--- /dev/null
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ log-time-ascii: yes
+ fake-sha1: yes
+ trust-anchor-signaling: no
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+; initial content (say from dig example.com DNSKEY > example.com.key)
+AUTOTRUST_FILE example.com
+PUBKEY1
+PUBKEY2
+AUTOTRUST_END
+CONFIG_END
+
+SCENARIO_BEGIN Test autotrust with ADDPEND twice and exceeded time
+; should work even though not signed with old key at latest time.
+
+; K-ROOT
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id copy_query
+REPLY QR AA
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS k.root-servers.net.
+SECTION ADDITIONAL
+k.root-servers.net IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com. KSK PUBKEY1_ID
+RANGE_BEGIN 0 10
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 3600 IN A 10.20.30.40
+SIG1a_PUBKEY2
+SECTION AUTHORITY
+example.com. 3600 IN NS ns.example.com.
+SIG1b_PUBKEY2
+SECTION ADDITIONAL
+ns.example.com. 3600 IN A 1.2.3.4
+SIG1c_PUBKEY2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+; KSK 1
+PUBKEY1
+; ZSK 1
+PUBKEY2
+; signatures
+SIG2_PUBKEY2
+SIG2_PUBKEY1
+ENTRY_END
+RANGE_END
+
+; ns.example.com. KSK PUBKEY1_ID and PUBKEY3_ID
+RANGE_BEGIN 11 40
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+; KSK 1
+PUBKEY1
+; KSK 2
+PUBKEY3
+; ZSK 1
+PUBKEY2
+; signatures
+SIG3_PUBKEY2
+SIG3_PUBKEY1
+SIG3_PUBKEY3
+ENTRY_END
+RANGE_END
+
+; ns.example.com. KSK PUBKEY3_ID
+RANGE_BEGIN 41 50
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+; KSK 2
+PUBKEY3
+; ZSK 1
+PUBKEY2
+; signatures
+SIG4_PUBKEY2
+SIG4_PUBKEY3
+ENTRY_END
+RANGE_END
+
+; ns.example.com. KSK PUBKEY1_ID-REVOKED and PUBKEY3_ID
+RANGE_BEGIN 51 60
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+; KSK 1
+PUBKEY4
+; KSK 2
+PUBKEY3
+; ZSK 1
+PUBKEY2
+; signatures
+SIG5_PUBKEY2
+SIG5_PUBKEY4
+; wrong keytag:
+SIG5_PUBKEY1
+SIG5_PUBKEY3
+ENTRY_END
+RANGE_END
+
+; ns.example.com. KSK PUBKEY3_ID
+RANGE_BEGIN 61 70
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+; KSK 2
+PUBKEY3
+; ZSK 1
+PUBKEY2
+; signatures
+SIG6_PUBKEY2
+SIG6_PUBKEY3
+ENTRY_END
+RANGE_END
+
+; set date/time to Aug 24 07:46:40 (2009).
+STEP 5 TIME_PASSES ELAPSE 1251100000
+STEP 6 TRAFFIC ; the initial probe
+STEP 7 ASSIGN t0 = ${time}
+STEP 8 ASSIGN probe0 = ${range 4800 ${timeout} 5400}
+
+; the auto probing should have been done now.
+STEP 10 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: ${$t0} ;;${ctime $t0}
+;;last_success: ${$t0} ;;${ctime $t0}
+;;next_probe_time: ${$t0 + $probe0} ;;${ctime $t0 + $probe0}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+PUBKEY1 ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0}
+FILE_END
+
+; key prepublished. First poll. 30 days later
+STEP 11 TIME_PASSES EVAL ${30*24*3600}
+STEP 12 TRAFFIC
+STEP 13 ASSIGN t1 = ${time}
+STEP 14 ASSIGN probe1 = ${range 4800 ${timeout} 5400}
+STEP 15 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: ${$t1} ;;${ctime $t1}
+;;last_success: ${$t1} ;;${ctime $t1}
+;;next_probe_time: ${$t1 + $probe1} ;;${ctime $t1 + $probe1}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+PUBKEY3 ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=${$t1} ;;${ctime $t1}
+PUBKEY1 ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0}
+FILE_END
+
+; Second poll. 10 days later
+STEP 21 TIME_PASSES EVAL ${10*24*3600}
+STEP 22 TRAFFIC
+STEP 23 ASSIGN t2 = ${time}
+STEP 24 ASSIGN probe2 = ${range 4800 ${timeout} 5400}
+STEP 25 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: ${$t2} ;;${ctime $t2}
+;;last_success: ${$t2} ;;${ctime $t2}
+;;next_probe_time: ${$t2 + $probe2} ;;${ctime $t2 + $probe2}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+PUBKEY3 ;;state=1 [ ADDPEND ] ;;count=2 ;;lastchange=${$t1} ;;${ctime $t1}
+PUBKEY1 ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0}
+FILE_END
+
+; t3 is removed third poll time.
+
+; 21 days later, hold down has lapsed.
+STEP 41 TIME_PASSES EVAL ${21*24*3600}
+STEP 42 TRAFFIC
+STEP 43 ASSIGN t4 = ${time}
+STEP 44 ASSIGN probe4 = ${range 4800 ${timeout} 5400}
+STEP 45 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: ${$t4} ;;${ctime $t4}
+;;last_success: ${$t4} ;;${ctime $t4}
+;;next_probe_time: ${$t4 + $probe4} ;;${ctime $t4 + $probe4}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+PUBKEY3 ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4}
+PUBKEY1 ;;state=3 [ MISSING ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4}
+FILE_END
+
+; 30 days later, the old key is revoked
+STEP 51 TIME_PASSES EVAL ${30*24*3600}
+STEP 52 TRAFFIC
+STEP 53 ASSIGN t5 = ${time}
+STEP 54 ASSIGN probe5 = ${range 4800 ${timeout} 5400}
+STEP 55 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: ${$t5} ;;${ctime $t5}
+;;last_success: ${$t5} ;;${ctime $t5}
+;;next_probe_time: ${$t5 + $probe5} ;;${ctime $t5 + $probe5}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+PUBKEY3 ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4}
+PUBKEY4 ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=${$t5} ;;${ctime $t5}
+FILE_END
+
+; 370 days later, the old key is removed from storage
+STEP 61 TIME_PASSES EVAL ${370*24*3600}
+STEP 62 TRAFFIC
+STEP 63 ASSIGN t6 = ${time}
+STEP 64 ASSIGN probe6 = ${range 4800 ${timeout} 5400}
+STEP 65 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: ${$t6} ;;${ctime $t6}
+;;last_success: ${$t6} ;;${ctime $t6}
+;;next_probe_time: ${$t6 + $probe6} ;;${ctime $t6 + $probe6}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+PUBKEY3 ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4}
+FILE_END
+
+
+SCENARIO_END
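Review bot: The comment `; wrong keytag:` at the `SIG5_PUBKEY1` line (range 51-60) is the crux of this scenario but does not say why the signature is wrong, and a reader has to go to the generator script to find out. From the generator it appears this RRSIG is made with key 1's private key over a DNSKEY RRset that publishes only the revoked copy of that key (PUBKEY4), whose keytag differs because the REVOKE flag changes the key data; please confirm that reading. I would expand it to `; wrong keytag: signed by the un-revoked key 1, but the RRset publishes only its revoked copy (PUBKEY4), whose keytag differs - this RRSIG must not validate`. The range comment `; ns.example.com. KSK PUBKEY1_ID-REVOKED and PUBKEY3_ID` would also be clearer as `; ns.example.com. KSK PUBKEY1 revoked (published as PUBKEY4) and PUBKEY3`, since PUBKEY1_ID is a substituted keytag, not a label for the revoked key.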
#!/bin/sh
-KEYDIR=keys
-KEYNAME=autotrust_10key
-
-LDNS_KEYGEN=ldns-keygen
-LDNS_SIGNZONE=ldns-signzone
-SECALG=8 # RSA/SHA-256
+. ./gen-common
-TMPZONE=tmpzone
+KEYNAME=autotrust_10key
replace_keys()
{
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13
do
- if [ -f "$KEYDIR/$KEYNAME-$i.key" ]
- then
- continue # Key already exists, remove to regenerate
- fi
- mkdir -p "$KEYDIR"
- keyname=$($LDNS_KEYGEN -a $SECALG -b 2048 -k example.com.)
- < "$keyname".key sed 's/IN/3600 IN/' > "$KEYDIR/$KEYNAME-$i.key"
- rm -f "$keyname".key
- mv "$keyname".private "$KEYDIR/$KEYNAME-$i.private"
- mv "$keyname".ds "$KEYDIR/$KEYNAME-$i.ds"
+ gen_key_ksk "$KEYDIR/$KEYNAME-$i"
done
-echo 'example.com. IN SOA host.example.com. user.example.com. (1 7200 3600 2419200 3600)' > $TMPZONE
-cat "$KEYDIR/$KEYNAME"-*.key >> $TMPZONE
-$LDNS_SIGNZONE -e 20091124111500 -i 20091018111500 $TMPZONE "$KEYDIR/$KEYNAME-2"
-sig1=$(grep 'RRSIG[ ]*DNSKEY' < $TMPZONE.signed )
-rm -f "$TMPZONE" "$TMPZONE.signed"
+sig1=$(sig_keys 2 20091124111500 20091018111500 1 2 3 4 5 6 7 8 9 10 11 12 13)
< autotrust_10key.rpl.in \
replace_keys |
--- /dev/null
+#!/bin/sh
+
+. ./gen-common
+
+KEYNAME=autotrust_addpend_2exceed
+
+replace_keys()
+{
+ pubkey1=$(cat "$KEYDIR/$KEYNAME-1.key")
+ pubkey2=$(cat "$KEYDIR/$KEYNAME-2.key")
+ pubkey3=$(cat "$KEYDIR/$KEYNAME-3.key")
+ pubkey4=$(cat "$KEYDIR/$KEYNAME-4.key")
+
+ pubkey1_id=$(key_id "$pubkey1")
+ pubkey3_id=$(key_id "$pubkey3")
+
+ sed "s@PUBKEY1_ID@$pubkey1_id@ ; \
+ s@PUBKEY3_ID@$pubkey3_id@ ; \
+ s@PUBKEY1@$pubkey1@ ; \
+ s@PUBKEY2@$pubkey2@ ; \
+ s@PUBKEY3@$pubkey3@ ; \
+ s@PUBKEY4@$pubkey4@"
+}
+
+gen_key_ksk "$KEYDIR/$KEYNAME-1"
+gen_key_zsk "$KEYDIR/$KEYNAME-2"
+gen_key_ksk "$KEYDIR/$KEYNAME-3"
+gen_key_ksk_revoked "$KEYDIR/$KEYNAME-1" "$KEYDIR/$KEYNAME-4"
+
+
+echo 'example.com. IN SOA host.example.com. user.example.com. (1 7200 3600 2419200 3600)' > $TMPZONE
+echo 'www.example.com. 3600 IN A 10.20.30.40' >>$TMPZONE
+echo 'example.com. 3600 IN NS ns.example.com.' >>$TMPZONE
+echo 'ns.example.com. 3600 IN A 1.2.3.4' >>$TMPZONE
+$LDNS_SIGNZONE -e 20090924111500 -i 20090821111500 $TMPZONE "$KEYDIR/$KEYNAME-2"
+sig1a_pubkey2=$(grep 'www.example.com.*RRSIG[ ]*A' < $TMPZONE.signed )
+sig1b_pubkey2=$(grep 'IN[ ]*RRSIG[ ]*NS[ ]' < $TMPZONE.signed )
+sig1c_pubkey2=$(grep 'ns.example.com.*RRSIG[ ]*A' < $TMPZONE.signed )
+rm -f "$TMPZONE" "$TMPZONE.signed"
+
+sig2_pubkey2=$(sig_keys 2 20090924111500 20090821111500 1 2)
+sig2_pubkey1=$(sig_keys 1 20090924111500 20090821111500 1 2)
+
+sig3_pubkey2=$(sig_keys 2 20091024111500 20090921111500 1 3 2)
+sig3_pubkey1=$(sig_keys 1 20091024111500 20090921111500 1 3 2)
+sig3_pubkey3=$(sig_keys 3 20091024111500 20090921111500 1 3 2)
+
+sig4_pubkey2=$(sig_keys 2 20091124111500 20091018111500 3 2)
+sig4_pubkey3=$(sig_keys 3 20091124111500 20091018111500 3 2)
+
+sig5_pubkey2=$(sig_keys 2 20091224111500 20091118111500 4 3 2)
+sig5_pubkey4=$(sig_keys 4 20091224111500 20091118111500 4 3 2)
+sig5_pubkey1=$(sig_keys 1 20091224111500 20091118111500 4 3 2)
+sig5_pubkey3=$(sig_keys 3 20091224111500 20091118111500 4 3 2)
+
+sig6_pubkey2=$(sig_keys 2 20101224111500 20101118111500 3 2)
+sig6_pubkey3=$(sig_keys 3 20101224111500 20101118111500 3 2)
+
+< $KEYNAME.rpl.in \
+ sed "s@SIG1a_PUBKEY2@$sig1a_pubkey2@ ; \
+ s@SIG1b_PUBKEY2@$sig1b_pubkey2@ ; \
+ s@SIG1c_PUBKEY2@$sig1c_pubkey2@ ; \
+ s@SIG2_PUBKEY2@$sig2_pubkey2@ ; \
+ s@SIG2_PUBKEY1@$sig2_pubkey1@ ; \
+ s@SIG3_PUBKEY2@$sig3_pubkey2@ ; \
+ s@SIG3_PUBKEY1@$sig3_pubkey1@ ; \
+ s@SIG3_PUBKEY3@$sig3_pubkey3@ ; \
+ s@SIG4_PUBKEY2@$sig4_pubkey2@ ; \
+ s@SIG4_PUBKEY3@$sig4_pubkey3@ ; \
+ s@SIG5_PUBKEY2@$sig5_pubkey2@ ; \
+ s@SIG5_PUBKEY4@$sig5_pubkey4@ ; \
+ s@SIG5_PUBKEY1@$sig5_pubkey1@ ; \
+ s@SIG5_PUBKEY3@$sig5_pubkey3@ ; \
+ s@SIG6_PUBKEY2@$sig6_pubkey2@ ; \
+ s@SIG6_PUBKEY3@$sig6_pubkey3@ ; \
+ " |
+ replace_keys \
+ > ../$KEYNAME.rpl
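Review bot: The exit status of `$LDNS_SIGNZONE` at the zone-signing line is never checked, so if signing fails the three `grep` lines yield empty `sig1a_pubkey2`, `sig1b_pubkey2` and `sig1c_pubkey2`, the `sed` pipeline writes an .rpl with blank lines where the RRSIGs belong, and the test later fails for a misleading reason. `$LDNS_SIGNZONE -e 20090924111500 -i 20090821111500 $TMPZONE "$KEYDIR/$KEYNAME-2" || exit 1` stops the generator at the real cause; the same applies to each `sig_keys` assignment, where the helper's output is captured without checking its status. In `replace_keys` the substitution order is load-bearing but uncomment: `PUBKEY1_ID` and `PUBKEY3_ID` must be rewritten before the bare `PUBKEY1`/`PUBKEY3` names they prefix, otherwise the shorter pattern would mangle the keytag placeholders; a one-line comment above the `sed` saying so would keep a future edit from reordering them.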
--- /dev/null
+#!/bin/sh
+
+KEYDIR=keys
+
+LDNS_KEYGEN=ldns-keygen
+LDNS_SIGNZONE=ldns-signzone
+SECALG=8 # RSA/SHA-256
+SECBITS=2048
+
+TMPZONE=tmpzone
+
+key_id()
+{
+ expr "$1" : '.*{id = \([0-9]*\).*'
+}
+
+gen_key_ksk()
+{
+ if [ $# -ne 1 ]; then
+ echo >&2 "Usage: gen_key_ksk <file-name>"
+ exit 1
+ fi
+
+ key_file="$1"
+
+
+ if [ -f "$key_file.key" ]
+ then
+ return # Key already exists, remove to regenerate
+ fi
+ mkdir -p "$KEYDIR"
+ tmp_keyname=$($LDNS_KEYGEN -a $SECALG -b $SECBITS -k example.com.)
+ sed 's/IN/10800 IN/' < "$tmp_keyname".key > "$key_file.key"
+ rm -f "$tmp_keyname".key
+ mv "$tmp_keyname".private "$key_file.private"
+ mv "$tmp_keyname".ds "$key_file.ds"
+}
+
+gen_key_ksk_revoked()
+{
+ if [ $# -ne 2 ]; then
+ echo >&2 "Usage: gen_key_ksk_revoked <orig-file-name> <file-name>"
+ exit 1
+ fi
+
+ orig_key_file="$1"
+ key_file="$2"
+
+
+ if [ -f "$key_file.key" ]
+ then
+ return # Key already exists, remove to regenerate
+ fi
+ cp "$orig_key_file".key "$key_file".key
+ cp "$orig_key_file".private "$key_file.private"
+ mv "$orig_key_file".ds "$key_file.ds"
+ ldns-revoke "$key_file.key"
+}
+
+gen_key_zsk()
+{
+ if [ $# -ne 1 ]; then
+ echo >&2 "Usage: gen_key_zsk <file-name>"
+ exit 1
+ fi
+
+ key_file="$1"
+
+
+ if [ -f "$key_file.key" ]
+ then
+ return # Key already exists, remove to regenerate
+ fi
+ mkdir -p "$KEYDIR"
+ tmp_keyname=$($LDNS_KEYGEN -a $SECALG -b $SECBITS example.com.)
+ sed 's/IN/10800 IN/' < "$tmp_keyname".key > "$key_file.key"
+ rm -f "$tmp_keyname".key
+ mv "$tmp_keyname".private "$key_file.private"
+}
+
+sig_keys()
+{
+ if [ $# -lt 4 ]; then
+ echo >&2 'Usage: sig_keys <sig-key-nr> <endtime> <starttime> <key-nr>...'
+ exit 1
+ fi
+ sig_key_nr="$1"
+ shift
+ endtime="$1"
+ shift
+ starttime="$1"
+ shift
+ echo 'example.com. IN SOA host.example.com. user.example.com. (1 7200 3600 2419200 3600)' > $TMPZONE
+ while [ "$1" != "" ]
+ do
+ cat "$KEYDIR/$KEYNAME"-$1.key >> $TMPZONE
+ shift
+ done
+ $LDNS_SIGNZONE -e $endtime -i $starttime $TMPZONE "$KEYDIR/$KEYNAME-$sig_key_nr"
+ #echo '--- signed zone ---' >&2
+ #cat $TMPZONE.signed >&2
+ #echo '--- end signed zone ---' >&2
+ sig=$(grep 'RRSIG[ ]*DNSKEY' < $TMPZONE.signed )
+ rm -f "$TMPZONE" "$TMPZONE.signed"
+ echo "$sig"
+}
+
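Review bot: `gen_key_ksk`, `gen_key_zsk` and `sig_keys` ignore the exit status of `$LDNS_KEYGEN` and `$LDNS_SIGNZONE`, so a failed key generation leaves `tmp_keyname` empty, the following `sed < "$tmp_keyname".key` and `mv` lines fail noisily but the function still returns 0, and a failed signing makes `sig_keys` print an empty string that the callers splice into the test file as a missing RRSIG. `tmp_keyname=$($LDNS_KEYGEN -a $SECALG -b $SECBITS -k example.com.) || exit 1` and `$LDNS_SIGNZONE -e $endtime -i $starttime $TMPZONE "$KEYDIR/$KEYNAME-$sig_key_nr" || exit 1` make the generator stop at the real cause. `sig_keys` also reads `$KEYNAME`, which this file never sets and expects the sourcing script to define; a header comment above the file's variables stating that contract (and that all functions exit the whole script on usage errors) would spare the next test author a silent mismatch. In `gen_key_ksk_revoked` the original's `.key` and `.private` are copied but its `.ds` is moved, which looks unintentional since the original key's DS file disappears on the first run; if the move is deliberate, a comment saying why would help.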