ns5 is a validator which is prevented from getting a response from the
root server, causing key refresh queries to fail.
+
+ns6 is a validator which has unsupported algorithms, one at start up,
+one because of an algorithm rollover.
rm -f */named.memstats */named.run */named.run.prev
rm -f dig.out* delv.out* rndc.out* signer.out*
rm -f dsset-. ns1/dsset-.
+rm -f ns1/zone.key
rm -f ns*/managed-keys.bind*
rm -f ns*/named.lock
rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
rm -f ns5/named.args
-rm -f ns6/view1.mkeys ns6/view2.mkeys
+rm -f ns7/view1.mkeys ns7/view2.mkeys
rm -rf ns4/nope
; information regarding copyright ownership.
$TTL 20
-. IN SOA gson.nominum.com. a.root.servers.nil. (
- 2000042100 ; serial
- 600 ; refresh
- 600 ; retry
- 1200 ; expire
- 2 ; minimum
- )
-. NS a.root-servers.nil.
-a.root-servers.nil. A 10.53.0.1
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
; no delegation
-example. TXT "This is a test."
+example. TXT "This is a test."
cp managed.conf ../ns4/managed.conf
cp managed.conf ../ns5/managed.conf
-# Configure a trusted key statement (used by delv)
+# Configure a trusted key statement (used by delv).
keyfile_to_trusted_keys $keyname > trusted.conf
+# Prepare an unsupported algorithm key.
+unsupportedkey=K.+003+28683
+cp unsupported.key "${unsupportedkey}.key"
+
#
# Save keyname and keyid for managed key id test.
#
echo "$keyname" > managed.key
+echo "$zskkeyname" > zone.key
keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'`
keyid=`expr $keyid + 0`
echo "$keyid" > managed.key.id
--- /dev/null
+. IN DNSKEY 257 3 255 BJiXuidPHuGIne8GlCBLG+Oq/FZruQd2s3uBo+SxY16NUP/Vwl8MctMK62KsblDU1gIJAdEMVep2tsOkuSm0bIbJ8NBex+N9rSvzH2YJlDCT9QnNfv4q5RRTcVA3lk9nkmWHo6zcAT33yuS+THOCSznOMCJRq8JGZ6xqMJLv9FucuK6CCe6QBAZ5e98dpyGTWQLu7AERKKFqda9YCk3KQfdzx/HZ4SpQpRLncIXvGm1PIMT8Ar95NB/BsFJGwr5ZTaQtRYOXf2DD7wD3pfMsTJCdZyC0J0EtGBG109I+Oou1cswUfqZLXip/aV3eaBAUqLcZpg8P8vAbrvEq4uMS4OMZeXL6nu0irrdS1Pqmax8RsC+x3fg9EBH3QmHroJZtiU5h+0x4qApp7HE4Z5zFRuxIp9iB
--- /dev/null
+-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=5/10/20
recursion yes;
notify no;
dnssec-enable yes;
- dnssec-validation auto;
- bindkeys-file "managed.conf";
+ dnssec-validation yes;
+ trust-anchor-telemetry no;
};
key rndc_key {
inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
-view view1 {
- zone "." {
- type hint;
- file "../../common/root.hint";
- };
+zone "." {
+ type hint;
+ file "../../common/root.hint";
};
-view view2 {
- zone "." {
- type hint;
- file "../../common/root.hint";
- };
-};
+include "managed.conf";
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+zonefile=root.db
+
+# an RSA key
+rsakey=`$KEYGEN -a rsasha256 -qfk rsasha256.`
+
+# a key with unsupported algorithm
+unsupportedkey=Kunknown.+255+00000
+cp unsupported-managed.key "${unsupportedkey}.key"
+
+# root key
+rootkey=`cat ../ns1/managed.key`
+cp "../ns1/${rootkey}.key" .
+
+# Configure the resolving server with a managed trusted key.
+keyfile_to_managed_keys $unsupportedkey $rsakey $rootkey > managed.conf
--- /dev/null
+unsupported. IN DNSKEY 257 3 255 BOOVAhiJDPqhfU7+yGXjhetrtC/rtjmwO1yo52BUHUd8R4hQ/ZPdYCVvQlvNkRxDblPkFM5YRXkesS30pJSoNYrg+djbMNumJrLG+lbhFIc/ahTjlYOxb1zm2z00ubHju/1uGBifiRvKWSK0Vr0u6NtS4PKZfsnXt+piSHiRAHSfkjGHwqPYYKh9EUW12kJmIzlMaM6WYl+gJOvL+f8VqNLtvsMPT6OPK/3h/Dnfnxyeudp/jzAnNDDiTgX2XfzIXB4UwxtzIOGaHLnprpNf3zoBm0kyaEdSQQ/qKkpCOqjBasYEHRjVz3RncPUkdLr7PQuPBfFDr3SUMMJqufJrO4IJjtD4cCBT7K1i39Jg471nEzU1vkPzxF+Rw1QHT4nZaXbltf3BEZGS4Knoe9XPwi5KjGW6
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS7
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-enable yes;
+ dnssec-validation auto;
+ bindkeys-file "managed.conf";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view view1 {
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+};
+
+view view2 {
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+};
cp ns5/named1.args ns5/named.args
( cd ns1 && $SHELL sign.sh )
+( cd ns6 && $SHELL setup.sh )
cp ns2/managed.conf ns2/managed1.conf
mkeys_reconfig_on 1
wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run
mkeys_secroots_on 5
-grep '; managed' ns5/named.secroots > /dev/null 2>&1 || ret=1
+grep '; managed' ns5/named.secroots > /dev/null || ret=1
# ns1 should not longer REFUSE queries from ns5, so managed keys should be
# correctly refreshed and resolving should succeed
$DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1
status=`expr $status + $ret`
n=`expr $n + 1`
+echo_i "reinitialize trust anchors, add unsupported algorithm ($n)"
+ret=0
+$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6
+rm -f ns6/managed-keys.bind*
+nextpart ns6/named.run > /dev/null
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6
+# log when an unsupported algorithm is encountered during startup
+wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "skipping unsupported algorithm in managed-keys ($n)"
+ret=0
+mkeys_status_on 6 > rndc.out.$n 2>&1
+# there should still be only two keys listed (for . and rsasha256.)
