From: Matthijs Mekking Date: Tue, 7 Dec 2021 13:11:06 +0000 (+0100) Subject: Update autosign test X-Git-Tag: v9.17.22~7^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fbd559ad0d389948c594a35b72d7fb6d16794702;p=thirdparty%2Fbind9.git Update autosign test Update the autosign system test with new expected behavior. The 'nozsk.example' zone should have its expired zone signatures deleted and replaced with signatures generated with the KSK. The 'inaczsk.example' zone should have its expired zone signatures deleted and replaced with signatures generated with the KSK. In both scenarios, signatures are deleted, not retained, so the "retaining signatures" warning should not be logged. Furthermore, thsi commit fixex a test bug where the 'awk' command always returned 0. Finally, this commit adds a test case for an offline KSK, for the zone 'noksk.example'. In this case the expired signatures should be retained (despite the zone being bogus, but resigning the DNSKEY RRset with the ZSK won't help here). --- diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh index 7a1101d6dd2..20efc694996 100644 --- a/bin/tests/system/autosign/clean.sh +++ b/bin/tests/system/autosign/clean.sh @@ -22,7 +22,7 @@ rm -f delayksk.key delayzsk.key autoksk.key autozsk.key rm -f dig.out.* rm -f digcomp.out.test* rm -f digcomp.out.test* -rm -f missingzsk.key inactivezsk.key +rm -f noksk-ksk.key nozsk-ksk.key nozsk-zsk.key inaczsk-zsk.key inaczsk-ksk.key rm -f nopriv.key vanishing.key del1.key del2.key rm -f ns*/managed-keys.bind* rm -f ns*/named.lock @@ -43,6 +43,7 @@ rm -f ns3/jitter.nsec3.example.db rm -f ns3/kg.out ns3/s.out ns3/st.out rm -f ns3/kskonly.example.db rm -f ns3/named.ns3.prev +rm -f ns3/noksk.example.db rm -f ns3/nozsk.example.db ns3/inaczsk.example.db rm -f ns3/nsec.example.db rm -f ns3/nsec3-to-nsec.example.db diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index cc3462a7273..1a0615c6210 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -249,15 +249,27 @@ echo $ksk > ../delayksk.key zsk=`$KEYGEN -G -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out echo $zsk > ../delayzsk.key +# +# A zone with signatures that are already expired, and the private KSK +# is missing. +# +setup noksk.example +ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out +zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out +echo $ksk > ../noksk-ksk.key +rm -f ${ksk}.private + # # A zone with signatures that are already expired, and the private ZSK # is missing. # setup nozsk.example -$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out -zsk=`$KEYGEN -q -a RSASHA1 -3 $zone` +ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out +zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $zsk > ../missingzsk.key +echo $ksk > ../nozsk-ksk.key +echo $zsk > ../nozsk-zsk.key rm -f ${zsk}.private # @@ -265,10 +277,11 @@ rm -f ${zsk}.private # is inactive. # setup inaczsk.example -$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out -zsk=`$KEYGEN -q -a RSASHA1 -3 $zone` +ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out +zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $zsk > ../inactivezsk.key +echo $ksk > ../inaczsk-ksk.key +echo $zsk > ../inaczsk-zsk.key $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out # diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in index 7751cc2e425..5cdbd7a0b58 100644 --- a/bin/tests/system/autosign/ns3/named.conf.in +++ b/bin/tests/system/autosign/ns3/named.conf.in @@ -249,6 +249,13 @@ zone "inaczsk.example" { auto-dnssec maintain; }; +zone "noksk.example" { + type primary; + file "noksk.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + zone "sync.example" { type primary; file "sync.example.db"; diff --git a/bin/tests/system/autosign/ns3/noksk.example.db.in b/bin/tests/system/autosign/ns3/noksk.example.db.in new file mode 100644 index 00000000000..90dcba9daf2 --- /dev/null +++ b/bin/tests/system/autosign/ns3/noksk.example.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index 1e026836687..11ee65e068c 100755 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -164,7 +164,7 @@ do grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1 done for z in bar. example. inacksk2.example. inacksk3.example \ - inaczsk2.example. inaczsk3.example + inaczsk2.example. inaczsk3.example noksk.example nozsk.example do $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1 grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1 @@ -371,36 +371,51 @@ END echo_i "waiting for change to take effect" sleep 3 -echo_i "checking that expired RRSIGs from missing key are not deleted ($n)" +missing=$(keyfile_to_key_id "$(cat noksk-ksk.key)") +echo_i "checking that expired RRSIGs from missing KSK $missing are not deleted ($n)" ret=0 -missing=$(keyfile_to_key_id "$(cat missingzsk.key)") +$JOURNALPRINT ns3/noksk.example.db.jnl | \ + awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {error=1}} END {exit error}' id=$missing || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +missing=$(keyfile_to_key_id "$(cat nozsk-zsk.key)") +ksk=$(keyfile_to_key_id "$(cat nozsk-ksk.key)") +echo_i "checking that expired RRSIGs from missing ZSK $missing are replaced ($n)" +ret=0 +$JOURNALPRINT ns3/nozsk.example.db.jnl | \ + awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$missing || ret=1 $JOURNALPRINT ns3/nozsk.example.db.jnl | \ - awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$missing || ret=1 + awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -echo_i "checking that expired RRSIGs from inactive key are not deleted ($n)" +inactive=$(keyfile_to_key_id "$(cat inaczsk-zsk.key)") +ksk=$(keyfile_to_key_id "$(cat inaczsk-ksk.key)") +echo_i "checking that expired RRSIGs from inactive ZSK $inactive are replaced ($n)" ret=0 -inactive=$(keyfile_to_key_id "$(cat inactivezsk.key)") $JOURNALPRINT ns3/inaczsk.example.db.jnl | \ - awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$inactive || ret=1 + awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$inactive || ret=1 +$JOURNALPRINT ns3/inaczsk.example.db.jnl | \ + awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -echo_i "checking that non-replaceable RRSIGs are logged only once (missing private key) ($n)" +echo_i "checking that replaced RRSIGs are not logged (missing ZSK private key) ($n)" ret=0 loglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l` -[ "$loglines" -eq 1 ] || ret=1 +[ "$loglines" -eq 0 ] || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -echo_i "checking that non-replaceable RRSIGs are logged only once (inactive private key) ($n)" +echo_i "checking that replaced RRSIGs are not logged (inactive ZSK private key) ($n)" ret=0 loglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run | wc -l` -[ "$loglines" -eq 1 ] || ret=1 +[ "$loglines" -eq 0 ] || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret`