Commit 38c2bdba authored by Matthijs Mekking's avatar Matthijs Mekking 🏡 Committed by Evan Hunt

Add tests for mkeys with unsupported algorithm

These tests check if a key with an unsupported algorithm in
managed-keys is ignored and when seeing an algorithm rollover to
an unsupported algorithm, the new key will be ignored too.
parent 235a64a5
......@@ -19,3 +19,6 @@ managed-keys.jnl, causing RFC 5011 initialization to fail.
ns5 is a validator which is prevented from getting a response from the
root server, causing key refresh queries to fail.
ns6 is a validator which has unsupported algorithms, one at start up,
one because of an algorithm rollover.
......@@ -16,9 +16,10 @@ rm -f */named.conf
rm -f */named.memstats */named.run */named.run.prev
rm -f dig.out* delv.out* rndc.out* signer.out*
rm -f dsset-. ns1/dsset-.
rm -f ns1/zone.key
rm -f ns*/managed-keys.bind*
rm -f ns*/named.lock
rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
rm -f ns5/named.args
rm -f ns6/view1.mkeys ns6/view2.mkeys
rm -f ns7/view1.mkeys ns7/view2.mkeys
rm -rf ns4/nope
......@@ -26,13 +26,18 @@ cp managed.conf ../ns2/managed.conf
cp managed.conf ../ns4/managed.conf
cp managed.conf ../ns5/managed.conf
# Configure a trusted key statement (used by delv)
# Configure a trusted key statement (used by delv).
keyfile_to_trusted_keys $keyname > trusted.conf
# Prepare an unsupported algorithm key.
unsupportedkey=K.+003+28683
cp unsupported.key "${unsupportedkey}.key"
#
# Save keyname and keyid for managed key id test.
#
echo "$keyname" > managed.key
echo "$zskkeyname" > zone.key
keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'`
keyid=`expr $keyid + 0`
echo "$keyid" > managed.key.id
. IN DNSKEY 257 3 255 BJiXuidPHuGIne8GlCBLG+Oq/FZruQd2s3uBo+SxY16NUP/Vwl8MctMK62KsblDU1gIJAdEMVep2tsOkuSm0bIbJ8NBex+N9rSvzH2YJlDCT9QnNfv4q5RRTcVA3lk9nkmWHo6zcAT33yuS+THOCSznOMCJRq8JGZ6xqMJLv9FucuK6CCe6QBAZ5e98dpyGTWQLu7AERKKFqda9YCk3KQfdzx/HZ4SpQpRLncIXvGm1PIMT8Ar95NB/BsFJGwr5ZTaQtRYOXf2DD7wD3pfMsTJCdZyC0J0EtGBG109I+Oou1cswUfqZLXip/aV3eaBAUqLcZpg8P8vAbrvEq4uMS4OMZeXL6nu0irrdS1Pqmax8RsC+x3fg9EBH3QmHroJZtiU5h+0x4qApp7HE4Z5zFRuxIp9iB
-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=5/10/20
......@@ -22,8 +22,8 @@ options {
recursion yes;
notify no;
dnssec-enable yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
dnssec-validation yes;
trust-anchor-telemetry no;
};
key rndc_key {
......@@ -35,16 +35,9 @@ controls {
inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
view view1 {
zone "." {
zone "." {
type hint;
file "../../common/root.hint";
};
};
view view2 {
zone "." {
type hint;
file "../../common/root.hint";
};
};
include "managed.conf";
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
zone=.
zonefile=root.db
# an RSA key
rsakey=`$KEYGEN -a rsasha256 -qfk rsasha256.`
# a key with unsupported algorithm
unsupportedkey=Kunknown.+255+00000
cp unsupported-managed.key "${unsupportedkey}.key"
# root key
rootkey=`cat ../ns1/managed.key`
cp "../ns1/${rootkey}.key" .
