From: Philip Homburg Date: Tue, 31 Jan 2023 16:25:37 +0000 (+0100) Subject: Added gen-autotrust_addpend_2exceed (and gen-common) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Fgen-autotrust;p=thirdparty%2Funbound.git Added gen-autotrust_addpend_2exceed (and gen-common) --- diff --git a/testdata/gen/autotrust_addpend_2exceed.rpl.in b/testdata/gen/autotrust_addpend_2exceed.rpl.in new file mode 100644 index 000000000..081b506bb --- /dev/null +++ b/testdata/gen/autotrust_addpend_2exceed.rpl.in 
@@ -0,0 +1,306 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + log-time-ascii: yes + fake-sha1: yes + trust-anchor-signaling: no +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +; initial content (say from dig example.com DNSKEY > example.com.key) +AUTOTRUST_FILE example.com +PUBKEY1 +PUBKEY2 +AUTOTRUST_END +CONFIG_END + +SCENARIO_BEGIN Test autotrust with ADDPEND twice and exceeded time +; should work even though not signed with old key at latest time. + +; K-ROOT +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id copy_query +REPLY QR AA +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS k.root-servers.net. +SECTION ADDITIONAL +k.root-servers.net IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; ns.example.com. KSK PUBKEY1_ID +RANGE_BEGIN 0 10 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 3600 IN A 10.20.30.40 +SIG1a_PUBKEY2 +SECTION AUTHORITY +example.com. 3600 IN NS ns.example.com. +SIG1b_PUBKEY2 +SECTION ADDITIONAL +ns.example.com. 3600 IN A 1.2.3.4 +SIG1c_PUBKEY2 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +; KSK 1 +PUBKEY1 +; ZSK 1 +PUBKEY2 +; signatures +SIG2_PUBKEY2 +SIG2_PUBKEY1 +ENTRY_END +RANGE_END + +; ns.example.com. 
KSK PUBKEY1_ID and PUBKEY3_ID +RANGE_BEGIN 11 40 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +; KSK 1 +PUBKEY1 +; KSK 2 +PUBKEY3 +; ZSK 1 +PUBKEY2 +; signatures +SIG3_PUBKEY2 +SIG3_PUBKEY1 +SIG3_PUBKEY3 +ENTRY_END +RANGE_END + +; ns.example.com. KSK PUBKEY3_ID +RANGE_BEGIN 41 50 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +; KSK 2 +PUBKEY3 +; ZSK 1 +PUBKEY2 +; signatures +SIG4_PUBKEY2 +SIG4_PUBKEY3 +ENTRY_END +RANGE_END + +; ns.example.com. KSK PUBKEY1_ID-REVOKED and PUBKEY3_ID +RANGE_BEGIN 51 60 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +; KSK 1 +PUBKEY4 +; KSK 2 +PUBKEY3 +; ZSK 1 +PUBKEY2 +; signatures +SIG5_PUBKEY2 +SIG5_PUBKEY4 +; wrong keytag: +SIG5_PUBKEY1 +SIG5_PUBKEY3 +ENTRY_END +RANGE_END + +; ns.example.com. KSK PUBKEY3_ID +RANGE_BEGIN 61 70 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +; KSK 2 +PUBKEY3 +; ZSK 1 +PUBKEY2 +; signatures +SIG6_PUBKEY2 +SIG6_PUBKEY3 +ENTRY_END +RANGE_END + +; set date/time to Aug 24 07:46:40 (2009). +STEP 5 TIME_PASSES ELAPSE 1251100000 +STEP 6 TRAFFIC ; the initial probe +STEP 7 ASSIGN t0 = ${time} +STEP 8 ASSIGN probe0 = ${range 4800 ${timeout} 5400} + +; the auto probing should have been done now. +STEP 10 CHECK_AUTOTRUST example.com +FILE_BEGIN +; autotrust trust anchor file +;;id: example.com. 1 +;;last_queried: ${$t0} ;;${ctime $t0} +;;last_success: ${$t0} ;;${ctime $t0} +;;next_probe_time: ${$t0 + $probe0} ;;${ctime $t0 + $probe0} +;;query_failed: 0 +;;query_interval: 5400 +;;retry_time: 3600 +PUBKEY1 ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0} +FILE_END + +; key prepublished. First poll. 
30 days later +STEP 11 TIME_PASSES EVAL ${30*24*3600} +STEP 12 TRAFFIC +STEP 13 ASSIGN t1 = ${time} +STEP 14 ASSIGN probe1 = ${range 4800 ${timeout} 5400} +STEP 15 CHECK_AUTOTRUST example.com +FILE_BEGIN +; autotrust trust anchor file +;;id: example.com. 1 +;;last_queried: ${$t1} ;;${ctime $t1} +;;last_success: ${$t1} ;;${ctime $t1} +;;next_probe_time: ${$t1 + $probe1} ;;${ctime $t1 + $probe1} +;;query_failed: 0 +;;query_interval: 5400 +;;retry_time: 3600 +PUBKEY3 ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=${$t1} ;;${ctime $t1} +PUBKEY1 ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0} +FILE_END + +; Second poll. 10 days later +STEP 21 TIME_PASSES EVAL ${10*24*3600} +STEP 22 TRAFFIC +STEP 23 ASSIGN t2 = ${time} +STEP 24 ASSIGN probe2 = ${range 4800 ${timeout} 5400} +STEP 25 CHECK_AUTOTRUST example.com +FILE_BEGIN +; autotrust trust anchor file +;;id: example.com. 1 +;;last_queried: ${$t2} ;;${ctime $t2} +;;last_success: ${$t2} ;;${ctime $t2} +;;next_probe_time: ${$t2 + $probe2} ;;${ctime $t2 + $probe2} +;;query_failed: 0 +;;query_interval: 5400 +;;retry_time: 3600 +PUBKEY3 ;;state=1 [ ADDPEND ] ;;count=2 ;;lastchange=${$t1} ;;${ctime $t1} +PUBKEY1 ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0} +FILE_END + +; t3 is removed third poll time. + +; 21 days later, hold down has lapsed. +STEP 41 TIME_PASSES EVAL ${21*24*3600} +STEP 42 TRAFFIC +STEP 43 ASSIGN t4 = ${time} +STEP 44 ASSIGN probe4 = ${range 4800 ${timeout} 5400} +STEP 45 CHECK_AUTOTRUST example.com +FILE_BEGIN +; autotrust trust anchor file +;;id: example.com. 
1 +;;last_queried: ${$t4} ;;${ctime $t4} +;;last_success: ${$t4} ;;${ctime $t4} +;;next_probe_time: ${$t4 + $probe4} ;;${ctime $t4 + $probe4} +;;query_failed: 0 +;;query_interval: 5400 +;;retry_time: 3600 +PUBKEY3 ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4} +PUBKEY1 ;;state=3 [ MISSING ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4} +FILE_END + +; 30 days later, the old key is revoked +STEP 51 TIME_PASSES EVAL ${30*24*3600} +STEP 52 TRAFFIC +STEP 53 ASSIGN t5 = ${time} +STEP 54 ASSIGN probe5 = ${range 4800 ${timeout} 5400} +STEP 55 CHECK_AUTOTRUST example.com +FILE_BEGIN +; autotrust trust anchor file +;;id: example.com. 1 +;;last_queried: ${$t5} ;;${ctime $t5} +;;last_success: ${$t5} ;;${ctime $t5} +;;next_probe_time: ${$t5 + $probe5} ;;${ctime $t5 + $probe5} +;;query_failed: 0 +;;query_interval: 5400 +;;retry_time: 3600 +PUBKEY3 ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4} +PUBKEY4 ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=${$t5} ;;${ctime $t5} +FILE_END + +; 370 days later, the old key is removed from storage +STEP 61 TIME_PASSES EVAL ${370*24*3600} +STEP 62 TRAFFIC +STEP 63 ASSIGN t6 = ${time} +STEP 64 ASSIGN probe6 = ${range 4800 ${timeout} 5400} +STEP 65 CHECK_AUTOTRUST example.com +FILE_BEGIN +; autotrust trust anchor file +;;id: example.com. 1 +;;last_queried: ${$t6} ;;${ctime $t6} +;;last_success: ${$t6} ;;${ctime $t6} +;;next_probe_time: ${$t6 + $probe6} ;;${ctime $t6 + $probe6} +;;query_failed: 0 +;;query_interval: 5400 +;;retry_time: 3600 +PUBKEY3 ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4} +FILE_END + + +SCENARIO_END diff --git a/testdata/gen/gen-autotrust_10key b/testdata/gen/gen-autotrust_10key index 7c456fc13..5b7575de0 100755 --- a/testdata/gen/gen-autotrust_10key +++ b/testdata/gen/gen-autotrust_10key 
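Review bot: The RANGE_BEGIN 41 50 block is the crux of this scenario — it is the only DNSKEY answer that carries neither PUBKEY1 nor any RRSIG made with it, yet STEP 45 still expects `last_success: ${$t4}`, `query_failed: 0`, PUBKEY3 VALID and PUBKEY1 MISSING — but nothing near that range says so; only the one-line title does. A comment on the range such as `; deliberately no PUBKEY1 and no RRSIG by PUBKEY1: the probe at STEP 42 must still count as a success, promoting PUBKEY3 to VALID and marking PUBKEY1 MISSING` would make the expected outcome auditable without reading the whole file. The line `; t3 is removed third poll time.` is hard to parse; `; no third poll (t3) on purpose: the next probe runs only after the add hold-down has lapsed` reads better. The `; wrong keytag:` comment before SIG5_PUBKEY1 should also say why it is wrong: the signature is made with the un-revoked key 1, whose tag differs from that of revoked PUBKEY4, so it matches no key in the RRset it signs (presumably the point being tested).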
@@ -1,13 +1,8 @@ #!/bin/sh -KEYDIR=keys -KEYNAME=autotrust_10key - -LDNS_KEYGEN=ldns-keygen -LDNS_SIGNZONE=ldns-signzone -SECALG=8 # RSA/SHA-256 +. ./gen-common -TMPZONE=tmpzone +KEYNAME=autotrust_10key replace_keys() { @@ -42,23 +37,10 @@ replace_keys() for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 do - if [ -f "$KEYDIR/$KEYNAME-$i.key" ] - then - continue # Key already exists, remove to regenerate - fi - mkdir -p "$KEYDIR" - keyname=$($LDNS_KEYGEN -a $SECALG -b 2048 -k example.com.) - < "$keyname".key sed 's/IN/3600 IN/' > "$KEYDIR/$KEYNAME-$i.key" - rm -f "$keyname".key - mv "$keyname".private "$KEYDIR/$KEYNAME-$i.private" - mv "$keyname".ds "$KEYDIR/$KEYNAME-$i.ds" + gen_key_ksk "$KEYDIR/$KEYNAME-$i" done -echo 'example.com. IN SOA host.example.com. user.example.com. (1 7200 3600 2419200 3600)' > $TMPZONE -cat "$KEYDIR/$KEYNAME"-*.key >> $TMPZONE -$LDNS_SIGNZONE -e 20091124111500 -i 20091018111500 $TMPZONE "$KEYDIR/$KEYNAME-2" -sig1=$(grep 'RRSIG[ ]*DNSKEY' < $TMPZONE.signed ) -rm -f "$TMPZONE" "$TMPZONE.signed" +sig1=$(sig_keys 2 20091124111500 20091018111500 1 2 3 4 5 6 7 8 9 10 11 12 13) < autotrust_10key.rpl.in \ replace_keys | diff --git a/testdata/gen/gen-autotrust_addpend_2exceed b/testdata/gen/gen-autotrust_addpend_2exceed new file mode 100755 index 000000000..c3b7f591c --- /dev/null +++ b/testdata/gen/gen-autotrust_addpend_2exceed 
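Review bot: Replacing the inline keygen loop with `gen_key_ksk` silently changes the TTL written into the key files from `3600 IN` (the removed sed line in this hunk) to `10800 IN` (what gen-common's `gen_key_ksk` writes), and autotrust_10key.rpl.in is not touched by this commit. If that template pins values derived from the DNSKEY TTL, such as `;;query_interval:` or the probe `${range ...}` window, the regenerated autotrust_10key.rpl will no longer match its expectations; either confirm the template is TTL-independent, or give `gen_key_ksk` an optional TTL argument and call it here as `gen_key_ksk "$KEYDIR/$KEYNAME-$i" 3600`. The explicit key list passed to `sig_keys 2 ... 1 2 3 4 5 6 7 8 9 10 11 12 13` is only equivalent to the old `"$KEYDIR/$KEYNAME"-*.key` glob as long as no stray key files sit in `keys/`, which is arguably an improvement but worth a one-line comment. `replace_keys` itself lies outside this hunk.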
@@ -0,0 +1,78 @@ +#!/bin/sh + +. ./gen-common + +KEYNAME=autotrust_addpend_2exceed + +replace_keys() +{ + pubkey1=$(cat "$KEYDIR/$KEYNAME-1.key") + pubkey2=$(cat "$KEYDIR/$KEYNAME-2.key") + pubkey3=$(cat "$KEYDIR/$KEYNAME-3.key") + pubkey4=$(cat "$KEYDIR/$KEYNAME-4.key") + + pubkey1_id=$(key_id "$pubkey1") + pubkey3_id=$(key_id "$pubkey3") + + sed "s@PUBKEY1_ID@$pubkey1_id@ ; \ + s@PUBKEY3_ID@$pubkey3_id@ ; \ + s@PUBKEY1@$pubkey1@ ; \ + s@PUBKEY2@$pubkey2@ ; \ + s@PUBKEY3@$pubkey3@ ; \ + s@PUBKEY4@$pubkey4@" +} + +gen_key_ksk "$KEYDIR/$KEYNAME-1" +gen_key_zsk "$KEYDIR/$KEYNAME-2" +gen_key_ksk "$KEYDIR/$KEYNAME-3" +gen_key_ksk_revoked "$KEYDIR/$KEYNAME-1" "$KEYDIR/$KEYNAME-4" + + +echo 'example.com. IN SOA host.example.com. user.example.com. (1 7200 3600 2419200 3600)' > $TMPZONE +echo 'www.example.com. 3600 IN A 10.20.30.40' >>$TMPZONE +echo 'example.com. 3600 IN NS ns.example.com.' >>$TMPZONE +echo 'ns.example.com. 3600 IN A 1.2.3.4' >>$TMPZONE +$LDNS_SIGNZONE -e 20090924111500 -i 20090821111500 $TMPZONE "$KEYDIR/$KEYNAME-2" +sig1a_pubkey2=$(grep 'www.example.com.*RRSIG[ ]*A' < $TMPZONE.signed ) +sig1b_pubkey2=$(grep 'IN[ ]*RRSIG[ ]*NS[ ]' < $TMPZONE.signed ) +sig1c_pubkey2=$(grep 'ns.example.com.*RRSIG[ ]*A' < $TMPZONE.signed ) +rm -f "$TMPZONE" "$TMPZONE.signed" + +sig2_pubkey2=$(sig_keys 2 20090924111500 20090821111500 1 2) +sig2_pubkey1=$(sig_keys 1 20090924111500 20090821111500 1 2) + +sig3_pubkey2=$(sig_keys 2 20091024111500 20090921111500 1 3 2) +sig3_pubkey1=$(sig_keys 1 20091024111500 20090921111500 1 3 2) +sig3_pubkey3=$(sig_keys 3 20091024111500 20090921111500 1 3 2) + +sig4_pubkey2=$(sig_keys 2 20091124111500 20091018111500 3 2) +sig4_pubkey3=$(sig_keys 3 20091124111500 20091018111500 3 2) + +sig5_pubkey2=$(sig_keys 2 20091224111500 20091118111500 4 3 2) +sig5_pubkey4=$(sig_keys 4 20091224111500 20091118111500 4 3 2) +sig5_pubkey1=$(sig_keys 1 20091224111500 20091118111500 4 3 2) +sig5_pubkey3=$(sig_keys 3 20091224111500 20091118111500 4 3 2) + 
+sig6_pubkey2=$(sig_keys 2 20101224111500 20101118111500 3 2) +sig6_pubkey3=$(sig_keys 3 20101224111500 20101118111500 3 2) + +< $KEYNAME.rpl.in \ + sed "s@SIG1a_PUBKEY2@$sig1a_pubkey2@ ; \ + s@SIG1b_PUBKEY2@$sig1b_pubkey2@ ; \ + s@SIG1c_PUBKEY2@$sig1c_pubkey2@ ; \ + s@SIG2_PUBKEY2@$sig2_pubkey2@ ; \ + s@SIG2_PUBKEY1@$sig2_pubkey1@ ; \ + s@SIG3_PUBKEY2@$sig3_pubkey2@ ; \ + s@SIG3_PUBKEY1@$sig3_pubkey1@ ; \ + s@SIG3_PUBKEY3@$sig3_pubkey3@ ; \ + s@SIG4_PUBKEY2@$sig4_pubkey2@ ; \ + s@SIG4_PUBKEY3@$sig4_pubkey3@ ; \ + s@SIG5_PUBKEY2@$sig5_pubkey2@ ; \ + s@SIG5_PUBKEY4@$sig5_pubkey4@ ; \ + s@SIG5_PUBKEY1@$sig5_pubkey1@ ; \ + s@SIG5_PUBKEY3@$sig5_pubkey3@ ; \ + s@SIG6_PUBKEY2@$sig6_pubkey2@ ; \ + s@SIG6_PUBKEY3@$sig6_pubkey3@ ; \ + " | + replace_keys \ + > ../$KEYNAME.rpl diff --git a/testdata/gen/gen-common b/testdata/gen/gen-common new file mode 100644 index 000000000..e7b402ca3 --- /dev/null +++ b/testdata/gen/gen-common 
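Review bot: Every value this script feeds into `sed` comes from a command substitution (`cat`, `key_id`, `sig_keys`, `ldns-signzone` output), and without `set -e` a failing step just yields an empty string, so a broken `../$KEYNAME.rpl` is written with no error at all; adding `set -e` directly after `#!/bin/sh` makes a failed `expr` in `key_id`, a failing `$LDNS_SIGNZONE` or a non-matching `grep` abort the run instead (`set -u` is not safe here because `sig_keys` tests `"$1"` after shifting all arguments away). The ordering in `replace_keys` is load-bearing and deserves a comment: `s@PUBKEY1_ID@...@` and `s@PUBKEY3_ID@...@` must run before the bare `s@PUBKEY1@...@` / `s@PUBKEY3@...@`, otherwise the bare pattern would consume the prefix of the `_ID` placeholder, e.g. `# *_ID placeholders first: PUBKEY1 is a prefix of PUBKEY1_ID`. The `@` delimiter is chosen because base64 key material contains `/` and `+` but never `@`; saying so in a comment avoids someone "simplifying" it back to `/`.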
@@ -0,0 +1,107 @@ +#!/bin/sh + +KEYDIR=keys + +LDNS_KEYGEN=ldns-keygen +LDNS_SIGNZONE=ldns-signzone +SECALG=8 # RSA/SHA-256 +SECBITS=2048 + +TMPZONE=tmpzone + +key_id() +{ + expr "$1" : '.*{id = \([0-9]*\).*' +} + +gen_key_ksk() +{ + if [ $# -ne 1 ]; then + echo >&2 "Usage: gen_key_ksk " + exit 1 + fi + + key_file="$1" + + + if [ -f "$key_file.key" ] + then + return # Key already exists, remove to regenerate + fi + mkdir -p "$KEYDIR" + tmp_keyname=$($LDNS_KEYGEN -a $SECALG -b $SECBITS -k example.com.) + sed 's/IN/10800 IN/' < "$tmp_keyname".key > "$key_file.key" + rm -f "$tmp_keyname".key + mv "$tmp_keyname".private "$key_file.private" + mv "$tmp_keyname".ds "$key_file.ds" +} + +gen_key_ksk_revoked() +{ + if [ $# -ne 2 ]; then + echo >&2 "Usage: gen_key_ksk_revoked " + exit 1 + fi + + orig_key_file="$1" + key_file="$2" + + + if [ -f "$key_file.key" ] + then + return # Key already exists, remove to regenerate + fi + cp "$orig_key_file".key "$key_file".key + cp "$orig_key_file".private "$key_file.private" + mv "$orig_key_file".ds "$key_file.ds" + ldns-revoke "$key_file.key" +} + +gen_key_zsk() +{ + if [ $# -ne 1 ]; then + echo >&2 "Usage: gen_key_zsk " + exit 1 + fi + + key_file="$1" + + + if [ -f "$key_file.key" ] + then + return # Key already exists, remove to regenerate + fi + mkdir -p "$KEYDIR" + tmp_keyname=$($LDNS_KEYGEN -a $SECALG -b $SECBITS example.com.) + sed 's/IN/10800 IN/' < "$tmp_keyname".key > "$key_file.key" + rm -f "$tmp_keyname".key + mv "$tmp_keyname".private "$key_file.private" +} + +sig_keys() +{ + if [ $# -lt 4 ]; then + echo >&2 'Usage: sig_keys ...' + exit 1 + fi + sig_key_nr="$1" + shift + endtime="$1" + shift + starttime="$1" + shift + echo 'example.com. IN SOA host.example.com. user.example.com. 
(1 7200 3600 2419200 3600)' > $TMPZONE + while [ "$1" != "" ] + do + cat "$KEYDIR/$KEYNAME"-$1.key >> $TMPZONE + shift + done + $LDNS_SIGNZONE -e $endtime -i $starttime $TMPZONE "$KEYDIR/$KEYNAME-$sig_key_nr" + #echo '--- signed zone ---' >&2 + #cat $TMPZONE.signed >&2 + #echo '--- end signed zone ---' >&2 + sig=$(grep 'RRSIG[ ]*DNSKEY' < $TMPZONE.signed ) + rm -f "$TMPZONE" "$TMPZONE.signed" + echo "$sig" +} +
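Review bot: In `gen_key_ksk` and `gen_key_zsk` the redirect `> "$key_file.key"` creates the output file before anything checks that `$LDNS_KEYGEN` succeeded, so a missing or failing ldns-keygen leaves an empty `$key_file.key` behind and the `[ -f "$key_file.key" ]` guard then skips regeneration of that key on every later run. Guard the result right after generation, e.g. `tmp_keyname=$($LDNS_KEYGEN -a $SECALG -b $SECBITS -k example.com.) || exit 1` followed by `[ -n "$tmp_keyname" ] || { echo >&2 "ldns-keygen produced no key name"; exit 1; }` (and the same in `gen_key_zsk`), so nothing is written on failure. `gen_key_ksk_revoked` copies the original's .key and .private but `mv`s its .ds, silently removing the original key's DS file; since the DS digest covers the DNSKEY RDATA including the flags word, the moved file does not describe the revoked key either, so it should be left in place (or simply not produced) rather than renamed. `sig_keys` and all key paths depend on `$KEYNAME`, which this file never sets; a header comment like `# Sourced by the gen-* scripts; the caller must set KEYNAME before calling sig_keys` documents that contract, and `ldns-revoke` should go through a variable like `LDNS_KEYGEN` and `LDNS_SIGNZONE` do.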