#!/bin/sh
#
# Copyright (C) 2009, 2011-2014, 2016  Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

# $Id: tests.sh,v 1.9 2011/07/08 01:43:26 each Exp $

# The shared system-test configuration lives one directory up; it is expected
# to provide the tool variables used below ($SETTIME, $SIGNER, $KEYGEN,
# $GENRANDOM, $RANDFILE).
SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

# Parent and child zones under test, with their (unsigned) zone files.
pzone=parent.nil
pfile=parent.db
czone=child.parent.nil
cfile=child.db

# Running failure count and the number of the next test case.
status=0
n=0

# The "rolling" standby KSK is scheduled to become active 15 seconds from
# now; the re-signing check after the 20-second sleep below depends on this.
echo "I:setting key timers"
$SETTIME -A now+15s "$(cat rolling.key)" > /dev/null

# Each *.key file names one generated key file, "K<zone>.+005+<id>" (algorithm
# 5).  Reduce that to the bare key id with leading zeros dropped, so it can be
# matched against the ids printed in the signed zone.
keyid_pat="s/^K${czone}.+005+0*\([0-9]\)/\1/"
inact=$(sed "$keyid_pat" < inact.key)
ksk=$(sed "$keyid_pat" < ksk.key)
pending=$(sed "$keyid_pat" < pending.key)
postrev=$(sed "$keyid_pat" < postrev.key)
prerev=$(sed "$keyid_pat" < prerev.key)
rolling=$(sed "$keyid_pat" < rolling.key)
standby=$(sed "$keyid_pat" < standby.key)
zsk=$(sed "$keyid_pat" < zsk.key)

# Pre-generate the randomness consumed by the keygen steps below (-r $RANDFILE).
$GENRANDOM 800 "$RANDFILE"

# Smart-sign (-S: select keys from their timing metadata) both zones.  The
# child is signed first so that the parent's -g pass can generate the DS
# records for it; the parent's signed file is checked for those DS records
# later on.
echo "I:signing zones"
$SIGNER -Sg -o "$czone" "$cfile" > /dev/null 2>&1
$SIGNER -Sg -o "$pzone" "$pfile" > /dev/null 2>&1

# Extract "<covered type> <key id>" for every RRSIG in the signed child zone
# made by one of the child's own keys.  Assumes dnssec-signzone's two-line
# RRSIG layout: the record line carries the covered type in field 3, and the
# continuation line carries the key id in field 3 and the signer name in
# field 4.
awk -v zone="$czone" '$2 ~ /RRSIG/ {
	covered = $3;
	getline;
	if ($4 ~ zone) {
		print covered, $3;
	}
}' < "${cfile}.signed" > sigs

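# Extract "<flags> <key id>" for every DNSKEY in the signed child zone.  The
# key id comes from the "; key id = NNNNN" comment dnssec-signzone writes after
# each DNSKEY record, so scan forward from the DNSKEY line until that comment
# appears.  getline returns 0 at end of input (-1 on error) without changing
# $0, so a DNSKEY with no following comment would otherwise spin forever;
# stop instead of emitting a bogus id.
awk '$2 ~ /DNSKEY/ {
	flags = $3;
	while ($0 !~ /key id =/) {
		if ((getline) <= 0) exit;
	}
	print flags, $NF;
}' < "${cfile}.signed" > keys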

# Assertions against the extracted "sigs" (RRSIG type + key id) and "keys"
# (DNSKEY flags + key id) lists.  Each check prints its case number, leaves
# ret at 0 unless an expectation fails, and folds ret into the running status.

echo "I:checking that KSK signed DNSKEY only ($n)"
ret=0
# A KSK covers the DNSKEY RRset and nothing else; SOA stands in for zone data.
grep -q "DNSKEY ${ksk}\$" sigs || ret=1
grep -q "SOA ${ksk}\$" sigs && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo "I:failed"
status=$((status + ret))

echo "I:checking that ZSK signed ($n)"
ret=0
grep -q "SOA ${zsk}\$" sigs || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo "I:failed"
status=$((status + ret))

echo "I:checking that standby ZSK did not sign ($n)"
ret=0
# A standby key (published but not yet active) must appear in no signature.
grep -q " ${standby}\$" sigs && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo "I:failed"
status=$((status + ret))

echo "I:checking that inactive key did not sign ($n)"
ret=0
grep -q " ${inact}\$" sigs && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo "I:failed"
status=$((status + ret))

echo "I:checking that pending key was not published ($n)"
ret=0
# Publication time still in the future: the key must be absent from the
# DNSKEY RRset.
grep -q " ${pending}\$" keys && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo "I:failed"
status=$((status + ret))

echo "I:checking that standby KSK did not sign but is delegated ($n)"
ret=0
# The rolling KSK is published and has a DS in the parent's signed zone, but
# is not yet active and so must not have produced any signature.
grep -q " ${rolling}\$" sigs && ret=1
grep -q " ${rolling}\$" keys || ret=1
grep -E -q "DS[ 	]*${rolling}[ 	]" "${pfile}.signed" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo "I:failed"
status=$((status + ret))

echo "I:checking that key was revoked ($n)"
ret=0
# Setting the REVOKE flag changes the key's flags field and hence its key id:
# the pre-revocation id must be gone and the post-revocation id present.
grep -q " ${prerev}\$" keys && ret=1
grep -q " ${postrev}\$" keys || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo "I:failed"
status=$((status + ret))

echo "I:checking that revoked key self-signed ($n)"
ret=0
# A revoked key still signs the DNSKEY RRset (that is how validators learn of
# the revocation) but must sign nothing else.
grep -q "DNSKEY ${postrev}\$" sigs || ret=1
grep -q "SOA ${postrev}\$" sigs && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo "I:failed"
status=$((status + ret))

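# The rolling KSK was given an activation time of now+15s above, so after this
# pause a smart re-signing run must treat it as an active KSK.
echo "I:waiting 20 seconds for key changes to occur"
sleep 20

echo "I:re-signing zone"
$SIGNER -Sg -o "$czone" -f "${cfile}.new" "${cfile}.signed" > /dev/null 2>&1

echo "I:checking that standby KSK is now active ($n)"
ret=0
# Rebuild the signature list from the re-signed output.  The existing "sigs"
# file was extracted from ${cfile}.signed before the re-sign and cannot
# reflect the newly activated key; same two-line RRSIG layout as above.
awk -v zone="$czone" '$2 ~ /RRSIG/ {
	type = $3;
	getline;
	if ($4 ~ zone) {
		print type, $3;
	}
}' < "${cfile}.new" > sigs
# An active KSK must have signed the DNSKEY RRset, so assert presence.
grep -q "DNSKEY ${rolling}\$" sigs || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo "I:failed"
status=$((status + ret))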

echo "I:checking update of an old-style key ($n)"
ret=0
# An old-style key file carries no timing metadata, so asking settime to
# print it (-pall) must fail ...
$SETTIME -pall "$(cat oldstyle.key)" > /dev/null 2>&1 && ret=1
# ... until -f forces the key file to be rewritten in the current format,
# after which the metadata is readable.
$SETTIME -f "$(cat oldstyle.key)" > /dev/null 2>&1 || ret=1
$SETTIME -pall "$(cat oldstyle.key)" > /dev/null 2>&1 || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo "I:failed"
status=$((status + ret))

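echo "I:checking warning about permissions change on key with dnssec-settime ($n)"
# "uname -o" is a GNU/Cygwin extension; where it is unsupported it prints
# nothing, so the result is quoted to keep the test well-formed.  The
# comparison uses the POSIX "=" because this script runs under /bin/sh, where
# "==" is not a valid test operator.
if [ "$(uname -o 2>/dev/null)" = Cygwin ]; then
	echo "I: Cygwin detected, skipping"
else
	ret=0
	# Deliberately loosen the .private file (the secret key material, normally
	# owner-readable only) so that settime has a permissions problem to report.
	chmod 644 "$(cat oldstyle.key)".private
	# First run: settime must warn about the permissions.
	$SETTIME -P none "$(cat oldstyle.key)" > tmp.out 2>&1 || ret=1
	grep -q "warning" tmp.out 2>/dev/null || ret=1
	cat tmp.out
	# Second run: no further warning is expected (presumably the first run
	# corrected the mode).
	$SETTIME -P none "$(cat oldstyle.key)" > tmp.out 2>&1 || ret=1
	grep -q "warning" tmp.out 2>/dev/null && ret=1
	cat tmp.out
	n=$((n + 1))
	[ "$ret" -eq 0 ] || echo "I:failed"
	status=$((status + ret))
fi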

# A delete time (-D) earlier than the inactive time (-I) is contradictory: the
# key would be removed from the zone while still expected to sign.  Both tools
# are expected to warn about it while still succeeding.

echo "I:checking warning about delete date < inactive date with dnssec-settime ($n)"
ret=0
$SETTIME -I now+15s -D now "$(cat oldstyle.key)" > tmp.out 2>&1 || ret=1
grep -q "warning" tmp.out 2>/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo "I:failed"
status=$((status + ret))

echo "I:checking warning about delete date < inactive date with dnssec-keygen ($n)"
ret=0
$KEYGEN -q -r "$RANDFILE" -I now+15s -D now "$czone" > tmp.out 2>&1 || ret=1
grep -q "warning" tmp.out 2>/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo "I:failed"
status=$((status + ret))

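echo "I:checking correct behavior setting activation without publication date ($n)"
ret=0
# -u prints the times as Unix epoch integers, so they can be compared with
# -eq / -lt.  The values are quoted: if settime fails and prints nothing, an
# unquoted "[ $pub -eq $act ]" collapses to the one-argument "[ -eq ]", which
# is true and would let the check pass on garbage.
# With only an activation date, publication defaults to the activation date.
key=$($KEYGEN -q -r "$RANDFILE" -A +1w "$czone")
pub=$($SETTIME -upP "$key" | awk '{print $2}')
act=$($SETTIME -upA "$key" | awk '{print $2}')
[ "$pub" -eq "$act" ] || ret=1
# With a prepublication interval (-i), publication precedes activation.
key=$($KEYGEN -q -r "$RANDFILE" -A +1w -i 1d "$czone")
pub=$($SETTIME -upP "$key" | awk '{print $2}')
act=$($SETTIME -upA "$key" | awk '{print $2}')
[ "$pub" -lt "$act" ] || ret=1
# An explicit "-P never" leaves the publication date unset.
key=$($KEYGEN -q -r "$RANDFILE" -A +1w -P never "$czone")
pub=$($SETTIME -upP "$key" | awk '{print $2}')
[ "$pub" = "UNSET" ] || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo "I:failed"
status=$((status + ret))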

# Report the accumulated failure count; any failed check makes the run exit
# non-zero.
echo "I:exit status: $status"
if [ "$status" -ne 0 ]; then
	exit 1
fi