From: Evan Hunt Date: Thu, 19 Sep 2019 02:41:40 +0000 (-0700) Subject: use DS style trust anchors in all system tests X-Git-Tag: v9.15.6~7^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=54a682ea502b81f6c4f77fbebf0c9f8b4945bf54;p=thirdparty%2Fbind9.git use DS style trust anchors in all system tests this adds functions in conf.sh.common to create DS-style trust anchor files. those functions are then used to create nearly all of the trust anchors in the system tests. there are a few exceptions: - some tests in dnssec and mkeys rely on detection of unsupported algorithms, which only works with key-style trust anchors, so those are used for those tests in particular. - the mirror test had a problem with the use of a CSK without a SEP bit, which still needs addressing in the future, some of these tests should be changed back to using traditional trust anchors, so that both types will be exercised going forward. --- diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh index 6ba8f95df9f..47d3eefe107 100644 --- a/bin/tests/system/autosign/ns1/keygen.sh +++ b/bin/tests/system/autosign/ns1/keygen.sh @@ -33,12 +33,12 @@ rm $zsknopriv.private ksksby=`$KEYGEN -3 -a RSASHA1 -q -P now -A now+15s -fk $zone` kskrev=`$KEYGEN -3 -a RSASHA1 -q -R now+15s -fk $zone` -keyfile_to_static_keys $ksksby > trusted.conf +keyfile_to_static_ds $ksksby > trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf -keyfile_to_static_keys $kskrev > trusted.conf +keyfile_to_static_ds $kskrev > trusted.conf cp trusted.conf ../ns5/trusted.conf echo $zskact > ../active.key diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh index de557d76e2b..9d40b7fa348 100644 --- a/bin/tests/system/autosign/ns2/keygen.sh +++ b/bin/tests/system/autosign/ns2/keygen.sh 
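Review bot: `keyfile_to_static_ds $kskrev > trusted.conf` now anchors ns5 on a DS computed from a key that is scheduled to be revoked (`-R now+15s`); revoking a key sets a flag bit in the DNSKEY RDATA, so the revoked key's tag and digest will presumably no longer match that DS, which is a different situation from a static-key anchor whose key material later shows up revoked. Please confirm the ns5 cases still exercise the intended revoked-anchor behaviour; the same applies to `keyfile_to_initial_ds "$keyname" > revoked.conf` in dnssec/ns5/sign.sh, where the DS is written before `"$SETTIME" -R now`. If the DS form is intended in these two places, a comment such as `# DS is derived from the pre-revocation key and will not match the revoked DNSKEY` next to each call would make the expectation explicit.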
@@ -37,7 +37,7 @@ zonefile="${zone}.db" infile="${zonefile}.in" ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone` $KEYGEN -a RSASHA1 -3 -q $zone > /dev/null -keyfile_to_static_keys $ksk > private.conf +keyfile_to_static_ds $ksk > private.conf cp private.conf ../ns4/private.conf $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common index 51c0f399f55..f2bafa76ce2 100644 --- a/bin/tests/system/conf.sh.common +++ b/bin/tests/system/conf.sh.common @@ -221,9 +221,9 @@ assert_int_equal() { } # keyfile_to_keys_section: helper function for keyfile_to_*_keys() which -# converts keyfile data into a configuration section using the supplied -# parameters -keyfile_to_keys_section() { +# converts keyfile data into a key-style trust anchor configuration +# section using the supplied parameters +keyfile_to_keys() { section_name=$1 key_prefix=$2 shift 
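Review bot: The first line of the renamed helper's header comment is unchanged context and still reads `# keyfile_to_keys_section: helper function for keyfile_to_*_keys() which`, so after this hunk it documents a function that no longer exists; change it to `# keyfile_to_keys: helper function for keyfile_to_*_keys() which`. The body of `keyfile_to_keys` continues past the end of the hunk.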
@@ -241,18 +241,54 @@ keyfile_to_keys_section() {
 echo "};"
 }
 
+# keyfile_to_dskeys_section: helper function for keyfile_to_*_dskeys()
+# converts keyfile data into a DS-style trust anchor configuration
+# section using the supplied parameters
+keyfile_to_dskeys() {
+ section_name=$1
+ key_prefix=$2
+ shift
+ shift
+ echo "$section_name {"
+ for keyname in $*; do
+ $DSFROMKEY $keyname.key | \
+ awk '!/^; /{
+ printf "\t\""$1"\" "
+ printf "'"$key_prefix "'"
+ printf $4 " " $5 " " $6 " \""
+ for (i=7; i<=NF; i++) printf $i
+ printf "\";\n"
+ }'
+ done
+ echo "};"
+}
+
 # keyfile_to_static_keys: convert key data contained in the keyfile(s)
-# provided to a *static* "dnssec-keys" section suitable for including in a
+# provided to a *static-key* "dnssec-keys" section suitable for including in a
 # resolver's configuration file
 keyfile_to_static_keys() {
- keyfile_to_keys_section "dnssec-keys" "static-key" $*
+ keyfile_to_keys "dnssec-keys" "static-key" $*
 }
 
 # keyfile_to_initial_keys: convert key data contained in the keyfile(s)
-# provided to an *initialzing* "dnssec-keys" section suitable for including
+# provided to an *initial-key* "dnssec-keys" section suitable for including
 # in a resolver's configuration file
 keyfile_to_initial_keys() {
- keyfile_to_keys_section "dnssec-keys" "initial-key" $*
+ keyfile_to_keys "dnssec-keys" "initial-key" $*
+}
+
+# keyfile_to_static_ds_keys: convert key data contained in the keyfile(s)
+# provided to a *static-ds* "dnssec-keys" section suitable for including in a
+# resolver's configuration file
+keyfile_to_static_ds() {
+ keyfile_to_dskeys "dnssec-keys" "static-ds" $*
+}
+
+# keyfile_to_initial_ds_keys: convert key data contained in the keyfile(s)
+# provided to an *initial-ds* "dnssec-keys" section suitable for including
+# in a resolver's configuration file
+keyfile_to_initial_ds() {
+ keyfile_to_dskeys "dnssec-keys" "initial-ds" $*
 }
 
 # keyfile_to_key_id: convert a key file name to a key ID
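Review bot: The header comments added here do not match the names they document: the comment says `keyfile_to_dskeys_section` and `keyfile_to_*_dskeys()` while the function is `keyfile_to_dskeys` and its callers are `keyfile_to_static_ds` and `keyfile_to_initial_ds`, and the `keyfile_to_static_ds_keys:` / `keyfile_to_initial_ds_keys:` headers name functions that do not exist. Suggest `# keyfile_to_dskeys: helper function for keyfile_to_*_ds() which`, `# keyfile_to_static_ds: convert key data contained in the keyfile(s)` and `# keyfile_to_initial_ds: convert key data contained in the keyfile(s)`. Separately, the awk program uses record fields as the printf format (`printf $4 " " $5 " " $6 " \""`, and `printf $i` in the loop) and splices `$key_prefix` into the awk source by closing the single quotes; the inputs are controlled here (DS fields and a literal prefix from the two wrappers), but `printf "%s %s %s \"", $4, $5, $6` together with `awk -v prefix="$key_prefix"` would make that explicit and keep data out of the format string. Also, if `$DSFROMKEY` emits more than one DS record per key (for example both a SHA-1 and a SHA-256 digest), every one of them becomes a trust anchor; confirm that is intended, or pin the digest type with `-a SHA-256`.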
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh index fe8a432eebc..66254b7cfe3 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -38,7 +38,7 @@ cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" "$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 # Configure the resolving server with a staitc key. -keyfile_to_static_keys "$ksk" > trusted.conf +keyfile_to_static_ds "$ksk" > trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf @@ -47,7 +47,7 @@ cp trusted.conf ../ns7/trusted.conf cp trusted.conf ../ns9/trusted.conf # ...or with an initializing key. -keyfile_to_initial_keys "$ksk" > managed.conf +keyfile_to_initial_ds "$ksk" > managed.conf cp managed.conf ../ns4/managed.conf # diff --git a/bin/tests/system/dnssec/ns5/sign.sh b/bin/tests/system/dnssec/ns5/sign.sh index 1c226d5f95f..54ae148e0ca 100644 --- a/bin/tests/system/dnssec/ns5/sign.sh +++ b/bin/tests/system/dnssec/ns5/sign.sh @@ -23,7 +23,7 @@ zonefile=root.db.signed keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") # copy the KSK out first, then revoke it -keyfile_to_initial_keys "$keyname" > revoked.conf +keyfile_to_initial_ds "$keyname" > revoked.conf "$SETTIME" -R now "${keyname}.key" > /dev/null @@ -34,4 +34,4 @@ keyfile_to_initial_keys "$keyname" > revoked.conf keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".") -keyfile_to_static_keys "$keyname" > trusted.conf +keyfile_to_static_ds "$keyname" > trusted.conf diff --git a/bin/tests/system/dsdigest/ns1/sign.sh b/bin/tests/system/dsdigest/ns1/sign.sh index dc893b16319..9f0ef6b036a 100644 --- a/bin/tests/system/dsdigest/ns1/sign.sh +++ b/bin/tests/system/dsdigest/ns1/sign.sh 
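Review bot: The comment kept above the changed call in dnssec/ns1/sign.sh, `# Configure the resolving server with a staitc key.`, now describes a DS-style anchor and also carries a typo; suggest `# Configure the resolving server with a static DS trust anchor.` and, in the second hunk, `# ...or with an initializing DS trust anchor.` in place of `# ...or with an initializing key.`. The same "key" wording precedes the switched call in dsdigest/ns1, ecdsa/ns1, eddsa/ns1, pending/ns1, rootkeysentinel/ns1, rsabigexponent/ns1, sfcache/ns1 (both comments), synthfromdnssec/ns1, mkeys/ns1 (`# Configure the resolving server with an initializing key.` and `# Configure a static key to be used by delv.`), resolver/ns6 (`# Configure a static key to be used by delv`) and staticstub/ns3 (`# Configure the resolving server with a trusted key.`).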
@@ -29,7 +29,7 @@ cat $infile $key1.key $key2.key > $zonefile $SIGNER -P -g -o $zone $zonefile > /dev/null # Configure the resolving server with a static key. -keyfile_to_static_keys $key2 > trusted.conf +keyfile_to_static_ds $key2 > trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf diff --git a/bin/tests/system/ecdsa/ns1/sign.sh b/bin/tests/system/ecdsa/ns1/sign.sh index 518e01d8d10..673aac8ac09 100644 --- a/bin/tests/system/ecdsa/ns1/sign.sh +++ b/bin/tests/system/ecdsa/ns1/sign.sh @@ -25,5 +25,5 @@ cat $infile $key1.key $key2.key > $zonefile $SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err # Configure the resolving server with a static key. -keyfile_to_static_keys $key1 > trusted.conf +keyfile_to_static_ds $key1 > trusted.conf cp trusted.conf ../ns2/trusted.conf diff --git a/bin/tests/system/eddsa/ns1/sign.sh b/bin/tests/system/eddsa/ns1/sign.sh index 6806db8c5ce..761ee134289 100644 --- a/bin/tests/system/eddsa/ns1/sign.sh +++ b/bin/tests/system/eddsa/ns1/sign.sh @@ -26,7 +26,7 @@ cat $infile $key1.key $key2.key > $zonefile $SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err # Configure the resolving server with a static key. -keyfile_to_static_keys $key1 > trusted.conf +keyfile_to_static_ds $key1 > trusted.conf cp trusted.conf ../ns2/trusted.conf cd ../ns2 && $SHELL sign.sh diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh index 44e27ed488e..3223ffd4fa4 100755 --- a/bin/tests/system/filter-aaaa/ns1/sign.sh +++ b/bin/tests/system/filter-aaaa/ns1/sign.sh @@ -24,7 +24,7 @@ $KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > keygen.out | cat_i keyname=`cat keygen.out` rm -f keygen.out -keyfile_to_static_keys $keyname > trusted.conf +keyfile_to_static_ds $keyname > trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns5/trusted.conf 
diff --git a/bin/tests/system/inline/ns1/sign.sh b/bin/tests/system/inline/ns1/sign.sh index c14a83837eb..72fc52eb4bc 100644 --- a/bin/tests/system/inline/ns1/sign.sh +++ b/bin/tests/system/inline/ns1/sign.sh @@ -20,5 +20,5 @@ keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` $SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out [ $? = 0 ] || cat signer.out -keyfile_to_static_keys $keyname > trusted.conf +keyfile_to_static_ds $keyname > trusted.conf cp trusted.conf ../ns6/trusted.conf diff --git a/bin/tests/system/legacy/ns7/sign.sh b/bin/tests/system/legacy/ns7/sign.sh index 21ab3d1e5a4..51719c22c15 100755 --- a/bin/tests/system/legacy/ns7/sign.sh +++ b/bin/tests/system/legacy/ns7/sign.sh @@ -28,5 +28,5 @@ cat $infile $keyname1.key $keyname2.key >$zonefile $SIGNER -g -o $zone -f $outfile -e +30y $zonefile > /dev/null 2> signer.err || cat signer.err -keyfile_to_static_keys $keyname2 > trusted.conf +keyfile_to_static_ds $keyname2 > trusted.conf cp trusted.conf ../ns1 diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh index 135080a4676..483ed4ed555 100644 --- a/bin/tests/system/mkeys/ns1/sign.sh +++ b/bin/tests/system/mkeys/ns1/sign.sh @@ -21,13 +21,13 @@ zskkeyname=`$KEYGEN -a rsasha256 -q $zone` $SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null # Configure the resolving server with an initializing key. -keyfile_to_initial_keys $keyname > managed.conf +keyfile_to_initial_ds $keyname > managed.conf cp managed.conf ../ns2/managed.conf cp managed.conf ../ns4/managed.conf cp managed.conf ../ns5/managed.conf # Configure a static key to be used by delv. -keyfile_to_static_keys $keyname > trusted.conf +keyfile_to_static_ds $keyname > trusted.conf # Prepare an unsupported algorithm key. unsupportedkey=Kunknown.+255+00000 diff --git a/bin/tests/system/mkeys/ns6/setup.sh b/bin/tests/system/mkeys/ns6/setup.sh index 2e032e710ab..3fead4bcf78 100644 --- a/bin/tests/system/mkeys/ns6/setup.sh 
+++ b/bin/tests/system/mkeys/ns6/setup.sh @@ -27,4 +27,6 @@ rootkey=`cat ../ns1/managed.key` cp "../ns1/${rootkey}.key" . # Configure the resolving server with an initializing key. +# (We use key-format trust anchors here because otherwise the +# unsupported algorithm test won't work.) keyfile_to_initial_keys $unsupportedkey $rsakey $rootkey > managed.conf diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh index 80c19beb03e..da19c202645 100644 --- a/bin/tests/system/mkeys/tests.sh +++ b/bin/tests/system/mkeys/tests.sh @@ -301,7 +301,7 @@ status=`expr $status + $ret` echo_i "reinitialize trust anchors, add second key to bind.keys" $PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns2 rm -f ns2/managed-keys.bind* -keyfile_to_initial_keys ns1/$original ns1/$standby1 > ns2/managed.conf +keyfile_to_initial_ds ns1/$original ns1/$standby1 > ns2/managed.conf nextpart ns2/named.run > /dev/null $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns2 diff --git a/bin/tests/system/pending/ns1/sign.sh b/bin/tests/system/pending/ns1/sign.sh index 284eb4f680f..aa6bf6ee327 100644 --- a/bin/tests/system/pending/ns1/sign.sh +++ b/bin/tests/system/pending/ns1/sign.sh @@ -28,7 +28,7 @@ cat $infile $keyname1.key $keyname2.key > $zonefile $SIGNER -g -o $zone $zonefile > /dev/null # Configure the resolving server with a static key. -keyfile_to_static_keys $keyname2 > trusted.conf +keyfile_to_static_ds $keyname2 > trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf diff --git a/bin/tests/system/resolver/ns6/keygen.sh b/bin/tests/system/resolver/ns6/keygen.sh index a6c5c5b176c..34ca7dc01a4 100644 --- a/bin/tests/system/resolver/ns6/keygen.sh +++ b/bin/tests/system/resolver/ns6/keygen.sh 
@@ -31,4 +31,4 @@ cat $ksk.key $zsk.key dsset-ds.example.net$TP >> $zonefile $SIGNER -P -o $zone $zonefile > /dev/null # Configure a static key to be used by delv -keyfile_to_static_keys $ksk > ../ns5/trusted.conf +keyfile_to_static_ds $ksk > ../ns5/trusted.conf diff --git a/bin/tests/system/rootkeysentinel/ns1/sign.sh b/bin/tests/system/rootkeysentinel/ns1/sign.sh index 50eb5627634..cfbed026bae 100644 --- a/bin/tests/system/rootkeysentinel/ns1/sign.sh +++ b/bin/tests/system/rootkeysentinel/ns1/sign.sh @@ -28,7 +28,7 @@ cat $infile $keyname.key > $zonefile $SIGNER -P -g -o $zone $zonefile > /dev/null # Configure the resolving server with a static key. -keyfile_to_static_keys $keyname > trusted.conf +keyfile_to_static_ds $keyname > trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf diff --git a/bin/tests/system/rsabigexponent/ns1/sign.sh b/bin/tests/system/rsabigexponent/ns1/sign.sh index 3b8d4adf69f..cdc61327b85 100755 --- a/bin/tests/system/rsabigexponent/ns1/sign.sh +++ b/bin/tests/system/rsabigexponent/ns1/sign.sh @@ -25,7 +25,7 @@ cat $infile $keyname.key > $zonefile $SIGNER -P -g -o $zone $zonefile > /dev/null # Configure the resolving server with a static key. -keyfile_to_static_keys $keyname > trusted.conf +keyfile_to_static_ds $keyname > trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf diff --git a/bin/tests/system/sfcache/ns1/sign.sh b/bin/tests/system/sfcache/ns1/sign.sh index c1acdce5009..7e5b2b3beda 100644 --- a/bin/tests/system/sfcache/ns1/sign.sh +++ b/bin/tests/system/sfcache/ns1/sign.sh 
@@ -29,8 +29,8 @@ cat "$infile" "$keyname.key" > "$zonefile" $SIGNER -P -g -o $zone $zonefile > /dev/null # Configure the resolving server with a static key. -keyfile_to_static_keys "$keyname" > trusted.conf +keyfile_to_static_ds "$keyname" > trusted.conf cp trusted.conf ../ns2/trusted.conf # ...or with an initializing key. -keyfile_to_initial_keys "$keyname" > managed.conf +keyfile_to_initial_ds "$keyname" > managed.conf diff --git a/bin/tests/system/sfcache/ns5/sign.sh b/bin/tests/system/sfcache/ns5/sign.sh index c369e545eb7..82b43018045 100644 --- a/bin/tests/system/sfcache/ns5/sign.sh +++ b/bin/tests/system/sfcache/ns5/sign.sh @@ -16,4 +16,4 @@ set -e keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".") -keyfile_to_static_keys "$keyname" > trusted.conf +keyfile_to_static_ds "$keyname" > trusted.conf diff --git a/bin/tests/system/staticstub/ns3/sign.sh b/bin/tests/system/staticstub/ns3/sign.sh index ce7a0f7d131..0fe84ff66d6 100755 --- a/bin/tests/system/staticstub/ns3/sign.sh +++ b/bin/tests/system/staticstub/ns3/sign.sh @@ -27,7 +27,7 @@ cat $infile $keyname1.key $keyname2.key > $zonefile $SIGNER -g -o $zone $zonefile > /dev/null # Configure the resolving server with a trusted key. -keyfile_to_static_keys $keyname2 > trusted.conf +keyfile_to_static_ds $keyname2 > trusted.conf zone=undelegated infile=undelegated.db.in @@ -38,5 +38,5 @@ cat $infile $keyname1.key $keyname2.key > $zonefile $SIGNER -g -o $zone $zonefile > /dev/null -keyfile_to_static_keys $keyname2 >> trusted.conf +keyfile_to_static_ds $keyname2 >> trusted.conf cp trusted.conf ../ns2/trusted.conf diff --git a/bin/tests/system/synthfromdnssec/ns1/sign.sh b/bin/tests/system/synthfromdnssec/ns1/sign.sh index 710d9f4633b..b45c577fd45 100644 --- a/bin/tests/system/synthfromdnssec/ns1/sign.sh +++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh 
@@ -40,4 +40,4 @@ cat "$infile" "$keyname.key" > "$zonefile" $SIGNER -P -g -o $zone $zonefile > /dev/null # Configure the resolving server with a static key. -keyfile_to_static_keys "$keyname" > trusted.conf +keyfile_to_static_ds "$keyname" > trusted.conf diff --git a/bin/tests/system/wildcard/ns1/sign.sh b/bin/tests/system/wildcard/ns1/sign.sh index b89331ce3e9..497e2759a48 100755 --- a/bin/tests/system/wildcard/ns1/sign.sh +++ b/bin/tests/system/wildcard/ns1/sign.sh @@ -43,7 +43,7 @@ cat $infile $keyname1.key $keyname2.key > $zonefile $SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" -keyfile_to_static_keys $keyname2 > private.nsec.conf +keyfile_to_static_ds $keyname2 > private.nsec.conf zone=nsec3 infile=nsec3.db.in @@ -72,7 +72,7 @@ cat $infile $keyname1.key $keyname2.key > $zonefile $SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" -keyfile_to_static_keys $keyname2 > private.nsec3.conf +keyfile_to_static_ds $keyname2 > private.nsec3.conf zone=. infile=root.db.in @@ -87,4 +87,4 @@ cat $infile $keyname1.key $keyname2.key $dssets >$zonefile $SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" -keyfile_to_static_keys $keyname2 > trusted.conf +keyfile_to_static_ds $keyname2 > trusted.conf