From: Mark Andrews Date: Thu, 7 Jul 2022 08:12:44 +0000 (+1000) Subject: autosign: use $DEFAULT_ALGORITHM X-Git-Tag: v9.19.4~44^2~25 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bb810b0ac9a888e4bc37a0780512f7414c571e59;p=thirdparty%2Fbind9.git autosign: use $DEFAULT_ALGORITHM --- diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh index f4ab636e8ea..a8118dd2f4d 100644 --- a/bin/tests/system/autosign/clean.sh +++ b/bin/tests/system/autosign/clean.sh @@ -49,7 +49,7 @@ rm -f ns3/kskonly.example.db rm -f ns3/named.ns3.prev rm -f ns3/noksk.example.db rm -f ns3/nozsk.example.db ns3/inaczsk.example.db -rm -f ns3/nsec.example.db +rm -f ns3/nsec-only.example.db rm -f ns3/nsec3-to-nsec.example.db rm -f ns3/nsec3.example.db rm -f ns3/nsec3.nsec3.example.db diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh index 53f9477dd79..20d04e3bca1 100644 --- a/bin/tests/system/autosign/ns1/keygen.sh +++ b/bin/tests/system/autosign/ns1/keygen.sh @@ -21,18 +21,18 @@ infile=root.db.in cat $infile ../ns2/dsset-example. > $zonefile -zskact=`$KEYGEN -3 -a RSASHA1 -q $zone` -zskvanish=`$KEYGEN -3 -a RSASHA1 -q $zone` -zskdel=`$KEYGEN -3 -a RSASHA1 -q -D now $zone` -zskinact=`$KEYGEN -3 -a RSASHA1 -q -I now $zone` -zskunpub=`$KEYGEN -3 -a RSASHA1 -q -G $zone` -zsksby=`$KEYGEN -3 -a RSASHA1 -q -A none $zone` -zskactnowpub1d=`$KEYGEN -3 -a RSASHA1 -q -A now -P +1d $zone` -zsknopriv=`$KEYGEN -3 -a RSASHA1 -q $zone` +zskact=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone) +zskvanish=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone) +zskdel=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -D now $zone) +zskinact=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -I now $zone) +zskunpub=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -G $zone) +zsksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -A none $zone) +zskactnowpub1d=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -A now -P +1d $zone) +zsknopriv=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone) rm $zsknopriv.private -ksksby=`$KEYGEN -3 -a RSASHA1 -q -P now -A now+15s -fk $zone` -kskrev=`$KEYGEN -3 -a RSASHA1 -q -R now+15s -fk $zone` +ksksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -P now -A now+15s -fk $zone) +kskrev=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -R now+15s -fk $zone) keyfile_to_static_ds $ksksby > trusted.conf cp trusted.conf ../ns2/trusted.conf diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh index ddb94692773..761c6ee4a8e 100644 --- a/bin/tests/system/autosign/ns2/keygen.sh +++ b/bin/tests/system/autosign/ns2/keygen.sh @@ -29,16 +29,16 @@ zonefile="${zone}.db" infile="${zonefile}.in" cat $infile dsset-*.example. > $zonefile -kskname=`$KEYGEN -a RSASHA1 -3 -q -fk $zone` -$KEYGEN -a RSASHA1 -3 -q $zone > /dev/null +kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) +$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null $DSFROMKEY $kskname.key > dsset-${zone}. # Create keys for a private secure zone. zone=private.secure.example zonefile="${zone}.db" infile="${zonefile}.in" -ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone` -$KEYGEN -a RSASHA1 -3 -q $zone > /dev/null +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) +$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null keyfile_to_static_ds $ksk > private.conf cp private.conf ../ns4/private.conf $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null @@ -51,7 +51,7 @@ cat $infile > $zonefile for i in Xbar.+005+30676.key Xbar.+005+30804.key Xbar.+005+30676.private \ Xbar.+005+30804.private do - cp $i `echo $i | sed s/X/K/` + cp $i $(echo $i | sed s/X/K/) done $KEYGEN -a RSASHA1 -q $zone > /dev/null $DSFROMKEY Kbar.+005+30804.key > dsset-bar. diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index bd1d16e06fc..505d559b6f6 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -26,12 +26,12 @@ setup () { zone="$1" zonefile="${zone}.db" infile="${zonefile}.in" - n=`expr ${n:-0} + 1` + n=$((${n:-0} + 1)) } setup secure.example cp $infile $zonefile -ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -40,7 +40,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup secure.nsec3.example cp $infile $zonefile -ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -49,7 +49,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup nsec3.nsec3.example cp $infile $zonefile -ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -62,7 +62,7 @@ count=1 while [ $count -le 1000 ] do echo "label${count} IN TXT label${count}" >> $zonefile - count=`expr $count + 1` + count=$((count + 1)) done # Don't create keys just yet, because the scenario we want to test # is an unsigned zone that has a NSEC3PARAM record added with @@ -73,7 +73,7 @@ done # setup optout.nsec3.example cp $infile $zonefile -ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -82,7 +82,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup nsec3.example cat $infile dsset-*.${zone}. > $zonefile -ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -91,9 +91,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup autonsec3.example cat $infile > $zonefile -ksk=`$KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out echo $ksk > ../autoksk.key -zsk=`$KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out +zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out echo $zsk > ../autozsk.key $DSFROMKEY $ksk.key > dsset-${zone}. @@ -102,7 +102,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup secure.optout.example cp $infile $zonefile -ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -111,7 +111,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup nsec3.optout.example cp $infile $zonefile -ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -120,7 +120,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup optout.optout.example cp $infile $zonefile -ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -129,7 +129,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup optout.example cat $infile dsset-*.${zone}. > $zonefile -ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -138,7 +138,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup rsasha256.example cp $infile $zonefile -ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -q -a RSASHA256 -b 1024 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -147,16 +147,16 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup rsasha512.example cp $infile $zonefile -ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -q -a RSASHA512 -b 1024 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. # -# NSEC-only zone. +# NSEC-only zone. A zone using NSEC-only DNSSEC algorithms. # -setup nsec.example +setup nsec-only.example cp $infile $zonefile -ksk=`$KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -170,7 +170,7 @@ count=1 while [ $count -le 1000 ] do echo "label${count} IN TXT label${count}" >> $zonefile - count=`expr $count + 1` + count=$(expr $count + 1) done $KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out @@ -181,8 +181,8 @@ mv $zonefile.signed $zonefile # NSEC3->NSEC transition test zone. # setup nsec3-to-nsec.example -$KEYGEN -q -a RSASHA512 -b 2048 -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -a RSASHA512 -b 1024 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone > kg.out 2>&1 || dumpit kg.out $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out # @@ -199,9 +199,9 @@ $SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out # removal of keys on schedule. # setup secure-to-insecure2.example -ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out echo $ksk > ../del1.key -zsk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out echo $zsk > ../del2.key $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out @@ -246,9 +246,9 @@ $KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out # A zone with a DNSKEY RRset that is published before it's activated # setup delay.example -ksk=`$KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out echo $ksk > ../delayksk.key -zsk=`$KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out +zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out echo $zsk > ../delayzsk.key # @@ -256,8 +256,8 @@ echo $zsk > ../delayzsk.key # is missing. # setup noksk.example -ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out -zsk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out echo $ksk > ../noksk-ksk.key rm -f ${ksk}.private @@ -267,8 +267,8 @@ rm -f ${ksk}.private # is missing. # setup nozsk.example -ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out -zsk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out echo $ksk > ../nozsk-ksk.key echo $zsk > ../nozsk-zsk.key @@ -279,8 +279,8 @@ rm -f ${zsk}.private # is inactive. # setup inaczsk.example -ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out -zsk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out echo $ksk > ../inaczsk-ksk.key echo $zsk > ../inaczsk-zsk.key @@ -299,7 +299,7 @@ $KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out # setup sync.example cp $infile $zonefile -ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out $KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. echo ns3/$ksk > ../sync.key @@ -309,7 +309,7 @@ echo ns3/$ksk > ../sync.key # setup kskonly.example cp $infile $zonefile -ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out $KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -318,7 +318,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup inacksk2.example cp $infile $zonefile -ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -327,7 +327,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup inaczsk2.example cp $infile $zonefile -ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -337,7 +337,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}. setup inacksk3.example cp $infile $zonefile $KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out -ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -346,7 +346,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup inaczsk3.example cp $infile $zonefile -ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out $KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -357,9 +357,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup delzsk.example cp $infile $zonefile -ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -zsk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out` || dumpit kg.out +zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out) || dumpit kg.out echo $zsk > ../delzsk.key # @@ -367,7 +367,7 @@ echo $zsk > ../delzsk.key # setup dname-at-apex-nsec3.example cp $infile $zonefile -ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -376,7 +376,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup cds-delete.example cp $infile $zonefile -ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. @@ -386,6 +386,6 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup cdnskey-delete.example cp $infile $zonefile -ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in index 21d3191c9f7..64196a19113 100644 --- a/bin/tests/system/autosign/ns3/named.conf.in +++ b/bin/tests/system/autosign/ns3/named.conf.in @@ -156,9 +156,9 @@ zone "rsasha512.example" { auto-dnssec maintain; }; -zone "nsec.example" { +zone "nsec-only.example" { type primary; - file "nsec.example.db"; + file "nsec-only.example.db"; allow-update { any; }; auto-dnssec maintain; }; diff --git a/bin/tests/system/autosign/ns3/nsec.example.db.in b/bin/tests/system/autosign/ns3/nsec-only.example.db.in similarity index 100% rename from bin/tests/system/autosign/ns3/nsec.example.db.in rename to bin/tests/system/autosign/ns3/nsec-only.example.db.in diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index 1c5f8ee3d7f..b14e1c9cdcd 100755 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -46,7 +46,7 @@ showprivate () { checkprivate () { _ret=0 expected="${3:-0}" - x=`showprivate "$@"` + x=$(showprivate "$@") echo $x | grep "(complete)" > /dev/null || _ret=2 echo $x | grep "(incomplete)" > /dev/null && _ret=1 @@ -171,14 +171,14 @@ do $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1 grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1 done - i=`expr $i + 1` + i=$((i + 1)) if [ $ret = 0 ]; then break; fi echo_i "waiting ... ($i)" sleep 2 done -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "done"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "Initial counts of RRSIG expiry fields values for auto signed zones" for z in . @@ -210,33 +210,33 @@ ret=0 $DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n -zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}'` +zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | + $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}') grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 " dig.out.ns3.test$n > /dev/null || ret=1 pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} " grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1 -count=`awk 'BEGIN { count = 0 } +count=$(awk 'BEGIN { count = 0 } $4 == "RRSIG" && $5 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n` + END {print count}' dig.out.ns3.test$n) test $count -eq 1 || ret=1 -count=`awk 'BEGIN { count = 0 } +count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n` + END {print count}' dig.out.ns3.test$n) test $count -eq 3 || ret=1 awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }' -id=`awk "${awk}" dig.out.ns3.test$n` +id=$(awk "${awk}" dig.out.ns3.test$n) keyfile=$(printf "ns3/Kinacksk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}") $SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1 ($RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # # Check that zone is initially signed with a ZSK and not a KSK. @@ -246,26 +246,26 @@ echo_ic "resigned after the active ZSK is deleted - stage 1: Verify that zone" echo_ic "is initially signed with a ZSK and not a KSK. ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n -kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' ` +kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | + $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' ) grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n > /dev/null || ret=1 grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1 -count=`awk 'BEGIN { count = 0 } +count=$(awk 'BEGIN { count = 0 } $4 == "RRSIG" && $5 == "CNAME" { count++ } - END {print count}' dig.out.ns3.test$n` + END {print count}' dig.out.ns3.test$n) test $count -eq 1 || ret=1 -count=`awk 'BEGIN { count = 0 } +count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n` + END {print count}' dig.out.ns3.test$n) test $count -eq 3 || ret=1 -id=`awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n` +id=$(awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n) keyfile=$(printf "ns3/Kinaczsk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}") $SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1 ($RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking NSEC->NSEC3 conversion prerequisites ($n)" ret=0 @@ -274,17 +274,17 @@ $DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3. grep "NSEC3PARAM" dig.out.ns3.1.test$n > /dev/null && ret=1 $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 grep "NSEC3PARAM" dig.out.ns3.2.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking NSEC3->NSEC conversion prerequisites ($n)" ret=0 $DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1 grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "converting zones from nsec to nsec3" $NSUPDATE > /dev/null 2>&1 < nsupdate.out 2>&1 < dig.out.ns3.test$n || ret=1 grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking for nsec3param signing record ($n)" ret=0 $RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1 grep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "resetting nsec3param via rndc signing ($n)" ret=0 @@ -345,19 +345,19 @@ for i in 0 1 2 3 4 5 6 7 8 9; do ret=0 $RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1 grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n > /dev/null || ret=1 - num=`grep "Pending " signing.out.test$n | wc -l` + num=$(grep "Pending " signing.out.test$n | wc -l) [ $num -eq 1 ] || ret=1 [ $ret -eq 0 ] && break echo_i "waiting ... ($i)" sleep 2 done -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "signing preset nsec3 zone" -zsk=`cat autozsk.key` -ksk=`cat autoksk.key` +zsk=$(cat autozsk.key) +ksk=$(cat autoksk.key) $SETTIME -K ns3 -P now -A now $zsk > settime.out.test$n.zsk || ret=1 $SETTIME -K ns3 -P now -A now $ksk > settime.out.test$n.ksk || ret=1 ($RNDCCMD 10.53.0.3 loadkeys autonsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 @@ -381,9 +381,9 @@ echo_i "checking that expired RRSIGs from missing KSK $missing are not deleted ( ret=0 $JOURNALPRINT ns3/noksk.example.db.jnl | \ awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {error=1}} END {exit error}' id=$missing || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) missing=$(keyfile_to_key_id "$(cat nozsk-zsk.key)") ksk=$(keyfile_to_key_id "$(cat nozsk-ksk.key)") @@ -393,9 +393,9 @@ $JOURNALPRINT ns3/nozsk.example.db.jnl | \ awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$missing || ret=1 $JOURNALPRINT ns3/nozsk.example.db.jnl | \ awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) inactive=$(keyfile_to_key_id "$(cat inaczsk-zsk.key)") ksk=$(keyfile_to_key_id "$(cat inaczsk-ksk.key)") @@ -405,25 +405,25 @@ $JOURNALPRINT ns3/inaczsk.example.db.jnl | \ awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$inactive || ret=1 $JOURNALPRINT ns3/inaczsk.example.db.jnl | \ awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking that replaced RRSIGs are not logged (missing ZSK private key) ($n)" ret=0 -loglines=`grep "Key nozsk.example/$DEFAULT_ALGORITHM/$missing .* retaining signatures" ns3/named.run | wc -l` +loglines=$(grep "Key nozsk.example/$DEFAULT_ALGORITHM/$missing .* retaining signatures" ns3/named.run | wc -l) [ "$loglines" -eq 0 ] || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking that replaced RRSIGs are not logged (inactive ZSK private key) ($n)" ret=0 -loglines=`grep "Key inaczsk.example/$DEFAULT_ALGORITHM/$inactive .* retaining signatures" ns3/named.run | wc -l` +loglines=$(grep "Key inaczsk.example/$DEFAULT_ALGORITHM/$inactive .* retaining signatures" ns3/named.run | wc -l) [ "$loglines" -eq 0 ] || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Send rndc sync command to ns1, ns2 and ns3, to force the dynamically # signed zones to be dumped to their zone files @@ -448,18 +448,18 @@ $DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || re $DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Check jitter distribution. echo_i "checking expired signatures were jittered correctly ($n)" ret=0 $DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 checkjitter dig.out.ns3.test$n || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking NSEC->NSEC3 conversion succeeded ($n)" ret=0 @@ -470,9 +470,9 @@ $DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret= digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking direct NSEC3 autosigning succeeded ($n)" ret=0 @@ -484,16 +484,16 @@ $DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)" ret=0 grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking NSEC3->NSEC conversion succeeded ($n)" ret=0 @@ -505,9 +505,9 @@ $DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)" ret=0 @@ -524,45 +524,45 @@ $DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking TTLs of imported DNSKEYs (no default) ($n)" ret=0 $DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 [ -s dig.out.ns3.test$n ] || ret=1 (awk 'BEGIN {r=0} $2 != 300 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking TTLs of imported DNSKEYs (with default) ($n)" ret=0 $DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 [ -s dig.out.ns3.test$n ] || ret=1 (awk 'BEGIN {r=0} $2 != 60 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking TTLs of imported DNSKEYs (mismatched) ($n)" ret=0 $DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 [ -s dig.out.ns3.test$n ] || ret=1 (awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking TTLs of imported DNSKEYs (existing RRset) ($n)" ret=0 $DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 [ -s dig.out.ns3.test$n ] || ret=1 (awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking positive validation NSEC ($n)" ret=0 @@ -570,9 +570,9 @@ $DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 $DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking positive validation NSEC3 ($n)" ret=0 @@ -582,9 +582,9 @@ $DIG $DIGOPTS +noauth a.nsec3.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking positive validation OPTOUT ($n)" ret=0 @@ -594,9 +594,9 @@ $DIG $DIGOPTS +noauth a.optout.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking negative validation NXDOMAIN NSEC ($n)" ret=0 @@ -605,9 +605,9 @@ $DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking negative validation NXDOMAIN NSEC3 ($n)" ret=0 @@ -618,9 +618,9 @@ $DIG $DIGOPTS +noauth q.nsec3.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking negative validation NXDOMAIN OPTOUT ($n)" ret=0 @@ -632,9 +632,9 @@ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking negative validation NODATA NSEC ($n)" ret=0 @@ -644,9 +644,9 @@ digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking negative validation NODATA NSEC3 ($n)" ret=0 @@ -658,9 +658,9 @@ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking negative validation NODATA OPTOUT ($n)" ret=0 @@ -672,9 +672,9 @@ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Check the insecure.example domain @@ -686,9 +686,9 @@ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking 1-server negative insecurity proof NSEC ($n)" ret=0 @@ -700,9 +700,9 @@ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Check the secure.example domain @@ -715,9 +715,9 @@ $DIG $DIGOPTS +noauth a.secure.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)" ret=0 @@ -728,9 +728,9 @@ $DIG $DIGOPTS +noauth a.nsec3.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)" ret=0 @@ -741,9 +741,9 @@ $DIG $DIGOPTS +noauth a.optout.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)" ret=0 @@ -754,9 +754,9 @@ $DIG $DIGOPTS +noauth a.secure.nsec3.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)" ret=0 @@ -767,9 +767,9 @@ $DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)" ret=0 @@ -780,9 +780,9 @@ $DIG $DIGOPTS +noauth a.optout.nsec3.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)" ret=0 @@ -793,9 +793,9 @@ $DIG $DIGOPTS +noauth a.secure.optout.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)" ret=0 @@ -806,9 +806,9 @@ $DIG $DIGOPTS +noauth a.nsec3.optout.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)" ret=0 @@ -819,9 +819,9 @@ $DIG $DIGOPTS +noauth a.optout.optout.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking empty NODATA OPTOUT ($n)" ret=0 @@ -832,9 +832,9 @@ $DIG $DIGOPTS +noauth empty.optout.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 #grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Check the insecure.secure.example domain (insecurity proof) @@ -848,9 +848,9 @@ digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Check a negative response in insecure.secure.example @@ -864,18 +864,18 @@ digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking security root query ($n)" ret=0 $DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking positive validation RSASHA256 NSEC ($n)" ret=0 @@ -883,9 +883,9 @@ $DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || $DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking positive validation RSASHA512 NSEC ($n)" ret=0 @@ -893,9 +893,9 @@ $DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || $DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking that positive validation in a privately secure zone works ($n)" ret=0 @@ -906,9 +906,9 @@ $DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \ digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking that negative validation in a privately secure zone works ($n)" ret=0 @@ -920,18 +920,18 @@ digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking privately secure to nxdomain works ($n)" ret=0 $DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Try validating with a revoked trusted key. # This should fail. @@ -941,69 +941,69 @@ ret=0 $DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 grep "flags:.*; QUERY" dig.out.ns5.test$n > /dev/null || ret=1 grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking that revoked key is present ($n)" ret=0 -id=`cat rev.key` +id=$(cat rev.key) $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking that revoked key self-signs ($n)" ret=0 -id=`cat rev.key` +id=$(cat rev.key) $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking for unpublished key ($n)" ret=0 id=$(keyfile_to_key_id "$(cat unpub.key)") $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking for activated but unpublished key ($n)" ret=0 id=$(keyfile_to_key_id "$(cat activate-now-publish-1day.key)") $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking that standby key does not sign records ($n)" ret=0 id=$(keyfile_to_key_id "$(cat standby.key)") $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking that deactivated key does not sign records ($n)" ret=0 id=$(keyfile_to_key_id "$(cat inact.key)") $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking insertion of public-only key ($n)" ret=0 id=$(keyfile_to_key_id "$(cat nopriv.key)") -file="ns1/`cat nopriv.key`.key" -keydata=`grep DNSKEY $file` +file="ns1/$(cat nopriv.key).key" +keydata=$(grep DNSKEY $file) $NSUPDATE > /dev/null 2>&1 < dig.out.ns1.test$n || ret=1 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking key deletion ($n)" ret=0 id=$(keyfile_to_key_id "$(cat del.key)") $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking secure-to-insecure transition, nsupdate ($n)" ret=0 @@ -1043,15 +1043,15 @@ for i in 0 1 2 3 4 5 6 7 8 9; do echo_i "waiting ... ($i)" sleep 2 done -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking secure-to-insecure transition, scheduled ($n)" ret=0 -file="ns3/`cat del1.key`.key" +file="ns3/$(cat del1.key).key" $SETTIME -I now -D now $file > settime.out.test$n.1 || ret=1 -file="ns3/`cat del2.key`.key" +file="ns3/$(cat del2.key).key" $SETTIME -I now -D now $file > settime.out.test$n.2 || ret=1 ($RNDCCMD 10.53.0.3 sign secure-to-insecure2.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 for i in 0 1 2 3 4 5 6 7 8 9; do @@ -1062,9 +1062,9 @@ for i in 0 1 2 3 4 5 6 7 8 9; do echo_i "waiting ... ($i)" sleep 2 done -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking jitter in a newly signed NSEC3 zone ($n)" ret=0 @@ -1092,14 +1092,14 @@ retry_quiet 40 check_if_nsec3param_exists || { $DIG $DIGOPTS AXFR jitter.nsec3.example @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 # Check jitter distribution. checkjitter dig.out.ns3.2.test$n || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking that serial number and RRSIGs are both updated (rt21045) ($n)" ret=0 -oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'` -oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u` +oldserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}') +oldinception=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u) $KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null @@ -1108,37 +1108,37 @@ newserial=$oldserial try=0 while [ $oldserial -eq $newserial -a $try -lt 42 ] do - newserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | - awk '$0 !