Commit 144cb53d authored by Matthijs Mekking's avatar Matthijs Mekking 🏡 Committed by Evan Hunt

Add tests for mkeys with unsupported algorithm

These tests check if a key with an unsupported algorithm in
managed-keys is ignored and when seeing an algorithm rollover to
an unsupported algorithm, the new key will be ignored too.
parent 7a1ca39b
......@@ -19,3 +19,6 @@ managed-keys.jnl, causing RFC 5011 initialization to fail.
ns5 is a validator which is prevented from getting a response from the
root server, causing key refresh queries to fail.
ns6 is a validator which has unsupported algorithms, one at start up,
one because of an algorithm rollover.
......@@ -11,6 +11,7 @@
rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk
rm -f dsset-. ns1/dsset-.
rm -f ns1/zone.key
rm -f ns*/named.lock
rm -f */managed-keys.bind* */named.secroots
rm -f */managed*.conf ns1/managed.key ns1/managed.key.id
......
......@@ -8,16 +8,16 @@
; information regarding copyright ownership.
$TTL 20
. IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
2 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
. IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
2 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
; no delegation
example. TXT "This is a test."
example. TXT "This is a test."
......@@ -26,13 +26,18 @@ cp managed.conf ../ns2/managed.conf
cp managed.conf ../ns4/managed.conf
cp managed.conf ../ns5/managed.conf
# Configure a trusted key statement (used by delv)
# Configure a trusted key statement (used by delv).
keyfile_to_trusted_keys $keyname > trusted.conf
# Prepare an unsupported algorithm key.
unsupportedkey=K.+003+28683
cp unsupported.key "${unsupportedkey}.key"
#
# Save keyname and keyid for managed key id test.
#
echo "$keyname" > managed.key
echo "$zskkeyname" > zone.key
keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'`
keyid=`expr $keyid + 0`
echo "$keyid" > managed.key.id
. IN DNSKEY 257 3 255 BJiXuidPHuGIne8GlCBLG+Oq/FZruQd2s3uBo+SxY16NUP/Vwl8MctMK62KsblDU1gIJAdEMVep2tsOkuSm0bIbJ8NBex+N9rSvzH2YJlDCT9QnNfv4q5RRTcVA3lk9nkmWHo6zcAT33yuS+THOCSznOMCJRq8JGZ6xqMJLv9FucuK6CCe6QBAZ5e98dpyGTWQLu7AERKKFqda9YCk3KQfdzx/HZ4SpQpRLncIXvGm1PIMT8Ar95NB/BsFJGwr5ZTaQtRYOXf2DD7wD3pfMsTJCdZyC0J0EtGBG109I+Oou1cswUfqZLXip/aV3eaBAUqLcZpg8P8vAbrvEq4uMS4OMZeXL6nu0irrdS1Pqmax8RsC+x3fg9EBH3QmHroJZtiU5h+0x4qApp7HE4Z5zFRuxIp9iB
-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=5/10/20
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS6
options {
query-source address 10.53.0.6;
notify-source 10.53.0.6;
transfer-source 10.53.0.6;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.6; };
listen-on-v6 { none; };
recursion yes;
notify no;
dnssec-enable yes;
dnssec-validation yes;
trust-anchor-telemetry no;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../common/root.hint";
};
include "managed.conf";
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
zone=.
zonefile=root.db
# an RSA key
rsakey=`$KEYGEN -a rsasha256 -qfk rsasha256.`
# a key with unsupported algorithm
unsupportedkey=Kunknown.+255+00000
cp unsupported-managed.key "${unsupportedkey}.key"
# root key
rootkey=`cat ../ns1/managed.key`
cp "../ns1/${rootkey}.key" .
