Commit 54a682ea authored by Evan Hunt's avatar Evan Hunt

use DS style trust anchors in all system tests

this adds functions in conf.sh.common to create DS-style trust anchor
files. those functions are then used to create nearly all of the trust
anchors in the system tests.

there are a few exceptions:
 - some tests in dnssec and mkeys rely on detection of unsupported
   algorithms, which only works with key-style trust anchors, so those
   are used for those tests in particular.
 - the mirror test had a problem with the use of a CSK without a
   SEP bit, which still needs addressing

in the future, some of these tests should be changed back to using
traditional trust anchors, so that both types will be exercised going
forward.
parent 342cc9b1
......@@ -33,12 +33,12 @@ rm $zsknopriv.private
ksksby=`$KEYGEN -3 -a RSASHA1 -q -P now -A now+15s -fk $zone`
kskrev=`$KEYGEN -3 -a RSASHA1 -q -R now+15s -fk $zone`
keyfile_to_static_keys $ksksby > trusted.conf
keyfile_to_static_ds $ksksby > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
keyfile_to_static_keys $kskrev > trusted.conf
keyfile_to_static_ds $kskrev > trusted.conf
cp trusted.conf ../ns5/trusted.conf
echo $zskact > ../active.key
......
......@@ -37,7 +37,7 @@ zonefile="${zone}.db"
infile="${zonefile}.in"
ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone`
$KEYGEN -a RSASHA1 -3 -q $zone > /dev/null
keyfile_to_static_keys $ksk > private.conf
keyfile_to_static_ds $ksk > private.conf
cp private.conf ../ns4/private.conf
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null
......
......@@ -221,9 +221,9 @@ assert_int_equal() {
}
# keyfile_to_keys_section: helper function for keyfile_to_*_keys() which
# converts keyfile data into a configuration section using the supplied
# parameters
keyfile_to_keys_section() {
# converts keyfile data into a key-style trust anchor configuration
# section using the supplied parameters
keyfile_to_keys() {
section_name=$1
key_prefix=$2
shift
......@@ -241,18 +241,54 @@ keyfile_to_keys_section() {
echo "};"
}
# keyfile_to_dskeys_section: helper function for keyfile_to_*_dskeys()
# converts keyfile data into a DS-style trust anchor configuration
# section using the supplied parameters
keyfile_to_dskeys() {
section_name=$1
key_prefix=$2
shift
shift
echo "$section_name {"
for keyname in $*; do
$DSFROMKEY $keyname.key | \
awk '!/^; /{
printf "\t\""$1"\" "
printf "'"$key_prefix "'"
printf $4 " " $5 " " $6 " \""
for (i=7; i<=NF; i++) printf $i
printf "\";\n"
}'
done
echo "};"
}
# keyfile_to_static_keys: convert key data contained in the keyfile(s)
# provided to a *static* "dnssec-keys" section suitable for including in a
# provided to a *static-key* "dnssec-keys" section suitable for including in a
# resolver's configuration file
keyfile_to_static_keys() {
keyfile_to_keys_section "dnssec-keys" "static-key" $*
keyfile_to_keys "dnssec-keys" "static-key" $*
}
# keyfile_to_initial_keys: convert key data contained in the keyfile(s)
# provided to an *initialzing* "dnssec-keys" section suitable for including
# provided to an *initial-key* "dnssec-keys" section suitable for including
# in a resolver's configuration file
keyfile_to_initial_keys() {
keyfile_to_keys_section "dnssec-keys" "initial-key" $*
keyfile_to_keys "dnssec-keys" "initial-key" $*
}
# keyfile_to_static_ds_keys: convert key data contained in the keyfile(s)
# provided to a *static-ds* "dnssec-keys" section suitable for including in a
# resolver's configuration file
keyfile_to_static_ds() {
keyfile_to_dskeys "dnssec-keys" "static-ds" $*
}
# keyfile_to_initial_ds_keys: convert key data contained in the keyfile(s)
# provided to an *initial-ds* "dnssec-keys" section suitable for including
# in a resolver's configuration file
keyfile_to_initial_ds() {
keyfile_to_dskeys "dnssec-keys" "initial-ds" $*
}
# keyfile_to_key_id: convert a key file name to a key ID
......
......@@ -38,7 +38,7 @@ cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
# Configure the resolving server with a staitc key.
keyfile_to_static_keys "$ksk" > trusted.conf
keyfile_to_static_ds "$ksk" > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
......@@ -47,7 +47,7 @@ cp trusted.conf ../ns7/trusted.conf
cp trusted.conf ../ns9/trusted.conf
# ...or with an initializing key.
keyfile_to_initial_keys "$ksk" > managed.conf
keyfile_to_initial_ds "$ksk" > managed.conf
cp managed.conf ../ns4/managed.conf
#
......
......@@ -23,7 +23,7 @@ zonefile=root.db.signed
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
# copy the KSK out first, then revoke it
keyfile_to_initial_keys "$keyname" > revoked.conf
keyfile_to_initial_ds "$keyname" > revoked.conf
"$SETTIME" -R now "${keyname}.key" > /dev/null
......@@ -34,4 +34,4 @@ keyfile_to_initial_keys "$keyname" > revoked.conf
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".")
keyfile_to_static_keys "$keyname" > trusted.conf
keyfile_to_static_ds "$keyname" > trusted.conf
......@@ -29,7 +29,7 @@ cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a static key.
keyfile_to_static_keys $key2 > trusted.conf
keyfile_to_static_ds $key2 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
......@@ -25,5 +25,5 @@ cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
# Configure the resolving server with a static key.
keyfile_to_static_keys $key1 > trusted.conf
keyfile_to_static_ds $key1 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
......@@ -26,7 +26,7 @@ cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
