From: Matthijs Mekking Date: Wed, 5 Oct 2022 15:11:50 +0000 (+0200) Subject: Add more multisigner tests X-Git-Tag: v9.19.14~32^2~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a565cb9c31085634dfb52105b9503d9c38e196b7;p=thirdparty%2Fbind9.git Add more multisigner tests A zone in multisigner model 2 should also be possible to publish the CDS and CDNSKEY records from their KSK into the zone operated by the other provider. --- diff --git a/bin/tests/system/multisigner/clean.sh b/bin/tests/system/multisigner/clean.sh index 0cd0a18f7d4..fb75cfe4077 100644 --- a/bin/tests/system/multisigner/clean.sh +++ b/bin/tests/system/multisigner/clean.sh @@ -14,6 +14,8 @@ set -e rm -f *.created +rm -f cdnskey.ns* +rm -f cds.ns* rm -f created.key-* rm -f dig.out.* rm -f python.out.* diff --git a/bin/tests/system/multisigner/tests.sh b/bin/tests/system/multisigner/tests.sh index f1a477f100a..6c1ac20b8fa 100644 --- a/bin/tests/system/multisigner/tests.sh +++ b/bin/tests/system/multisigner/tests.sh @@ -74,6 +74,19 @@ check_keytimes check_apex dnssec_verify +set_server "ns4" "10.53.0.4" +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +set_keytimes_model2 +check_keytimes +check_apex +dnssec_verify + + +# +# Update DNSKEY RRset. +# + # Check that the ZSKs from the other provider are published. zsks_are_published() { dig_with_opts "$ZONE" "@${SERVER}" DNSKEY > "dig.out.$DIR.test$n" || return 1 @@ -88,9 +101,10 @@ zsks_are_published() { n=$((n+1)) echo_i "update zone ${ZONE} at ns3 with ZSK from provider ns4" ret=0 +set_server "ns3" "10.53.0.3" ( -echo zone ${ZONE} -echo server 10.53.0.3 "$PORT" +echo zone "${ZONE}" +echo server "${SERVER}" "${PORT}" echo update add $(cat "ns4/${ZONE}.zsk") echo send ) | $NSUPDATE 
@@ -101,20 +115,14 @@ status=$((status+ret)) # Verify again. dnssec_verify -set_server "ns4" "10.53.0.4" -check_keys -check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -set_keytimes_model2 -check_keytimes -check_apex -dnssec_verify n=$((n+1)) echo_i "update zone ${ZONE} at ns4 with ZSK from provider ns3" ret=0 +set_server "ns4" "10.53.0.4" ( -echo zone ${ZONE} -echo server 10.53.0.4 "$PORT" +echo zone "${ZONE}" +echo server "${SERVER}" "${PORT}" echo update add $(cat "ns3/${ZONE}.zsk") echo send ) | $NSUPDATE 
@@ -125,5 +133,115 @@ status=$((status+ret)) # Verify again. dnssec_verify + +# +# Update CDNSKEY RRset. +# + +# Check that the CDNSKEY from both providers are published. +records_published() { + _rrtype=$1 + _expect=$2 + + dig_with_opts "$ZONE" "@${SERVER}" "${_rrtype}" > "dig.out.$DIR.test$n" || return 1 + lines=$(awk -v rt="${_rrtype}" '$4 == rt {print}' dig.out.$DIR.test$n | wc -l) + test "$lines" -eq "$_expect" || return 1 +} + +# Retrieve CDNSKEY records from the other provider. +dig_with_opts ${ZONE} @10.53.0.3 CDNSKEY > dig.out.ns3.cdnskey +awk '$4 == "CDNSKEY" {print}' dig.out.ns3.cdnskey > cdnskey.ns3 +dig_with_opts ${ZONE} @10.53.0.4 CDNSKEY > dig.out.ns4.cdnskey +awk '$4 == "CDNSKEY" {print}' dig.out.ns4.cdnskey > cdnskey.ns4 + +n=$((n+1)) +echo_i "update zone ${ZONE} at ns3 with CDNSKEY from provider ns4" +ret=0 +set_server "ns3" "10.53.0.3" +# Initially there should be one CDNSKEY. +retry_quiet 10 records_published CDNSKEY 1 || ret=1 +( +echo zone "${ZONE}" +echo server "${SERVER}" "${PORT}" +echo update add $(cat "cdnskey.ns4") +echo send +) | $NSUPDATE +# Now there should be two CDNSKEY records (we test that BIND does not +# skip it during DNSSEC maintenance). +echo_i "check zone ${ZONE} CDNSKEY RRset after update ($n)" +retry_quiet 10 records_published CDNSKEY 2 || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + + +n=$((n+1)) +echo_i "update zone ${ZONE} at ns4 with CDNSKEY from provider ns3" +ret=0 +set_server "ns4" "10.53.0.4" +# Initially there should be one CDNSKEY. +retry_quiet 10 records_published CDNSKEY 1 || ret=1 +( +echo zone "${ZONE}" +echo server "${SERVER}" "${PORT}" +echo update add $(cat "cdnskey.ns3") +echo send +) | $NSUPDATE +# Now there should be two CDNSKEY records (we test that BIND does not +# skip it during DNSSEC maintenance). 
+echo_i "check zone ${ZONE} CDNSKEY RRset after update ($n)" +retry_quiet 10 records_published CDNSKEY 2 || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + + +# +# Update CDS RRset. +# + +# Retrieve CDS records from the other provider. +dig_with_opts ${ZONE} @10.53.0.3 CDS > dig.out.ns3.cds +awk '$4 == "CDS" {print}' dig.out.ns3.cds > cds.ns3 +dig_with_opts ${ZONE} @10.53.0.4 CDS > dig.out.ns4.cds +awk '$4 == "CDS" {print}' dig.out.ns4.cds > cds.ns4 + +n=$((n+1)) +echo_i "update zone ${ZONE} at ns3 with CDS from provider ns4" +ret=0 +set_server "ns3" "10.53.0.3" +# Initially there should be one CDS. +retry_quiet 10 records_published CDS 1 || ret=1 +( +echo zone "${ZONE}" +echo server "${SERVER}" "${PORT}" +echo update add $(cat "cds.ns4") +echo send +) | $NSUPDATE +# Now there should be two CDS records (we test that BIND does not +# skip it during DNSSEC maintenance). +echo_i "check zone ${ZONE} CDS RRset after update ($n)" +retry_quiet 10 records_published CDS 2 || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + + +n=$((n+1)) +echo_i "update zone ${ZONE} at ns4 with CDS from provider ns3" +ret=0 +set_server "ns4" "10.53.0.4" +# Initially there should be one CDS. +retry_quiet 10 records_published CDS 1 || ret=1 +( +echo zone "${ZONE}" +echo server "${SERVER}" "${PORT}" +echo update add $(cat "cds.ns3") +echo send +) | $NSUPDATE +# Now there should be two CDS records (we test that BIND does not +# skip it during DNSSEC maintenance). +echo_i "check zone ${ZONE} CDS RRset after update ($n)" +retry_quiet 10 records_published CDS 2 || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1
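Review bot: The records pulled from the other provider are spliced into nsupdate without any check that the fetch returned anything: `dig_with_opts ${ZONE} @10.53.0.4 CDNSKEY > dig.out.ns4.cdnskey` runs once with no retry, and an empty `cdnskey.ns4` turns `echo update add $(cat "cdnskey.ns4")` into a bare `update add` that nsupdate should reject, while `) | $NSUPDATE` discards its exit status, so the step only surfaces later at the `records_published CDNSKEY 2` count with a misleading "failed". Add `test -s cdnskey.ns4 || ret=1` before the update (and the same for `cdnskey.ns3`, `cds.ns4`, `cds.ns3`), or fetch through `retry_quiet` the way the record counts are already checked. The four fetch lines also leave `${ZONE}` unquoted while the rest of this commit quotes it; `dig_with_opts "${ZONE}" @10.53.0.4 CDNSKEY` would keep the file consistent.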