# Configure the resolving server with a managed trusted key.
keyfile_to_managed_keys $unsupportedkey $rsakey $rootkey > managed.conf
unsupported. IN DNSKEY 257 3 255 BOOVAhiJDPqhfU7+yGXjhetrtC/rtjmwO1yo52BUHUd8R4hQ/ZPdYCVvQlvNkRxDblPkFM5YRXkesS30pJSoNYrg+djbMNumJrLG+lbhFIc/ahTjlYOxb1zm2z00ubHju/1uGBifiRvKWSK0Vr0u6NtS4PKZfsnXt+piSHiRAHSfkjGHwqPYYKh9EUW12kJmIzlMaM6WYl+gJOvL+f8VqNLtvsMPT6OPK/3h/Dnfnxyeudp/jzAnNDDiTgX2XfzIXB4UwxtzIOGaHLnprpNf3zoBm0kyaEdSQQ/qKkpCOqjBasYEHRjVz3RncPUkdLr7PQuPBfFDr3SUMMJqufJrO4IJjtD4cCBT7K1i39Jg471nEzU1vkPzxF+Rw1QHT4nZaXbltf3BEZGS4Knoe9XPwi5KjGW6
......@@ -19,10 +19,12 @@ copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
cp ns5/named1.args ns5/named.args
( cd ns1 && $SHELL sign.sh )
( cd ns6 && $SHELL setup.sh )
cp ns2/managed.conf ns2/managed1.conf
......
......@@ -745,7 +745,7 @@ nextpart ns5/named.run > /dev/null
mkeys_reconfig_on 1
wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run
mkeys_secroots_on 5
grep '; managed' ns5/named.secroots > /dev/null 2>&1 || ret=1
grep '; managed' ns5/named.secroots > /dev/null || ret=1
# ns1 should not longer REFUSE queries from ns5, so managed keys should be
# correctly refreshed and resolving should succeed
$DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1
......@@ -755,5 +755,60 @@ grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "reinitialize trust anchors, add unsupported algorithm ($n)"
ret=0
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6
rm -f ns6/managed-keys.bind*
nextpart ns6/named.run > /dev/null
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6
# log when an unsupported algorithm is encountered during startup
wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "skipping unsupported algorithm in managed-keys ($n)"
ret=0
mkeys_status_on 6 > rndc.out.$n 2>&1
# there should still be only two keys listed (for . and rsasha256.)
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# two lines indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
n=`expr $n + 1`
echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)"
ret=0
cp ns1/root.db ns1/root.db.orig
ksk=`cat ns1/managed.key`
zsk=`cat ns1/zone.key`
cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db
grep "\..*IN.*DNSKEY.*257 3 255" ns1/root.db > /dev/null || ret=1
$SIGNER -K ns1 -N unixtime -o . ns1/root.db $ksk $zsk > /dev/null 2>/dev/null || ret=1
grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1
cp ns1/root.db.orig ns1/root.db
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "skipping unsupported algorithm in rollover ($n)"
ret=0
mkeys_reload_on 1
mkeys_refresh_on 6
mkeys_status_on 6 > rndc.out.$n 2>&1
# there should still be only two keys listed (for . and rsasha256.)
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# two lines indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# log when an unsupported algorithm is encountered during rollover
wait_for_log "Cannot compute tag for key in zone \.: algorithm is unsupported" ns6/named.run
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
......@@ -811,10 +811,14 @@
./bin/tests/system/mkeys/README TXT.BRIEF 2015,2016,2017,2018
./bin/tests/system/mkeys/clean.sh SH 2015,2016,2017,2018
./bin/tests/system/mkeys/ns1/sign.sh SH 2015,2016,2017,2018
./bin/tests/system/mkeys/ns1/unsupported.key X 2018
./bin/tests/system/mkeys/ns2/named.args X 2015,2016,2017,2018
./bin/tests/system/mkeys/ns3/named.args X 2015,2016,2017,2018
./bin/tests/system/mkeys/ns5/named1.args X 2017,2018
./bin/tests/system/mkeys/ns5/named2.args X 2017,2018
./bin/tests/system/mkeys/ns6/named.args X 2018
./bin/tests/system/mkeys/ns6/setup.sh SH 2018
./bin/tests/system/mkeys/ns6/unsupported-managed.key X 2018
./bin/tests/system/mkeys/setup.sh SH 2015,2016,2017,2018
./bin/tests/system/mkeys/tests.sh SH 2015,2016,2017,2018
./bin/tests/system/names/clean.sh SH 2015,2016,2018
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment