From: Matthijs Mekking
Date: Wed, 9 Oct 2019 16:09:27 +0000 (+0200)
Subject: Test jitter distribution
X-Git-Tag: v9.15.6~30^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=540b90fd6cd8283254f9c861f7569010c78ffa40;p=thirdparty%2Fbind9.git

Test jitter distribution

Test jitter distribution in NSEC3 dynamic zone and for a zone that has old signatures. In both cases the generated signatures should be spread nicely.
---
diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh
index 35a4ca55834..afad4d3884e 100644
--- a/bin/tests/system/autosign/clean.sh
+++ b/bin/tests/system/autosign/clean.sh
@@ -39,6 +39,7 @@ rm -f ns3/inacksk2.example.db
 rm -f ns3/inacksk3.example.db
 rm -f ns3/inaczsk2.example.db
 rm -f ns3/inaczsk3.example.db
+rm -f ns3/jitter.nsec3.example.db
 rm -f ns3/kg.out ns3/s.out ns3/st.out
 rm -f ns3/kskonly.example.db
 rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
diff --git a/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in b/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in
new file mode 100644
index 00000000000..aa08c7764dd
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+ $TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh
index 70103b07a54..fd7a7224903 100644
--- a/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -52,6 +52,21 @@ ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
 $KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
+#
+# Jitter/NSEC3 test zone
+#
+setup jitter.nsec3.example
+cp $infile $zonefile
+count=1
+while [ $count -le 100 ]
+do
+ echo "label${count} IN TXT label${count}" >> $zonefile
+ count=`expr $count + 1`
+done
+# Don't create keys just yet, because the scenario we want to test
+# is an unsigned zone that has a NSEC3PARAM record added with
+# dynamic update before the keys are generated.
+
 #
 # OPTOUT/NSEC3 test zone
 #
@@ -150,9 +165,16 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup oldsigs.example
 cp $infile $zonefile
+count=1
+while [ $count -le 100 ]
+do
+ echo "label${count} IN TXT label${count}" >> $zonefile
+ count=`expr $count + 1`
+done
 $KEYGEN -q -a RSASHA1 -fk $zone > kg.out 2>&1 || dumpit kg.out
 $KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
-$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out || dumpit s.out
+$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out
+mv $zonefile.signed $zonefile
 #
 # NSEC3->NSEC transition test zone.
diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
index 7f491fef9c2..6382e941868 100644
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -95,6 +95,14 @@ zone "nsec3.nsec3.example" {
 auto-dnssec maintain;
 };
+zone "jitter.nsec3.example" {
+ type master;
+ file "jitter.nsec3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+ sig-validity-interval 10 2;
+};
+
 zone "secure.nsec3.example" {
 type master;
 file "secure.nsec3.example.db";
@@ -178,6 +186,7 @@ zone "oldsigs.example" {
 file "oldsigs.example.db";
 allow-update { any; };
 auto-dnssec maintain;
+ sig-validity-interval 10 2;
 };
 zone "prepub.example" {
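Review bot: The 100-iteration `while [ $count -le 100 ]` loop that appends `labelN IN TXT labelN` records is pasted verbatim in both keygen.sh hunks (for jitter.nsec3.example here and for oldsigs.example at `@@ -150,9 +165,16 @@`); a small helper taking the zone file as its argument would keep the two in step if the record count or format changes later. Both copies also depend on `$zonefile` and `$infile` having been set by the preceding `setup` call, whose definition is outside the hunk. The rewrite below is the helper plus its call site; the second hunk would call it the same way after its `cp $infile $zonefile`.
```shell
# Append 100 TXT records ("labelN IN TXT labelN") to the zone file named by $1.
addlabels () {
	count=1
	while [ $count -le 100 ]
	do
		echo "label${count} IN TXT label${count}" >> "$1"
		count=`expr $count + 1`
	done
}

# … unchanged: setup jitter.nsec3.example / cp $infile $zonefile …
addlabels $zonefile
# … unchanged: comment explaining why no keys are generated yet …
```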
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 8b8e5ae8a39..a5fba84ab97 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -50,6 +50,43 @@ checkprivate () {
 return 1
 }
+# Check the signatures expiration times. First check how many signatures
+# there are in total ($rrsigs). Then see what the distribution of signature
+# expiration times is ($expiretimes). Ignore the time part for a better
+# modelled distribution.
+checkjitter () {
+ _file=$1
+ _ret=0
+
+ cat $_file | awk '$4 == "RRSIG" {print substr($9,1,8)}' | sort | uniq -c | cat_i
+ _rrsigs=$(cat $_file | awk '$4 == "RRSIG" {print $4}' | cat_i | wc -l)
+ _expiretimes=$(cat $_file | awk '$4 == "RRSIG" {print substr($9,1,8)}' | sort | uniq -c | awk '{print $1}')
+ _count=0
+ _total=0
+ for _num in $_expiretimes
+ do
+ _total=$(($_total + $_num))
+ done
+ # Make sure the total number of numbers matches the number of RRSIGs.
+ test $_total -eq $_rrsigs || _ret=1
+ # Calculate mean: The number of signatures divided over 8 days.
+ _mean=$(($_total / 8))
+ # We expect the number of signatures not to exceed twice the mean.
+ _limit=$(($_mean * 2))
+ # Add an additional margin.
+ _limit=$(($_limit + 10))
+ # Find outliers.
+ for _num in $_expiretimes
+ do
+ if [ $_num -gt $_limit ]; then
+ echo_i "error: too many RRSIG records ($_num) with the same expiration time"
+ _ret=1
+ fi
+ done
+
+ return $_ret
+}
+
 #
 # The NSEC record at the apex of the zone and its RRSIG records are
 # added as part of the last step in signing a zone. We wait for the
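Review bot: checkjitter returns success when the transfer file holds no RRSIG records at all: with `_expiretimes` empty, `_total` and `_rrsigs` are both 0, the equality check passes, `_limit` becomes 10 and the outlier loop never runs, so an AXFR that succeeded but returned an unsigned or only partially signed zone is reported as well-jittered. Add a non-empty guard before the mean calculation, `test $_rrsigs -gt 0 || { echo_i "error: no RRSIG records found in $_file"; _ret=1; }`, and give the count-mismatch check a message too, `test $_total -eq $_rrsigs || { echo_i "error: RRSIG count $_rrsigs does not match expiration total $_total"; _ret=1; }`, since today that path only surfaces as a bare "failed". `_count=0` is never read and can be dropped. The `8` in `_mean=$(($_total / 8))` presumably derives from the `sig-validity-interval 10 2` this commit sets for both zones in named.conf.in; saying so in the comment (`# 8 = validity interval minus re-sign interval; keep in step with named.conf.in`) would stop the two from drifting apart silently.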
@@ -334,6 +371,15 @@ do
 sleep 1
 done
 n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+# Check jitter distribution.
+echo_i "checking expired signatures were jittered correctly ($n)"
+ret=0
+$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+checkjitter dig.out.ns3.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 echo_i "checking NSEC->NSEC3 conversion succeeded ($n)"
@@ -938,6 +984,36 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
+echo_i "checking jitter in a newly signed NSEC3 zone ($n)"
+ret=0
+# Use DNS UPDATE to add an NSEC3PARAM record into the zone.
+$NSUPDATE > nsupdate.out.test$n 2>&1 < /dev/null
+# Trigger zone signing.
+$RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i
+# Wait until zone has been signed.
+for i in 0 1 2 3 4 5 6 7 8 9; do
+ failed=0
+ $DIG $DIGOPTS axfr jitter.nsec3.example @10.53.0.3 > dig.out.ns3.test$n || failed=1
+ grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || failed=1
+ [ $failed -eq 0 ] && break
+ echo_i "waiting ... ($i)"
+ sleep 2
+done
+[ $failed != 0 ] && echo_i "error: no NSEC3PARAM found in AXFR" && ret=1
+# Check jitter distribution.
+checkjitter dig.out.ns3.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "checking that serial number and RRSIGs are both updated (rt21045) ($n)"
 ret=0
 oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
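Review bot: In the "checking jitter in a newly signed NSEC3 zone" hunk, `$NSUPDATE > nsupdate.out.test$n 2>&1 < /dev/null` hands nsupdate no commands, so as shown no NSEC3PARAM record is ever sent despite the comment directly above it; the hunk header announces 30 added lines but only 22 are visible here, so a here-document carrying the `server`/`zone`/`update add`/`send` script may have been lost in rendering — if it is really absent, the update needs to be supplied. The exit status of `$NSUPDATE` is also not checked; `... || ret=1`, as the other commands in this hunk do, would surface a rejected update instead of letting the wait loop time out. The wait loop then runs checkjitter on the same AXFR that first shows an NSEC3PARAM record; if that can precede the end of signing, the distribution is measured on a partially signed zone, so also requiring the RRSIG count of the transfer to be unchanged between two consecutive iterations (or reusing the signing-complete wait the earlier tests in this file use, whose loop body is outside the hunk) would make the result deterministic.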