# Configure the resolving server with a managed trusted key.
keyfile_to_managed_keys $unsupportedkey $rsakey $rootkey > managed.conf
unsupported. IN DNSKEY 257 3 255 BOOVAhiJDPqhfU7+yGXjhetrtC/rtjmwO1yo52BUHUd8R4hQ/ZPdYCVvQlvNkRxDblPkFM5YRXkesS30pJSoNYrg+djbMNumJrLG+lbhFIc/ahTjlYOxb1zm2z00ubHju/1uGBifiRvKWSK0Vr0u6NtS4PKZfsnXt+piSHiRAHSfkjGHwqPYYKh9EUW12kJmIzlMaM6WYl+gJOvL+f8VqNLtvsMPT6OPK/3h/Dnfnxyeudp/jzAnNDDiTgX2XfzIXB4UwxtzIOGaHLnprpNf3zoBm0kyaEdSQQ/qKkpCOqjBasYEHRjVz3RncPUkdLr7PQuPBfFDr3SUMMJqufJrO4IJjtD4cCBT7K1i39Jg471nEzU1vkPzxF+Rw1QHT4nZaXbltf3BEZGS4Knoe9XPwi5KjGW6
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS7
options {
query-source address 10.53.0.7;
notify-source 10.53.0.7;
transfer-source 10.53.0.7;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.7; };
listen-on-v6 { none; };
recursion yes;
notify no;
dnssec-enable yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
view view1 {
zone "." {
type hint;
file "../../common/root.hint";
};
};
view view2 {
zone "." {
type hint;
file "../../common/root.hint";
};
};
......@@ -20,10 +20,12 @@ copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
cp ns5/named1.args ns5/named.args
( cd ns1 && $SHELL sign.sh )
( cd ns6 && $SHELL setup.sh )
cp ns2/managed.conf ns2/managed1.conf
......
......@@ -745,7 +745,7 @@ nextpart ns5/named.run > /dev/null
mkeys_reconfig_on 1
wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run
mkeys_secroots_on 5
grep '; managed' ns5/named.secroots > /dev/null 2>&1 || ret=1
grep '; managed' ns5/named.secroots > /dev/null || ret=1
# ns1 should not longer REFUSE queries from ns5, so managed keys should be
# correctly refreshed and resolving should succeed
$DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1
......@@ -755,17 +755,71 @@ grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "reinitialize trust anchors, add unsupported algorithm ($n)"
ret=0
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6
rm -f ns6/managed-keys.bind*
nextpart ns6/named.run > /dev/null
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6
# log when an unsupported algorithm is encountered during startup
wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "skipping unsupported algorithm in managed-keys ($n)"
ret=0
mkeys_status_on 6 > rndc.out.$n 2>&1
# there should still be only two keys listed (for . and rsasha256.)
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# two lines indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
n=`expr $n + 1`
echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)"
ret=0
cp ns1/root.db ns1/root.db.orig
ksk=`cat ns1/managed.key`
zsk=`cat ns1/zone.key`
cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db
grep "\..*IN.*DNSKEY.*257 3 255" ns1/root.db > /dev/null || ret=1
$SIGNER -K ns1 -N unixtime -o . ns1/root.db $ksk $zsk > /dev/null 2>/dev/null || ret=1
grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1
cp ns1/root.db.orig ns1/root.db
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "skipping unsupported algorithm in rollover ($n)"
ret=0
mkeys_reload_on 1
mkeys_refresh_on 6
mkeys_status_on 6 > rndc.out.$n 2>&1
# there should still be only two keys listed (for . and rsasha256.)
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# two lines indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# log when an unsupported algorithm is encountered during rollover
wait_for_log "Cannot compute tag for key in zone \.: algorithm is unsupported" ns6/named.run
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "check 'rndc managed-keys' and views ($n)"
ret=0
$RNDCCMD 10.53.0.6 managed-keys refresh in view1 > rndc.out.ns6.view1.test$n || ret=1
grep "refreshing managed keys for 'view1'" rndc.out.ns6.view1.test$n > /dev/null || ret=1
lines=`wc -l < rndc.out.ns6.view1.test$n`
$RNDCCMD 10.53.0.7 managed-keys refresh in view1 > rndc.out.ns7.view1.test$n || ret=1
grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n > /dev/null || ret=1
lines=`wc -l < rndc.out.ns7.view1.test$n`
[ $lines -eq 1 ] || ret=1
$RNDCCMD 10.53.0.6 managed-keys refresh > rndc.out.ns6.view2.test$n || ret=1
lines=`wc -l < rndc.out.ns6.view2.test$n`
grep "refreshing managed keys for 'view1'" rndc.out.ns6.view2.test$n > /dev/null || ret=1
grep "refreshing managed keys for 'view2'" rndc.out.ns6.view2.test$n > /dev/null || ret=1
$RNDCCMD 10.53.0.7 managed-keys refresh > rndc.out.ns7.view2.test$n || ret=1
lines=`wc -l < rndc.out.ns7.view2.test$n`
grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n > /dev/null || ret=1
grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null || ret=1
[ $lines -eq 2 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......
This diff is collapsed.
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment