From: Ondřej Surý
Date: Sun, 11 Feb 2024 08:13:43 +0000 (+0100)
Subject: Add a system test for mixed-case data for the same owner
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1f9bbe1fe34b7a2c9765431e8a86b460afc9b323;p=thirdparty%2Fbind9.git

Add a system test for mixed-case data for the same owner

We were missing a test where a single owner name would have multiple types with a different case. The generated RRSIGs and NSEC records will then have different case than the signed records and message parser have to cope with that and treat everything as the same owner.

(cherry picked from commit c8b623d87f0fb8f9cba8dea5c6a4b600953895e7)
---
diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in
index a097227278b..be6b3f45b18 100644
--- a/bin/tests/system/dnssec/ns3/secure.example.db.in
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
@@ -44,3 +44,8 @@ rrsigonly A 10.0.0.29
 cnameandkey CNAME @
 cnamenokey CNAME @
 dnameandkey DNAME @
+
+mixedcase A 10.0.0.30
+mixedCASE TXT "mixed case"
+MIXEDcase AAAA 2002::
+mIxEdCaSe LOC 37 52 56.788 N 121 54 55.02 W 1120m 10m 100m 10m
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 7caf29c3b2f..9af0ca5a47a 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
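Review bot: The four added records carry no comment saying that mixedcase, mixedCASE, MIXEDcase and mIxEdCaSe are deliberately one owner name spelled in different case, so a later tidy-up could normalise the spelling and silently remove the case mismatch the new test depends on. Suggest a zone-file comment directly above the block: `; one owner name, deliberately spelled in different case for each type (mixed-case test)`. It would also help to state here, as the commit message does, that the signer-generated RRSIG and NSEC records for this name are expected to end up with a different case than the data records.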
@@ -15,39 +15,38 @@ SYSTEMTESTTOP=../.. echo_i "ns3/sign.sh" infile=key.db.in -for tld in managed trusted -do +for tld in managed trusted; do # A secure zone to test. zone=secure.${tld} zonefile=${zone}.db - keyname1=`$KEYGEN -f KSK -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` - cat $infile $keyname1.key > $zonefile - $SIGNER -z -P -3 - -o $zone -r $RANDFILE -O full -f ${zonefile}.signed $zonefile > /dev/null 2>&1 - DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP - $DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE + keyname1=$($KEYGEN -f KSK -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) + cat $infile $keyname1.key >$zonefile + $SIGNER -z -P -3 - -o $zone -r $RANDFILE -O full -f ${zonefile}.signed $zonefile >/dev/null 2>&1 + DSFILE=dsset-$(echo ${zone} | sed -e "s/\.$//g")$TP + $DSFROMKEY -A -f ${zonefile}.signed $zone >$DSFILE # Zone to test trust anchor with unsupported algorithm. zone=unsupported.${tld} zonefile=${zone}.db - keyname2=`$KEYGEN -f KSK -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` - cat $infile $keyname2.key > $zonefile - $SIGNER -z -P -3 - -o $zone -r $RANDFILE -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1 - awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed - DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP - $DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE + keyname2=$($KEYGEN -f KSK -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) + cat $infile $keyname2.key >$zonefile + $SIGNER -z -P -3 - -o $zone -r $RANDFILE -O full -f ${zonefile}.tmp $zonefile >/dev/null 2>&1 + awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed + DSFILE=dsset-$(echo ${zone} | sed -e "s/\.$//g")$TP + $DSFROMKEY -A -f ${zonefile}.signed $zone >$DSFILE # Make trusted-keys and managed keys conf sections for ns8. 
mv ${keyname2}.key ${keyname2}.tmp - awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key + awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname2}.tmp >${keyname2}.key case $tld in "managed") - keyfile_to_managed_keys $keyname1 $keyname2 > ../ns8/managed.conf + keyfile_to_managed_keys $keyname1 $keyname2 >../ns8/managed.conf ;; "trusted") - keyfile_to_trusted_keys $keyname1 $keyname2 > ../ns8/trusted.conf + keyfile_to_trusted_keys $keyname1 $keyname2 >../ns8/trusted.conf ;; esac done 
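Review bot: `DSFILE=dsset-$(echo ${zone} | sed -e "s/\.$//g")$TP`, which appears twice in this hunk, spawns a subshell plus two processes to strip a single trailing dot and leaves `${zone}` unquoted; since the hunk already moves to `$(...)`, the POSIX parameter expansion `DSFILE=dsset-${zone%.}$TP` does the same for the zone names used here with no external commands and no word-splitting exposure. This is a style point only, and the rest of the hunk is a mechanical backtick-to-`$(...)` rewrite. The `for tld` loop these lines belong to starts at the hunk's first line and ends at `done`.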
@@ -58,49 +57,51 @@ zone=secure.example. infile=secure.example.db.in zonefile=secure.example.db -cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n host cnameandkey.$zone` -dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n host dnameandkey.$zone` -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +cnameandkey=$($KEYGEN -T KEY -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n host cnameandkey.$zone) +dnameandkey=$($KEYGEN -T KEY -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n host dnameandkey.$zone) +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $cnameandkey.key $dnameandkey.key $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -D -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 +cat "$zonefile" "$zonefile".signed >"$zonefile".tmp +mv "$zonefile".tmp "$zonefile".signed zone=bogus.example. infile=bogus.example.db.in zonefile=bogus.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 zone=dynamic.example. 
infile=dynamic.example.db.in zonefile=dynamic.example.db -keyname1=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` -keyname2=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b 1024 -n zone -f KSK $zone` +keyname1=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) +keyname2=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b 1024 -n zone -f KSK $zone) cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 zone=keyless.example. infile=generic.example.db.in zonefile=keyless.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # Change the signer field of the a.b.keyless.example SIG A # to point to a provably nonexistent KEY record. mv $zonefile.signed $zonefile.tmp -<$zonefile.tmp $PERL -p -e 's/ keyless.example/ b.keyless.example/ +$PERL <$zonefile.tmp -p -e 's/ keyless.example/ b.keyless.example/ if /^a.b.keyless.example/../NXT/;' >$zonefile.signed rm -f $zonefile.tmp @@ -111,11 +112,11 @@ zone=secure.nsec3.example. infile=secure.nsec3.example.db.in zonefile=secure.nsec3.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # NSEC3/NSEC3 test zone 
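Review bot: The new `$SIGNER -P -D ...` invocation followed by `cat "$zonefile" "$zonefile".signed >"$zonefile".tmp` and the `mv` has no comment explaining why secure.example is now assembled differently from every other zone in this script; read together with the commit message, the intent appears to be to keep the owner names from secure.example.db.in exactly as written while the signer-generated records use the signer's own spelling, but a reader of sign.sh alone cannot tell. Suggest a comment above the signer line: `# Sign with -D (emit only the DNSSEC records) and append them to the unsigned zone so the mixed-case owner names in the input are served as written while the generated RRSIG/NSEC records carry the signer's spelling.` Separately, these three lines quote `"$zonefile"` while every neighbouring line in the same block leaves `$zonefile` unquoted; one convention within the block would be cleaner. The hunk also covers the bogus, dynamic and keyless blocks, which are only reformatted.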
@@ -124,11 +125,11 @@ zone=nsec3.nsec3.example. infile=nsec3.nsec3.example.db.in zonefile=nsec3.nsec3.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # OPTOUT/NSEC3 test zone @@ -137,11 +138,11 @@ zone=optout.nsec3.example. infile=optout.nsec3.example.db.in zonefile=optout.nsec3.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # A nsec3 zone (non-optout). @@ -150,11 +151,11 @@ zone=nsec3.example. infile=nsec3.example.db.in zonefile=nsec3.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # OPTOUT/NSEC test zone @@ -163,11 +164,11 @@ zone=secure.optout.example. infile=secure.optout.example.db.in zonefile=secure.optout.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # OPTOUT/NSEC3 test zone 
@@ -176,11 +177,11 @@ zone=nsec3.optout.example. infile=nsec3.optout.example.db.in zonefile=nsec3.optout.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # OPTOUT/OPTOUT test zone @@ -189,11 +190,11 @@ zone=optout.optout.example. infile=optout.optout.example.db.in zonefile=optout.optout.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # A optout nsec3 zone. @@ -202,11 +203,11 @@ zone=optout.example. infile=optout.example.db.in zonefile=optout.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U). 
@@ -215,11 +216,11 @@ zone=nsec3-unknown.example. infile=nsec3-unknown.example.db.in zonefile=nsec3-unknown.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # A optout nsec3 zone with a unknown nsec3 hash algorithm (-U). @@ -228,11 +229,11 @@ zone=optout-unknown.example. infile=optout-unknown.example.db.in zonefile=optout-unknown.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # A zone that is signed with an unknown DNSKEY algorithm. 
@@ -242,16 +243,16 @@ zone=dnskey-unknown.example infile=dnskey-unknown.example.db.in zonefile=dnskey-unknown.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -3 - -r $RANDFILE -o $zone -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1 +$SIGNER -P -3 - -r $RANDFILE -o $zone -O full -f ${zonefile}.tmp $zonefile >/dev/null 2>&1 -awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp >${zonefile}.signed DSFILE=dsset-${zone}${TP} -$DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE +$DSFROMKEY -A -f ${zonefile}.signed $zone >$DSFILE # # A zone that is signed with an unsupported DNSKEY algorithm (3). @@ -261,16 +262,16 @@ zone=dnskey-unsupported.example infile=dnskey-unsupported.example.db.in zonefile=dnskey-unsupported.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) -cat $infile $keyname.key > $zonefile +cat $infile $keyname.key >$zonefile -$SIGNER -P -3 - -r $RANDFILE -o $zone -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1 +$SIGNER -P -3 - -r $RANDFILE -o $zone -O full -f ${zonefile}.tmp $zonefile >/dev/null 2>&1 -awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed DSFILE="dsset-${zone}${TP}" -$DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE +$DSFROMKEY -A -f ${zonefile}.signed $zone >$DSFILE # # A zone with a published unsupported DNSKEY algorithm (Reserved). 
@@ -280,12 +281,12 @@ zone=dnskey-unsupported-2.example infile=dnskey-unsupported-2.example.db.in zonefile=dnskey-unsupported-2.example.db -ksk=`$KEYGEN -f KSK -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` -zsk=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +ksk=$($KEYGEN -f KSK -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) +zsk=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) -cat $infile $ksk.key $zsk.key unsupported-algorithm.key > $zonefile +cat $infile $ksk.key $zsk.key unsupported-algorithm.key >$zonefile -$SIGNER -P -3 - -r $RANDFILE -o $zone -f ${zonefile}.signed $zonefile > /dev/null 2>&1 +$SIGNER -P -3 - -r $RANDFILE -o $zone -f ${zonefile}.signed $zonefile >/dev/null 2>&1 # # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). @@ -295,16 +296,16 @@ zone=dnskey-nsec3-unknown.example infile=dnskey-nsec3-unknown.example.db.in zonefile=dnskey-nsec3-unknown.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -3 - -r $RANDFILE -o $zone -U -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1 +$SIGNER -P -3 - -r $RANDFILE -o $zone -U -O full -f ${zonefile}.tmp $zonefile >/dev/null 2>&1 -awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp >${zonefile}.signed DSFILE=dsset-${zone}${TP} -$DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE +$DSFROMKEY -A -f ${zonefile}.signed $zone >$DSFILE # # A multiple parameter nsec3 zone. 
@@ -313,21 +314,21 @@ zone=multiple.example. infile=multiple.example.db.in zonefile=multiple.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 mv $zonefile.signed $zonefile -$SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 mv $zonefile.signed $zonefile -$SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 mv $zonefile.signed $zonefile -$SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 mv $zonefile.signed $zonefile -$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 mv $zonefile.signed $zonefile -$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # A RSASHA256 zone. @@ -336,11 +337,11 @@ zone=rsasha256.example. infile=rsasha256.example.db.in zonefile=rsasha256.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # A RSASHA512 zone. 
@@ -349,11 +350,11 @@ zone=rsasha512.example. infile=rsasha512.example.db.in zonefile=rsasha512.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA512 -b 1024 -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a RSASHA512 -b 1024 -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # A zone with the DNSKEY set only signed by the KSK @@ -362,10 +363,10 @@ zone=kskonly.example. infile=kskonly.example.db.in zonefile=kskonly.example.db -kskname=`$KEYGEN -q -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -r $RANDFILE $zone` +kskname=$($KEYGEN -q -r $RANDFILE -fk $zone) +zskname=$($KEYGEN -q -r $RANDFILE $zone) cat $infile $kskname.key $zskname.key >$zonefile -$SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -x -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # A zone with the expired signatures @@ -374,10 +375,10 @@ zone=expired.example. infile=expired.example.db.in zonefile=expired.example.db -kskname=`$KEYGEN -q -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -r $RANDFILE $zone` +kskname=$($KEYGEN -q -r $RANDFILE -fk $zone) +zskname=$($KEYGEN -q -r $RANDFILE $zone) cat $infile $kskname.key $zskname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone -s -1d -e +1h $zonefile > /dev/null 2>&1 +$SIGNER -P -r $RANDFILE -o $zone -s -1d -e +1h $zonefile >/dev/null 2>&1 rm -f $kskname.* $zskname.* # @@ -387,10 +388,10 @@ zone=update-nsec3.example. infile=update-nsec3.example.db.in zonefile=update-nsec3.example.db -kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` +kskname=$($KEYGEN -q -3 -r $RANDFILE -fk $zone) +zskname=$($KEYGEN -q -3 -r $RANDFILE $zone) cat $infile $kskname.key $zskname.key >$zonefile -$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # A NSEC signed zone that will have auto-dnssec enabled and 
@@ -400,12 +401,12 @@ zone=auto-nsec.example. infile=auto-nsec.example.db.in zonefile=auto-nsec.example.db -kskname=`$KEYGEN -q -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -r $RANDFILE $zone` -kskname=`$KEYGEN -q -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -r $RANDFILE $zone` +kskname=$($KEYGEN -q -r $RANDFILE -fk $zone) +zskname=$($KEYGEN -q -r $RANDFILE $zone) +kskname=$($KEYGEN -q -r $RANDFILE -fk $zone) +zskname=$($KEYGEN -q -r $RANDFILE $zone) cat $infile $kskname.key $zskname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # A NSEC3 signed zone that will have auto-dnssec enabled and @@ -415,12 +416,12 @@ zone=auto-nsec3.example. infile=auto-nsec3.example.db.in zonefile=auto-nsec3.example.db -kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` -kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` +kskname=$($KEYGEN -q -3 -r $RANDFILE -fk $zone) +zskname=$($KEYGEN -q -3 -r $RANDFILE $zone) +kskname=$($KEYGEN -q -3 -r $RANDFILE -fk $zone) +zskname=$($KEYGEN -q -3 -r $RANDFILE $zone) cat $infile $kskname.key $zskname.key >$zonefile -$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # Secure below cname test zone. @@ -428,9 +429,9 @@ $SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 zone=secure.below-cname.example. infile=secure.below-cname.example.db.in zonefile=secure.below-cname.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # Patched TTL test zone. 
@@ -441,12 +442,12 @@ zonefile=ttlpatch.example.db signedfile=ttlpatch.example.db.signed patchedfile=ttlpatch.example.db.patched -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1 -$CHECKZONE -D -s full $zone $signedfile 2> /dev/null | \ - awk '{$2 = "3600"; print}' > $patchedfile +$SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile >/dev/null 2>&1 +$CHECKZONE -D -s full $zone $signedfile 2>/dev/null | + awk '{$2 = "3600"; print}' >$patchedfile # # Separate DNSSEC records. @@ -456,11 +457,11 @@ infile=split-dnssec.example.db.in zonefile=split-dnssec.example.db signedfile=split-dnssec.example.db.signed -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -echo '$INCLUDE "'"$signedfile"'"' >> $zonefile -: > $signedfile -$SIGNER -P -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1 +echo '$INCLUDE "'"$signedfile"'"' >>$zonefile +: >$signedfile +$SIGNER -P -r $RANDFILE -D -o $zone $zonefile >/dev/null 2>&1 # # Separate DNSSEC records smart signing. 
@@ -470,11 +471,11 @@ infile=split-smart.example.db.in zonefile=split-smart.example.db signedfile=split-smart.example.db.signed -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cp $infile $zonefile -echo '$INCLUDE "'"$signedfile"'"' >> $zonefile -: > $signedfile -$SIGNER -P -S -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1 +echo '$INCLUDE "'"$signedfile"'"' >>$zonefile +: >$signedfile +$SIGNER -P -S -r $RANDFILE -D -o $zone $zonefile >/dev/null 2>&1 # # Zone with signatures about to expire, but no private key to replace them @@ -483,10 +484,10 @@ zone="expiring.example." infile="expiring.example.db.in" zonefile="expiring.example.db" signedfile="expiring.example.db.signed" -kskname=`$KEYGEN -q -r $RANDFILE $zone` -zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +kskname=$($KEYGEN -q -r $RANDFILE $zone) +zskname=$($KEYGEN -q -r $RANDFILE -f KSK $zone) cp $infile $zonefile -$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile >/dev/null 2>&1 mv -f ${zskname}.private ${zskname}.private.moved mv -f ${kskname}.private ${kskname}.private.moved 
@@ -498,12 +499,12 @@ infile="upper.example.db.in" zonefile="upper.example.db" lower="upper.example.db.lower" signedfile="upper.example.db.signed" -kskname=`$KEYGEN -q -r $RANDFILE $zone` -zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +kskname=$($KEYGEN -q -r $RANDFILE $zone) +zskname=$($KEYGEN -q -r $RANDFILE -f KSK $zone) cp $infile $zonefile -$SIGNER -P -S -r $RANDFILE -o $zone -f $lower $zonefile > /dev/null 2>/dev/null -$CHECKZONE -D upper.example $lower 2>/dev/null | \ - sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile +$SIGNER -P -S -r $RANDFILE -o $zone -f $lower $zonefile >/dev/null 2>/dev/null +$CHECKZONE -D upper.example $lower 2>/dev/null | + sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' >$signedfile # # Check that the signer's name is in lower case when zone name is in @@ -513,10 +514,10 @@ zone="LOWER.EXAMPLE." infile="lower.example.db.in" zonefile="lower.example.db" signedfile="lower.example.db.signed" -kskname=`$KEYGEN -q -r $RANDFILE $zone` -zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +kskname=$($KEYGEN -q -r $RANDFILE $zone) +zskname=$($KEYGEN -q -r $RANDFILE -f KSK $zone) cp $infile $zonefile -$SIGNER -P -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -S -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # Zone with signatures about to expire, and dynamic, but configured 
@@ -526,21 +527,21 @@ zone="nosign.example." infile="nosign.example.db.in" zonefile="nosign.example.db" signedfile="nosign.example.db.signed" -kskname=`$KEYGEN -q -r $RANDFILE $zone` -zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +kskname=$($KEYGEN -q -r $RANDFILE $zone) +zskname=$($KEYGEN -q -r $RANDFILE -f KSK $zone) cp $infile $zonefile -$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile >/dev/null 2>&1 # preserve a normalized copy of the NS RRSIG for comparison later -$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \ - awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \ - sed 's/[ ][ ]*/ /g'> ../nosign.before +$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | + awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | + sed 's/[ ][ ]*/ /g' >../nosign.before # # An inline signing zone # zone=inline.example. -kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` +kskname=$($KEYGEN -q -3 -r $RANDFILE -fk $zone) +zskname=$($KEYGEN -q -3 -r $RANDFILE $zone) # # publish a new key while deactivating another key at the same time. 
@@ -548,13 +549,13 @@ zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` zone=publish-inactive.example infile=publish-inactive.example.db.in zonefile=publish-inactive.example.db -now=`date -u +%Y%m%d%H%M%S` -kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` -kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -f KSK $zone` -kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone` -zskname=`$KEYGEN -q -r $RANDFILE $zone` +now=$(date -u +%Y%m%d%H%M%S) +kskname=$($KEYGEN -q -r $RANDFILE -f KSK $zone) +kskname=$($KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -f KSK $zone) +kskname=$($KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone) +zskname=$($KEYGEN -q -r $RANDFILE $zone) cp $infile $zonefile -$SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -S -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # A zone which will change its sig-validity-interval @@ -562,8 +563,8 @@ $SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 zone=siginterval.example infile=siginterval.example.db.in zonefile=siginterval.example.db -kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` +kskname=$($KEYGEN -q -3 -r $RANDFILE -fk $zone) +zskname=$($KEYGEN -q -3 -r $RANDFILE $zone) cp $infile $zonefile # @@ -574,12 +575,12 @@ zone=badds.example. infile=bogus.example.db.in zonefile=badds.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 -sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP +$SIGNER -P -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 +sed -e 's/bogus/badds/g' dsset-badds.example$TP # # A zone with future signatures. 
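Review bot: In the -574 hunk the replacement line `sed -e 's/bogus/badds/g' dsset-badds.example$TP` names only dsset-badds.example$TP, whereas the removed line read dsset-bogus.example$TP and redirected the result into dsset-badds.example$TP; as shown, the DS set for badds.example would never be written and sed would be reading a file that does not exist yet. The most likely explanation is that the page rendering dropped `<dsset-bogus.example$TP >` as if it were a markup tag, so the committed line is probably `sed -e 's/bogus/badds/g' <dsset-bogus.example$TP >dsset-badds.example$TP`; this should be confirmed against the repository rather than merged on the strength of the rendered diff. The other two hunks sharing this line (-548 publish-inactive and -562 siginterval) are mechanical backtick-to-`$(...)` rewrites.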
@@ -587,10 +588,10 @@ sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP zone=future.example infile=future.example.db.in zonefile=future.example.db -kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` -zskname=`$KEYGEN -q -r $RANDFILE $zone` +kskname=$($KEYGEN -q -r $RANDFILE -f KSK $zone) +zskname=$($KEYGEN -q -r $RANDFILE $zone) cat $infile $kskname.key $zskname.key >$zonefile -$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 cp -f $kskname.key trusted-future.key # @@ -599,10 +600,10 @@ cp -f $kskname.key trusted-future.key zone=managed-future.example infile=managed-future.example.db.in zonefile=managed-future.example.db -kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` -zskname=`$KEYGEN -q -r $RANDFILE $zone` +kskname=$($KEYGEN -q -r $RANDFILE -f KSK $zone) +zskname=$($KEYGEN -q -r $RANDFILE $zone) cat $infile $kskname.key $zskname.key >$zonefile -$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # A zone with a revoked key @@ -611,14 +612,14 @@ zone=revkey.example. infile=generic.example.db.in zonefile=revkey.example.db -ksk1=`$KEYGEN -q -r $RANDFILE -3fk $zone` -ksk1=`$REVOKE $ksk1` -ksk2=`$KEYGEN -q -r $RANDFILE -3fk $zone` -zsk1=`$KEYGEN -q -r $RANDFILE -3 $zone` +ksk1=$($KEYGEN -q -r $RANDFILE -3fk $zone) +ksk1=$($REVOKE $ksk1) +ksk2=$($KEYGEN -q -r $RANDFILE -3fk $zone) +zsk1=$($KEYGEN -q -r $RANDFILE -3 $zone) cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile -$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -r $RANDFILE -o $zone $zonefile >/dev/null 2>&1 # # Check that NSEC3 are correctly signed and returned from below a DNAME 
@@ -626,10 +627,10 @@ $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 zone=dname-at-apex-nsec3.example infile=dname-at-apex-nsec3.example.db.in zonefile=dname-at-apex-nsec3.example.db -kskname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -3fk $zone` -zskname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -3 $zone` +kskname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -3fk $zone) +zskname=$($KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -3 $zone) cat $infile $kskname.key $zskname.key >$zonefile -$SIGNER -P -r $RANDFILE -3 - -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -r $RANDFILE -3 - -o $zone $zonefile >/dev/null 2>&1 # # A NSEC zone with occuded data at the delegation 
@@ -637,11 +638,11 @@ $SIGNER -P -r $RANDFILE -3 - -o $zone $zonefile > /dev/null 2>&1 zone=occluded.example infile=occluded.example.db.in zonefile=occluded.example.db -kskname=`"$KEYGEN" -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk "$zone"` -zskname=`"$KEYGEN" -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS "$zone"` -dnskeyname=`"$KEYGEN" -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk "delegation.$zone"` -keyname=`"$KEYGEN" -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n ENTITY -T KEY "delegation.$zone"` -$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}$TP" +kskname=$("$KEYGEN" -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk "$zone") +zskname=$("$KEYGEN" -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS "$zone") +dnskeyname=$("$KEYGEN" -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk "delegation.$zone") +keyname=$("$KEYGEN" -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n ENTITY -T KEY "delegation.$zone") +$DSFROMKEY "$dnskeyname.key" >"dsset-delegation.${zone}$TP" cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \ - "${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile" -"$SIGNER" -P -r $RANDFILE -o "$zone" "$zonefile" > /dev/null 2>&1 + "${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile" +"$SIGNER" -P -r $RANDFILE -o "$zone" "$zonefile" >/dev/null 2>&1 diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 30f7fc5ec0c..428fb6bbef0 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh 
@@ -743,6 +743,21 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
+echo_i "checking mixed-case positive validation ($n)"
+ret=0
+for type in a txt aaaa loc; do
+ $DIG $DIGOPTS +noauth mixedcase.secure.example. \
+ @10.53.0.3 $type >dig.out.$type.ns3.test$n || ret=1
+ $DIG $DIGOPTS +noauth mixedcase.secure.example. \
+ @10.53.0.4 $type >dig.out.$type.ns4.test$n || ret=1
+ digcomp --lc dig.out.$type.ns3.test$n dig.out.$type.ns4.test$n || ret=1
+ grep "status: NOERROR" dig.out.$type.ns4.test$n >/dev/null || ret=1
+ grep "flags:.*ad.*QUERY" dig.out.$type.ns4.test$n >/dev/null || ret=1
+done
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.example. \
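Review bot: The new check only exercises positive answers for the four types that exist at mixedcase.secure.example, so the NSEC half of the commit message (the generated NSEC record has a different case than the data) is never validated: there is no NODATA query. Adding, inside or after the loop, `$DIG $DIGOPTS +noauth mixedcase.secure.example. @10.53.0.4 mx >dig.out.mx.ns4.test$n || ret=1` followed by the same `status: NOERROR` and `flags:.*ad.*QUERY` greps would force the validator to accept an NSEC proof whose owner case differs from the data it covers. The queries also always use the lowercase spelling of the owner; one query with a mixed-case qname (for example `MiXeDcAsE.secure.example.`) would additionally show that the RRSIG owner is matched case-insensitively against the question name. As a style point, `n=$((n + 1))` and `test "$ret" -eq 0 || echo_i "failed"` differ from the `n=`expr $n + 1`` and `if [ $ret != 0 ]; then echo_i "failed"; fi` idioms visible in the context lines just above; either form is fine, but mixing them within one file is noisy.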