# Configure the resolving server with a static key.
keyfile_to_static_keys $key1 > trusted.conf
keyfile_to_static_ds $key1 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cd ../ns2 && $SHELL sign.sh
......@@ -24,7 +24,7 @@ $KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > keygen.out | cat_i
keyname=`cat keygen.out`
rm -f keygen.out
keyfile_to_static_keys $keyname > trusted.conf
keyfile_to_static_ds $keyname > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns5/trusted.conf
......
......@@ -20,5 +20,5 @@ keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out
[ $? = 0 ] || cat signer.out
keyfile_to_static_keys $keyname > trusted.conf
keyfile_to_static_ds $keyname > trusted.conf
cp trusted.conf ../ns6/trusted.conf
......@@ -28,5 +28,5 @@ cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile -e +30y $zonefile > /dev/null 2> signer.err || cat signer.err
keyfile_to_static_keys $keyname2 > trusted.conf
keyfile_to_static_ds $keyname2 > trusted.conf
cp trusted.conf ../ns1
......@@ -21,13 +21,13 @@ zskkeyname=`$KEYGEN -a rsasha256 -q $zone`
$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
# Configure the resolving server with an initializing key.
keyfile_to_initial_keys $keyname > managed.conf
keyfile_to_initial_ds $keyname > managed.conf
cp managed.conf ../ns2/managed.conf
cp managed.conf ../ns4/managed.conf
cp managed.conf ../ns5/managed.conf
# Configure a static key to be used by delv.
keyfile_to_static_keys $keyname > trusted.conf
keyfile_to_static_ds $keyname > trusted.conf
# Prepare an unsupported algorithm key.
unsupportedkey=Kunknown.+255+00000
......
......@@ -27,4 +27,6 @@ rootkey=`cat ../ns1/managed.key`
cp "../ns1/${rootkey}.key" .
# Configure the resolving server with an initializing key.
# (We use key-format trust anchors here because otherwise the
# unsupported algorithm test won't work.)
keyfile_to_initial_keys $unsupportedkey $rsakey $rootkey > managed.conf
......@@ -301,7 +301,7 @@ status=`expr $status + $ret`
echo_i "reinitialize trust anchors, add second key to bind.keys"
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns2
rm -f ns2/managed-keys.bind*
keyfile_to_initial_keys ns1/$original ns1/$standby1 > ns2/managed.conf
keyfile_to_initial_ds ns1/$original ns1/$standby1 > ns2/managed.conf
nextpart ns2/named.run > /dev/null
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns2
......
......@@ -28,7 +28,7 @@ cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a static key.
keyfile_to_static_keys $keyname2 > trusted.conf
keyfile_to_static_ds $keyname2 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
......@@ -31,4 +31,4 @@ cat $ksk.key $zsk.key dsset-ds.example.net$TP >> $zonefile
$SIGNER -P -o $zone $zonefile > /dev/null
# Configure a static key to be used by delv
keyfile_to_static_keys $ksk > ../ns5/trusted.conf
keyfile_to_static_ds $ksk > ../ns5/trusted.conf
......@@ -28,7 +28,7 @@ cat $infile $keyname.key > $zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a static key.
keyfile_to_static_keys $keyname > trusted.conf
keyfile_to_static_ds $keyname > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
......@@ -25,7 +25,7 @@ cat $infile $keyname.key > $zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a static key.
keyfile_to_static_keys $keyname > trusted.conf
keyfile_to_static_ds $keyname > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
......
......@@ -29,8 +29,8 @@ cat "$infile" "$keyname.key" > "$zonefile"
$SIGNER -P -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a static key.
keyfile_to_static_keys "$keyname" > trusted.conf
keyfile_to_static_ds "$keyname" > trusted.conf
cp trusted.conf ../ns2/trusted.conf
# ...or with an initializing key.
keyfile_to_initial_keys "$keyname" > managed.conf
keyfile_to_initial_ds "$keyname" > managed.conf
......@@ -16,4 +16,4 @@ set -e
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".")
keyfile_to_static_keys "$keyname" > trusted.conf
keyfile_to_static_ds "$keyname" > trusted.conf
......@@ -27,7 +27,7 @@ cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a trusted key.
keyfile_to_static_keys $keyname2 > trusted.conf
keyfile_to_static_ds $keyname2 > trusted.conf
zone=undelegated
infile=undelegated.db.in
......@@ -38,5 +38,5 @@ cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -g -o $zone $zonefile > /dev/null
keyfile_to_static_keys $keyname2 >> trusted.conf
keyfile_to_static_ds $keyname2 >> trusted.conf
cp trusted.conf ../ns2/trusted.conf
......@@ -40,4 +40,4 @@ cat "$infile" "$keyname.key" > "$zonefile"
$SIGNER -P -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a static key.
keyfile_to_static_keys "$keyname" > trusted.conf
keyfile_to_static_ds "$keyname" > trusted.conf
......@@ -43,7 +43,7 @@ cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
keyfile_to_static_keys $keyname2 > private.nsec.conf
keyfile_to_static_ds $keyname2 > private.nsec.conf
zone=nsec3
infile=nsec3.db.in
......@@ -72,7 +72,7 @@ cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
keyfile_to_static_keys $keyname2 > private.nsec3.conf
keyfile_to_static_ds $keyname2 > private.nsec3.conf
zone=.
infile=root.db.in
......@@ -87,4 +87,4 @@ cat $infile $keyname1.key $keyname2.key $dssets >$zonefile
$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
keyfile_to_static_keys $keyname2 > trusted.conf
keyfile_to_static_ds $keyname2 > trusted.conf
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment