From: Matthijs Mekking
Date: Thu, 11 May 2023 13:13:03 +0000 (+0200)
Subject: Add test case for cdnskey no;
X-Git-Tag: v9.19.14~58^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=af15e760d787fad41b644ad39bf1b0d0e51296b0;p=thirdparty%2Fbind9.git

Add test case for cdnskey no;

Change one of the test cases to disable publication of CDNSKEY.
---

diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh
index 10511506cec..e120dcd95ce 100644
--- a/bin/tests/system/kasp.sh
+++ b/bin/tests/system/kasp.sh
@@ -217,6 +217,7 @@ set_policy() {
 	CDS_DELETE="no"
 	CDS_SHA256="yes"
 	CDS_SHA384="no"
+	CDNSKEY="yes"
 }
 # By default policies are considered to be secure.
 # If a zone sets its policy to "insecure", call 'set_cdsdelete' to tell the
@@ -969,21 +970,31 @@ response_has_cdnskey_for_key() (
 
 check_cds_digests() {
 	if [ "$CDS_SHA256" = "yes" ]; then
-		response_has_cds_for_key 2 $1 $2 || _log_error "missing CDS 2 record in response for key $(key_get $1 ID)"
+		response_has_cds_for_key 2 $1 "${2}.cds" || _log_error "missing CDS 2 record in response for key $(key_get $1 ID)"
 	else
-		response_has_cds_for_key 2 $1 $2 && _log_error "unexpected CDS 2 record in response for key $(key_get $1 ID)"
+		response_has_cds_for_key 2 $1 "${2}.cds" && _log_error "unexpected CDS 2 record in response for key $(key_get $1 ID)"
 	fi
 
 	if [ "$CDS_SHA384" = "yes" ]; then
-		response_has_cds_for_key 4 $1 $2 || _log_error "missing CDS 4 record in response for key $(key_get $1 ID)"
+		response_has_cds_for_key 4 $1 "${2}.cds" || _log_error "missing CDS 4 record in response for key $(key_get $1 ID)"
 	else
-		response_has_cds_for_key 4 $1 $2 && _log_error "unexpected CDS 4 record in response for key $(key_get $1 ID)"
+		response_has_cds_for_key 4 $1 "${2}.cds" && _log_error "unexpected CDS 4 record in response for key $(key_get $1 ID)"
+	fi
+
+	if [ "$CDNSKEY" = "yes" ]; then
+		response_has_cdnskey_for_key $1 "${2}.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get $1 ID)"
+	else
+		response_has_cdnskey_for_key $1 "${2}.cdnskey" && _log_error "unexpected CDNSKEY record in response for key $(key_get $1 ID)"
 	fi
 }
 
 check_cds_digests_invert() {
-	response_has_cds_for_key 2 $1 $2 && _log_error "unexpected CDS 2 record in response for key $(key_get $1 ID)"
-	response_has_cds_for_key 4 $1 $2 && _log_error "unexpected CDS 4 record in response for key $(key_get $1 ID)"
+	response_has_cds_for_key 2 $1 "${2}.cds" && _log_error "unexpected CDS 2 record in response for key $(key_get $1 ID)"
+	response_has_cds_for_key 4 $1 "${2}.cds" && _log_error "unexpected CDS 4 record in response for key $(key_get $1 ID)"
+	# The key should not have an associated CDNSKEY, but there may be
+	# one for another key. Since the CDNSKEY has no field for key
+	# id, it is hard to check what key the CDNSKEY may belong to
+	# so let's skip this check for now.
 }
 
 # Test CDS and CDNSKEY publication.
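Review bot: check_cds_digests_invert still skips the CDNSKEY check unconditionally, but the new `CDNSKEY` flag makes the negative case decidable: with `cdnskey no` in the policy no CDNSKEY should be published for any key, so the ambiguity the comment describes only exists when `CDNSKEY` is "yes". I would keep the comment for the "yes" case and add `if [ "$CDNSKEY" != "yes" ]; then` / `response_has_cdnskey_for_key $1 "${2}.cdnskey" && _log_error "unexpected CDNSKEY record in response for key $(key_get $1 ID)"` / `fi` below it, assuming response_has_cdnskey_for_key (defined outside this hunk) returns non-zero when no matching CDNSKEY is present. Separately, the rewritten lines quote `"${2}.cds"` but leave `$1` unquoted in the same call; quoting `"$1"` throughout would make the new lines self-consistent.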
@@ -1011,55 +1022,38 @@ check_cds() {
 	fi
 
 	if [ "$(key_get KEY1 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DS)" = "omnipresent" ]; then
-		check_cds_digests KEY1 "dig.out.$DIR.test$n.cds"
-		response_has_cdnskey_for_key KEY1 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY1 ID)"
+		check_cds_digests KEY1 "dig.out.$DIR.test$n"
 		_checksig=1
 	elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
-		check_cds_digests_invert KEY1 "dig.out.$DIR.test$n.cds"
-		# KEY1 should not have an associated CDNSKEY, but there may be
-		# one for another key. Since the CDNSKEY has no field for key
-		# id, it is hard to check what key the CDNSKEY may belong to
-		# so let's skip this check for now.
+		check_cds_digests_invert KEY1 "dig.out.$DIR.test$n"
 	fi
 
 	if [ "$(key_get KEY2 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DS)" = "omnipresent" ]; then
-		check_cds_digests KEY2 "dig.out.$DIR.test$n.cds"
-		response_has_cdnskey_for_key KEY2 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY2 ID)"
+		check_cds_digests KEY2 "dig.out.$DIR.test$n"
 		_checksig=1
 	elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
-		check_cds_digests_invert KEY2 "dig.out.$DIR.test$n.cds"
-		# KEY2 should not have an associated CDNSKEY, but there may be
-		# one for another key. Since the CDNSKEY has no field for key
-		# id, it is hard to check what key the CDNSKEY may belong to
-		# so let's skip this check for now.
+		check_cds_digests_invert KEY2 "dig.out.$DIR.test$n"
 	fi
 
 	if [ "$(key_get KEY3 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DS)" = "omnipresent" ]; then
-		check_cds_digests KEY3 "dig.out.$DIR.test$n.cds"
-		response_has_cdnskey_for_key KEY3 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY3 ID)"
+		check_cds_digests KEY3 "dig.out.$DIR.test$n"
 		_checksig=1
 	elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
-		check_cds_digests_invert KEY3 "dig.out.$DIR.test$n.cds"
-		# KEY3 should not have an associated CDNSKEY, but there may be
-		# one for another key. Since the CDNSKEY has no field for key
-		# id, it is hard to check what key the CDNSKEY may belong to
-		# so let's skip this check for now.
+		check_cds_digests_invert KEY3 "dig.out.$DIR.test$n"
 	fi
 
 	if [ "$(key_get KEY4 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DS)" = "omnipresent" ]; then
-		check_cds_digests KEY4 "dig.out.$DIR.test$n.cds"
-		response_has_cdnskey_for_key KEY4 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY4 ID)"
+		check_cds_digests KEY4 "dig.out.$DIR.test$n"
 		_checksig=1
 	elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
-		check_cds_digests_invert KEY4 "dig.out.$DIR.test$n.cds"
-		# KEY4 should not have an associated CDNSKEY, but there may be
-		# one for another key. Since the CDNSKEY has no field for key
-		# id, it is hard to check what key the CDNSKEY may belong to
-		# so let's skip this check for now.
+		check_cds_digests_invert KEY4 "dig.out.$DIR.test$n"
 	fi
 
 	test "$_checksig" -eq 0 || check_signatures "CDS" "dig.out.$DIR.test$n.cds" "KSK"
-	test "$_checksig" -eq 0 || check_signatures "CDNSKEY" "dig.out.$DIR.test$n.cdnskey" "KSK"
+
+	if [ "$CDNSKEY" = "yes" ]; then
+		test "$_checksig" -eq 0 || check_signatures "CDNSKEY" "dig.out.$DIR.test$n.cdnskey" "KSK"
+	fi
 
 	test "$ret" -eq 0 || echo_i "failed"
 	status=$((status+ret))
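Review bot: The four per-key blocks in check_cds are now identical except for the key name, and the argument convention they rely on — `check_cds_digests` appends `.cds`/`.cdnskey` to the prefix it is given, while the `check_signatures` calls at the bottom still spell the suffixes out — is nowhere stated in this function. A loop over the key names with a one-line comment about the prefix would make the convention visible and leave one place to edit when the CDNSKEY handling changes again. check_cds starts before this hunk and its closing brace is after it, so the lines before and after the loop are not shown here.
```shell
	# … unchanged: lines of check_cds before the per-key checks …
	for _key in KEY1 KEY2 KEY3 KEY4; do
		if [ "$(key_get "$_key" STATE_DS)" = "rumoured" ] || [ "$(key_get "$_key" STATE_DS)" = "omnipresent" ]; then
			# check_cds_digests appends .cds / .cdnskey to this prefix.
			check_cds_digests "$_key" "dig.out.$DIR.test$n"
			_checksig=1
		elif [ "$(key_get "$_key" EXPECT)" = "yes" ]; then
			check_cds_digests_invert "$_key" "dig.out.$DIR.test$n"
		fi
	done
	# … unchanged: signature checks and status accounting …
```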
@@ -1199,7 +1193,9 @@ check_cdslog() {
 	if [ "$CDS_SHA384" = "yes" ]; then
 		grep "CDS (SHA-384) for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
 	fi
-	grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+	if [ "$CDNSKEY" = "yes" ]; then
+		grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+	fi
 
 	test "$ret" -eq 0 || echo_i "failed"
 	status=$((status+ret))
diff --git a/bin/tests/system/kasp/ns3/policies/autosign.conf.in b/bin/tests/system/kasp/ns3/policies/autosign.conf.in
index d50fcd0bd7e..bc3b7e11ddb 100644
--- a/bin/tests/system/kasp/ns3/policies/autosign.conf.in
+++ b/bin/tests/system/kasp/ns3/policies/autosign.conf.in
@@ -76,6 +76,7 @@ dnssec-policy "ksk-doubleksk" {
 	retire-safety P2D;
 	purge-keys PT1H;
 
+	cdnskey no;
 	keys {
 		ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
 		zsk key-directory lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index fddf026dbed..dff071ecbc0 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -613,7 +613,7 @@ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$z
 $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 2:
 # It is time to submit the introduce the new KSK.
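Review bot: The `cdnskey no` case in check_cdslog becomes untested rather than tested: when `CDNSKEY` is not "yes" the new `if` simply skips the grep, so a server that still logged "CDNSKEY for key ... is now published" for this key would pass. The point of the new test case is that publication is suppressed, so the branch should assert the absence: `else` / `grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null && ret=1` / `fi`. check_cdslog begins before this hunk, so I am assuming `_zone`, `_alg` and `_id` are set there as the existing CDS greps imply.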
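Review bot: The `-G "cds:sha-256"` added to the `$SIGNER` line (and to five more identical lines further down this file) carries no comment saying why the sync-record selection changed, and its value has to stay in step with the `cdnskey no` and CDS settings of the "ksk-doubleksk" policy in autosign.conf.in. I would add above the first occurrence `# Generate only the SHA-256 CDS: the ksk-doubleksk policy sets "cdnskey no".` and, since the string is repeated six times, hoist it into one variable such as `sync_records="cds:sha-256"` used as `-G "$sync_records"`, so a later policy change is a single edit. If the two drift apart, the pre-signed zone would presumably carry a CDNSKEY that named then has to remove, which the tests would report as a spurious record rather than as a setup mismatch.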
@@ -665,7 +665,7 @@ cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 3:
 # It is time to submit the DS.
@@ -732,7 +732,7 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 4:
 # The DS should be swapped now.
@@ -793,7 +793,7 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 5:
 # The predecessor DNSKEY is removed long enough that is has become HIDDEN.
@@ -832,7 +832,7 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 6:
 # The predecessor DNSKEY can be purged.
@@ -871,7 +871,7 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 #
 # The zones at csk-roll.autosign represent the various steps of a CSK rollover
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 962277fa063..9766c380c8f 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -2651,6 +2651,7 @@ IretZSK=867600
 #
 set_zone "step1.ksk-doubleksk.autosign"
 set_policy "ksk-doubleksk" "2" "7200"
+CDNSKEY="no"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear "KEY1"
@@ -2700,6 +2701,7 @@ check_next_key_event 5086800
 #
 set_zone "step2.ksk-doubleksk.autosign"
 set_policy "ksk-doubleksk" "3" "7200"
+CDNSKEY="no"
 set_server "ns3" "10.53.0.3"
 # New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
 key_clear "KEY3"
@@ -2751,6 +2753,7 @@ check_next_key_event 97200
 #
 set_zone "step3.ksk-doubleksk.autosign"
 set_policy "ksk-doubleksk" "3" "7200"
+CDNSKEY="no"
 set_server "ns3" "10.53.0.3"
 # The DNSKEY RRset has become omnipresent.
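Review bot: `CDNSKEY="no"` is placed directly after `set_policy`, and that order is load-bearing but undocumented: the kasp.sh hunk in this same commit makes set_policy reset `CDNSKEY` to "yes", so moving the assignment one line up would silently re-enable the CDNSKEY expectations and the step would still pass while testing the wrong thing. A one-line comment at the first occurrence would guard against that: `# Policy "ksk-doubleksk" has "cdnskey no"; must follow set_policy, which resets CDNSKEY.` The same override is repeated for all six steps of this rollover; if set_policy later learns to derive the CDNSKEY default from the policy name, these lines can go.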
@@ -2801,6 +2804,7 @@ check_next_key_event 180000
 #
 set_zone "step4.ksk-doubleksk.autosign"
 set_policy "ksk-doubleksk" "3" "7200"
+CDNSKEY="no"
 set_server "ns3" "10.53.0.3"
 # KSK (KEY1) DNSKEY can be removed.
 set_keysigning "KEY1" "no"
@@ -2842,6 +2846,7 @@ check_next_key_event 10800
 #
 set_zone "step5.ksk-doubleksk.autosign"
 set_policy "ksk-doubleksk" "3" "7200"
+CDNSKEY="no"
 set_server "ns3" "10.53.0.3"
 # KSK (KEY1) DNSKEY is now HIDDEN.
 set_keystate "KEY1" "STATE_DNSKEY" "hidden"
@@ -2880,6 +2885,7 @@ check_next_key_event 4899600
 #
 set_zone "step6.ksk-doubleksk.autosign"
 set_policy "ksk-doubleksk" "2" "7200"
+CDNSKEY="no"
 set_server "ns3" "10.53.0.3"
 # KSK (KEY1) DNSKEY is purged.
 key_clear "KEY1"