# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
+set -e
+
rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/dlvset-* ./*/signedkey-* ./*/*.signed
rm -f ./*/example.bk
rm -f ./*/named.conf
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
+set -e
+
zone=.
infile=root.db.in
zonefile=root.db
cat "$infile" "$keyname.key" > "$zonefile"
-"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
# Configure the resolving server with a trusted key.
keyfile_to_trusted_keys "$keyname" > trusted.conf
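Review bot: On the changed `"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1` line, stderr is now discarded while the `set -e` added to these scripts makes a signer failure fatal, so a failed signing run would stop setup without any message explaining why. Sending both streams to a file keeps the run quiet but preserves the reason, for example `"$SIGNER" -P -g -o "$zone" "$zonefile" > signer.out.root 2>&1` (the file name is a placeholder, and clean.sh would need to remove it). The same applies to every other `$SIGNER` line this commit changes to `> /dev/null 2>&1`.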
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
+set -e
+
zone=example.
infile=example.db.in
zonefile=example.db
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
-"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null
+"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
#
# lower/uppercase the signature bits with the exception of the last characters
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
-"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null
+"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
# Sign the privately secure file
cat "$privinfile" "$privkeyname.key" > "$privzonefile"
-"$SIGNER" -P -g -o "$privzone" -l dlv "$privzonefile" > /dev/null
+"$SIGNER" -P -g -o "$privzone" -l dlv "$privzonefile" > /dev/null 2>&1
# Sign the DLV secure zone.
cat "$dlvinfile" "$dlvkeyname.key" "$dlvsetfile" > "$dlvzonefile"
-"$SIGNER" -P -g -o "$dlvzone" "$dlvzonefile" > /dev/null
+"$SIGNER" -P -g -o "$dlvzone" "$dlvzonefile" > /dev/null 2>&1
# Sign the badparam secure file
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
-"$SIGNER" -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null
+"$SIGNER" -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad"
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
-"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null
+"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
#
# algroll has just has the old DNSKEY records removed and is waiting
cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"
-"$SIGNER" -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null
+"$SIGNER" -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1
#
# Make a zone big enough that it takes several seconds to generate a new
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$key1.key" "$key2.key" >> "$zonefile"
-"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null
+"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1
zone=cds.secure
infile=cds.secure.db.in
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile
-"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
zone=cds-x.secure
infile=cds.secure.db.in
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$DSFROMKEY" -C "$key2.key" > "$key2.cds"
cat "$infile" "$key1.key" "$key3.key" "$key2.cds" > "$zonefile"
-"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
zone=cds-update.secure
infile=cds-update.secure.db.in
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
zone=cds-kskonly.secure
infile=cds-kskonly.secure.db.in
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
zone=cds-auto.secure
infile=cds-auto.secure.db.in
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile"
-"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
zone=cdnskey-x.secure
infile=cdnskey.secure.db.in
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
-"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
zone=cdnskey-update.secure
infile=cdnskey-update.secure.db.in
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
zone=cdnskey-kskonly.secure
infile=cdnskey-kskonly.secure.db.in
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
zone=cdnskey-auto.secure
infile=cdnskey-auto.secure.db.in
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
+set -e
+
zone=secure.example.
infile=secure.example.db.in
zonefile=secure.example.db
# shellcheck disable=SC2016
echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
: > "$signedfile"
-"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null 2>&1
#
# Zone with signatures about to expire, but no private key to replace them
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
-"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null 2>/dev/null
+"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null 2>&1
$CHECKZONE -D upper.example $lower 2>/dev/null | \
sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile
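Review bot: The `$CHECKZONE -D upper.example $lower 2>/dev/null | sed ...` pipeline right after the changed signer line is not covered by the new `set -e`. Without `pipefail` only sed's status counts, so a checkzone failure would leave `$signedfile` empty or partial and the script would carry on. If the aim of this commit is to stop on any setup error, write the checkzone output to an intermediate file first, e.g. `$CHECKZONE -D upper.example "$lower" > "$lower.plain" 2>/dev/null`, then `sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' "$lower.plain" > "$signedfile"` (the intermediate name is a placeholder). `$lower` is also unquoted in the changed `-f $lower` argument; its assignment is outside the hunk.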
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
+set -e
+
zone=.
infile=../ns1/root.db.in
zonefile=root.db.signed
# create a current set of keys, and sign the root zone
"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone > /dev/null
"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone > /dev/null
-"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" > /dev/null
+"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".")
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
+set -e
+
zone=optout-tld
infile=optout-tld.db.in
zonefile=optout-tld.db
cat "$infile" "$keyname.key" > "$zonefile"
-"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
+set -e
+
zone=split-rrsig
infile=split-rrsig.db.in
zonefile=split-rrsig.db
cat "$infile" "$k1.key" "$k2.key" > "$zonefile"
-"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" > /dev/null
+"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" > /dev/null 2>&1
awk 'BEGIN { r = ""; }
$4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; }
{ print }
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
+set -e
+
if "$PERL" -e 'use Net::DNS;' 2>/dev/null
then
# shellcheck disable=SC2016
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
+set -e
+
$SHELL clean.sh
copy_setports ns1/named.conf.in ns1/named.conf
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
+set -e
+
status=0
n=1
rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i
keyid=$(cat ns1/managed.key.id)
cp ns4/named.secroots named.secroots.test$n
-linecount=$(grep -c "./${DEFAULT_ALGORITHM}/$keyid ; trusted" named.secroots.test$n)
+linecount=$(grep -c "./${DEFAULT_ALGORITHM}/$keyid ; trusted" named.secroots.test$n || true)
[ "$linecount" -eq 1 ] || ret=1
linecount=$(< named.secroots.test$n wc -l)
[ "$linecount" -eq 10 ] || ret=1
$PERL -e 'my $delay = '"$start"' + 13 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
# check nta table
rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n._11
-lines=$(grep -c " expiry " rndc.out.ns4.test$n._11)
+lines=$(grep -c " expiry " rndc.out.ns4.test$n._11 || true)
[ "$lines" -le 2 ] || ret=1
grep "bogus.example/_default: expiry" rndc.out.ns4.test$n._11 > /dev/null || ret=1
grep "badds.example/_default: expiry" rndc.out.ns4.test$n._11 > /dev/null && ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.15 > /dev/null || ret=1
# check nta table has been cleaned up now
rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3
-lines=$(grep -c " expiry " rndc.out.ns4.test$n.3)
+lines=$(grep -c " expiry " rndc.out.ns4.test$n.3 || true)
[ "$lines" -eq 0 ] || ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed - checking that all nta's have been lifted"; fi
n=$((n+1))
echo_i "testing NTA with bogus lifetimes ($n)"
echo_i "check with no nta lifetime specified"
-rndccmd 10.53.0.4 nta -l "" foo > rndc.out.ns4.test$n.1 2>&1
+rndccmd 10.53.0.4 nta -l "" foo > rndc.out.ns4.test$n.1 2>&1 || true
grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.1 > /dev/null || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
ret=0
echo_i "check with bad nta lifetime"
-rndccmd 10.53.0.4 nta -l garbage foo > rndc.out.ns4.test$n.2 2>&1
+rndccmd 10.53.0.4 nta -l garbage foo > rndc.out.ns4.test$n.2 2>&1 || true
grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 > /dev/null || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
ret=0
echo_i "check with too long nta lifetime"
-rndccmd 10.53.0.4 nta -l 7d1h foo > rndc.out.ns4.test$n.3 2>&1
+rndccmd 10.53.0.4 nta -l 7d1h foo > rndc.out.ns4.test$n.3 2>&1 || true
grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 > /dev/null || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
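Review bot: The three `rndccmd 10.53.0.4 nta -l ... || true` lines discard the exit status, so these negative tests only check the text in the rndc.out files and never that rndc actually rejected the lifetime. Since an NTA switches off DNSSEC validation for a name, the rejection itself is worth pinning: `rndccmd 10.53.0.4 nta -l 7d1h foo > rndc.out.ns4.test$n.3 2>&1 && ret=1` marks the test failed if the command unexpectedly succeeds. That form is still safe under `set -e`, because a failing command on the left of `&&` does not trigger the exit, and the file already uses it in `grep "badds.example/_default: expiry" ... && ret=1`. The `) | $NSUPDATE > nsupdate.out.test$n 2>&1 || true` lines further down, which expect `REFUSED`, could be treated the same way if nsupdate is expected to exit non-zero there.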
n=$((n+1))
echo_i "testing NTA persistence across restarts ($n)"
rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1
-lines=$(grep -c " expiry " rndc.out.ns4.test$n.1)
+lines=$(grep -c " expiry " rndc.out.ns4.test$n.1 || true)
[ "$lines" -eq 0 ] || ret=1
rndccmd 10.53.0.4 nta -f -l 30s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i
rndccmd 10.53.0.4 nta -f -l 10s badds.example 2>&1 | sed 's/^/ns4 /' | cat_i
rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2
-lines=$(grep -c " expiry " rndc.out.ns4.test$n.2)
+lines=$(grep -c " expiry " rndc.out.ns4.test$n.2 || true)
[ "$lines" -eq 2 ] || ret=1
# shellcheck disable=SC2016
start=$($PERL -e 'print time()."\n";')
echo_i "check that named doesn't loop when all private keys are not available ($n)"
ret=0
-lines=$(grep -c "reading private key file expiring.example" ns3/named.run)
+lines=$(grep -c "reading private key file expiring.example" ns3/named.run || true)
test "${lines:-1000}" -lt 15 || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
echo_i "check against against missing nearest provable proof ($n)"
dig_with_opts +norec b.c.d.optout-tld. \
@10.53.0.6 ds > dig.out.ds.ns6.test$n || ret=1
-nsec3=$(grep -c "IN.NSEC3" dig.out.ds.ns6.test$n)
+nsec3=$(grep -c "IN.NSEC3" dig.out.ds.ns6.test$n || true)
[ "$nsec3" -eq 2 ] || ret=1
dig_with_opts +norec b.c.d.optout-tld. \
@10.53.0.6 A > dig.out.ns6.test$n || ret=1
-nsec3=$(grep -c "IN.NSEC3" dig.out.ns6.test$n)
+nsec3=$(grep -c "IN.NSEC3" dig.out.ns6.test$n || true)
[ "$nsec3" -eq 1 ] || ret=1
dig_with_opts optout-tld. \
@10.53.0.4 SOA > dig.out.soa.ns4.test$n || ret=1
sleep 1
done
test "$keys" -gt 2 || ret=1
-sigs=$(grep -c RRSIG dig.out.ns3.test$n)
+sigs=$(grep -c RRSIG dig.out.ns3.test$n || true)
n=$((n+1))
test "$sigs" -eq 2 || ret=1
if test "$ret" -ne 0 ; then echo_i "failed"; fi
alg=$((alg+1))
continue;;
1|5|7|8|10) # RSA algorithms
- key1=$($KEYGEN -a "$alg" -b "1024" -n zone example 2> keygen.err)
+ key1=$($KEYGEN -a "$alg" -b "1024" -n zone example 2> keygen.err || true)
;;
*)
- key1=$($KEYGEN -a "$alg" -n zone example 2> keygen.err)
+ key1=$($KEYGEN -a "$alg" -n zone example 2> keygen.err || true)
esac
if grep "unsupported algorithm" keygen.err > /dev/null
then
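Review bot: Both `key1=$($KEYGEN ... 2> keygen.err || true)` assignments now swallow every keygen failure, not only the unsupported-algorithm case that the following `grep "unsupported algorithm" keygen.err` looks for. If keygen fails for another reason, `key1` is empty and whatever follows the `if` (outside this hunk) runs with an empty key name. A short comment such as `# keygen may fail here; keygen.err is checked for "unsupported algorithm" below`, plus a guard like `[ -n "$key1" ] || ret=1` on the supported path, would make the intent explicit, unless such a check already exists past the end of the hunk.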
$DSFROMKEY -C -A -f - -T 1 cds-update.secure |
sed "s/^/update add /"
echo send
-) | $NSUPDATE > nsupdate.out.test$n 2>&1
+) | $NSUPDATE > nsupdate.out.test$n 2>&1 || true
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p'
echo send
-) | $NSUPDATE > nsupdate.out.test$n 2>&1
+) | $NSUPDATE > nsupdate.out.test$n 2>&1 || true
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)