# information regarding copyright ownership.
rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk
+rm -f */island.conf
+rm -f */private.conf
rm -f */managed*.conf ns1/managed.key ns1/managed.key.id
rm -f */managed-keys.bind* */named.secroots
rm -f */named.conf
-rm -f ns3/broken.conf
rm -f */named.memstats */named.run */named.run.prev
rm -f dig.out* delv.out* rndc.out* signer.out*
rm -f dsset-. ns1/dsset-.
-rm -f ns1/zone.key
rm -f ns*/managed-keys.bind*
rm -f ns*/named.lock
+rm -f ns1/dsset-sub.tld.
+rm -f ns1/dsset-tld.
rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
+rm -f ns1/zone.key
+rm -f ns3/broken.conf
+rm -f ns4/dsset-sub.foo.
rm -f ns5/named.args
rm -f ns7/view1.mkeys ns7/view2.mkeys
rm -rf ns4/nope
allow-update { any; };
auto-dnssec maintain;
};
+
+zone "tld" {
+ type primary;
+ file "tld.db.signed";
+};
+
+zone "sub.tld" {
+ type primary;
+ file "sub.tld.db.signed";
+};
type primary;
file "root.db.signed";
};
+
+zone "tld" {
+ type primary;
+ file "tld.db.signed";
+};
+
+zone "sub.tld" {
+ type primary;
+ file "sub.tld.db.signed";
+};
type primary;
file "root.db.signed";
};
+
+zone "tld" {
+ type primary;
+ file "tld.db.signed";
+};
+
+zone "sub.tld" {
+ type primary;
+ file "sub.tld.db.signed";
+};
; no delegation
example. TXT "This is a test."
+
+tld. NS ns.tld.
+ns.tld. A 10.53.0.1
. ../../conf.sh
+zone=sub.tld
+zonefile=sub.tld.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+keyfile_to_initial_ds $keyname > island.conf
+cp island.conf ../ns5/island.conf
+
+zone=tld
+zonefile=tld.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+
zone=.
zonefile=root.db
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+sub.tld. IN SOA marka.isc.org. ns.sub.tld. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+sub.tld. NS ns.sub.tld.
+ns.sub.tld. A 10.53.0.1
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+tld. IN SOA marka.isc.org. ns.tld. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+tld. NS ns.tld.
+ns.tld. A 10.53.0.1
+sub.tld. NS ns.sub.tld.
+ns.sub.tld. A 10.53.0.1
type hint;
file "../../common/root.hint";
};
+
+zone "sub.foo" {
+ type primary;
+ file "sub.foo.db.signed";
+};
--- /dev/null
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../../conf.sh
+
+zone=sub.foo
+zonefile=sub.foo.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+keyfile_to_initial_ds $keyname > private.conf
+cp private.conf ../ns5/private.conf
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+sub.foo. IN SOA marka.isc.org. ns.foo. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+sub.foo. NS ns.sub.foo.
+ns.sub.foo. A 10.53.0.4
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+foo. IN SOA marka.isc.org. ns.foo. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+foo. NS ns.foo.
+ns.foo. A 10.53.0.5
+sub.foo. NS ns.sub.foo.
+ns.sub.foo. A 10.53.0.4
type hint;
file "../../common/root.hint";
};
+
+zone "foo" {
+ type primary;
+ file "foo.db";
+};
+
+include "island.conf";
+include "private.conf";
cp ns5/named1.args ns5/named.args
( cd ns1 && $SHELL sign.sh )
+( cd ns4 && $SHELL sign.sh )
( cd ns6 && $SHELL setup.sh )
cp ns2/managed.conf ns2/managed1.conf
stop_server --use-rndc --port "${CONTROLPORT}" ns5
nextpart ns5/named.run > /dev/null
start_server --noclean --restart --port "${PORT}" ns5
-wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.':" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld':" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo':" ns5/named.run || ret=1
# ns5/named.run will contain logs from both the old instance and the new
# instance. In order for the test to pass, both must attempt a fetch.
count=$(grep -c "Creating key fetch" ns5/named.run) || true
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
+n=$((n+1))
+echo_i "check 'rndc managed-keys' and islands of trust root unreachable ($n)"
+ret=0
+mkeys_sync_on 5
+mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1
+# there should be three keys listed now
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# three lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# one indicates current trust
+count=$(grep -c "trusted since" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
n=$((n+1))
echo_i "check key refreshes are resumed after root servers become available ($n)"
ret=0
cp ns5/named2.args ns5/named.args
nextpart ns5/named.run > /dev/null
start_server --noclean --restart --port "${PORT}" ns5
-wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': failure" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1
mkeys_secroots_on 5 || ret=1
grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1
# ns1 should still REFUSE queries from ns5, so resolving should be impossible
rm -f ns1/root.db.signed.jnl
nextpart ns5/named.run > /dev/null
mkeys_reconfig_on 1 || ret=1
-wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': success" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1
mkeys_secroots_on 5 || ret=1
grep '; managed' ns5/named.secroots > /dev/null || ret=1
# ns1 should not longer REFUSE queries from ns5, so managed keys should be
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
+n=$((n+1))
+echo_i "check 'rndc managed-keys' and islands of trust now that root is reachable ($n)"
+ret=0
+mkeys_sync_on 5
+mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1
+# there should be three keys listed now
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# theee lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# three indicates current trust
+count=$(grep -c "trusted since" rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
projects / thirdparty / bind9.git / commitdiff
