From: Mark Andrews Date: Wed, 29 Jan 2020 08:02:01 +0000 (+1100) Subject: check kskonly key ids X-Git-Tag: v9.16.0~39^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=379949cce43be56ec3132cd1c1f4c9b24d9d04fb;p=thirdparty%2Fbind9.git check kskonly key ids --- diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index 6745d436d27..568741063ec 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -24,9 +24,9 @@ rm -f ./canonical?.* rm -f ./delv.out* rm -f ./delve.out* rm -f ./dig.out.* +rm -f ./dnssectools.out* rm -f ./dsfromkey.out.* rm -f ./keygen.err -rm -f ./dnssectools.out* rm -f ./named.secroots.test* rm -f ./nosign.before rm -f ./ns*/*.nta @@ -37,19 +37,19 @@ rm -f ./ns1/root.db ./ns2/example.db ./ns2/managed.db ./ns2/trusted.db rm -f ./ns2/algroll.db rm -f ./ns2/badparam.db ./ns2/badparam.db.bad rm -f ./ns2/cdnskey-kskonly.secure.db +rm -f ./ns2/cdnskey-kskonly.secure.id rm -f ./ns2/cdnskey-update.secure.db rm -f ./ns2/cdnskey-x.secure.db rm -f ./ns2/cdnskey.secure.db rm -f ./ns2/cds-auto.secure.db ./ns2/cds-auto.secure.db.jnl rm -f ./ns2/cds-kskonly.secure.db +rm -f ./ns2/cds-kskonly.secure.id rm -f ./ns2/cds-update.secure.db ./ns2/cds-update.secure.db.jnl rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db rm -f ./ns2/in-addr.arpa.db rm -f ./ns2/nsec3chain-test.db rm -f ./ns2/single-nsec3.db rm -f ./ns2/updatecheck-kskonly.secure.* -rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db -rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp rm -f ./ns3/auto-nsec.example.db ./ns3/auto-nsec3.example.db rm -f ./ns3/badds.example.db rm -f ./ns3/dname-at-apex-nsec3.example.db @@ -57,10 +57,10 @@ rm -f ./ns3/dnskey-nsec3-unknown.example.db rm -f ./ns3/dnskey-nsec3-unknown.example.db.tmp rm -f ./ns3/dnskey-unknown.example.db rm -f ./ns3/dnskey-unknown.example.db.tmp -rm -f ./ns3/dnskey-unsupported.example.db -rm -f ./ns3/dnskey-unsupported.example.db.tmp rm -f ./ns3/dnskey-unsupported-2.example.db rm -f ./ns3/dnskey-unsupported-2.example.db.tmp +rm -f ./ns3/dnskey-unsupported.example.db +rm -f ./ns3/dnskey-unsupported.example.db.tmp rm -f ./ns3/dynamic.example.db ./ns3/dynamic.example.db.signed.jnl rm -f ./ns3/expired.example.db ./ns3/update-nsec3.example.db rm -f ./ns3/expiring.example.db ./ns3/nosign.example.db @@ -80,6 +80,7 @@ rm -f ./ns3/publish-inactive.example.db rm -f ./ns3/revkey.example.db rm -f ./ns3/rsasha256.example.db ./ns3/rsasha512.example.db rm -f ./ns3/secure.below-cname.example.db +rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db rm -f ./ns3/secure.nsec3.example.db rm -f ./ns3/secure.optout.example.db rm -f ./ns3/siginterval.conf @@ -89,6 +90,7 @@ rm -f ./ns3/split-smart.example.db rm -f ./ns3/ttlpatch.example.db ./ns3/ttlpatch.example.db.signed rm -f ./ns3/ttlpatch.example.db.patched rm -f ./ns3/unsecure.example.db ./ns3/bogus.example.db ./ns3/keyless.example.db +rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp rm -f ./ns4/managed-keys.bind* rm -f ./ns4/named_dump.db* rm -f ./ns6/optout-tld.db diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index ac6c4b3340b..8bb113cf39c 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -238,6 +238,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$key1.key" "$key2.key" > "$zonefile" "$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +keyfile_to_key_id "$key1" > cds-kskonly.secure.id zone=cds-auto.secure infile=cds-auto.secure.db.in @@ -281,6 +282,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$key1.key" "$key2.key" > "$zonefile" "$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id zone=cdnskey-auto.secure infile=cdnskey-auto.secure.db.in diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 258afe23ced..58922e90dac 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -3342,6 +3342,7 @@ status=$((status+ret)) echo_i "check that CDS records are signed only using KSK when added by" echo_i " nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 +keyid=$(cat ns2/cds-kskonly.secure.id) ( echo zone cds-kskonly.secure echo server 10.53.0.2 "$PORT" @@ -3356,6 +3357,8 @@ echo send dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 +lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) +test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 n=$((n+1)) @@ -3365,6 +3368,7 @@ status=$((status+ret)) echo_i "check that CDS deletion records are signed only using KSK when added by" echo_i " nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 +keyid=$(cat ns2/cds-kskonly.secure.id) ( echo zone cds-kskonly.secure echo server 10.53.0.2 "$PORT" @@ -3375,6 +3379,8 @@ echo send dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 +lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) +test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 n=$((n+1)) @@ -3565,6 +3571,7 @@ status=$((status+ret)) echo_i "check that CDNSKEY records are signed only using KSK when added by" echo_i " nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 +keyid=$(cat ns2/cdnskey-kskonly.secure.id) ( echo zone cdnskey-kskonly.secure echo server 10.53.0.2 "$PORT" @@ -3576,6 +3583,8 @@ echo send dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 +lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l) +test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 n=$((n+1))