Commit 83473b97 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Harden grep key ID calls

Key IDs may accidentally match dig output that is not the key ID (for
example the RRSIG inception or expiration time, the query ID, ...).
Search for key ID + signer name should prevent that, as that is what
only should occur in the RRSIG record, and signer name always follows
the key ID.
parent 67f0635f
Pipeline #13768 passed with stages
in 15 minutes and 54 seconds
......@@ -3892,16 +3892,25 @@ ZSK_ID=`cat ns2/${zone}.zsk.id`
SECTIONS="+answer +noauthority +noadditional"
echo_i "testing zone $zone KSK=$KSK_ID ZSK=$ZSK_ID"
# Print IDs of keys used for generating RRSIG records for RRsets of type $1
# found in dig output file $2.
get_keys_which_signed() {
qtype=$1
output=$2
# The key ID is the 11th column of the RRSIG record line.
awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print $11}' < "$output"
}
# Basic checks to make sure everything is fine before the KSK is made offline.
for qtype in "DNSKEY" "CDNSKEY" "CDS"
do
echo_i "checking $qtype RRset is signed with KSK only (update-check-ksk, dnssec-ksk-only) ($n)"
ret=0
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
lines=$(awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print}' dig.out.test$n | wc -l)
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
test "$lines" -eq 1 || ret=1
grep $KSK_ID dig.out.test$n > /dev/null || ret=1
grep $ZSK_ID dig.out.test$n > /dev/null && ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
......@@ -3910,10 +3919,10 @@ done
echo_i "checking SOA RRset is signed with ZSK only (update-check-ksk and dnssec-ksk-only) ($n)"
ret=0
dig_with_opts $SECTIONS @10.53.0.2 soa $zone > dig.out.test$n
lines=$(awk '$4 == "RRSIG" && $5 == "SOA" {print}' dig.out.test$n | wc -l)
grep $KSK_ID dig.out.test$n > /dev/null && ret=1
grep $ZSK_ID dig.out.test$n > /dev/null || ret=1
lines=$(get_keys_which_signed "SOA" dig.out.test$n | wc -l)
test "$lines" -eq 1 || ret=1
get_keys_which_signed "SOA" dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1
get_keys_which_signed "SOA" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
......@@ -3960,11 +3969,11 @@ do
echo_i "checking $qtype RRset is signed with KSK only, KSK offline (update-check-ksk, dnssec-ksk-only) ($n)"
ret=0
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
lines=$(awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print}' dig.out.test$n | wc -l)
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
test "$lines" -eq 1 || ret=1
grep $KSK_ID dig.out.test$n > /dev/null || ret=1
grep $ZSK_ID dig.out.test$n > /dev/null && ret=1
grep $ZSK_ID2 dig.out.test$n > /dev/null && ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
......@@ -3975,11 +3984,11 @@ do
echo_i "checking $qtype RRset is signed with ZSK only, KSK offline (update-check-ksk and dnssec-ksk-only) ($n)"
ret=0
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
lines=$(awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print}' dig.out.test$n | wc -l)
grep $KSK_ID dig.out.test$n > /dev/null && ret=1
grep $ZSK_ID dig.out.test$n > /dev/null && ret=1
grep $ZSK_ID2 dig.out.test$n > /dev/null || ret=1
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
test "$lines" -eq 1 || ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
......@@ -4032,12 +4041,12 @@ do
echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted (update-check-ksk, dnssec-ksk-only) ($n)"
ret=0
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
lines=$(awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print}' dig.out.test$n | wc -l)
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
test "$lines" -eq 1 || ret=1
grep $KSK_ID dig.out.test$n > /dev/null || ret=1
grep $ZSK_ID dig.out.test$n > /dev/null && ret=1
grep $ZSK_ID2 dig.out.test$n > /dev/null && ret=1
grep $ZSK_ID3 dig.out.test$n > /dev/null && ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
......@@ -4048,12 +4057,12 @@ do
echo_i "checking $qtype RRset is signed with ZSK only, old ZSK deleted (update-check-ksk and dnssec-ksk-only) ($n)"
ret=0
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
lines=$(awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print}' dig.out.test$n | wc -l)
grep $KSK_ID dig.out.test$n > /dev/null && ret=1
grep $ZSK_ID dig.out.test$n > /dev/null && ret=1
grep $ZSK_ID2 dig.out.test$n > /dev/null || ret=1
grep $ZSK_ID3 dig.out.test$n > /dev/null && ret=1
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
test "$lines" -eq 1 || ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
......@@ -4078,12 +4087,12 @@ do
echo_i "checking $qtype RRset is signed with KSK only, new ZSK active (update-check-ksk, dnssec-ksk-only) ($n)"
ret=0
dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
lines=$(awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print}' dig.out.test$n | wc -l)
lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
test "$lines" -eq 1 || ret=1
grep $KSK_ID dig.out.test$n > /dev/null || ret=1
grep $ZSK_ID dig.out.test$n > /dev/null && ret=1
grep $ZSK_ID2 dig.out.test$n > /dev/null && ret=1
grep $ZSK_ID3 dig.out.test$n > /dev/null && ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1
get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment