From: Evan Hunt
Date: Fri, 27 Jun 2025 22:35:11 +0000 (-0700)
Subject: move some test cases to different system tests
X-Git-Tag: v9.21.11~13^2~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e1fa6f089b422d686b5a1c56709ed3f487036638;p=thirdparty%2Fbind9.git

move some test cases to different system tests

- dnssec tool tests (i.e., dnssec-signzone, dnssec-keygen, etc) that don't require interaction with a running server have been moved to a new 'dnssectools' system test directory.
- a dig formatting test has been moved to digdelv.
- a named-rrchecker test has been moved to rrchecker
---
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index c8d060161b1..4f97c62106b 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -1430,6 +1430,18 @@ if [ -x "$DIG" ]; then
 grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+
+ n=$((n + 1))
+ echo_i "check dig's +nocrypto flag ($n)"
+ ret=0
+ dig_with_opts +dnssec +norec +nocrypto DNSKEY . @10.53.0.1 >dig.out.dnskey.test$n || ret=1
+ grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.test$n >/dev/null || ret=1
+ grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.test$n >/dev/null || ret=1
+ dig_with_opts +norec +nocrypto DS example \
+ @10.53.0.1 >dig.out.ds.test$n || ret=1
+ grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.test$n >/dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 else
 echo_i "$DIG is needed, so skipping these dig tests"
 fi
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index d61dbcc7369..6bfd910da73 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
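Review bot: The DS query in the new digdelv hunk is the only one of the two that does not set `+dnssec`, so `+nocrypto` is exercised on the DS digest field but never on an RRSIG covering the DS RRset, while the DNSKEY query checks both the key material and its RRSIG. Consider `dig_with_opts +dnssec +norec +nocrypto DS example @10.53.0.1 >dig.out.ds.test$n || ret=1` followed by `grep -E "RRSIG.* \\[omitted]" dig.out.ds.test$n >/dev/null || ret=1`. Presumably `+dnssec` had to be added to the DNSKEY query because digdelv's dig_with_opts does not enable it, unlike the original location in dnssec/tests.sh; that is inferred, not visible here. The two `[omitted]` patterns are also spelled differently (`\\[omitted]` vs `\[omitted]`); both reach grep as `\[omitted]` inside double quotes, but one form would read more clearly.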
@@ -79,24 +79,6 @@ checkprivate() {
 return 1
 }
 
-# check that a zone file is raw format, version 0
-israw0() {
- # shellcheck disable=SC2016
- $PERL <"$1" -e 'binmode STDIN;
- read(STDIN, $input, 8);
- ($style, $version) = unpack("NN", $input);
- exit 1 if ($style != 2 || $version != 0);' || return $?
-}
-
-# check that a zone file is raw format, version 1
-israw1() {
- # shellcheck disable=SC2016
- $PERL <"$1" -e 'binmode STDIN;
- read(STDIN, $input, 8);
- ($style, $version) = unpack("NN", $input);
- exit 1 if ($style != 2 || $version != 1);' || return $?
-}
-
 # strip NS and RRSIG NS from input
 stripns() {
 awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' "$1"
@@ -1382,770 +1364,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "basic dnssec-signzone checks:" -echo_ic "two DNSKEYs ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test1.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "two DNSKEYs, DNSKEY RRset only by KSK ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -s now-1mo -e now+2d -P -x -f signed.zone -O full -o example.com. test1.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "two DNSKEYs, DNSKEY RRset only by KSK, private key missing ($n)" -ret=0 -( - cd signer/general || exit 1 - cp signed.zone signed.expect - grep "example\.com\..*3600.*IN.*RRSIG.*DNSKEY.*10.*2.*3600.*28633.*example\.com\." signed.expect >dnskey.expect || exit 1 - mv Kexample.com.+010+28633.private Kexample.com.+010+28633.offline - $SIGNER -P -x -f signed.zone -O full -o example.com. signed.zone >signer.out.$n - mv Kexample.com.+010+28633.offline Kexample.com.+010+28633.private - grep "$(cat dnskey.expect)" signed.zone >/dev/null || exit 1 -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "one non-KSK DNSKEY ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test2.zone >signer.out.$n - test -f signed.zone -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "one KSK DNSKEY ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. 
test3.zone >signer.out.$n - test -f signed.zone -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "three DNSKEY ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test4.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "three DNSKEY, one private key missing ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test5.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "four DNSKEY ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test6.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "two DNSKEY, both private keys missing ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test7.zone >signer.out.$n - test -f signed.zone -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "two DNSKEY, one private key missing ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test8.zone >signer.out.$n - test -f signed.zone -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "check that 'dnssec-signzone -F' works with allowed algorithm ($n)" -ret=0 -if $FEATURETEST --fips-provider; then - ( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -F -f signed.zone -o example.com. 
test1.zone >signer.out.$n - test -f signed.zone - ) || ret=1 -else - echo_i "skipped no FIPS provider available" -fi -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "check that 'dnssec-signzone -F' failed with disallowed algorithm ($n)" -ret=0 -if ! $FEATURETEST --fips-provider; then - echo_i "skipped no FIPS provider available" -elif [ $RSASHA1_SUPPORTED = 0 ]; then - echo_i "skipped: RSASHA1 is not supported" -else - ( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -F -f signed.zone -o example.com. test11.zone >signer.out.$n 2>&1 && exit 1 - grep -F -e "fatal: No signing keys specified or found" \ - -e "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n >/dev/null - ) || ret=1 -fi -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "revoked KSK ID collides with ZSK ($n)" -ret=0 -# signing should fail, but should not coredump -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -S -f signed.zone -o . test12.zone >signer.out.$n -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -f signed.zone -3 - -H 51 -o example.com. test9.zone >signer.out.$n - test -f signed.zone -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "check that dnssec-signzone -J loads journal files ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $MAKEJOURNAL example.com. test9.zone test10.zone test9.zone.jnl - $SIGNER -f signed.zone -o example.com. 
-J test9.zone.jnl test9.zone >signer.out.$n - grep -q extra signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "check that dnssec-signzone accepts maximum NSEC3 iterations ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -f signed.zone -3 - -H 50 -o example.com. test9.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -get_default_algorithm_key_ids_from_sigs() { - zone=$1 - - awk -v alg=$DEFAULT_ALGORITHM_NUMBER ' - NF < 8 { next } - $(NF-5) != "RRSIG" { next } - $(NF-3) != alg { next } - $NF != "(" { next } - { - getline; - print $3; - } - ' signer/$zone.db.signed | sort -u -} - -# Test dnssec-signzone ZSK prepublish smooth rollover. -echo_i "check dnssec-signzone doesn't sign with prepublished zsk ($n)" -ret=0 -zone=prepub -# Generate keys. -ksk=$("$KEYGEN" -K signer -f KSK -q -a $DEFAULT_ALGORITHM "$zone") -zsk1=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone") -zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone") -zskid1=$(keyfile_to_key_id "$zsk1") -zskid2=$(keyfile_to_key_id "$zsk2") -( - cd signer || exit 1 - # Set times such that the current set of keys are introduced 60 days ago and - # start signing now. The successor key is prepublished now and will be active - # next day. - $SETTIME -P now-60d -A now $ksk >/dev/null - $SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 >/dev/null - $SETTIME -S $zsk1 -i 1h $zsk2.key >/dev/null - $SETTIME -P now -A now+1d $zsk2.key >/dev/null - # Sign the zone with initial keys and prepublish successor. The zone signatures - # are valid for 30 days and the DNSKEY signature is valid for 60 days. 
- cp -f $zone.db.in $zone.db
- $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null
- echo "\$INCLUDE \"$zone.db.signed\"" >>$zone.db
-)
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed: missing signatures from key $zskid1"
-status=$((status + ret))
-
-echo_i "check dnssec-signzone retains signatures of predecessor zsk ($n)"
-ret=0
-zone=prepub
-(
- cd signer || exit 1
- # Roll the ZSK. The predecessor is inactive from now on and the successor is
- # activated. The zone signatures are valid for 30 days and the DNSKEY
- # signature is valid for 60 days. Because of the predecessor/successor
- # relationship, the signatures of the predecessor are retained and no new
- # signatures with the successor should be generated.
- $SETTIME -A now-30d -I now -D now+30d $zsk1 >/dev/null
- $SETTIME -A now $zsk2 >/dev/null
- $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null
-)
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check dnssec-signzone swaps zone signatures after interval ($n)"
-ret=0
-zone=prepub
-(
- cd signer || exit 1
- # After some time the signatures should be replaced. When signing, set the
- # interval to 30 days plus one second, meaning all predecessor signatures
- # are within the refresh interval and should be replaced with successor
- # signatures.
- $SETTIME -A now-50d -I now-20d -D now+10d $zsk1 >/dev/null - $SETTIME -A now-20d $zsk2 >/dev/null - $SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db >/dev/null -) -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)" -ret=0 -zone=example -# If dnssec-keygen fails, the test script will exit immediately. Prevent that -# from happening, and also trigger a test failure if dnssec-keygen unexpectedly -# succeeds, by using "&& ret=1". -$KEYGEN -a 255 $zone >dnssectools.out.test$n 2>&1 && ret=1 -grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a DS record cannot be generated for a key using an unsupported algorithm ($n)" -ret=0 -zone=example -# Fake an unsupported algorithm key -unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp -mv ${unsupportedkey}.tmp ${unsupportedkey}.key -# If dnssec-dsfromkey fails, the test script will exit immediately. Prevent -# that from happening, and also trigger a test failure if dnssec-dsfromkey -# unexpectedly succeeds, by using "&& ret=1". -$DSFROMKEY ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1 -grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)" -ret=0 -ret=0 -cat signer/example.db.in "${unsupportedkey}.key" >signer/example.db -# If dnssec-signzone fails, the test script will exit immediately. 
Prevent that -# from happening, and also trigger a test failure if dnssec-signzone -# unexpectedly succeeds, by using "&& ret=1". -$SIGNER -o example signer/example.db ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1 -grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that we can sign a zone with out-of-zone records ($n)" -ret=0 -zone=example -key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) -key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) -( - cd signer || exit 1 - cat example.db.in "$key1.key" "$key2.key" >example.db - $SIGNER -o example -f example.db example.db >/dev/null -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)" -ret=0 -zone=example -key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) -key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) -( - cd signer || exit 1 - cat example.db.in "$key1.key" "$key2.key" >example.db - $SIGNER -3 - -H 10 -o example -f example.db example.db >/dev/null - awk '/^IQF9LQTLK/ { - printf("%s", $0); - while (!index($0, ")")) { - if (getline <= 0) - break; - printf (" %s", $0); - } - printf("\n"); - }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out - - grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 
0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)" -ret=0 -zone=example -key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) -key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) -( - cd signer || exit 1 - cat example.db.in "$key1.key" "$key2.key" >example3.db - echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >>example3.db - $SIGNER -3 - -A -H 10 -o example -f example3.db example3.db >/dev/null - awk '/^IQF9LQTLK/ { - printf("%s", $0); - while (!index($0, ")")) { - if (getline <= 0) - break; - printf (" %s", $0); - } - printf("\n"); - }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out - - grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)" -ret=0 -zone=example -key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) -key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) -( - cd signer || exit 1 - cat example.db.in "$key1.key" "$key2.key" >example.db - $SIGNER -o example -f example.db.before example.db >/dev/null - sed 's/60.IN.SOA./50 IN SOA /' example.db.before >example.db.changed - $SIGNER -o example -f example.db.after example.db.changed >/dev/null -) -grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)" -ret=0 -zone=example -key1=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) -key2=$($KEYGEN -K 
signer -q -a $DEFAULT_ALGORITHM $zone) -keyid2=$(keyfile_to_key_id "$key2") -key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) -keyid3=$(keyfile_to_key_id "$key3") -( - cd signer || exit 1 - cat example.db.in "$key1.key" "$key2.key" >example.db - $SIGNER -D -o example example.db >/dev/null - - # now switch out key2 for key3 and resign the zone - cat example.db.in "$key1.key" "$key3.key" >example.db - echo "\$INCLUDE \"example.db.signed\"" >>example.db - $SIGNER -D -o example example.db >/dev/null -) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -RD -o example example.db >/dev/null -) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone keeps valid signatures from inactive keys ($n)" -ret=0 -zone=example -( - cd signer || exit 1 - cp -f example.db.in example.db - $SIGNER -SD -o example example.db >/dev/null - echo "\$INCLUDE \"example.db.signed\"" >>example.db - # now retire key2 and resign the zone - $SETTIME -I now "$key2" >/dev/null 2>&1 - $SIGNER -SD -o example example.db >/dev/null -) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -SDQ -o example example.db 
>/dev/null -) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone retains unexpired signatures ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -Sxt -o example example.db >signer.out.1 - $SIGNER -Sxt -o example -f example.db.signed example.db.signed >signer.out.2 -) || ret=1 -gen1=$(awk '/generated/ {print $3}' signer/signer.out.1) -retain1=$(awk '/retained/ {print $3}' signer/signer.out.1) -gen2=$(awk '/generated/ {print $3}' signer/signer.out.2) -retain2=$(awk '/retained/ {print $3}' signer/signer.out.2) -drop2=$(awk '/dropped/ {print $3}' signer/signer.out.2) -[ "$retain2" -eq $((gen1 + retain1)) ] || ret=1 -[ "$gen2" -eq 0 ] || ret=1 -[ "$drop2" -eq 0 ] || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)" -ret=0 -( - cd signer || exit 1 - # remove NSEC-only keys - rm -f Kexample.+005* - cp -f example.db.in example2.db - cat <>example2.db -sub1.example. IN A 10.53.0.1 -ns.sub2.example. IN A 10.53.0.2 -EOF - echo "\$INCLUDE \"example2.db.signed\"" >>example2.db - touch example2.db.signed - $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null -) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 -( - cd signer || exit 1 - cp -f example.db.in example2.db - cat <>example2.db -sub1.example. IN NS sub1.example. -sub1.example. IN A 10.53.0.1 -sub2.example. IN NS ns.sub2.example. -ns.sub2.example. 
IN A 10.53.0.2 -EOF - echo "\$INCLUDE \"example2.db.signed\"" >>example2.db - $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null -) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)" -ret=0 -( - cd signer || exit 1 - rm -f example2.db.signed - cp -f example.db.in example2.db - cat <>example2.db -sub1.example. IN A 10.53.0.1 -ns.sub2.example. IN A 10.53.0.2 -EOF - echo "\$INCLUDE \"example2.db.signed\"" >>example2.db - touch example2.db.signed - $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null -) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 -( - cd signer || exit 1 - cp -f example.db.in example2.db - cat <>example2.db -sub1.example. IN NS sub1.example. -sub1.example. IN A 10.53.0.1 -sub2.example. IN NS ns.sub2.example. -ns.sub2.example. 
IN A 10.53.0.2 -EOF - echo "\$INCLUDE \"example2.db.signed\"" >>example2.db - $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null -) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone output format ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -O full -f - -Sxt -o example example.db >signer.out.3 2>/dev/null - $SIGNER -O text -f - -Sxt -o example example.db >signer.out.4 2>/dev/null - $SIGNER -O raw -f signer.out.5 -Sxt -o example example.db >/dev/null - $SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db >/dev/null - $SIGNER -O raw -f - -Sxt -o example example.db >signer.out.7 2>/dev/null -) || ret=1 -awk 'BEGIN { found = 0; } - $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 11) exit(1); } - END { if (!found) exit(1); }' signer/signer.out.3 || ret=1 -awk 'BEGIN { found = 0; } - $1 == "example." 
&& $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 7) exit(1); } - END { if (!found) exit(1); }' signer/signer.out.4 || ret=1 -israw1 signer/signer.out.5 || ret=1 -israw0 signer/signer.out.6 || ret=1 -israw1 signer/signer.out.7 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking TTLs are capped by dnssec-signzone -M ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db >/dev/null -) || ret=1 -awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -N date ($n)" -ret=0 -( - cd signer || exit 1 - TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db >/dev/null -) || ret=1 -# shellcheck disable=SC2016 -now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];') -serial=$(awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9) -[ "$now" -eq "$serial" ] || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G ($n)" -ret=0 -( - cd signer || exit 1 - $SETTIME -P ds now -P sync now "$key1" >/dev/null - $SIGNER -G "cdnskey,cds:sha384" -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (default) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test 
$(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (empty) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "" -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (no CDNSKEY) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cds:sha-256,cds:sha384" -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (no CDS) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cdnskey" -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (suppress duplicates) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G 
"cdnskey,cds:sha256,cds:sha256,cdnskey" -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (bad argument) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cdnskey,foobar" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 - grep "digest must specify cds:algorithm ('foobar')" signer.err.$n >/dev/null || ret=1 -) -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (bad digest - name) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cdnskey,cds:foobar" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 - grep "bad digest 'cds:foobar'" signer.err.$n >/dev/null || ret=1 -) -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (bad digest - number) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cdnskey,cds:256" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 - grep "bad digest 'cds:256': out of range" signer.err.$n >/dev/null || ret=1 -) -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (unsupported digest - name) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cdnskey,cds:gost" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 - grep "unsupported digest 'cds:gost'" signer.err.$n >/dev/null || ret=1 -) -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (unsupported digest - number) ($n)" 
-ret=0
-(
- cd signer || exit 1
- $SIGNER -G "cdnskey,cds:200" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
- grep "unsupported digest 'cds:200'" signer.err.$n >/dev/null || ret=1
-)
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking validated data are not cached longer than originalttl ($n)"
-ret=0
-dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-grep "3600.IN" dig.out.ns3.test$n >/dev/null || ret=1
-grep "300.IN" dig.out.ns3.test$n >/dev/null && ret=1
-grep "300.IN" dig.out.ns4.test$n >/dev/null || ret=1
-grep "3600.IN" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 # Test that "rndc secroots" is able to dump trusted keys
 echo_i "checking rndc secroots ($n)"
 ret=0
@@ -2842,19 +2060,6 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
-echo_i "check dig's +nocrypto flag ($n)"
-ret=0
-dig_with_opts +norec +nocrypto DNSKEY . \
- @10.53.0.1 >dig.out.dnskey.ns1.test$n || ret=1
-grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.ns1.test$n >/dev/null || ret=1
-grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.ns1.test$n >/dev/null || ret=1
-dig_with_opts +norec +nocrypto DS example \
- @10.53.0.1 >dig.out.ds.ns1.test$n || ret=1
-grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.ns1.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 echo_i "check that increasing the signatures-validity resigning triggers re-signing ($n)"
 ret=0
 before=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA)
@@ -2918,18 +2123,6 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
-echo_i "check the acceptance of seconds as inception and expiration times ($n)"
-ret=0
-in="NSEC 8 0 86400 1390003200 1389394800 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i+UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2rOo="
-
-exp="NSEC 8 0 86400 20140118000000 20140110230000 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i +UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2 rOo="
-
-out=$(echo "IN RRSIG $in" | $RRCHECKER -p | sed 's/^IN.RRSIG.//')
-[ "$out" = "$exp" ] || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 echo_i "check the correct resigning time is reported in zonestatus ($n)"
 ret=0
 rndccmd 10.53.0.3 \
@@ -2967,95 +2160,6 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
-echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)"
-ret=0
-alg=1
-until test $alg -eq 258; do
- zone="keygen-$alg."
- case $alg in
- 2) # Diffie Helman
- alg=$((alg + 1))
- continue
- ;;
- 157 | 160 | 161 | 162 | 163 | 164 | 165) # private - non standard
- alg=$((alg + 1))
- continue
- ;;
- 1 | 5 | 7 | 8 | 10) # RSA algorithms
- key1=$($KEYGEN -a "$alg" -b "2048" "$zone" 2>"keygen-$alg.err" || true)
- ;;
- 15 | 16)
- key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true)
- ;;
- 256)
- key1=$($KEYGEN -a "RSASHA256OID" "$zone" 2>"keygen-$alg.err" || true)
- ;;
- 257)
- key1=$($KEYGEN -a "RSASHA512OID" "$zone" 2>"keygen-$alg.err" || true)
- ;;
- *)
- key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true)
- ;;
- esac
- if grep "unknown algorithm" "keygen-$alg.err" >/dev/null; then
- alg=$((alg + 1))
- continue
- fi
- if grep "unsupported algorithm" "keygen-$alg.err" >/dev/null; then
- alg=$((alg + 1))
- continue
- fi
- if test -z "$key1"; then
- echo_i "'$KEYGEN -a $alg': failed"
- cat "keygen-$alg.err"
- ret=1
- alg=$((alg + 1))
- continue
- fi
- $SETTIME -I now+4d "$key1.private" >/dev/null
- key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2>/dev/null)
- test -f "$key2.key" -a -f "$key2.private" || {
- ret=1
- echo_i "'dnssec-keygen -S' failed for algorithm: $alg"
- }
- alg=$((alg + 1))
-done
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that 'dnssec-keygen -F' disables rsasha1 ($n)"
-ret=0
-if $FEATURETEST --have-fips-mode; then
- echo_i "skipped: already in FIPS mode"
-elif !
$FEATURETEST --fips-provider; then
- echo_i "skipped no FIPS provider available"
-elif [ $RSASHA1_SUPPORTED = 0 ]; then
- echo_i "skipped: RSASHA1 is not supported"
-else
- $KEYGEN -F -a rsasha1 example.fips 2>keygen.err$n || true
- grep -i "unsupported algorithm: RSASHA1" "keygen.err$n" >/dev/null || ret=1
-fi
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that 'dnssec-keygen -F' disables nsec3rsasha1 ($n)"
-ret=0
-if $FEATURETEST --have-fips-mode; then
- echo_i "skipped: already in FIPS mode"
-elif ! $FEATURETEST --fips-provider; then
- echo_i "skipped: cannot switch to FIPS mode"
-elif [ $RSASHA1_SUPPORTED = 0 ]; then
- echo_i "skipped: RSASHA1 is not supported"
-else
- $KEYGEN -F -a nsec3rsasha1 example.fips 2>keygen.err$n || true
- grep -i "unsupported algorithm: NSEC3RSASHA1" "keygen.err$n" >/dev/null || ret=1
-fi
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 echo_i "check that CDS records are signed using KSK by dnssec-signzone ($n)"
 ret=0
 dig_with_opts +noall +answer @10.53.0.2 cds cds.secure >dig.out.test$n
@@ -3397,58 +2501,6 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
-echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)"
-ret=0
-# generate signed zone with MX and AAAA records at apex.
-(
- cd signer || exit 1
- $KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove >/dev/null
- $KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove >/dev/null
- echo >remove.db.signed
- $SIGNER -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n
-)
-grep "RRSIG MX" signer/remove.db.signed >/dev/null || {
- ret=1
- cp signer/remove.db.signed signer/remove.db.signed.pre$n
-}
-# re-generate signed zone without MX and AAAA records at apex.
-(
- cd signer || exit 1
- $SIGNER -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n
-)
-grep "RRSIG MX" signer/remove.db.signed >/dev/null && {
- ret=1
- cp signer/remove.db.signed signer/remove.db.signed.post$n
-}
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 ($n)"
-ret=0
-# generate signed zone with MX and AAAA records at apex.
-(
- cd signer || exit 1
- echo >remove.db.signed
- $SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n
-)
-grep "RRSIG MX" signer/remove.db.signed >/dev/null || {
- ret=1
- cp signer/remove.db.signed signer/remove.db.signed.pre$n
-}
-# re-generate signed zone without MX and AAAA records at apex.
-(
- cd signer || exit 1
- $SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n
-)
-grep "RRSIG MX" signer/remove.db.signed >/dev/null && {
- ret=1
- cp signer/remove.db.signed signer/remove.db.signed.post$n
-}
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 echo_i "check that a named managed zone that was signed 'in-the-future' is re-signed when loaded ($n)"
 ret=0
 dig_with_opts managed-future.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
@@ -4103,25 +3155,6 @@ n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-echo_i "check that dnssec-keygen honours key tag ranges ($n)"
-ret=0
-zone=settagrange
-ksk=$("$KEYGEN" -f KSK -q -a $DEFAULT_ALGORITHM -M 0:32767 "$zone")
-zsk=$("$KEYGEN" -q -a $DEFAULT_ALGORITHM -M 32768:65535 "$zone")
-kid=$(keyfile_to_key_id "$ksk")
-zid=$(keyfile_to_key_id "$zsk")
-[ $kid -ge 0 -a $kid -le 32767 ] || ret=1
-[ $zid -ge 32768 -a $zid -le 65535 ] || ret=1
-rksk=$($REVOKE -R $ksk)
-rzsk=$($REVOKE -R $zsk)
-krid=$(keyfile_to_key_id "$rksk")
-zrid=$(keyfile_to_key_id "$rzsk")
-[ $krid -ge 0 -a $krid -le 32767 ] || ret=1
-[ $zrid -ge 32768 -a $zrid -le 65535 ] || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
 echo_i "checking NSEC3 nxdomain response closest encloser with 0 ENT ($n)"
 ret=0
 dig_with_opts @10.53.0.4 b.b.b.b.b.a.nsec3.example. >dig.out.ns4.test$n
@@ -4173,35 +3206,6 @@ n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-echo_i "checking that records other than DNSKEY are not signed by a revoked key by dnssec-signzone ($n)"
-ret=0
-(
- cd signer || exit 0
- key1=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" -f KSK revoke.example)
- key2=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" -f KSK revoke.example)
- key3=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" revoke.example)
- rkey=$(${REVOKE} "$key2")
- cat >>revoke.example.db <>revoke.example.db
- "${SIGNER}" -o revoke.example revoke.example.db >signer.out.$n
-) || ret=1
-keycount=$(grep -c "RRSIG.DNSKEY ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed)
-cdscount=$(grep -c "RRSIG.CDS ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed)
-soacount=$(grep -c "RRSIG.SOA ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed)
-[ $keycount -eq 3 ] || ret=1
-[ $cdscount -eq 2 ] || ret=1
-[ $soacount -eq 1 ] || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
 echo_i "checking validator behavior with mismatching NS ($n)"
 ret=0
 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
index bf1108518e1..854c15424d3 100644
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@@ -18,9 +18,7 @@ pytestmark = pytest.mark.extra_artifacts(
 "canonical*",
 "delv.out*",
 "dig.out.*",
- "dnssectools.out.*",
 "dsfromkey.out.*",
- "keygen*.err*",
 "named.secroots.*",
 "nsupdate.out.*",
 "python.out.*",
@@ -171,23 +169,6 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns7/split-rrsig.db",
 "ns7/split-rrsig.db.unsplit",
 "ns9/trusted-localkey.conf",
- "signer/example.db",
- "signer/example.db.after",
- "signer/example.db.before",
- "signer/example.db.changed",
- "signer/example2.db",
- "signer/example3.db",
- "signer/general/*.jnl",
- "signer/general/dnskey.expect",
- "signer/general/dsset-*",
- "signer/general/signed.expect",
- "signer/general/signed.zone",
- "signer/general/signer.out.*",
- "signer/nsec3param.out",
- "signer/prepub.db",
- "signer/revoke.example.db",
- "signer/signer.err.*",
- "signer/signer.out.*",
 ]
 )
 
diff --git a/bin/tests/system/dnssectools/algroll.dnskey b/bin/tests/system/dnssectools/algroll.dnskey
new file mode 100644
index 00000000000..a249180bb97
--- /dev/null
+++ b/bin/tests/system/dnssectools/algroll.dnskey
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12263
+;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
+;; WARNING: recursion requested but not available
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags: do; udp: 1232
+; COOKIE: d70bfeeee608e7490100000068630120672a49b90d12287f (good)
+;; QUESTION SECTION:
+;algroll. IN DNSKEY
+
+;; ANSWER SECTION:
+algroll. 30 IN DNSKEY 257 3 13 8ZsRCWjcBidh4U5O2xldz97ZODaXz9FzeNxQVcpf2bOlKE6QOSEgkvuG IYNnOuHwekp4wpC4x8aqEsULsO1p4w==
+algroll. 30 IN DNSKEY 256 3 13 w6cJYtYydN0OL+N64KM75NtWtl+KUzPCqGD9TE9vO+cCtb5qILojunGr jjxT3LzGVjgwhyLReJwVJkIDMWvHXw==
+algroll. 30 IN RRSIG DNSKEY 8 1 30 20250730202512 20250630202512 47525 algroll. vDuABgFYmjaw9ehT+lb4KDDnOiFu/Ts3LqAFLLRDU9CpPGIY0eH5c00P seEpRaapEF8N55t8/MRQpMxWaQCd67ERenUn3DFuSDACYoftyAdXsFvi 56giRNDziVhWJXKaQDQ/DIfLJ3W7F8BFSVZCFKq5Gv4MiS92+uvdQUkl 7cIgmJEWpcZ7PQB55r0vQizBP8rXrpcMXMtsojTFXQjF0uomW7/o1RIv KOQTcUnqfT1X4nRkQghhJQNJMftVrjVRkxPu+zq2AST+s2XQD9DBntA3 LFd1Yy1+X3OypjY9ZuD6Y5tC+5e1+IEY2CG/fbrqywMo/4pQ3DZ4ZbWC KATW1g==
+algroll. 30 IN RRSIG DNSKEY 8 1 30 20250730202512 20250630202512 60676 algroll. fMZaKG2IwwFMoglH5UxZBVjtT0XGwGokdmO+mA6EJxnBBpKXwhBpv24r Mn61ZXN+pmpn4yUDIsMc1Mb6Irwnak7REfsVO/CKmhNmx/hjmoC2y6B5 +xkoUxCDml8hn/nAFftNVpaFq//1UcPyaXvvALN73hgyuE/Cnrl8DTLL kXfqPzHi7sbEgJf2Fkk0crc+gb4E+Wdrz3D354ogRZ2sguvnOfBZvzA/ uQ5UqKtVx2/44C/nW9Wbnkdi+Z1RuRKJOOoJBHIE0f1dTYnbyUOEMEIW AOAUzoKStDnNom0aWfDs6CGQmPcc9vHp2j63D+h2PkfzmyvHI2K3T9ep HbDCMw==
+algroll.
30 IN RRSIG DNSKEY 13 1 30 20250730202512 20250630202512 13162 algroll. otMMLO7OiYbMvZsYDKBzJrJKsN5E5WCfQLP2KWo5/V0c88U/PJHY9kEa ysChyPRLDM5VN5WnRzzPxgT/KMnqWw==
+algroll. 30 IN RRSIG DNSKEY 13 1 30 20250730202512 20250630202512 54661 algroll. nHj9WTm112HMVGpcg3BsBb4s12R3pLl/mVYnz8snFDBuLrRS0dERMQSp PuNmd3D9WDbLyFBClrjzG+BDHBSILQ==
+
diff --git a/bin/tests/system/dnssectools/dsset-algroll. b/bin/tests/system/dnssectools/dsset-algroll.
new file mode 100644
index 00000000000..f5480969bfd
--- /dev/null
+++ b/bin/tests/system/dnssectools/dsset-algroll.
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+algroll. IN DS 54661 13 2 56CE829B928999965B985F77B8725A553B87FDB4B5241AAA1B306959 5621764F
diff --git a/bin/tests/system/dnssectools/revkey.dnskey b/bin/tests/system/dnssectools/revkey.dnskey
new file mode 100644
index 00000000000..36f660a8b54
--- /dev/null
+++ b/bin/tests/system/dnssectools/revkey.dnskey
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51808
+;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags: do; udp: 1232
+; COOKIE: e2c7e750ed266cde0100000068630121f863ce122f5ef67e (good)
+;; QUESTION SECTION:
+;revkey.example. IN DNSKEY
+
+;; ANSWER SECTION:
+revkey.example. 300 IN DNSKEY 385 3 13 8dtsAwGIpEVKQMxW/Oyf+aoUU6keQ3+q7jeKcXc1GZf9O/wb5a93ghI9 mnmJSMKNPOXUZlz8XuwNu0kuIU/f+g==
+revkey.example. 300 IN DNSKEY 256 3 13 E+r2vT9F+V/dV2RALkjYSFyZGSv2FMjzNSgscold+M6tT7HRlWU5dOSF BhJfHF1AwyzWjsn2AjdhU15VZQxb7g==
+revkey.example. 300 IN DNSKEY 257 3 13 utSQOEBp4zNV8AnNC+aEU+Pf+zXcutD863bKWhWQRVB/+yBUmtS/q26H ke68j35nLAywm+7/OS+x7Iryhlnh/w==
+revkey.example. 300 IN RRSIG DNSKEY 13 2 300 20250730202509 20250630202509 25492 revkey.example. p+D2U3RHcdklSeehdbPP1aoZSRYD0rjbQW1cR8PqygCFaWX3M88D5aKS m8L2t6kl5w6ks529zWkpZWsBSj2Vnw==
+revkey.example. 300 IN RRSIG DNSKEY 13 2 300 20250730202509 20250630202509 54617 revkey.example. fCB4AYrdcceLW5MeDpGim5ItqGOCyw0/M1WYNsbj5D0G4P7lACRISJng plg/H3n1EZUN69H7suKcYo/fn+VT0Q==
+revkey.example. 300 IN RRSIG DNSKEY 13 2 300 20250730202509 20250630202509 57467 revkey.example. lZLA4ik9SoF4+nyQlBoA/Haj8OO/sBpYQ3e597StgSKX2Cq3apfXGcB2 jLIu0raNQ6OjqI2WtwHhKauPlJZloA==
+
diff --git a/bin/tests/system/dnssectools/signer/example.db.in b/bin/tests/system/dnssectools/signer/example.db.in
new file mode 100644
index 00000000000..3ab6aa2fc5d
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/example.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+example. 60 IN SOA example. . 0 0 0 0 0
+example. 60 IN NS example.
+example. 60 IN A 1.2.3.4
+; out of zone record
+out-of-zone. 60 IN A 1.2.3.4
diff --git a/bin/tests/system/dnssectools/signer/general/K.+013+23640.key b/bin/tests/system/dnssectools/signer/general/K.+013+23640.key
new file mode 100644
index 00000000000..df4ff32c111
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/K.+013+23640.key
@@ -0,0 +1,6 @@
+; This is a key-signing key, keyid 23640, for .
+; Created: 20250310185208 (Mon Mar 10 18:52:08 2025)
+; Publish: 20250310185208 (Mon Mar 10 18:52:08 2025)
+; Activate: 20250310185208 (Mon Mar 10 18:52:08 2025)
+; Revoke: 20250310185208 (Mon Mar 10 18:52:08 2025)
+. IN DNSKEY 257 3 13 uKwpRtMH+9iuUk/Xj6LciIP5ZckaBtXaUqxUxzJYexXjvxGZGX4470Jv hq2NCI3HBZQNaCCP/h9sluhIzRGPTA==
diff --git a/bin/tests/system/dnssectools/signer/general/K.+013+23640.private b/bin/tests/system/dnssectools/signer/general/K.+013+23640.private
new file mode 100644
index 00000000000..36f932fd3c4
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/K.+013+23640.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: m5udfGNSijISQ8Tfp4kx09O1em4PErLUw/mCj3SKmqw=
+Created: 20250310185208
+Publish: 20250310185208
+Activate: 20250310185208
+Revoke: 20250310185208
diff --git a/bin/tests/system/dnssectools/signer/general/K.+013+23768.key b/bin/tests/system/dnssectools/signer/general/K.+013+23768.key
new file mode 100644
index 00000000000..85e460a5bc4
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/K.+013+23768.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 23768, for .
+; Created: 20250310185208 (Mon Mar 10 18:52:08 2025)
+; Publish: 20250310185208 (Mon Mar 10 18:52:08 2025)
+; Activate: 20250310185208 (Mon Mar 10 18:52:08 2025)
+. IN DNSKEY 256 3 13 TFelYtTRBWeA9A307vvuWIcaNwW4txW4RgSELtsi46ZQs24ncRxmxtFf uJuPyVXePNiE4HNI9CIowGUsn5WuBw==
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.key
new file mode 100644
index 00000000000..104face02c6
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 19857, for example.com.
+; Created: 20220902075244 (Fri Sep 2 17:52:44 2022)
+; Publish: 20220902075244 (Fri Sep 2 17:52:44 2022)
+; Activate: 20220902075244 (Fri Sep 2 17:52:44 2022)
+example.com. IN DNSKEY 256 3 5 AwEAAaUr14RTAa2dr/JPoMv5QM32IbLMNUZFPAM9M2Zm6Ef9S3/UsRk9 W+P08Dx5Xte/PMuZK8ejWUyou37LowmVbahkP2kcS7Z552btsLnGK2+5 me5Y/GgnodhMVN7phkEQNPRKSUQQyLdQC6Ltzt0JVp48q4PmgCta22et rgq1YEoj2E8Po53bn5eQXCUsnkBFhkql9/17Ls2ckWNBkHWiItMDaWk7 qkM4ZJu7C/jq3ybBjn0bi4Svlt7PNiuuo3h5WaJYJHXd2M7PIN14rUDE cas/b+iy4eF7VC3CRUgt1spFinW/G4wSro55e6phstc3I1BE6B+pC4pq eGlAfQqWWcs=
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.private
new file mode 100644
index 00000000000..91171b032bc
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: pSvXhFMBrZ2v8k+gy/lAzfYhssw1RkU8Az0zZmboR/1Lf9SxGT1b4/TwPHle1788y5krx6NZTKi7fsujCZVtqGQ/aRxLtnnnZu2wucYrb7mZ7lj8aCeh2ExU3umGQRA09EpJRBDIt1ALou3O3QlWnjyrg+aAK1rbZ62uCrVgSiPYTw+jndufl5BcJSyeQEWGSqX3/XsuzZyRY0GQdaIi0wNpaTuqQzhkm7sL+OrfJsGOfRuLhK+W3s82K66jeHlZolgkdd3Yzs8g3XitQMRxqz9v6LLh4XtULcJFSC3WykWKdb8bjBKujnl7qmGy1zcjUEToH6kLimp4aUB9CpZZyw==
+PublicExponent: AQAB
+PrivateExponent: HzQaIgCAd6krnS5X5VDwYjiWgy26/syDmuUL+dOFHFyIz9yBnJAP9Q/H9tTDCyUwuhH0yGFetHHIAhs8cMoPDlnp9NSIpS+AfNx4n5AFkrTQlMuw24hpNfCts/MQDuid6GzETJyTHrZ7jEs64l0qRPiXOnLoUch3XK3eDF3ZlAfFkoPBFA5KIbiK8dcCahUmV4WReyE80X2N2dUloE8vLzy/j7yY2z1/HjhAu74S264wQMxNmJ0MsHeu78y7n8SKEJxncbgAciCNoamiQFiBGYYrs72B6BGHc19fhD5G7ldjpXukes9bHJSgj5ohseRJ27hkK7sKnqzOx/5Se6F5EQ==
+Prime1: vNcFqw4Gu/gsEcte00YXSGGkOWlsEAOEARMy+l7yYVC9GMR41YuINydu42Bj+D/Qq1ifYk9ok26VnXsJ6GFWK9DdFFtSElCzq1Crb7/7yuRR86cM9UBr3045g9tvlH6sL+yeH1ESr8vNZtmlytDifw2Xp2kg0xoJnlnV0ZXphOk=
+Prime2: 3+nmSodd/lDzVvn3uGMKux2B1mI2iApKM6bbwMwrzobN5bFkLkW1y1PuOYJytX1Sm39ecLCPYEmSf56kCitAquj7B98sblg05Y1QKvTTyX4uUsKFx3YAjvgp+acuI0Rq5J5GeSFCvdttgqAWdvvjoI8ic44K3sT1XTexaoLByJM=
+Exponent1: jUmr2gHSlAzonB+3QQfuH5++iZ4Q1iJrP4qn15/2ZU1NThyh89REBFAirUjPQ0wryieyiJG1Qqm4k20dSpqZKItK/hIdY8qxwvnGawQPVgxiLJTOIykiDJ+wdLFX2Ji2J903qWK1QoaPleY+H3MOI9V9pCoJ/yg6DhpU2kz5vRE=
+Exponent2: 04rLQ0Y4ivg3rchjPRR1Iupxq/UFx+jQyZOusaszB99bztGU8BJz+jDFNBgF/2jzDm1678Qe8L0RZvidye2rHs0VvQ4fj/BNqUGkp7C+FfLcGNwmP5dAV9Ik9fP4JuGQi4Ts16uQvoX8JBjSoH7BQwN3bOyZYHV7yiG/v/zgz3k=
+Coefficient: l8vCrMMiS8eWYQNM/SPa4/swn1/EZtcgPcBqMa3zia+9rOJ4/mzRcQTKz6B7c7Z9BVoTzMWGlgd94PTDeLN9fbTNmRs/8JwwgzJ8FeJeisvZquvarFtq2PdVVZQSxTwt7N6DUMVcA8Vbdq+uGjJghs22/sJ23MS3key+PUHtwFI=
+Created: 20220902075244
+Publish: 20220902075244
+Activate: 20220902075244
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.key
new file mode 100644
index 00000000000..717d65f2565
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 45884, for example.com.
+; Created: 20220902075336 (Fri Sep 2 17:53:36 2022)
+; Publish: 20220902075336 (Fri Sep 2 17:53:36 2022)
+; Activate: 20220902075336 (Fri Sep 2 17:53:36 2022)
+example.com. IN DNSKEY 257 3 5 AwEAAZ6aTwNhgMDJ8AObT38LEX4nZe0CFXKkFv8fzBhEJEWgJRplhEhx laqGc47NoXChBiz5qdX2qAC0zi4CRydmV8TdG9shpED9kapIl7KVM3wj +irX36R9TpFT7Otmvsh7/RbRfpKz4I0pCC01hRHyj7EodMC4j3LMF9sc GWNmiOTQI1PTxbvIEDeDfoTUDMFzvOwVmH1Bq+SzA9Ikm2VADZO4vIIO J/07lWT+LDQ/g1qiCNaSDyNhGfNVf8xYvmB8OXomGFLqDuSpUkwdL5kB 2gGmnUbIH+Pn+pcN9fxVniKH3mzYEGCxIspePbhvwDfB30gTmE8uaFMa 7McouGKW3Ps=
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.private
new file mode 100644
index 00000000000..891c6c3831f
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: nppPA2GAwMnwA5tPfwsRfidl7QIVcqQW/x/MGEQkRaAlGmWESHGVqoZzjs2hcKEGLPmp1faoALTOLgJHJ2ZXxN0b2yGkQP2RqkiXspUzfCP6KtffpH1OkVPs62a+yHv9FtF+krPgjSkILTWFEfKPsSh0wLiPcswX2xwZY2aI5NAjU9PFu8gQN4N+hNQMwXO87BWYfUGr5LMD0iSbZUANk7i8gg4n/TuVZP4sND+DWqII1pIPI2EZ81V/zFi+YHw5eiYYUuoO5KlSTB0vmQHaAaadRsgf4+f6lw31/FWeIofebNgQYLEiyl49uG/AN8HfSBOYTy5oUxrsxyi4Ypbc+w==
+PublicExponent: AQAB
+PrivateExponent: SSWu0kbaPFAGH4u2NsgSicW+5vfCj4xpRMHT/c8TkX8CDbILN+QW3D5FNnPVBJ5nPD/rGdC3/BdnTeXkDiJP0W4Ohlp2KDkqQMhZGlZgl9z56F+GeBUIstLrnkfVLp6sg6UcBKnsIv5tFHiuBjCCH/kiG64jDpVdXUMQ3HyyHyC67sB1gIqpZdhQxFliVIaebwXHlv4uWi31DxTUj0mmutmpTD1r4z+43DlU3JL07WBBpIoOmG/GoFoDr+JNWWwArnhHDZFl6XL1Z2u5ojdIOcgLTXcU1SdvFwBHIAH9PIwvow0gVcZTIHwDYJ41CL6YExXF8ymVpIPspZPaFwSxvQ==
+Prime1: 2iWvbJTRrJuceM1CgOTMMoi/qMN/GtthmbL5V0w+hyFE6UzCWYQXED5YTPtoXk9tZ/YpnD7i5i7ru8VbLx0DAIrLkAFP3Xpxa7dvdRGzyPGuYARsjgNnj57M5Sl1tTTsZpkXaKEeiONCA6+vcSuc2l1NxqdDbhC/TwlpjOAbPRc=
+Prime2: uh+ZuRel3T3qvD7acXm2UyF2BdeEEwwIvzqZVi3uxwUTd/TxFA7+3xuX6LNM+HK5fNxuB3exVC8OzALFzUOOJECVFUfhKi/1+VrVfBuJnyLlqQ14RncbZvsn+ScfGZpgYuacvq0zWiP2scxmXSQxchxcFVRCKFRCCVGVuOLzNb0=
+Exponent1: coA7TrPiRkY7YBDk6kCtiYzLhKpwaclitkkBpTeozkbBI++dR10UufrvYCDJzE7Gbz3+4zsC360bIKjbTqRcsgkoBcMah3bAV7ilsP4EruFkFJPd4sCYuAKzK0mStfU8bDHI3qtLGrCmMschQDaTEu7MZwveUcRKlhKrqzzqLys=
+Exponent2: jlnU7KeViBzvB4La96crN3GEHvuyXA78MaXT2QHQeg770OdZ6wl9DY7BJIzd9bdo/oJo9PUqf0RugMIuHsvoTvnGDDypjeaYrlo2pXE6VKgQFrfioaI/Jwg4jmrJcn+L8JiIkZ1OhUa0S1AVim9AEhJ2qymCX+3xg8cOSBXsBdE=
+Coefficient: xotWVi9P/9Xr1FlKANoKVviBZaoT0xqbrVJLdmSLvyca+OipgxDilaPq+To7nAujkwtH/qdR14CHbkFSjxzzEp3jhOOSeh1HysCDlk5N7dCz2X+FHv977IYeC9vuGPG75Vbz18D7FUEy0huXgq003zJdd0e7djNca9a/GAp3gvc=
+Created: 20220902075336
+Publish: 20220902075336
+Activate: 20220902075336
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.key
new file mode 100644
index 00000000000..d4b8efbe612
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 15002, for example.com.
+; Created: 20210423012926 (Fri Apr 23 11:29:26 2021)
+; Publish: 20210423012926 (Fri Apr 23 11:29:26 2021)
+; Activate: 20210423012926 (Fri Apr 23 11:29:26 2021)
+example.com. IN DNSKEY 257 3 8 AwEAAdp+oCXl7vpKA3Mmyndx6/iA+wLrtxeMUiWL7uWJ9ZF24EdS8Dye 63p0lGlyvjvM9T5dTiyEpTAdutEBr79H0MlDqIBqpadrCdJRI2S4kC+0 nq5+Aj2CEyiAamPGujwWeXwtfLAvVPfBqs42PBr6wPQIJOByFYDaZBU3 enUEWgHYy/7OnJDrt0QlswKphR6SvYtyuixiUR8J/WouWXglUY5qlC7Z vVDxs9E4q7B1mfKCyoqcFMKPh9lzEBH+IfUZ543xXEYf2BEztKB1SZ2R QnpYedjATGDcgPis46uA2gHMfvDYJTQ5UqTBtveGb3Wsqc0oRXVPMEoY 3WnWhaKDzkk=
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.private
new file mode 100644
index 00000000000..72b8e2e0c1d
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 2n6gJeXu+koDcybKd3Hr+ID7Auu3F4xSJYvu5Yn1kXbgR1LwPJ7renSUaXK+O8z1Pl1OLISlMB260QGvv0fQyUOogGqlp2sJ0lEjZLiQL7Sern4CPYITKIBqY8a6PBZ5fC18sC9U98GqzjY8GvrA9Agk4HIVgNpkFTd6dQRaAdjL/s6ckOu3RCWzAqmFHpK9i3K6LGJRHwn9ai5ZeCVRjmqULtm9UPGz0TirsHWZ8oLKipwUwo+H2XMQEf4h9RnnjfFcRh/YETO0oHVJnZFCelh52MBMYNyA+Kzjq4DaAcx+8NglNDlSpMG294ZvdaypzShFdU8wShjdadaFooPOSQ==
+PublicExponent: AQAB
+PrivateExponent: SD4X64/0DTONonRP+2Biej8DP7r6RcHyo1F6QtDzrg4VJ+AHaLPO/iUvsRHsTk99QwqMv3F4QMmDrHmXR3KSWQmS3Crm7M0aaTzErBfOLMfWs7EcQoQQm5KiGq1phFaWAnXzxTlRKb4SIK6T/wOr6sQKlV+DNqB++Pjn92rh67vLM8kZBUzWI14Vl9N0ib+xOOFH1oYFo7ynDgMfJhpnQSkuRfyQls3aD1eKQsNazRtZ7lFi2S0HR/V0AKYH2AQi7SdL5wH6hYba5cHfpKSw7PebI0lYkUJ4PAg3Xw7DPMkg8O0hkpLICpU8x7MPqQQ74eKDaEY+fjbL0KLL0Dy9UQ==
+Prime1: /IDRb7WzMY6wp14LqDORULoUnmiQOqkRjOQnCoEXT2KVpYwPmGMG+GR40hrMFgqqAZFVmi56VBoasWpYbSBEqM4aJv1JVimMPREk23v5i+TY93kxICO/ee9/v0hXgLmrKUkS1Kwu4a1PxLX5U/LAzXPR6zF+EHP9OKFjDRWHqN0=
+Prime2: 3YU9QdtsXofjNmlDETRwemKv45pa0oVNPmNvS1vtzIpQ3m/QSuhJxzyTgSP9x1XMiIsg63er3LOCtkRifXVE1IBrfIUgchp8YD5LsyesRl2ielE8Hw8PwSA1YjUVu90yRHcVfbZJ8lm2KyRKHgDWXz94t2Xnm/9M5XjUGuNW7l0=
+Exponent1: 7KIkpJYZyvW4ZAFk10sMgiUBMbs4f2D2i509YUC9ga4YJD7wVpVncN1nxS9L19RCopl7KbUo+yxDm8TX/dzhu3j7VVLFqbPiM1Cfw/mZUhszoii3ezFFPpbOl4rKRl66I0TSGvEKNoDfYrBPavby7Rf/wHRveifZRXspgpeMvRk=
+Exponent2: yvvtjuxW2CRiopg/+YL40lyd2cy2DpRRnKqW8BHzzGquAbWpwwopmOS8MSjewgqv2irK5pmJJTpku0nciiOsB6EJXVfLzGLSt4o96ZOf+/aPDNBla/xsLkaqRCxqlvPwvOX2DnS8O9PS5qNhOy7/QNYzcrJxUfPV7awTh/Pr040=
+Coefficient: PHxU1tqPKTpI/8nABvso0SRerc1m+RPWGRk7s/SVcADSBvEW7fUDcwiZeRfK9MdlwPvLiVozbYnRbgRQl8GuKSqAD1+Cnvn2yOQk81AgNKbuKPwF7UvKIdq/c/xnhj2bvZUVSavJ91ux/RlZNP50378Ks8bj5HJl1xzAMVHXB5o=
+Created: 20210423012926
+Publish: 20210423012926
+Activate: 20210423012926
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.key
new file mode 100644
index 00000000000..990b837003d
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 63613, for example.com.
+; Created: 20210423012810 (Fri Apr 23 11:28:10 2021)
+; Publish: 20210423012810 (Fri Apr 23 11:28:10 2021)
+; Activate: 20210423012810 (Fri Apr 23 11:28:10 2021)
+example.com. IN DNSKEY 256 3 8 AwEAAZzun7bYfjmGDwUEn4pyJG34vsiawRMW6pEdoNMH87ozxriOzgG6 /4zTjEv8JyYjGQz2k2vcoWWcD+86xD5IUqfa1pdXXUU8bdhG9DBtW/K1 mc4P6g8heU+0f++mq/L4TPlWVZUG8lVH4H8mD6r8PsVK7v/QR7wMeg9b JpCYyxon2A9rZ4zS0J9kX9bfciQVh6ODGVENctwEK5FNp5u0VonPEIx3 5Kj+IVn/mHpfbz4LaC02s7C6Kgvn3ToFFSJczwbOaexl/d+/ai8FLJi7 8UgiAq5/178bcVLItMeY6aD5eQGkRtr2c3JZ/JR4Nf+TQAWFBnl9NSDa RH4Qa55ZNqs=
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.private
new file mode 100644
index 00000000000..1765d3f0f63
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: nO6ftth+OYYPBQSfinIkbfi+yJrBExbqkR2g0wfzujPGuI7OAbr/jNOMS/wnJiMZDPaTa9yhZZwP7zrEPkhSp9rWl1ddRTxt2Eb0MG1b8rWZzg/qDyF5T7R/76ar8vhM+VZVlQbyVUfgfyYPqvw+xUru/9BHvAx6D1smkJjLGifYD2tnjNLQn2Rf1t9yJBWHo4MZUQ1y3AQrkU2nm7RWic8QjHfkqP4hWf+Yel9vPgtoLTazsLoqC+fdOgUVIlzPBs5p7GX9379qLwUsmLvxSCICrn/XvxtxUsi0x5jpoPl5AaRG2vZzcln8lHg1/5NABYUGeX01INpEfhBrnlk2qw==
+PublicExponent: AQAB
+PrivateExponent: N4egcDzO/V/YdLgcFAsrpNY9/BH2e+DCA7NuMv4/WgX0LV4quyYGQzigDksdNzt4I8Qkiig53BCK+uXahwdkaAzhng/F6zfkzoDc6z3nKUzlLasn8U6w9Gk0VAKwGXuPETNheShKG68hWxyGssQrGfjX9SEoIPxxPHnOfZ/zTj95KAnVV5qPz90xVAb0+FUrLXAt72KuRwepOTlsETsMFDKe17uUCqCCdX98Ko0u14wrO6zGRQtNhUsfvNB/pY8fvbHD1GcCTbFSx4FxsUsZMrNtMsvMe3HN9ggC0Y9htbH9HV0hS0w9SKCUyoeOVwf/JZL4hlfoe8+jglsyJpAgoQ==
+Prime1: zeXvO3PT4iXv9GlGeebl39pF1sXs8tXY4B9VHUJGGSYlyOlyCEy4URQJIPfuL6VjFKCErSxUJSrGz0HyQuKr8l9qP/0MGxGRH7wxvUR7YTmai84yyQ4fFENRmn8bzxGwj0MVHIW7cKC59j7nWT24gseT21/NP5m8EnPsjz/K40M=
+Prime2: wx5vVFSydUfr8HtOHNS1kRrTjhnQOfjmj8SxGi72Hk+mgi9fBCTC5fRLifd80wGbgyFk1vZOXeStOC8L3IlnBGLX0O9MNip+vVX3hRzIRhLwHhL1ygN3xEd04qwVH0XJ8+4A0XCzh/FJgW59F62geN6gwedo7GmZAOSZUBAyRHk=
+Exponent1: IlkqeLuQ7Fgx2I87b5iiXp62Keco6TXdkT4I3/GvagCgKw0utc2+rd/uye4ycQZhKg7BM3aCrxScx/STaq8PykY6nmQjgdyDXkzx60YiYwzOCGakuD+/1YyJb4Gm7PthffTN780rgNV/UGIcDBoszrxmoSExR1vpMRbfruIQgas=
+Exponent2: or0Os/KUibc79W6Snv9WlLkgPAQRpViQzNaLtD/47R0Xzrs975HNsMgJ/P+bb86Ga1994MC8ahmh1BuBNCax8nmScWQ1V3QoEzjRYoe4DqIa/aposF4mFWJX/fry/wtRPo+CxSzPwJGh8j86PHaHQmjFAhVFcPE+OP1xVdK8alk=
+Coefficient: r5wPmPXUF5pVC0Y7La3jVkL4w/3wvq9LBz91tH9gA8OUNLpDDBuFZISiJdhOZ4JVw+qSSoHcEa+3Phd+BqxmXzwZDU1Fqta9mLDDGCqCWjVQOopeeJgrvkv9P0TIzEuoGmW50cQhyqHYCtuUxjOnHfiQSc53p7rfD4Vom1VQ3Ok=
+Created: 20210423012810
+Publish: 20210423012810
+Activate: 20210423012810
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.key
new file mode 100644
index 00000000000..47003a44c22
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 18240, for example.com.
+; Created: 20211221062121 (Tue Dec 21 17:21:21 2021)
+; Publish: 20211221062121 (Tue Dec 21 17:21:21 2021)
+; Activate: 20211221062121 (Tue Dec 21 17:21:21 2021)
+example.com. IN DNSKEY 256 3 10 AwEAAe5GunnuJFyzmKiGUknSQY3aPtR5UR8vNLLyMCJswffRzoYwY14/ 60ZTsqzh7N+lJV3KAOraocFSsTnmWIM7D7DPpqtaJMQw90ypBG0cnUP1 wKX9L/gdOH/ITlluBiZpCv9Aux3FRECHBO4Gx8Rse8ST2Vag3UuOPW+q HkLsWQt22K/hYuDhEtUWWx2dTIaXUVXNSNbk2zPL+lhC9PaRV+//1Fjo UX4qXCUuUN4TiqlkK2v4UkcIyld1n2R7qTQAkoN9amGFtPu8z5Zw7CxC San03yUSNuKub3fGys11gQRFuEHRX7FxKxvJjmcngG9qCh8AyfHZ8zYb VstTy1unFoM=
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.private
new file mode 100644
index 00000000000..f16b62708a2
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 10 (RSASHA512)
+Modulus: 7ka6ee4kXLOYqIZSSdJBjdo+1HlRHy80svIwImzB99HOhjBjXj/rRlOyrOHs36UlXcoA6tqhwVKxOeZYgzsPsM+mq1okxDD3TKkEbRydQ/XApf0v+B04f8hOWW4GJmkK/0C7HcVEQIcE7gbHxGx7xJPZVqDdS449b6oeQuxZC3bYr+Fi4OES1RZbHZ1MhpdRVc1I1uTbM8v6WEL09pFX7//UWOhRfipcJS5Q3hOKqWQra/hSRwjKV3WfZHupNACSg31qYYW0+7zPlnDsLEJJqfTfJRI24q5vd8bKzXWBBEW4QdFfsXErG8mOZyeAb2oKHwDJ8dnzNhtWy1PLW6cWgw==
+PublicExponent: AQAB
+PrivateExponent: U/ipDv9V4TWJvxpXNZzbbVpUehym8g54y/d97yPU17kgxzmWS0jLaWVluneEOuzAVmUyHZIfHzo9KuJ6nwTZar5DRm/mNR3siR+nZ6yF38VjtxubJB1oI+A7fFjB4hdywLHXP46dlv/+RMQu8pIorAZOubDHTDE8hXW2ZG9WkisJ5P7KoaL4KFHHHXi5vsXAMph4Zphd/zPxVL2tHD3l5c3QXRpQWfTNZNQcZ1f/4yVCuMRibg5LCvpia0ZwRrlygfZdAHUUd0VJDfRO45J5nlIJSAHQtjYtVTL+xNISWOHXovVlInkVyluACqfX94I7qPXTu41yg3SxrrtHE6RTwQ==
+Prime1: +/YsRxmUxgvHKUh4SxdjzqNDDEi8b2BtM5IpctjVG3oYsL6J9xJB3U5/lbrGEPgl/1ndBUSXMQ6zQ5WcDE1qBAdW8t0eyniyuiexcgQ9f04Ds7p7oUiSHGLRn8YqQOzmiASXoZmkzfJZ+42pGhT3RZ+aYKtWQGMHqXabwV3zZl0=
+Prime2: 8hhnKzPzExy6wv/MV0aYKo1g4azrRjug6743/ctTC7zjnMmDW7RMFTXmq5Tu3pFaIL4N4C4m1b7P3abfTrjm+DwHnrlRIvLWS3zJnvUEM22i4BwqqTLRiJpoT5Bfp4pVsdOPT7Iyx1q5UsJZ7Q4qMpg2TFpGiQyieRB5Xwpu4l8=
+Exponent1: ZFPx7Z3SD8pA0793pu75Xx7DY/DSl8bdtNtOhdyxfu9vRXGZnjg24diQFR76H2ewOa2exKo7Sd2ApDi+mmd4/4Gsrag+yoClKlsD3VKy6i42ayqmb+Jly8fNkMFnsdKjOSYa+s4jQZ5vFiuiWjBfBeo3nqabAahtNJ12B9lRQkE=
+Exponent2: tNz4TnVsFo4zFLVHsrghvECM7WxjBMBNc3FToT6CV1WRcjO1+A/Ve08eenc0kYBjpex2r1GrX6pC3uPpFoXav/8Q7kqiTArBf/nFIwUHU2iH8wf38xntIjHA1hgU7jTR2p0kBrUpbHfh1esuhYQ8kDnY7ufOpFqVEv70vcUsm98=
+Coefficient: 3acDCJ9jCnHAP1km7jRO388mOpiI8U6SMv0PBD8l2UoB4CYwujrFxy6PhgUa486bbm5xZEaOwhYZcbw/g1qyC6Qt5kYOb2fVWOob/lEQmyqbDvHMQWTJoIbqaDTKQN/szI4xVdb/xZ6QR4Bq7JgbJpUACgweS540Y7Lf8Dry8C0=
+Created: 20211221062121
+Publish: 20211221062121
+Activate: 20211221062121
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.key
new file mode 100644
index 00000000000..37bd259f6bf
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 28633, for example.com.
+; Created: 20211221062130 (Tue Dec 21 17:21:30 2021)
+; Publish: 20211221062130 (Tue Dec 21 17:21:30 2021)
+; Activate: 20211221062130 (Tue Dec 21 17:21:30 2021)
+example.com. IN DNSKEY 257 3 10 AwEAAc4lt8fDsdCzMCLHxXm8Ok/dw6XDiqx06Rf47LTeLmo6b64xm1Fs 0zloNMrcZDgwS5IxjQ3Breqc5aEc+jehueqCXa/fJXMdIt1VpUG0H7GP 4B+1IVmEiziHfmOozktdkuAyLqcsNhsf+J1+bCoHJSffgz6KbjBks/jR 12uyUnZCDrKGE/KfiR0gpT3watqGqqChO0KXq2N2PsnYfyRDea5FMUjM oPgOOyAT8LIMsM8x4f+EbU6m9Zc3Esafek9iLCS9R1333Pm1EEh5ghQT BsZ7omc5aSvrKUaIneojU3RdofceZouCliIDXmqscfY0y6bivGcmCQI/ LM4XUh7GWlM=
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.private
new file mode 100644
index 00000000000..6d7f72e48ba
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 10 (RSASHA512)
+Modulus: ziW3x8Ox0LMwIsfFebw6T93DpcOKrHTpF/jstN4uajpvrjGbUWzTOWg0ytxkODBLkjGNDcGt6pzloRz6N6G56oJdr98lcx0i3VWlQbQfsY/gH7UhWYSLOId+Y6jOS12S4DIupyw2Gx/4nX5sKgclJ9+DPopuMGSz+NHXa7JSdkIOsoYT8p+JHSClPfBq2oaqoKE7QperY3Y+ydh/JEN5rkUxSMyg+A47IBPwsgywzzHh/4RtTqb1lzcSxp96T2IsJL1HXffc+bUQSHmCFBMGxnuiZzlpK+spRoid6iNTdF2h9x5mi4KWIgNeaqxx9jTLpuK8ZyYJAj8szhdSHsZaUw==
+PublicExponent: AQAB
+PrivateExponent: Wr3fl99cdjFqDuVA18UzJdTIOj9I24Da2eKIz1S9uaTfZB4R8FWm5K4qDuHUe6dGnKOTI2sN0ygdLD5FJhfabo/UDYZ8RZ+dqS/5/mH7UX2zekGQ3Iargcaiq9uycxpNfMKaJpwfdPEtzqXHlvhuMo8AhpcIyeSKFAzKdm2YPtUqIrum4RARHyfRLfLyWlkIotPdyiaKCVGQxiRbFsTcmIB2Bizmt7zRjlB+Hxf8MooXmaKUFRQtMCLnFGK0ecFI1CWAxmLSanvYVKQ0HxcFkFKzRiZAz1au7ZfMgYDZj0jF72WAGU3Edcmdc0QIQRTWjb/3wcBfwlr9s6lKoF3ngQ==
+Prime1: 1EIziKhz7dF41rb/hckdr2qeY8eM7tLrT5jIMPLISHCCuKm5IK2u7PY6m6NjMdhx1ilm7K2RGTt+TTFZaqDIEd8qpzRCxAGcfTVOmB9iHwmi9i9RoPSlY6o+iShft68ZnvPiGJWUF2huRYVK2F0cIWErwSqaBGsFd79mXmlkn98=
+Prime2: +KEdNtZj9JyCCR2xbLAw3tnAYxHvJ3skVMjxV3cyUupMWi12NWxGhHH1nnetXxDR2LBBuqIl4pE/4MeXe3sClMHTL3Z9XG+pzQAsHS7yvsfZERdyuWZYYy0ya/7XY2auvRVO6LxN7d47VWjYxAGfoCsbCEivgDxmt1dTZhAtRA0=
+Exponent1: d5TcZ69PsLoEtCLhDkRh/wO4PEqeMaaOf4d5sWn2QCly3Apyi+CN3l5SYoDIT7q7V4Z3v/uA9ZA49dBJqfLvBHKQGycsPjUSLtAreTSlGQtazguWl3F9BAtTs/4U/u0dKBoKVQNgLVfeWDhiFEdQo9WUyvzvTHHm4LHqQGJsGE0=
+Exponent2: EU2dK+DVygNOZXYEkAzfCdNbuUlZPIUsbR4i9bRc8zpNIAWD8YncioEn1+R6U2BnSk5R9LwuKMt1B568YyKXdmTa3rW/WbyHs7WsXEeVK0PbTn40RMTjp9tQZAWzVb6isJQYDsh0H/bUaEhItbNrOYlmczgjxqftehsAudysWc0=
+Coefficient: sl2u/8vttxpiTbspGV4SsaDmKUNdzQH7BgJ5rl3mXPp/aUpLw0Sr7FuARy8W8tq3yVNi9qCOnvGwVl6aQzZP7b8N04KiH8gewlAVdSfxG24yFKJIQNbWGKFZYZFYyjtLVlpK6NYF0f0I1KpAjn58XR0qIBvRFZYWBAkggU9C7ro=
+Created: 20211221062130
+Publish: 20211221062130
+Activate: 20211221062130
diff --git a/bin/tests/system/dnssectools/signer/general/bogus-ksk.key b/bin/tests/system/dnssectools/signer/general/bogus-ksk.key
new file mode 100644
index 00000000000..e4685741ffe
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/bogus-ksk.key
@@ -0,0 +1,6 @@
+;
+; This is a bogus key. It will not have a .private file.
+;
+; This will be key id 23221
+;
+example.com. IN DNSKEY 257 3 10 AwEAAbcyptpM++pVjhpYQW2fVtyOw04IBSw4X0SYi/Ke4wVkmDNW2vBm AFkgiVVKmmNbb0IHDYQiIY7seXk0fjEwjzeY2bmeOAZxDdv2KT9VQpoY Matk2y4NTi6F/V04x0lL/CBvyifTeNbZKvY+S1eKFuWHeS5Ss8tiagz9 zdYWUe/msvmin+Hbs2tlLwXVl4hOmABCL9uK9H8R6GPL5VdEXYyFOh/v 71CNhRU5ufrARti69YYkfzH6NpWhlJWyJvDjqAdt2L3H8V71C2vcXbBu S5NscEYl+8JQfwUvOTN553I5IQrG+NQEusW36UM/Rkad8mMnUVM9Vzqk GH86GHKtLMc=
diff --git a/bin/tests/system/dnssectools/signer/general/bogus-zsk.key b/bin/tests/system/dnssectools/signer/general/bogus-zsk.key
new file mode 100644
index 00000000000..aa459384262
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/bogus-zsk.key
@@ -0,0 +1,6 @@
+;
+; This is a bogus key. It will not have a .private file.
+;
+; This will be key id 48930
+;
+example.com. IN DNSKEY 256 3 10 AwEAAa/0IcnbGutPVkrz04tw5ZIYx6rU+FprB2rlKS8cTK/wiBOqbOC6 QIDdegDpZG1fOdj04ZQGa3pIizqC2CnlIWfxpfR6W+qSLRBuQ8gmwTmS c/Jy/0vAGB3fv3oVIqKslLNqIXZb3CKNiA2kGcut3aUgfeOW970Jga6z PAGKqPpPZTelW1Qy9N5BO4cRTuYo4uvbZveJv1W/2n5RN+UaeqU0f+AE DP0+wqSWNUfZsi6HygLwk08x3eO8PzTBlqBlAMfvNAygrmXqccMREyyH KEc5dVJ1qOXfj8BAdJUPmunyJhIwC9PxzOW7mn1lW7mZO2D5U/Jaxw2k eX2KblmVk8s=
diff --git a/bin/tests/system/dnssectools/signer/general/test1.zone b/bin/tests/system/dnssectools/signer/general/test1.zone
new file mode 100644
index 00000000000..98c9f0233c3
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test1.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
diff --git a/bin/tests/system/dnssectools/signer/general/test10.zone b/bin/tests/system/dnssectools/signer/general/test10.zone
new file mode 100644
index 00000000000..10a8bc97e1e
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test10.zone
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00100000 1200 3600 604800 300
+extra.example.com. IN A 1.2.3.4
+$include Kexample.com.+008+63613.key
+$include Kexample.com.+008+15002.key
diff --git a/bin/tests/system/dnssectools/signer/general/test11.zone b/bin/tests/system/dnssectools/signer/general/test11.zone
new file mode 100644
index 00000000000..538305fc144
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test11.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+19857.key
+$include Kexample.com.+005+45884.key
diff --git a/bin/tests/system/dnssectools/signer/general/test12.zone b/bin/tests/system/dnssectools/signer/general/test12.zone
new file mode 100644
index 00000000000..4e4c9baef6a
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test12.zone
@@ -0,0 +1,37 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 30 ; 30 seconds
+. IN SOA a.root.servers.nil. each.isc.org. (
+ 2000042101 ; serial
+ 600 ; refresh (10 minutes)
+ 600 ; retry (10 minutes)
+ 1200 ; expire (20 minutes)
+ 600 ; minimum (10 minutes)
+ )
+ NS a.root-servers.nil.
+ DNSKEY 256 3 13 (
+ TFelYtTRBWeA9A307vvuWIcaNwW4txW4RgSELtsi46ZQ
+ s24ncRxmxtFfuJuPyVXePNiE4HNI9CIowGUsn5WuBw==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 23768
+ DNSKEY 257 3 13 (
+ OSmhpULEDCUzHCBeDU5uJXzkCcGuW2qrkQznKRPGhRZN
+ j7ZUIGInGzM5Um5m02ULWt8tKbi55NJUeifKWegQ0g==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 22255
+ DNSKEY 385 3 13 (
+ uKwpRtMH+9iuUk/Xj6LciIP5ZckaBtXaUqxUxzJYexXj
+ vxGZGX4470Jvhq2NCI3HBZQNaCCP/h9sluhIzRGPTA==
+ ) ; revoked KSK; alg = ECDSAP256SHA256 ; key id = 23768
+a.root-servers.nil. A 10.53.0.1
diff --git a/bin/tests/system/dnssectools/signer/general/test2.zone b/bin/tests/system/dnssectools/signer/general/test2.zone
new file mode 100644
index 00000000000..97c0d3d8dc2
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test2.zone
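Review bot: The header comment of test12.zone ("two DNSKEY records, both of which have existing private key files ... the zone correctly signed") does not describe this file: it carries three DNSKEYs — a ZSK, a KSK, and a revoked KSK (flags 385) whose key id 23768 collides with the ZSK's — and the tests.sh case that consumes it ("revoked KSK ID collides with ZSK") expects signing to fail without a crash. The block appears to be copied from test1.zone. Suggest replacing the four description lines with `; This zone has a ZSK and a revoked KSK whose key ids collide (23768).` / `; dnssec-signzone is expected to reject it without crashing.`.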
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has one non-KSK DNSKEY record for which the
+; private key file exists. It should be loaded automatically and the zone
+; correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
diff --git a/bin/tests/system/dnssectools/signer/general/test3.zone b/bin/tests/system/dnssectools/signer/general/test3.zone
new file mode 100644
index 00000000000..bf9bc66c56f
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test3.zone
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has one KSK DNSKEY record for which the
+; private key file exists. It should be loaded automatically. As there
+; is no non-KSK DNSKEY the resulting zone should be rejected.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+28633.key
diff --git a/bin/tests/system/dnssectools/signer/general/test4.zone b/bin/tests/system/dnssectools/signer/general/test4.zone
new file mode 100644
index 00000000000..9f05de50fb1
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test4.zone
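Review bot: The test2.zone description says the single non-KSK key "should be loaded automatically and the zone correctly signed", but the tests.sh case that uses it ("one non-KSK DNSKEY") treats a produced signed.zone as a failure — the subshell ends `test -f signed.zone` / `) && ret=1` — so the comment appears to state the opposite of the expected outcome. test3.zone, the mirror case with only a KSK, does say "the resulting zone should be rejected", and its test expects failure the same way. If the test is the intended behaviour, reword the description to `; private key file exists. As there is no KSK, dnssec-signzone should reject` / `; the resulting zone.`; if the comment is right, the test's `&& ret=1` is inverted.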
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has three DNSKEY records, two (KSK + ZSK) of
+; which have existing private key files available. The third is a
+; pre-published ZSK.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssectools/signer/general/test5.zone b/bin/tests/system/dnssectools/signer/general/test5.zone
new file mode 100644
index 00000000000..d61504fbf91
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test5.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has three DNSKEY records, two (KSK +ZSK) of which
+; have existing private key files available. The third is a KSK.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-ksk.key
diff --git a/bin/tests/system/dnssectools/signer/general/test6.zone b/bin/tests/system/dnssectools/signer/general/test6.zone
new file mode 100644
index 00000000000..fcfb1ec2607
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test6.zone
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has four DNSKEY records, two (KK + ZSK) of which
+; have existing private key files available. There are also a KSK and ZSK
+; for which there will be no signatures.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-ksk.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssectools/signer/general/test7.zone b/bin/tests/system/dnssectools/signer/general/test7.zone
new file mode 100644
index 00000000000..e52c5355275
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test7.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, none of which have
+; existing private key files available. The resulting zone should fail
+; the consistency tests.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include bogus-ksk.key
+$include bogus-zsk.key
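Review bot: `KK` in the test6.zone description (`two (KK + ZSK) of which`) is a typo for KSK; the two keys with private files are Kexample.com.+010+18240.key and Kexample.com.+010+28633.key, and the latter's own header identifies it as the key-signing key. Suggest `; This is a zone which has four DNSKEY records, two (KSK + ZSK) of which`, matching the wording already used in test4.zone and test5.zone.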
diff --git a/bin/tests/system/dnssectools/signer/general/test8.zone b/bin/tests/system/dnssectools/signer/general/test8.zone
new file mode 100644
index 00000000000..893d32da10b
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test8.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, one of which,
+; the KSK, has a private key. The resulting zone should be rejected as
+; it has no ZSK signatures.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+28633.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssectools/signer/general/test9.zone b/bin/tests/system/dnssectools/signer/general/test9.zone
new file mode 100644
index 00000000000..14c47d040cd
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test9.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+008+63613.key
+$include Kexample.com.+008+15002.key
diff --git a/bin/tests/system/dnssectools/signer/prepub.db.in b/bin/tests/system/dnssectools/signer/prepub.db.in
new file mode 100644
index 00000000000..946aac1bf52
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/prepub.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+prepub. 60 IN SOA prepub. . 0 0 0 0 0
+prepub. 60 IN NS prepub.
+prepub. 60 IN A 1.2.3.4
+; out of zone record
+out-of-zone. 60 IN A 1.2.3.4
diff --git a/bin/tests/system/dnssectools/signer/remove.db.in b/bin/tests/system/dnssectools/signer/remove.db.in
new file mode 100644
index 00000000000..5629a426aee
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/remove.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+remove. 60 IN SOA remove. . 0 0 0 0 0
+remove. 60 IN NS remove.
+remove. 60 IN A 1.2.3.4
+remove. 60 IN AAAA ::ffff:1.2.3.4
+remove. 60 IN MX 0 remove.
+$INCLUDE remove.db.signed
diff --git a/bin/tests/system/dnssectools/signer/remove2.db.in b/bin/tests/system/dnssectools/signer/remove2.db.in
new file mode 100644
index 00000000000..b2962b9ff1f
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/remove2.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+remove. 60 IN SOA remove. . 0 0 0 0 0
+remove. 60 IN NS remove.
+remove. 60 IN A 1.2.3.4
+$INCLUDE remove.db.signed
diff --git a/bin/tests/system/dnssectools/tests.sh b/bin/tests/system/dnssectools/tests.sh
new file mode 100644
index 00000000000..85cd1ac2a65
--- /dev/null
+++ b/bin/tests/system/dnssectools/tests.sh
@@ -0,0 +1,1022 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+status=0
+n=1
+
+# check that a zone file is raw format, version 0
+israw0() {
+ # shellcheck disable=SC2016
+ $PERL <"$1" -e 'binmode STDIN;
+ read(STDIN, $input, 8);
+ ($style, $version) = unpack("NN", $input);
+ exit 1 if ($style != 2 || $version != 0);' || return $?
+}
+
+# check that a zone file is raw format, version 1
+israw1() {
+ # shellcheck disable=SC2016
+ $PERL <"$1" -e 'binmode STDIN;
+ read(STDIN, $input, 8);
+ ($style, $version) = unpack("NN", $input);
+ exit 1 if ($style != 2 || $version != 1);' || return $?
+}
+
+echo_i "basic dnssec-signzone checks:"
+echo_ic "two DNSKEYs ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test1.zone >signer.out.$n
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "two DNSKEYs, DNSKEY RRset only by KSK ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -s now-1mo -e now+2d -P -x -f signed.zone -O full -o example.com. test1.zone >signer.out.$n
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "two DNSKEYs, DNSKEY RRset only by KSK, private key missing ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ cp signed.zone signed.expect
+ grep "example\.com\..*3600.*IN.*RRSIG.*DNSKEY.*10.*2.*3600.*28633.*example\.com\." 
signed.expect >dnskey.expect || exit 1
+ mv Kexample.com.+010+28633.private Kexample.com.+010+28633.offline
+ $SIGNER -P -x -f signed.zone -O full -o example.com. signed.zone >signer.out.$n 2>/dev/null
+ mv Kexample.com.+010+28633.offline Kexample.com.+010+28633.private
+ grep "$(cat dnskey.expect)" signed.zone >/dev/null || exit 1
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "one non-KSK DNSKEY ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test2.zone >signer.out.$n
+ test -f signed.zone
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "one KSK DNSKEY ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test3.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "three DNSKEY ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test4.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "three DNSKEY, one private key missing ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test5.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "four DNSKEY ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. 
test6.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "two DNSKEY, both private keys missing ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test7.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "two DNSKEY, one private key missing ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test8.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "check that 'dnssec-signzone -F' works with allowed algorithm ($n)"
+ret=0
+if $FEATURETEST --fips-provider; then
+ (
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -F -f signed.zone -o example.com. test1.zone >signer.out.$n
+ test -f signed.zone
+ ) || ret=1
+else
+ echo_i "skipped no FIPS provider available"
+fi
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "check that 'dnssec-signzone -F' failed with disallowed algorithm ($n)"
+ret=0
+if ! $FEATURETEST --fips-provider; then
+ echo_i "skipped no FIPS provider available"
+elif [ $RSASHA1_SUPPORTED = 0 ]; then
+ echo_i "skipped: RSASHA1 is not supported"
+else
+ (
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -F -f signed.zone -o example.com. 
test11.zone >signer.out.$n 2>&1 && exit 1
+ grep -F -e "fatal: No signing keys specified or found" \
+ -e "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n >/dev/null
+ ) || ret=1
+fi
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "revoked KSK ID collides with ZSK ($n)"
+ret=0
+# signing should fail, but should not coredump
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -S -f signed.zone -o . test12.zone >signer.out.$n 2>/dev/null
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -3 - -H 51 -o example.com. test9.zone >signer.out.$n
+ test -f signed.zone
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "check that dnssec-signzone -J loads journal files ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $MAKEJOURNAL example.com. test9.zone test10.zone test9.zone.jnl
+ $SIGNER -f signed.zone -o example.com. -J test9.zone.jnl test9.zone >signer.out.$n
+ grep -q extra signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "check that dnssec-signzone accepts maximum NSEC3 iterations ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -3 - -H 50 -o example.com. test9.zone >signer.out.$n
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+get_default_algorithm_key_ids_from_sigs() {
+ zone=$1
+
+ awk -v alg=$DEFAULT_ALGORITHM_NUMBER '
+ NF < 8 { next }
+ $(NF-5) != "RRSIG" { next }
+ $(NF-3) != alg { next }
+ $NF != "(" { next }
+ {
+ getline;
+ print $3;
+ }
+ ' signer/$zone.db.signed | sort -u
+}
+
+# Test dnssec-signzone ZSK prepublish smooth rollover.
+echo_i "check dnssec-signzone doesn't sign with prepublished zsk ($n)"
+ret=0
+zone=prepub
+# Generate keys.
+ksk=$("$KEYGEN" -K signer -f KSK -q -a $DEFAULT_ALGORITHM "$zone")
+zsk1=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone")
+zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone")
+zskid1=$(keyfile_to_key_id "$zsk1")
+zskid2=$(keyfile_to_key_id "$zsk2")
+(
+ cd signer || exit 1
+ # Set times such that the current set of keys are introduced 60 days ago and
+ # start signing now. The successor key is prepublished now and will be active
+ # next day.
+ $SETTIME -P now-60d -A now $ksk >/dev/null
+ $SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 >/dev/null
+ $SETTIME -S $zsk1 -i 1h $zsk2.key >/dev/null
+ $SETTIME -P now -A now+1d $zsk2.key >/dev/null
+ # Sign the zone with initial keys and prepublish successor. The zone signatures
+ # are valid for 30 days and the DNSKEY signature is valid for 60 days.
+ cp -f $zone.db.in $zone.db
+ $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null
+ echo "\$INCLUDE \"$zone.db.signed\"" >>$zone.db
+)
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed: missing signatures from key $zskid1"
+status=$((status + ret))
+
+echo_i "check dnssec-signzone retains signatures of predecessor zsk ($n)"
+ret=0
+zone=prepub
+(
+ cd signer || exit 1
+ # Roll the ZSK. The predecessor is inactive from now on and the successor is
+ # activated. The zone signatures are valid for 30 days and the DNSKEY
+ # signature is valid for 60 days. Because of the predecessor/successor
+ # relationship, the signatures of the predecessor are retained and no new
+ # signatures with the successor should be generated.
+ $SETTIME -A now-30d -I now -D now+30d $zsk1 >/dev/null
+ $SETTIME -A now $zsk2 >/dev/null
+ $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null
+)
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check dnssec-signzone swaps zone signatures after interval ($n)"
+ret=0
+zone=prepub
+(
+ cd signer || exit 1
+ # After some time the signatures should be replaced. When signing, set the
+ # interval to 30 days plus one second, meaning all predecessor signatures
+ # are within the refresh interval and should be replaced with successor
+ # signatures.
+ $SETTIME -A now-50d -I now-20d -D now+10d $zsk1 >/dev/null
+ $SETTIME -A now-20d $zsk2 >/dev/null
+ $SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db >/dev/null
+)
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null && ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)"
+ret=0
+zone=example
+# If dnssec-keygen fails, the test script will exit immediately. Prevent that
+# from happening, and also trigger a test failure if dnssec-keygen unexpectedly
+# succeeds, by using "&& ret=1".
+$KEYGEN -a 255 $zone >dnssectools.out.test$n 2>&1 && ret=1
+grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that a DS record cannot be generated for a key using an unsupported algorithm ($n)"
+ret=0
+zone=example
+# Fake an unsupported algorithm key
+unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp
+mv ${unsupportedkey}.tmp ${unsupportedkey}.key
+# If dnssec-dsfromkey fails, the test script will exit immediately. Prevent
+# that from happening, and also trigger a test failure if dnssec-dsfromkey
+# unexpectedly succeeds, by using "&& ret=1".
+$DSFROMKEY ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1
+grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)"
+ret=0
+ret=0
+cat signer/example.db.in "${unsupportedkey}.key" >signer/example.db
+# If dnssec-signzone fails, the test script will exit immediately. Prevent that
+# from happening, and also trigger a test failure if dnssec-signzone
+# unexpectedly succeeds, by using "&& ret=1".
+$SIGNER -o example signer/example.db ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1
+grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that we can sign a zone with out-of-zone records ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
+(
+ cd signer || exit 1
+ cat example.db.in "$key1.key" "$key2.key" >example.db
+ $SIGNER -o example -f example.db example.db >/dev/null
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
+(
+ cd signer || exit 1
+ cat example.db.in "$key1.key" "$key2.key" >example.db
+ $SIGNER -3 - -H 10 -o example -f example.db example.db >/dev/null
+ awk '/^IQF9LQTLK/ {
+ printf("%s", $0);
+ while (!index($0, ")")) {
+ if (getline <= 0)
+ break;
+ printf (" %s", $0);
+ }
+ printf("\n");
+ }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out
+
+ grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 
0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null +) || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)" +ret=0 +zone=example +key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) +key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) +( + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example3.db + echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >>example3.db + $SIGNER -3 - -A -H 10 -o example -f example3.db example3.db >/dev/null + awk '/^IQF9LQTLK/ { + printf("%s", $0); + while (!index($0, ")")) { + if (getline <= 0) + break; + printf (" %s", $0); + } + printf("\n"); + }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out + + grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null +) || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)" +ret=0 +zone=example +key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) +key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) +( + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -o example -f example.db.before example.db >/dev/null + sed 's/60.IN.SOA./50 IN SOA /' example.db.before >example.db.changed + $SIGNER -o example -f example.db.after example.db.changed >/dev/null +) +grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)" +ret=0 +zone=example +key1=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) +key2=$($KEYGEN -K 
signer -q -a $DEFAULT_ALGORITHM $zone) +keyid2=$(keyfile_to_key_id "$key2") +key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) +keyid3=$(keyfile_to_key_id "$key3") +( + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -D -o example example.db >/dev/null + + # now switch out key2 for key3 and resign the zone + cat example.db.in "$key1.key" "$key3.key" >example.db + echo "\$INCLUDE \"example.db.signed\"" >>example.db + $SIGNER -D -o example example.db >/dev/null +) || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -RD -o example example.db >/dev/null +) || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone keeps valid signatures from inactive keys ($n)" +ret=0 +zone=example +( + cd signer || exit 1 + cp -f example.db.in example.db + $SIGNER -SD -o example example.db >/dev/null + echo "\$INCLUDE \"example.db.signed\"" >>example.db + # now retire key2 and resign the zone + $SETTIME -I now "$key2" >/dev/null 2>&1 + $SIGNER -SD -o example example.db >/dev/null +) || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -SDQ -o example example.db 
>/dev/null +) || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone retains unexpired signatures ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -Sxt -o example example.db >signer.out.1 + $SIGNER -Sxt -o example -f example.db.signed example.db.signed >signer.out.2 +) || ret=1 +gen1=$(awk '/generated/ {print $3}' signer/signer.out.1) +retain1=$(awk '/retained/ {print $3}' signer/signer.out.1) +gen2=$(awk '/generated/ {print $3}' signer/signer.out.2) +retain2=$(awk '/retained/ {print $3}' signer/signer.out.2) +drop2=$(awk '/dropped/ {print $3}' signer/signer.out.2) +[ "$retain2" -eq $((gen1 + retain1)) ] || ret=1 +[ "$gen2" -eq 0 ] || ret=1 +[ "$drop2" -eq 0 ] || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)" +ret=0 +( + cd signer || exit 1 + # remove NSEC-only keys + rm -f Kexample.+005* + cp -f example.db.in example2.db + cat <>example2.db +sub1.example. IN A 10.53.0.1 +ns.sub2.example. IN A 10.53.0.2 +EOF + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + touch example2.db.signed + $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null +) || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 +( + cd signer || exit 1 + cp -f example.db.in example2.db + cat <>example2.db +sub1.example. IN NS sub1.example. +sub1.example. IN A 10.53.0.1 +sub2.example. IN NS ns.sub2.example. +ns.sub2.example. 
IN A 10.53.0.2 +EOF + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null +) || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)" +ret=0 +( + cd signer || exit 1 + rm -f example2.db.signed + cp -f example.db.in example2.db + cat <>example2.db +sub1.example. IN A 10.53.0.1 +ns.sub2.example. IN A 10.53.0.2 +EOF + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + touch example2.db.signed + $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null +) || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 +( + cd signer || exit 1 + cp -f example.db.in example2.db + cat <>example2.db +sub1.example. IN NS sub1.example. +sub1.example. IN A 10.53.0.1 +sub2.example. IN NS ns.sub2.example. +ns.sub2.example. 
IN A 10.53.0.2 +EOF + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null +) || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone output format ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -O full -f - -Sxt -o example example.db >signer.out.3 2>/dev/null + $SIGNER -O text -f - -Sxt -o example example.db >signer.out.4 2>/dev/null + $SIGNER -O raw -f signer.out.5 -Sxt -o example example.db >/dev/null + $SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db >/dev/null + $SIGNER -O raw -f - -Sxt -o example example.db >signer.out.7 2>/dev/null +) || ret=1 +awk 'BEGIN { found = 0; } + $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 11) exit(1); } + END { if (!found) exit(1); }' signer/signer.out.3 || ret=1 +awk 'BEGIN { found = 0; } + $1 == "example." 
&& $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 7) exit(1); } + END { if (!found) exit(1); }' signer/signer.out.4 || ret=1 +israw1 signer/signer.out.5 || ret=1 +israw0 signer/signer.out.6 || ret=1 +israw1 signer/signer.out.7 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking TTLs are capped by dnssec-signzone -M ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db >/dev/null +) || ret=1 +awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -N date ($n)" +ret=0 +( + cd signer || exit 1 + TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db >/dev/null +) || ret=1 +# shellcheck disable=SC2016 +now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];') +serial=$(awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9) +[ "$now" -eq "$serial" ] || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G ($n)" +ret=0 +( + cd signer || exit 1 + $SETTIME -P ds now -P sync now "$key1" >/dev/null + $SIGNER -G "cdnskey,cds:sha384" -O full -S -f signer.out.$n -o example example2.db >/dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (default) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -O full -S -f signer.out.$n -o example example2.db >/dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test 
$(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (empty) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -G "" -O full -S -f signer.out.$n -o example example2.db >/dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (no CDNSKEY) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -G "cds:sha-256,cds:sha384" -O full -S -f signer.out.$n -o example example2.db >/dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (no CDS) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -G "cdnskey" -O full -S -f signer.out.$n -o example example2.db >/dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (suppress duplicates) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -G 
"cdnskey,cds:sha256,cds:sha256,cdnskey" -O full -S -f signer.out.$n -o example example2.db >/dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (bad argument) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -G "cdnskey,foobar" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 + grep "digest must specify cds:algorithm ('foobar')" signer.err.$n >/dev/null || ret=1 +) +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (bad digest - name) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -G "cdnskey,cds:foobar" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 + grep "bad digest 'cds:foobar'" signer.err.$n >/dev/null || ret=1 +) +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (bad digest - number) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -G "cdnskey,cds:256" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 + grep "bad digest 'cds:256': out of range" signer.err.$n >/dev/null || ret=1 +) +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (unsupported digest - name) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -G "cdnskey,cds:gost" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 + grep "unsupported digest 'cds:gost'" signer.err.$n >/dev/null || ret=1 +) +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (unsupported digest - number) ($n)" 
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "cdnskey,cds:200" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
+ grep "unsupported digest 'cds:200'" signer.err.$n >/dev/null || ret=1
+)
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)"
+ret=0
+# generate signed zone with MX and AAAA records at apex.
+(
+ cd signer || exit 1
+ $KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove >/dev/null
+ $KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove >/dev/null
+ echo >remove.db.signed
+ $SIGNER -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n
+)
+grep "RRSIG MX" signer/remove.db.signed >/dev/null || {
+ ret=1
+ cp signer/remove.db.signed signer/remove.db.signed.pre$n
+}
+# re-generate signed zone without MX and AAAA records at apex.
+(
+ cd signer || exit 1
+ $SIGNER -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n
+)
+grep "RRSIG MX" signer/remove.db.signed >/dev/null && {
+ ret=1
+ cp signer/remove.db.signed signer/remove.db.signed.post$n
+}
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 ($n)"
+ret=0
+# generate signed zone with MX and AAAA records at apex.
+(
+ cd signer || exit 1
+ echo >remove.db.signed
+ $SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n
+)
+grep "RRSIG MX" signer/remove.db.signed >/dev/null || {
+ ret=1
+ cp signer/remove.db.signed signer/remove.db.signed.pre$n
+}
+# re-generate signed zone without MX and AAAA records at apex.
+(
+ cd signer || exit 1
+ $SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n
+)
+grep "RRSIG MX" signer/remove.db.signed >/dev/null && {
+ ret=1
+ cp signer/remove.db.signed signer/remove.db.signed.post$n
+}
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that records other than DNSKEY are not signed by a revoked key by dnssec-signzone ($n)"
+ret=0
+(
+ cd signer || exit 0
+ key1=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" -f KSK revoke.example)
+ key2=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" -f KSK revoke.example)
+ key3=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" revoke.example)
+ rkey=$(${REVOKE} "$key2")
+ cat >>revoke.example.db <>revoke.example.db
+ "${SIGNER}" -o revoke.example revoke.example.db >signer.out.$n
+) || ret=1
+keycount=$(grep -c "RRSIG.DNSKEY ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed)
+cdscount=$(grep -c "RRSIG.CDS ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed)
+soacount=$(grep -c "RRSIG.SOA ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed)
+[ $keycount -eq 3 ] || ret=1
+[ $cdscount -eq 2 ] || ret=1
+[ $soacount -eq 1 ] || ret=1
+n=$((n + 1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)"
+ret=0
+alg=1
+until test $alg -eq 258; do
+ zone="keygen-$alg."
+ case $alg in
+ 2) # Diffie Helman
+ alg=$((alg + 1))
+ continue
+ ;;
+ 157 | 160 | 161 | 162 | 163 | 164 | 165) # private - non standard
+ alg=$((alg + 1))
+ continue
+ ;;
+ 1 | 5 | 7 | 8 | 10) # RSA algorithms
+ key1=$($KEYGEN -a "$alg" -b "2048" "$zone" 2>"keygen-$alg.err" || true)
+ ;;
+ 15 | 16)
+ key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true)
+ ;;
+ 256)
+ key1=$($KEYGEN -a "RSASHA256OID" "$zone" 2>"keygen-$alg.err" || true)
+ ;;
+ 257)
+ key1=$($KEYGEN -a "RSASHA512OID" "$zone" 2>"keygen-$alg.err" || true)
+ ;;
+ *)
+ key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true)
+ ;;
+ esac
+ if grep "unknown algorithm" "keygen-$alg.err" >/dev/null; then
+ alg=$((alg + 1))
+ continue
+ fi
+ if grep "unsupported algorithm" "keygen-$alg.err" >/dev/null; then
+ alg=$((alg + 1))
+ continue
+ fi
+ if test -z "$key1"; then
+ echo_i "'$KEYGEN -a $alg': failed"
+ cat "keygen-$alg.err"
+ ret=1
+ alg=$((alg + 1))
+ continue
+ fi
+ $SETTIME -I now+4d "$key1.private" >/dev/null
+ key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2>/dev/null)
+ test -f "$key2.key" -a -f "$key2.private" || {
+ ret=1
+ echo_i "'dnssec-keygen -S' failed for algorithm: $alg"
+ }
+ alg=$((alg + 1))
+done
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check that 'dnssec-keygen -F' disables rsasha1 ($n)"
+ret=0
+if $FEATURETEST --have-fips-mode; then
+ echo_i "skipped: already in FIPS mode"
+elif ! $FEATURETEST --fips-provider; then
+ echo_i "skipped no FIPS provider available"
+elif [ $RSASHA1_SUPPORTED = 0 ]; then
+ echo_i "skipped: RSASHA1 is not supported"
+else
+ $KEYGEN -F -a rsasha1 example.fips 2>keygen.err$n || true
+ grep -i "unsupported algorithm: RSASHA1" "keygen.err$n" >/dev/null || ret=1
+fi
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check that 'dnssec-keygen -F' disables nsec3rsasha1 ($n)"
+ret=0
+if $FEATURETEST --have-fips-mode; then
+ echo_i "skipped: already in FIPS mode"
+elif ! $FEATURETEST --fips-provider; then
+ echo_i "skipped: cannot switch to FIPS mode"
+elif [ $RSASHA1_SUPPORTED = 0 ]; then
+ echo_i "skipped: RSASHA1 is not supported"
+else
+ $KEYGEN -F -a nsec3rsasha1 example.fips 2>keygen.err$n || true
+ grep -i "unsupported algorithm: NSEC3RSASHA1" "keygen.err$n" >/dev/null || ret=1
+fi
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check that dnssec-keygen honours key tag ranges ($n)"
+ret=0
+zone=settagrange
+ksk=$("$KEYGEN" -f KSK -q -a $DEFAULT_ALGORITHM -M 0:32767 "$zone")
+zsk=$("$KEYGEN" -q -a $DEFAULT_ALGORITHM -M 32768:65535 "$zone")
+kid=$(keyfile_to_key_id "$ksk")
+zid=$(keyfile_to_key_id "$zsk")
+[ $kid -ge 0 -a $kid -le 32767 ] || ret=1
+[ $zid -ge 32768 -a $zid -le 65535 ] || ret=1
+rksk=$($REVOKE -R $ksk)
+rzsk=$($REVOKE -R $zsk)
+krid=$(keyfile_to_key_id "$rksk")
+zrid=$(keyfile_to_key_id "$rzsk")
+[ $krid -ge 0 -a $krid -le 32767 ] || ret=1
+[ $zrid -ge 32768 -a $zrid -le 65535 ] || ret=1
+n=$((n + 1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check dnssec-dsfromkey from stdin ($n)"
+ret=0
+cat algroll.dnskey | $DSFROMKEY -f - algroll. >dsfromkey.out.test$n
+NF=$(awk '{print NF}' dsfromkey.out.test$n | sort -u)
+[ "${NF}" = 7 ] || ret=1
+# make canonical
+awk '/^algroll/ {
+ for (i=1;i<7;i++) printf("%s ", $i);
+ for (i=7;i<=NF;i++) printf("%s", $i);
+ printf("\n");
+}' canonical1.$n || ret=1
+awk '/^algroll/ {
+ for (i=1;i<7;i++) printf("%s ", $i);
+ for (i=7;i<=NF;i++) printf("%s", $i);
+ printf("\n");
+}' canonical2.$n || ret=1
+diff -b canonical1.$n canonical2.$n >/dev/null 2>&1 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+# Intentionally strip ".key" from keyfile name to ensure the error message
+# includes it anyway to avoid confusion (RT #21731)
+echo_i "check dnssec-dsfromkey error message when keyfile is not found ($n)"
+ret=0
+key=$($KEYGEN -a $DEFAULT_ALGORITHM -q example. 2>/dev/null) || ret=1
+mv "$key.key" "$key"
+$DSFROMKEY "$key" >dsfromkey.out.$n 2>&1 && ret=1
+grep "$key.key: file not found" dsfromkey.out.$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check dnssec-dsfromkey with revoked key ($n)"
+ret=0
+$DSFROMKEY -f revkey.dnskey revkey.example. >dsfromkey.out.test$n || ret=1
+test $(wc -l