rm -f compressed.headers regular.headers compressed.out regular.out
rm -f ns*/managed-keys.bind*
rm -f ns2/Kdnssec* ns2/dnssec.*.id
-rm -f ns2/dnssec.db.signed* ns2/dsset-dnssec.
+rm -f ns2/Kmanykeys* ns2/manykeys.*.id
+rm -f ns2/*.db.signed* ns2/dsset-*. ns2/*.jbk
rm -f ns2/core
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
+dnssec-policy "manykeys" {
+ keys {
+ ksk lifetime unlimited algorithm 5;
+ zsk lifetime unlimited algorithm 5;
+ ksk lifetime unlimited algorithm 13;
+ zsk lifetime unlimited algorithm 13;
+ ksk lifetime unlimited algorithm 14;
+ zsk lifetime unlimited algorithm 14;
+ };
+};
+
zone "example" {
type master;
file "example.db";
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
+
+zone "manykeys" {
+ type master;
+ file "manykeys.db.signed";
+ zone-statistics full;
+ dnssec-policy "manykeys";
+};
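Review bot: The `manykeys` policy declares its RSA pair with `algorithm 5` (RSASHA1) at L12-L13, but the ns2/sign.sh hunk pre-generates that zone's RSA keys with `-a RSASHA256` (algorithm 8, as the `ksk8`/`zsk8` variable names at L48-L49 say), so the pre-signed file loaded at L30 does not match the policy attached at L32. Named would presumably treat the RSASHA256 pair as foreign to the policy and try to introduce RSASHA1 keys, and on builds where SHA-1 signing is disabled by the crypto provider that cannot succeed, so the test ends up exercising a different key set than sign.sh prepared. `ksk lifetime unlimited algorithm 8;` and `zsk lifetime unlimited algorithm 8;` would make the two agree; if RSASHA1 is actually the intent, sign.sh should generate those keys instead.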
zone=dnssec.
infile=dnssec.db.in
zonefile=dnssec.db.signed
-
ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
# Sign deliberately with a very short expiration date.
"$SIGNER" -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1
-
keyfile_to_key_id "$ksk" > dnssec.ksk.id
keyfile_to_key_id "$zsk" > dnssec.zsk.id
+zone=manykeys.
+infile=manykeys.db.in
+zonefile=manykeys.db.signed
+ksk8=$("$KEYGEN" -q -a RSASHA256 -b 2048 -f KSK "$zone")
+zsk8=$("$KEYGEN" -q -a RSASHA256 -b 2048 "$zone")
+ksk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -b 256 -f KSK "$zone")
+zsk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -b 256 "$zone")
+ksk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -b 384 -f KSK "$zone")
+zsk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -b 384 "$zone")
+# Sign deliberately with a very short expiration date.
+"$SIGNER" -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1
+keyfile_to_key_id "$ksk8" > manykeys.ksk8.id
+keyfile_to_key_id "$zsk8" > manykeys.zsk8.id
+keyfile_to_key_id "$ksk13" > manykeys.ksk13.id
+keyfile_to_key_id "$zsk13" > manykeys.zsk13.id
+keyfile_to_key_id "$ksk14" > manykeys.ksk14.id
+keyfile_to_key_id "$zsk14" > manykeys.zsk14.id
*) return 1 ;;
esac
file=`$PERL fetch.pl -p ${EXTRAPORT1} $path`
- cp $file $file.$1.$2
- $PERL zones-${1}.pl $file 2>/dev/null | sort > zones.out.$2
+ cp $file $file.$1.$3
+ $PERL zones-${1}.pl $file $2 2>/dev/null | sort > zones.out.$3
result=$?
return $result
}
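Review bot: `result=$?` on L69 still records the exit status of `sort`, not of the rewritten `$PERL zones-${1}.pl $file $2` pipeline stage on L68, so a failing or dying Perl script (for example when the new `$2` zone argument is empty or does not select a zone) leaves `getzones` returning 0 and the caller's `|| ret=1` never fires. Splitting the pipeline makes the status meaningful: `$PERL zones-${1}.pl "$file" "$2" 2>/dev/null > zones.raw.$3 || return 1` followed by `sort zones.raw.$3 > zones.out.$3`. Quoting `$file` and `$2` also keeps the call intact should either value ever contain whitespace. The `getzones` function begins outside this hunk.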
# Fetch and check the dnssec sign statistics.
echo_i "fetching zone stats data after zone maintenance at startup ($n)"
if [ $PERL_XML ]; then
- getzones xml x$n || ret=1
+ getzones xml $zone x$n || ret=1
cmp zones.out.x$n zones.expect.$n || ret=1
fi
if [ $PERL_JSON ]; then
- getzones json j$n || ret=1
+ getzones json $zone j$n || ret=1
cmp zones.out.j$n zones.expect.$n || ret=1
fi
if [ $ret != 0 ]; then echo_i "failed"; fi
# Fetch and check the dnssec sign statistics.
echo_i "fetching zone stats data after dynamic update ($n)"
if [ $PERL_XML ]; then
- getzones xml x$n || ret=1
+ getzones xml $zone x$n || ret=1
cmp zones.out.x$n zones.expect.$n || ret=1
fi
if [ $PERL_JSON ]; then
- getzones json j$n || ret=1
+ getzones json $zone j$n || ret=1
cmp zones.out.j$n zones.expect.$n || ret=1
fi
if [ $ret != 0 ]; then echo_i "failed"; fi
rm -f zones.expect
# Fetch and check the dnssec sign statistics.
if [ $PERL_XML ]; then
- getzones xml x$n || ret=1
+ getzones xml $zone x$n || ret=1
cmp zones.out.x$n zones.expect.$n || ret=1
fi
if [ $PERL_JSON ]; then
- getzones json j$n || ret=1
+ getzones json $zone j$n || ret=1
cmp zones.out.j$n zones.expect.$n || ret=1
fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
+# 4. Test a zone with more than four keys.
+zone="manykeys"
+ksk8_id=`cat ns2/$zone.ksk8.id`
+zsk8_id=`cat ns2/$zone.zsk8.id`
+ksk13_id=`cat ns2/$zone.ksk13.id`
+zsk13_id=`cat ns2/$zone.zsk13.id`
+ksk14_id=`cat ns2/$zone.ksk14.id`
+zsk14_id=`cat ns2/$zone.zsk14.id`
+
+ret=0
+echo_i "fetch zone stats data for a zone with many keys ($n)"
+# Fetch and check the dnssec sign statistics.
+if [ $PERL_XML ]; then
+ getzones xml $zone x$n || ret=1
+fi
+if [ $PERL_JSON ]; then
+ getzones json $zone j$n || ret=1
+fi
+# The output is gibberish, but at least make sure it does not crash.
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
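Review bot: `ksk8_id` through `zsk14_id` are read from the `.id` files at L115-L120 but never used anywhere in the new test (L121-L135), and the script ends right after it at L136-L137, so these six assignments are dead code. Either drop them or, if the intent is to tie the statistics back to the keys, use them in an expectation the way earlier tests compare against `zones.expect.$n`; the comment at L131 could then be reworded to say what is and is not being checked, e.g. `# Only the exit status is checked here: the counters are not validated, the point is that named answers the query for a zone with six keys.`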
use JSON;
my $file = $ARGV[0];
+my $zone = $ARGV[1];
open(INPUT, "<$file");
my $text = do{local$/;<INPUT>};
close(INPUT);
my $ref = decode_json($text);
-my $dnssecsign = $ref->{views}->{_default}->{zones}[0]->{"dnssec-sign"};
+my $dnssecsign = $ref->{views}->{_default}->{zones}[$zone]->{"dnssec-sign"};
my $type = "dnssec-sign operations ";
foreach $key (keys %{$dnssecsign}) {
print $type . $key . ": ". $dnssecsign->{$key} ."\n";
}
-my $dnssecrefresh = $ref->{views}->{_default}->{zones}[0]->{"dnssec-refresh"};
+my $dnssecrefresh = $ref->{views}->{_default}->{zones}[$zone]->{"dnssec-refresh"};
my $type = "dnssec-refresh operations ";
foreach $key (keys %{$dnssecrefresh}) {
print $type . $key . ": ". $dnssecrefresh->{$key} ."\n";
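Review bot: The new `zones[$zone]` subscripts at L146 and L152 index the `zones` array with whatever the caller passes as `$ARGV[1]`, and tests.sh passes the zone *name* (`getzones json $zone j$n` with `zone="manykeys"` at L114), so Perl numifies the string to 0 and every call silently reads the first zone exactly as the old hard-coded `[0]` did, with the "isn't numeric" warning hidden by the caller's `2>/dev/null`. That masks the change for the existing tests and makes the manykeys test report another zone's counters. The XML companion script already selects by name, so the JSON side should too, presumably via the per-zone `name` field of the stats output: `my ($z) = grep { $_->{name} eq $zone } @{ $ref->{views}->{_default}->{zones} };` then `my $dnssecsign = $z->{"dnssec-sign"};` and the same lookup for `dnssec-refresh`. A short `die "zone $zone not found"` when `$z` is undefined would keep a bad argument from passing as an empty counter set.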
use XML::Simple;
my $file = $ARGV[0];
+my $zone = $ARGV[1];
my $ref = XMLin($file);
-my $counters = $ref->{views}->{view}->{_default}->{zones}->{zone}->{dnssec}->{counters};
+my $counters = $ref->{views}->{view}->{_default}->{zones}->{zone}->{$zone}->{counters};
foreach $group (@$counters) {