From: Matthijs Mekking Date: Wed, 19 Dec 2018 17:45:43 +0000 (+0100) Subject: Add tests for mkeys with unsupported algorithm X-Git-Tag: v9.12.4rc1~5^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fd6638e4c39e538c55c2a3684e287f203c5e4692;p=thirdparty%2Fbind9.git Add tests for mkeys with unsupported algorithm These tests check if a key with an unsupported algorithm in managed-keys is ignored and when seeing an algorithm rollover to an unsupported algorithm, the new key will be ignored too. (cherry picked from commit 144cb53d0ae3aa5e6e3123720b603f9ab2bd1fa9) --- diff --git a/bin/tests/system/mkeys/README b/bin/tests/system/mkeys/README index 8e1b407664a..07910cbb6ea 100644 --- a/bin/tests/system/mkeys/README +++ b/bin/tests/system/mkeys/README @@ -19,3 +19,6 @@ managed-keys.jnl, causing RFC 5011 initialization to fail. ns5 is a validator which is prevented from getting a response from the root server, causing key refresh queries to fail. + +ns6 is a validator which has unsupported algorithms, one at start up, +one because of an algorithm rollover. diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh index f79c2ce1148..8c9c1d14f55 100644 --- a/bin/tests/system/mkeys/clean.sh +++ b/bin/tests/system/mkeys/clean.sh @@ -16,9 +16,10 @@ rm -f */named.conf rm -f */named.memstats */named.run */named.run.prev rm -f dig.out* delv.out* rndc.out* signer.out* rm -f dsset-. ns1/dsset-. +rm -f ns1/zone.key rm -f ns*/managed-keys.bind* rm -f ns*/named.lock rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp rm -f ns5/named.args -rm -f ns6/view1.mkeys ns6/view2.mkeys +rm -f ns7/view1.mkeys ns7/view2.mkeys rm -rf ns4/nope diff --git a/bin/tests/system/mkeys/ns1/root.db b/bin/tests/system/mkeys/ns1/root.db index 6ba922af09d..0070f139421 100644 --- a/bin/tests/system/mkeys/ns1/root.db +++ b/bin/tests/system/mkeys/ns1/root.db 
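Review bot: The clean.sh hunk does not remove several artifacts the new tests create: `ns1/root.db.orig` (tests.sh copies root.db there and restores from it but never deletes it), `ns1/K.+003+28683.key` from sign.sh, and `ns6/Kunknown.+255+00000.key`, the generated `ns6/Krsasha256.+*` pair and `ns6/managed.conf` from ns6/setup.sh. Lines above the hunk start may already cover `ns*/K*` or `*/managed.conf`, so confirm before adding; if not, something like `rm -f ns1/root.db.orig ns1/K.+003+28683.key` and `rm -f ns6/K* ns6/managed.conf` next to the new `rm -f ns1/zone.key` keeps reruns from picking up stale keys.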
@@ -8,16 +8,16 @@ ; information regarding copyright ownership. $TTL 20 -. IN SOA gson.nominum.com. a.root.servers.nil. ( - 2000042100 ; serial - 600 ; refresh - 600 ; retry - 1200 ; expire - 2 ; minimum - ) -. NS a.root-servers.nil. -a.root-servers.nil. A 10.53.0.1 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 2 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 ; no delegation -example. TXT "This is a test." +example. TXT "This is a test." diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh index 502b5becc76..569194a1928 100644 --- a/bin/tests/system/mkeys/ns1/sign.sh +++ b/bin/tests/system/mkeys/ns1/sign.sh @@ -26,13 +26,18 @@ cp managed.conf ../ns2/managed.conf cp managed.conf ../ns4/managed.conf cp managed.conf ../ns5/managed.conf -# Configure a trusted key statement (used by delv) +# Configure a trusted key statement (used by delv). keyfile_to_trusted_keys $keyname > trusted.conf +# Prepare an unsupported algorithm key. +unsupportedkey=K.+003+28683 +cp unsupported.key "${unsupportedkey}.key" + # # Save keyname and keyid for managed key id test. # echo "$keyname" > managed.key +echo "$zskkeyname" > zone.key keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'` keyid=`expr $keyid + 0` echo "$keyid" > managed.key.id diff --git a/bin/tests/system/mkeys/ns1/unsupported.key b/bin/tests/system/mkeys/ns1/unsupported.key new file mode 100644 index 00000000000..7435d03b63c --- /dev/null +++ b/bin/tests/system/mkeys/ns1/unsupported.key 
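Review bot: The copied key file is named `K.+003+28683.key` while the DNSKEY record inside `unsupported.key` carries algorithm 255, so the filename's algorithm field does not match the record; if the consumer (`$SIGNER -K ns1` in tests.sh) looks key files up by the algorithm and tag in the zone's DNSKEY RRset, this copy is never read and the test only works because tests.sh appends `ns1/unsupported.key` directly. Either rename it to `K.+255+28683.key` or add a comment stating why the mismatch is intentional, e.g. `# filename uses alg 003 on purpose so signzone does not try to load the alg-255 key — verify`. `$zskkeyname` is assigned outside this hunk, so its value cannot be checked here.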
@@ -0,0 +1 @@ +. IN DNSKEY 257 3 255 BJiXuidPHuGIne8GlCBLG+Oq/FZruQd2s3uBo+SxY16NUP/Vwl8MctMK62KsblDU1gIJAdEMVep2tsOkuSm0bIbJ8NBex+N9rSvzH2YJlDCT9QnNfv4q5RRTcVA3lk9nkmWHo6zcAT33yuS+THOCSznOMCJRq8JGZ6xqMJLv9FucuK6CCe6QBAZ5e98dpyGTWQLu7AERKKFqda9YCk3KQfdzx/HZ4SpQpRLncIXvGm1PIMT8Ar95NB/BsFJGwr5ZTaQtRYOXf2DD7wD3pfMsTJCdZyC0J0EtGBG109I+Oou1cswUfqZLXip/aV3eaBAUqLcZpg8P8vAbrvEq4uMS4OMZeXL6nu0irrdS1Pqmax8RsC+x3fg9EBH3QmHroJZtiU5h+0x4qApp7HE4Z5zFRuxIp9iB diff --git a/bin/tests/system/mkeys/ns6/named.args b/bin/tests/system/mkeys/ns6/named.args new file mode 100644 index 00000000000..02f8f670f69 --- /dev/null +++ b/bin/tests/system/mkeys/ns6/named.args @@ -0,0 +1 @@ +-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=5/10/20 diff --git a/bin/tests/system/mkeys/ns6/named.conf.in b/bin/tests/system/mkeys/ns6/named.conf.in index 37ddaa16ec4..8d76f7f2e76 100644 --- a/bin/tests/system/mkeys/ns6/named.conf.in +++ b/bin/tests/system/mkeys/ns6/named.conf.in @@ -22,8 +22,8 @@ options { recursion yes; notify no; dnssec-enable yes; - dnssec-validation auto; - bindkeys-file "managed.conf"; + dnssec-validation yes; + trust-anchor-telemetry no; }; key rndc_key { @@ -35,16 +35,9 @@ controls { inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; -view view1 { - zone "." { - type hint; - file "../../common/root.hint"; - }; +zone "." { + type hint; + file "../../common/root.hint"; }; -view view2 { - zone "." { - type hint; - file "../../common/root.hint"; - }; -}; +include "managed.conf"; diff --git a/bin/tests/system/mkeys/ns6/setup.sh b/bin/tests/system/mkeys/ns6/setup.sh new file mode 100644 index 00000000000..5ba1647da58 --- /dev/null +++ b/bin/tests/system/mkeys/ns6/setup.sh 
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+zonefile=root.db
+
+# an RSA key
+rsakey=`$KEYGEN -a rsasha256 -qfk rsasha256.`
+
+# a key with unsupported algorithm
+unsupportedkey=Kunknown.+255+00000
+cp unsupported-managed.key "${unsupportedkey}.key"
+
+# root key
+rootkey=`cat ../ns1/managed.key`
+cp "../ns1/${rootkey}.key" .
+
+# Configure the resolving server with a managed trusted key.
+keyfile_to_managed_keys $unsupportedkey $rsakey $rootkey > managed.conf
diff --git a/bin/tests/system/mkeys/ns6/unsupported-managed.key b/bin/tests/system/mkeys/ns6/unsupported-managed.key
new file mode 100644
index 00000000000..be872a00f09
--- /dev/null
+++ b/bin/tests/system/mkeys/ns6/unsupported-managed.key
@@ -0,0 +1 @@
+unsupported. IN DNSKEY 257 3 255 BOOVAhiJDPqhfU7+yGXjhetrtC/rtjmwO1yo52BUHUd8R4hQ/ZPdYCVvQlvNkRxDblPkFM5YRXkesS30pJSoNYrg+djbMNumJrLG+lbhFIc/ahTjlYOxb1zm2z00ubHju/1uGBifiRvKWSK0Vr0u6NtS4PKZfsnXt+piSHiRAHSfkjGHwqPYYKh9EUW12kJmIzlMaM6WYl+gJOvL+f8VqNLtvsMPT6OPK/3h/Dnfnxyeudp/jzAnNDDiTgX2XfzIXB4UwxtzIOGaHLnprpNf3zoBm0kyaEdSQQ/qKkpCOqjBasYEHRjVz3RncPUkdLr7PQuPBfFDr3SUMMJqufJrO4IJjtD4cCBT7K1i39Jg471nEzU1vkPzxF+Rw1QHT4nZaXbltf3BEZGS4Knoe9XPwi5KjGW6
diff --git a/bin/tests/system/mkeys/ns7/named.conf.in b/bin/tests/system/mkeys/ns7/named.conf.in
new file mode 100644
index 00000000000..a9aba007333
--- /dev/null
+++ b/bin/tests/system/mkeys/ns7/named.conf.in
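Review bot: The `-e` in `#!/bin/sh -e` is never in effect, because the top-level setup.sh runs this file as `( cd ns6 && $SHELL setup.sh )`, so a failing `$KEYGEN` or `cp` leaves an empty or partial managed.conf and the failure only surfaces later in tests.sh. Put the option in the body instead: `set -e` right after the `. $SYSTEMTESTTOP/conf.sh` line. `zone=.` and `zonefile=root.db` are assigned but never used in this script and can be dropped.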
@@ -0,0 +1,50 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS7 + +options { + query-source address 10.53.0.7; + notify-source 10.53.0.7; + transfer-source 10.53.0.7; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.7; }; + listen-on-v6 { none; }; + recursion yes; + notify no; + dnssec-enable yes; + dnssec-validation auto; + bindkeys-file "managed.conf"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +view view1 { + zone "." { + type hint; + file "../../common/root.hint"; + }; +}; + +view view2 { + zone "." { + type hint; + file "../../common/root.hint"; + }; +}; diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh index 91a024a4a95..e3319ee47e7 100644 --- a/bin/tests/system/mkeys/setup.sh +++ b/bin/tests/system/mkeys/setup.sh @@ -27,6 +27,7 @@ copy_setports ns6/named.conf.in ns6/named.conf cp ns5/named1.args ns5/named.args ( cd ns1 && $SHELL sign.sh ) +( cd ns6 && $SHELL setup.sh ) cp ns2/managed.conf ns2/managed1.conf diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh index a3d86848b9e..0c7a4f0a277 100644 --- a/bin/tests/system/mkeys/tests.sh +++ b/bin/tests/system/mkeys/tests.sh 
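Review bot: Both views use `dnssec-validation auto; bindkeys-file "managed.conf";`, but nothing in this diff places a managed.conf into ns7: the visible sign.sh lines copy it only to ns2, ns4 and ns5. If no earlier sign.sh line covers ns7, named would run without that file and fall back to its built-in root trust anchor, and the view test still passes because it only greps for "refreshing managed keys for 'view1'", so it would be exercising the wrong anchor. Add `cp managed.conf ../ns7/managed.conf` alongside the existing copies in ns1/sign.sh, or drop `bindkeys-file` here if the built-in anchor is intended, with a comment saying so.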
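Review bot: This hunk adds no `copy_setports ns7/named.conf.in ns7/named.conf`, yet ns7/named.conf.in is new in this commit and clean.sh removes `*/named.conf`, which indicates the config is generated per server; unless a line above the hunk already handles ns7, the server at 10.53.0.7 never gets a named.conf and the views test fails. Add `copy_setports ns7/named.conf.in ns7/named.conf` next to the ns6 line. The new `( cd ns6 && $SHELL setup.sh )` must stay after `( cd ns1 && $SHELL sign.sh )` because ns6/setup.sh reads `../ns1/managed.key`; a comment such as `# ns6/setup.sh reads ns1/managed.key, so it must run after ns1/sign.sh` would protect that ordering.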
@@ -745,7 +745,7 @@ nextpart ns5/named.run > /dev/null
 mkeys_reconfig_on 1
 wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run
 mkeys_secroots_on 5
-grep '; managed' ns5/named.secroots > /dev/null 2>&1 || ret=1
+grep '; managed' ns5/named.secroots > /dev/null || ret=1
 # ns1 should not longer REFUSE queries from ns5, so managed keys should be
 # correctly refreshed and resolving should succeed
 $DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1
@@ -756,16 +756,69 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` n=`expr $n + 1` +echo_i "reinitialize trust anchors, add unsupported algorithm ($n)" +ret=0 +$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6 +rm -f ns6/managed-keys.bind* +nextpart ns6/named.run > /dev/null +$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6 +# log when an unsupported algorithm is encountered during startup +wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "skipping unsupported algorithm in managed-keys ($n)" +ret=0 +mkeys_status_on 6 > rndc.out.$n 2>&1 +# there should still be only two keys listed (for . and rsasha256.) +count=`grep -c "keyid: " rndc.out.$n` +[ "$count" -eq 2 ] || ret=1 +# two lines indicating trust status +count=`grep -c "trust" rndc.out.$n` +[ "$count" -eq 2 ] || ret=1 + +n=`expr $n + 1` +echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)" +ret=0 +cp ns1/root.db ns1/root.db.orig +ksk=`cat ns1/managed.key` +zsk=`cat ns1/zone.key` +cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db +grep "\..*IN.*DNSKEY.*257 3 255" ns1/root.db > /dev/null || ret=1 +$SIGNER -K ns1 -N unixtime -o . ns1/root.db $ksk $zsk > /dev/null 2>/dev/null || ret=1 +grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1 +cp ns1/root.db.orig ns1/root.db +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "skipping unsupported algorithm in rollover ($n)" +ret=0 +mkeys_reload_on 1 +mkeys_refresh_on 6 +mkeys_status_on 6 > rndc.out.$n 2>&1 +# there should still be only two keys listed (for . and rsasha256.) 
+count=`grep -c "keyid: " rndc.out.$n` +[ "$count" -eq 2 ] || ret=1 +# two lines indicating trust status +count=`grep -c "trust" rndc.out.$n` +[ "$count" -eq 2 ] || ret=1 +# log when an unsupported algorithm is encountered during rollover +wait_for_log "Cannot compute tag for key in zone \.: algorithm is unsupported" ns6/named.run +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + echo_i "check 'rndc managed-keys' and views ($n)" ret=0 -$RNDCCMD 10.53.0.6 managed-keys refresh in view1 > rndc.out.ns6.view1.test$n || ret=1 -grep "refreshing managed keys for 'view1'" rndc.out.ns6.view1.test$n > /dev/null || ret=1 -lines=`wc -l < rndc.out.ns6.view1.test$n` +$RNDCCMD 10.53.0.7 managed-keys refresh in view1 > rndc.out.ns7.view1.test$n || ret=1 +grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n > /dev/null || ret=1 +lines=`wc -l < rndc.out.ns7.view1.test$n` [ $lines -eq 1 ] || ret=1 -$RNDCCMD 10.53.0.6 managed-keys refresh > rndc.out.ns6.view2.test$n || ret=1 -lines=`wc -l < rndc.out.ns6.view2.test$n` -grep "refreshing managed keys for 'view1'" rndc.out.ns6.view2.test$n > /dev/null || ret=1 -grep "refreshing managed keys for 'view2'" rndc.out.ns6.view2.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.7 managed-keys refresh > rndc.out.ns7.view2.test$n || ret=1 +lines=`wc -l < rndc.out.ns7.view2.test$n` +grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n > /dev/null || ret=1 +grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null || ret=1 [ $lines -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` diff --git a/util/copyrights b/util/copyrights index 3c29be99b0a..3c61e74800f 100644 --- a/util/copyrights +++ b/util/copyrights 
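Review bot: The "skipping unsupported algorithm in managed-keys" block never reports or accumulates its result: after its second `[ "$count" -eq 2 ] || ret=1` the next block starts with `n=...` and `ret=0`, so a wrong key count there can never fail the run. Add `if [ $ret != 0 ]; then echo_i "failed"; fi` and `status=`expr $status + $ret`` after that check, as the other blocks do. The new blocks also increment `n` at the start rather than at the end like the surrounding code, so the pre-existing "check 'rndc managed-keys' and views ($n)" test now reuses the number of "skipping unsupported algorithm in rollover"; add `n=`expr $n + 1`` before that `echo_i`.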
@@ -1600,6 +1600,7 @@ ./bin/tests/system/mkeys/ns1/named3.conf.in CONF-C 2017,2018,2019 ./bin/tests/system/mkeys/ns1/root.db ZONE 2015,2016,2017,2018,2019 ./bin/tests/system/mkeys/ns1/sign.sh SH 2015,2016,2017,2018,2019 +./bin/tests/system/mkeys/ns1/unsupported.key X 2018,2019 ./bin/tests/system/mkeys/ns2/named.args X 2015,2016,2017,2018,2019 ./bin/tests/system/mkeys/ns2/named.conf.in CONF-C 2015,2016,2018,2019 ./bin/tests/system/mkeys/ns3/named.args X 2015,2016,2017,2018,2019 @@ -1608,7 +1609,11 @@ ./bin/tests/system/mkeys/ns5/named.conf.in CONF-C 2017,2018,2019 ./bin/tests/system/mkeys/ns5/named1.args X 2017,2018,2019 ./bin/tests/system/mkeys/ns5/named2.args X 2017,2018,2019 -./bin/tests/system/mkeys/ns6/named.conf.in CONF-C 2019 +./bin/tests/system/mkeys/ns6/named.args X 2018,2019 +./bin/tests/system/mkeys/ns6/named.conf.in CONF-C 2018,2019 +./bin/tests/system/mkeys/ns6/setup.sh SH 2018,2019 +./bin/tests/system/mkeys/ns6/unsupported-managed.key X 2018,2019 +./bin/tests/system/mkeys/ns7/named.conf.in CONF-C 2019 ./bin/tests/system/mkeys/prereq.sh SH 2015,2016,2018,2019 ./bin/tests/system/mkeys/setup.sh SH 2015,2016,2017,2018,2019 ./bin/tests/system/mkeys/tests.sh SH 2015,2016,2017,2018,2019