+count=`grep -c "keyid: " rndc.out.$n`
+[ "$count" -eq 2 ] || ret=1
+# two lines indicating trust status
+count=`grep -c "trust" rndc.out.$n`
+[ "$count" -eq 2 ] || ret=1
+
+n=`expr $n + 1`
+echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)"
+ret=0
+cp ns1/root.db ns1/root.db.orig
+ksk=`cat ns1/managed.key`
+zsk=`cat ns1/zone.key`
+cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db
+grep "\..*IN.*DNSKEY.*257 3 255" ns1/root.db > /dev/null || ret=1
+$SIGNER -K ns1 -N unixtime -o . ns1/root.db $ksk $zsk > /dev/null 2>/dev/null || ret=1
+grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1
+cp ns1/root.db.orig ns1/root.db
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "skipping unsupported algorithm in rollover ($n)"
+ret=0
+mkeys_reload_on 1
+mkeys_refresh_on 6
+mkeys_status_on 6 > rndc.out.$n 2>&1
+# there should still be only two keys listed (for . and rsasha256.)
+count=`grep -c "keyid: " rndc.out.$n`
+[ "$count" -eq 2 ] || ret=1
+# two lines indicating trust status
+count=`grep -c "trust" rndc.out.$n`
+[ "$count" -eq 2 ] || ret=1
+# log when an unsupported algorithm is encountered during rollover
+wait_for_log "Cannot compute tag for key in zone \.: algorithm is unsupported" ns6/named.run
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
echo_i "check 'rndc managed-keys' and views ($n)"
ret=0
-$RNDCCMD 10.53.0.6 managed-keys refresh in view1 > rndc.out.ns6.view1.test$n || ret=1
-grep "refreshing managed keys for 'view1'" rndc.out.ns6.view1.test$n > /dev/null || ret=1
-lines=`wc -l < rndc.out.ns6.view1.test$n`
+$RNDCCMD 10.53.0.7 managed-keys refresh in view1 > rndc.out.ns7.view1.test$n || ret=1
+grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n > /dev/null || ret=1
+lines=`wc -l < rndc.out.ns7.view1.test$n`
[ $lines -eq 1 ] || ret=1
-$RNDCCMD 10.53.0.6 managed-keys refresh > rndc.out.ns6.view2.test$n || ret=1
-lines=`wc -l < rndc.out.ns6.view2.test$n`
-grep "refreshing managed keys for 'view1'" rndc.out.ns6.view2.test$n > /dev/null || ret=1
-grep "refreshing managed keys for 'view2'" rndc.out.ns6.view2.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.7 managed-keys refresh > rndc.out.ns7.view2.test$n || ret=1
+lines=`wc -l < rndc.out.ns7.view2.test$n`
+grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n > /dev/null || ret=1
+grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null || ret=1
[ $lines -eq 2 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
./bin/tests/system/mkeys/ns1/named3.conf.in CONF-C 2017,2018,2019
./bin/tests/system/mkeys/ns1/root.db ZONE 2015,2016,2017,2018,2019
./bin/tests/system/mkeys/ns1/sign.sh SH 2015,2016,2017,2018,2019
+./bin/tests/system/mkeys/ns1/unsupported.key X 2018,2019
./bin/tests/system/mkeys/ns2/named.args X 2015,2016,2017,2018,2019
./bin/tests/system/mkeys/ns2/named.conf.in CONF-C 2015,2016,2018,2019
./bin/tests/system/mkeys/ns3/named.args X 2015,2016,2017,2018,2019
./bin/tests/system/mkeys/ns5/named.conf.in CONF-C 2017,2018,2019
./bin/tests/system/mkeys/ns5/named1.args X 2017,2018,2019
./bin/tests/system/mkeys/ns5/named2.args X 2017,2018,2019
-./bin/tests/system/mkeys/ns6/named.conf.in CONF-C 2019
+./bin/tests/system/mkeys/ns6/named.args X 2018,2019
+./bin/tests/system/mkeys/ns6/named.conf.in CONF-C 2018,2019
+./bin/tests/system/mkeys/ns6/setup.sh SH 2018,2019
+./bin/tests/system/mkeys/ns6/unsupported-managed.key X 2018,2019
+./bin/tests/system/mkeys/ns7/named.conf.in CONF-C 2019
./bin/tests/system/mkeys/prereq.sh SH 2015,2016,2018,2019
./bin/tests/system/mkeys/setup.sh SH 2015,2016,2017,2018,2019
./bin/tests/system/mkeys/tests.sh SH 2015,2016,2017,2018,2019
projects / thirdparty / bind9.git / commitdiff
