevent key refreshes after restart ($n)"
ret=0
# By the time we get here, ns5 should have attempted refreshing its managed
# keys.  These attempts should fail as ns1 is configured to REFUSE all queries
# from ns5.  Note that named1.args does not contain "-T mkeytimers"; this is to
# ensure key refresh retry will be scheduled to one actual hour after the first
# key refresh failure instead of just a few seconds, in order to prevent races
# between the next scheduled key refresh time and startup time of restarted ns5.
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns5
nextpart ns5/named.run > /dev/null
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns5
wait_for_log "Returned from key fetch in keyfetch_done()" ns5/named.run
# ns5/named.run will contain logs from both the old instance and the new
# instance.  In order for the test to pass, both must attempt a fetch, i.e.
# the earlier failure must not stop the restarted instance from trying again.
count=$(grep -c "Creating key fetch" ns5/named.run)
[ "$count" -ge 2 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check key refreshes are resumed after root servers become available ($n)"
ret=0
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns5
# Prevent previous check from affecting this one: start from an empty
# managed-keys database.
rm -f ns5/managed-keys.bind*
# named2.args adds "-T mkeytimers=2/20/40" to named1.args as we need to wait for
# an "hour" until keys are refreshed again after initial failure
cp ns5/named2.args ns5/named.args
nextpart ns5/named.run > /dev/null
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns5
wait_for_log "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run
# While the anchor cannot be fetched it has to remain in the "initializing"
# state ...
mkeys_secroots_on 5
grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1
# ... and ns1 should still REFUSE queries from ns5, so resolving should be
# impossible.  The resolver must fail closed: no AD flag, no RRSIG, and a
# SERVFAIL status rather than an unvalidated answer.
$DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.a.test$n || ret=1
if grep "flags:.*ad.*QUERY" dig.out.ns5.a.test$n > /dev/null; then
	ret=1
fi
if grep "example..*.RRSIG..*TXT" dig.out.ns5.a.test$n > /dev/null; then
	ret=1
fi
grep "status: SERVFAIL" dig.out.ns5.a.test$n > /dev/null || ret=1
# Allow queries from ns5 to ns1
copy_setports ns1/named3.conf.in ns1/named.conf
rm -f ns1/root.db.signed.jnl
nextpart ns5/named.run > /dev/null
mkeys_reconfig_on 1
wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run
mkeys_secroots_on 5
grep '; managed' ns5/named.secroots > /dev/null || ret=1
# ns1 should no longer REFUSE queries from ns5, so managed keys should be
# correctly refreshed and resolving should succeed: AD flag set, RRSIG
# present, NOERROR status.
$DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1
for pattern in "flags:.*ad.*QUERY" "example..*.RRSIG..*TXT" "status: NOERROR"; do
	grep "$pattern" dig.out.ns5.b.test$n > /dev/null || ret=1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "reinitialize trust anchors, add unsupported algorithm ($n)"
ret=0
# Restart ns6 without a managed-keys database so that its configured anchors
# (one of them, for 'unsupported.', uses an algorithm this build does not
# support) are initialized from scratch.
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6
rm -f ns6/managed-keys.bind*
nextpart ns6/named.run > /dev/null
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6
# log when an unsupported algorithm is encountered during startup: the key is
# ignored instead of being installed as an anchor.  wait_for_log sets ret=1
# if the message does not appear in time.
wait_for_log "ignoring managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

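n=$((n + 1))
echo_i "ignoring unsupported algorithm in managed-keys ($n)"
ret=0
mkeys_status_on 6 > rndc.out.$n 2>&1
# there should still be only two keys listed (for . and rsasha256.): the key
# with the unsupported algorithm must neither be listed as an anchor nor
# disturb the anchors that were accepted
count=$(grep -c "keyid: " rndc.out.$n)
[ "$count" -eq 2 ] || ret=1
# two lines indicating trust status
count=$(grep -c "trust" rndc.out.$n)
[ "$count" -eq 2 ] || ret=1
# Record the verdict: the next check resets ret, so a failure that is not
# reported and folded into status here would be lost.
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))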

n=$((n + 1))
echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)"
ret=0
# Temporarily add a DNSKEY with algorithm number 255 next to the real KSK and
# ZSK, sign the zone with the two real keys only, and restore the original
# zone file afterwards; only the signed output carries the extra key.
cp ns1/root.db ns1/root.db.orig
ksk=$(cat ns1/managed.key)
zsk=$(cat ns1/zone.key)
cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db
# the algorithm-255 key must be present in the unsigned zone ...
grep "\..*IN.*DNSKEY.*257 3 255" ns1/root.db > /dev/null || ret=1
$SIGNER -K ns1 -N unixtime -o . ns1/root.db $ksk $zsk > /dev/null 2>/dev/null || ret=1
# ... and the signer must carry it over into the signed zone
grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1
cp ns1/root.db.orig ns1/root.db
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "ignoring unsupported algorithm in rollover ($n)"
ret=0
# Load the zone that now contains the algorithm-255 DNSKEY on ns1 and make
# ns6 refresh its anchors from it.
mkeys_reload_on 1
mkeys_refresh_on 6
mkeys_status_on 6 > rndc.out.$n 2>&1
# there should still be only two keys listed (for . and rsasha256.): a key
# with an unsupported algorithm seen in the DNSKEY RRset must not be added
# as a new anchor
count=$(grep -c "keyid: " rndc.out.$n)
[ "$count" -eq 2 ] || ret=1
# two lines indicating trust status
count=$(grep -c "trust" rndc.out.$n)
[ "$count" -eq 2 ] || ret=1
# log when an unsupported algorithm is encountered during rollover
# (wait_for_log sets ret=1 if the message does not show up in time)
wait_for_log "Cannot compute tag for key in zone \.: algorithm is unsupported" ns6/named.run
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=`expr $n + 1`
echo_i "check 'rndc managed-keys' and views ($n)"
ret=0