~ /SOA/ {print $3}'` + newserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | + awk '$0 !~ /SOA/ {print $3}') sleep 1 - try=`expr $try + 1` + try=$((try + 1)) done -newinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u` +newinception=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u) #echo "$oldserial : $newserial" #echo "$oldinception : $newinception" [ "$oldserial" = "$newserial" ] && ret=1 [ "$oldinception" = "$newinception" ] && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "preparing to test key change corner cases" echo_i "removing a private key file" -file="ns1/`cat vanishing.key`.private" +file="ns1/$(cat vanishing.key).private" rm -f $file echo_i "preparing ZSK roll" -starttime=`$PERL -e 'print time(), "\n";'` -oldfile=`cat active.key` +starttime=$($PERL -e 'print time(), "\n";') +oldfile=$(cat active.key) oldid=$(keyfile_to_key_id "$(cat active.key)") -newfile=`cat standby.key` +newfile=$(cat standby.key) newid=$(keyfile_to_key_id "$(cat standby.key)") $SETTIME -K ns1 -I now+2s -D now+25 $oldfile > settime.out.test$n.1 || ret=1 $SETTIME -K ns1 -i 0 -S $oldfile $newfile > settime.out.test$n.2 || ret=1 # note previous zone serial number -oldserial=`$DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}'` +oldserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}') ($RNDCCMD 10.53.0.1 loadkeys . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 sleep 4 @@ -1155,18 +1155,18 @@ echo_i "checking former standby key $newid is now active ($n)" ret=0 $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking former standby key has only signed incrementally ($n)" ret=0 $DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 grep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking that signing records have been marked as complete ($n)" ret=0 @@ -1178,7 +1178,7 @@ checkprivate nsec3.example 10.53.0.3 || ret=1 checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1 checkprivate nsec3.optout.example 10.53.0.3 || ret=1 checkprivate nsec3-to-nsec.example 10.53.0.3 2 || ret=1 # automatically removed -checkprivate nsec.example 10.53.0.3 || ret=1 +checkprivate nsec-only.example 10.53.0.3 || ret=1 checkprivate oldsigs.example 10.53.0.3 2 || ret=1 # pre-signed checkprivate optout.example 10.53.0.3 || ret=1 checkprivate optout.nsec3.example 10.53.0.3 || ret=1 @@ -1195,8 +1195,8 @@ checkprivate ttl1.example 10.53.0.3 || ret=1 checkprivate ttl2.example 10.53.0.3 || ret=1 checkprivate ttl3.example 10.53.0.3 || ret=1 checkprivate ttl4.example 10.53.0.3 || ret=1 -n=`expr $n + 1` -status=`expr $status + $ret` +n=$((n + 1)) +status=$((status + ret)) echo_i "forcing full sign" ($RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 @@ -1208,22 +1208,22 @@ echo_i "checking former standby key has now signed fully ($n)" ret=0 $DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking SOA serial number has been incremented ($n)" ret=0 -newserial=`$DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}'` +newserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}') [ "$newserial" != "$oldserial" ] || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking delayed key publication/activation ($n)" ret=0 -zsk=`cat delayzsk.key` -ksk=`cat delayksk.key` +zsk=$(cat delayzsk.key) +ksk=$(cat delayksk.key) # publication and activation times should be unset $SETTIME -K ns3 -pA -pP $zsk > settime.out.test$n.zsk || ret=1 grep -v UNSET settime.out.test$n.zsk >/dev/null && ret=1 @@ -1232,9 +1232,9 @@ grep -v UNSET settime.out.test$n.ksk >/dev/null && ret=1 $DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 # DNSKEY not expected: awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking scheduled key publication, not activation ($n)" ret=0 @@ -1252,9 +1252,9 @@ $DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || ret=1 # RRSIG not expected: awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking scheduled key activation ($n)" ret=0 @@ -1278,17 +1278,17 @@ check_is_signed() { return 0 } retry_quiet 5 check_is_signed || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking former active key was removed ($n)" # # Work out how long we need to sleep. Allow 4 seconds for the records # to be removed. # -now=`$PERL -e 'print time(), "\n";'` -sleep=`expr $starttime + 29 - $now` +now=$($PERL -e 'print time(), "\n";') +sleep=$((starttime + 29 - now)) case $sleep in -*|0);; *) echo_i "waiting for timer to have activated"; sleep $sleep;; @@ -1296,18 +1296,18 @@ esac ret=0 $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep '; key id = '"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking private key file removal caused no immediate harm ($n)" ret=0 id=$(keyfile_to_key_id "$(cat vanishing.key)") $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking revoked key with duplicate key ID (failure expected) ($n)" lret=0 @@ -1316,7 +1316,7 @@ $DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || lret=1 grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null || lret=1 $DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || lret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || lret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $lret != 0 ]; then echo_i "not yet implemented"; fi echo_i "checking key event timers are always set ($n)" @@ -1324,9 +1324,9 @@ echo_i "checking key event timers are always set ($n)" # be scheduled for the present moment, and then never fire. check for # visible evidence of this error in the logs: awk '/next key event/ {if ($1 == $8 && $2 == $9) exit 1}' */named.run || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # this confirms that key events are never scheduled more than # 'dnssec-loadkeys-interval' minutes in the future, and that the @@ -1360,19 +1360,19 @@ ret=0 check_interval ns1 3600 || ret=1 check_interval ns2 1800 || ret=1 check_interval ns3 600 || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking for key reloading loops ($n)" ret=0 # every key event should schedule a successor, so these should be equal -rekey_calls=`grep "reconfiguring zone keys" ns*/named.run | wc -l` -rekey_events=`grep "next key event" ns*/named.run | wc -l` +rekey_calls=$(grep "reconfiguring zone keys" ns*/named.run | wc -l) +rekey_events=$(grep "next key event" ns*/named.run | wc -l) [ "$rekey_calls" = "$rekey_events" ] || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "forcing full sign with unreadable keys ($n)" ret=0 @@ -1380,31 +1380,31 @@ chmod 0 ns1/K.+*+*.key ns1/K.+*+*.private || ret=1 ($RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 $DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1 grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "test turning on auto-dnssec during reconfig ($n)" ret=0 # first create a zone that doesn't have auto-dnssec ($RNDCCMD 10.53.0.3 addzone reconf.example '{ type primary; file "reconf.example.db"; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 -rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l` +rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l) [ "$rekey_calls" -eq 0 ] || ret=1 # ...then we add auto-dnssec and reconfigure ($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 rndc_reconfig ns3 10.53.0.3 for i in 0 1 2 3 4 5 6 7 8 9; do lret=0 - rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l` + rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l) [ "$rekey_calls" -gt 0 ] || lret=1 if [ "$lret" -eq 0 ]; then break; fi echo_i "waiting ... ($i)" sleep 1 done -n=`expr $n + 1` +n=$((n + 1)) if [ "$lret" != 0 ]; then ret=$lret; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "test CDS and CDNSKEY auto generation ($n)" ret=0 @@ -1412,42 +1412,42 @@ $DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n $DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null || ret=1 grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "test 'dnssec-dnskey-kskonly no' affects DNSKEY/CDS/CDNSKEY ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 sync.example dnskey > dig.out.ns3.dnskeytest$n $DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n $DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n -lines=`awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l` +lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l) test ${lines:-0} -eq 2 || ret=1 -lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l` +lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l) test ${lines:-0} -eq 2 || ret=1 -lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l` +lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l) test ${lines:-0} -eq 2 || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "test 'dnssec-dnskey-kskonly yes' affects DNSKEY/CDS/CDNSKEY ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey > dig.out.ns3.dnskeytest$n $DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey > dig.out.ns3.cdnskeytest$n $DIG $DIGOPTS @10.53.0.3 kskonly.example cds > dig.out.ns3.cdstest$n -lines=`awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l` +lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l) test ${lines:-0} -eq 1 || ret=1 -lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l` +lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l) test ${lines:-0} -eq 1 || ret=1 -lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l` +lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l) test ${lines:-0} -eq 1 || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'" -$SETTIME -D sync now `cat sync.key` > settime.out.test$n || ret=1 +$SETTIME -D sync now $(cat sync.key) > settime.out.test$n || ret=1 ($RNDCCMD 10.53.0.3 loadkeys sync.example | sed 's/^/ns3 /' | cat_i) || ret=1 echo_i "checking that the CDS and CDNSKEY are deleted ($n)" @@ -1459,51 +1459,51 @@ ensure_cds_and_cdnskey_are_deleted() { awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1 } retry 10 ensure_cds_and_cdnskey_are_deleted || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check that dnssec-settime -p Dsync works ($n)" ret=0 -$SETTIME -p Dsync `cat sync.key` > settime.out.test$n || ret=1 +$SETTIME -p Dsync $(cat sync.key) > settime.out.test$n || ret=1 grep "SYNC Delete:" settime.out.test$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check that dnssec-settime -p Psync works ($n)" ret=0 -$SETTIME -p Psync `cat sync.key` > settime.out.test$n || ret=1 +$SETTIME -p Psync $(cat sync.key) > settime.out.test$n || ret=1 grep "SYNC Publish:" settime.out.test$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check that zone with inactive KSK and active ZSK is properly autosigned ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n -zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' ` +zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | + $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' ) pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} " grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1 -kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' ` +kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | + $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' ) pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${kskid} " grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n grep "SOA ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # # Check that DNSKEY is now signed with the ZSK. @@ -1515,24 +1515,24 @@ ret=0 $DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n -zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' ` +zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | + $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' ) pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} " grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1 -count=`awk 'BEGIN { count = 0 } +count=$(awk 'BEGIN { count = 0 } $4 == "RRSIG" && $5 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n` + END {print count}' dig.out.ns3.test$n) test $count -eq 1 || ret=1 -count=`awk 'BEGIN { count = 0 } +count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n` + END {print count}' dig.out.ns3.test$n) test $count -eq 2 || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # # Check that zone is now signed with the KSK. @@ -1542,20 +1542,20 @@ echo_ic "resigned after the active ZSK is deleted - stage 2: Verify that zone" echo_ic "is now signed with the KSK. ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n -kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' ` +kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | + $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' ) grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1 -count=`awk 'BEGIN { count = 0 } +count=$(awk 'BEGIN { count = 0 } $4 == "RRSIG" && $5 == "CNAME" { count++ } - END {print count}' dig.out.ns3.test$n` + END {print count}' dig.out.ns3.test$n) test $count -eq 1 || ret=1 -count=`awk 'BEGIN { count = 0 } +count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n` + END {print count}' dig.out.ns3.test$n) test $count -eq 2 || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking for out-of-zone NSEC3 records after ZSK removal ($n)" ret=0 @@ -1580,7 +1580,7 @@ if [ $_ret -ne 0 ]; then ret=1 fi # Mark the inactive ZSK as pending removal. -file="ns3/`cat delzsk.key`.key" +file="ns3/$(cat delzsk.key).key" $SETTIME -D now-1h $file > settime.out.test$n || ret=1 # Trigger removal of the inactive ZSK and wait until its completion. ($RNDCCMD 10.53.0.3 loadkeys delzsk.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 @@ -1589,7 +1589,7 @@ for i in 0 1 2 3 4 5 6 7 8 9; do $RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.3.test$n 2>&1 grep "Signing " signing.out.3.test$n > /dev/null 2>&1 if [ $? -ne 0 ]; then - if [ `grep "Done signing " signing.out.3.test$n | wc -l` -eq 2 ]; then + if [ $(grep "Done signing " signing.out.3.test$n | wc -l) -eq 2 ]; then _ret=0 break fi @@ -1611,17 +1611,17 @@ fi # $DIG $DIGOPTS delzsk.example AXFR @10.53.0.3 > dig.out.ns3.3.test$n || ret=1 grep "589R358VSPJUFVAJU949JPVF74D9PTGH" dig.out.ns3.3.test$n > /dev/null 2>&1 && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)" ret=0 $DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking that DNAME is not treated as a delegation when signing ($n)" ret=0 @@ -1629,25 +1629,25 @@ $DIG $DIGOPTS dname-and-txt.secure.example. DNAME @10.53.0.3 > dig.out.ns3.1.tes grep "dname-and-txt.secure.example.*RRSIG.*DNAME" dig.out.ns3.1.test$n > /dev/null 2>&1 || ret=1 $DIG $DIGOPTS dname-and-txt.secure.example. TXT @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 grep "dname-and-txt.secure.example.*RRSIG.*TXT" dig.out.ns3.2.test$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking key maintenance events were logged correctly ($n)" ret=0 -pub=`grep "DNSKEY .* is now published" ns1/named.run | wc -l` +pub=$(grep "DNSKEY .* is now published" ns1/named.run | wc -l) [ "$pub" -eq 6 ] || ret=1 -act=`grep "DNSKEY .* is now active" ns1/named.run | wc -l` +act=$(grep "DNSKEY .* is now active" ns1/named.run | wc -l) [ "$act" -eq 5 ] || ret=1 -rev=`grep "DNSKEY .* is now revoked" ns1/named.run | wc -l` +rev=$(grep "DNSKEY .* is now revoked" ns1/named.run | wc -l) [ "$rev" -eq 1 ] || ret=1 -inac=`grep "DNSKEY .* is now inactive" ns1/named.run | wc -l` +inac=$(grep "DNSKEY .* is now inactive" ns1/named.run | wc -l) [ "$inac" -eq 1 ] || ret=1 -del=`grep "DNSKEY .* is now deleted" ns1/named.run | wc -l` +del=$(grep "DNSKEY .* is now deleted" ns1/named.run | wc -l) [ "$del" -eq 1 ] || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking that CDS (DELETE) persists after zone sign ($n)" echo_i "update add cds-delete.example. CDS 0 0 00" @@ -1686,9 +1686,9 @@ retry_quiet 1 _cds_delete cds-delete.example. || ret=1 echo_i "query cds-delete.example. CDNSKEY" retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking that CDNSKEY (DELETE) persists after zone sign ($n)" echo_i "update add cdnskey-delete.example. CDNSKEY 0 3 0 AA==" @@ -1727,9 +1727,9 @@ retry_quiet 1 _cdnskey_delete cdnskey-delete.example. || ret=1 echo_i "query cdnskey-delete.example. CDS" retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1