+2841. [func] Added "smartsign" and improved "autosign" and
+ "dnssec" regression tests. [RT #20865]
+
2840. [bug] Change 2836 was not complete. [RT #20883]
2839. [bug] Temporary fixed pkcs11-destroy usage check.
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $
+# $Id: clean.sh,v 1.4 2010/01/18 19:19:30 each Exp $
rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
-rm -f inact.key del.key unpub.key standby.key rev.key
-rm -f ns1/root.db ns2/example.db ns3/secure.example.db
-rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
-rm -f ns2/private.secure.example.db
+rm -f active.key inact.key del.key unpub.key standby.key rev.key
+rm -f nopriv.key vanishing.key
+rm -f nsupdate.out
rm -f */core
rm -f */example.bk
+rm -f */named.memstats
rm -f dig.out.*
rm -f random.data
-rm -f ns2/dlv.db
-rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db
-rm -f ns3/optout-unknown.example.db ns3/optout.example.db
-rm -f */named.memstats
+rm -f ns1/root.db
+rm -f ns2/example.db
+rm -f ns2/private.secure.example.db ns2/bar.db
+rm -f ns3/nsec.example.db
+rm -f ns3/nsec3.example.db
rm -f ns3/nsec3.nsec3.example.db
rm -f ns3/nsec3.optout.example.db
+rm -f ns3/nsec3-to-nsec.example.db
+rm -f ns3/oldsigs.example.db
+rm -f ns3/optout.example.db
rm -f ns3/optout.nsec3.example.db
rm -f ns3/optout.optout.example.db
+rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
+rm -f ns3/secure.example.db
rm -f ns3/secure.nsec3.example.db
rm -f ns3/secure.optout.example.db
+rm -f ns3/secure-to-insecure.example.db
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: keygen.sh,v 1.4 2009/12/19 17:30:31 each Exp $
+# $Id: keygen.sh,v 1.5 2010/01/18 19:19:30 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
cat $infile ../ns2/dsset-example. > $zonefile
-$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
+zskact=`$KEYGEN -3 -q -r $RANDFILE $zone`
+zskvanish=`$KEYGEN -3 -q -r $RANDFILE $zone`
zskdel=`$KEYGEN -3 -q -r $RANDFILE -D now $zone`
zskinact=`$KEYGEN -3 -q -r $RANDFILE -I now $zone`
zskunpub=`$KEYGEN -3 -q -r $RANDFILE -G $zone`
zsksby=`$KEYGEN -3 -q -r $RANDFILE -A none $zone`
+zsknopriv=`$KEYGEN -3 -q -r $RANDFILE $zone`
+rm $zsknopriv.private
ksksby=`$KEYGEN -3 -q -r $RANDFILE -P now -A now+15s -fk $zone`
kskrev=`$KEYGEN -3 -q -r $RANDFILE -R now+15s -fk $zone`
' > trusted.conf
cp trusted.conf ../ns5/trusted.conf
+echo $zskact > ../active.key
+echo $zskvanish > ../vanishing.key
echo $zskdel > ../del.key
echo $zskinact > ../inact.key
echo $zskunpub > ../unpub.key
+echo $zsknopriv > ../nopriv.key
echo $zsksby > ../standby.key
echo $kskrev > ../rev.key
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: root.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+; $Id: root.db.in,v 1.4 2010/01/18 19:19:30 each Exp $
$TTL 30
. IN SOA a.root.servers.nil. each.isc.org. (
a.root-servers.nil. A 10.53.0.1
example. NS ns2.example.
+bar. NS ns2.example.
ns2.example. A 10.53.0.2
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: bar.db.in,v 1.2 2010/01/18 19:19:31 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+
+; Used for testing ANY queries
+foo TXT "testing"
+foo A 10.0.1.0
+
+; Used for testing CNAME queries
+cname1 CNAME cname1-target
+cname1-target TXT "testing cname"
+
+cname2 CNAME cname2-target
+cname2-target TXT "testing cname"
+
+; Used for testing DNAME queries
+dname1 DNAME dname1-target
+foo.dname1-target TXT "testing dname"
+
+dname2 DNAME dname2-target
+foo.dname2-target TXT "testing dname"
+
+; A secure subdomain
+secure NS ns.secure
+ns.secure A 10.53.0.3
+
+; An insecure subdomain
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+
+; A insecure subdomain
+mustbesecure NS ns.mustbesecure
+ns.mustbesecure A 10.53.0.3
+
+z A 10.0.0.26
+
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+
+optout NS ns.optout
+ns.optout A 10.53.0.3
+
+nsec3-unknown NS ns.nsec3-unknown
+ns.nsec3-unknown A 10.53.0.3
+
+optout-unknown NS ns.optout-unknown
+ns.optout-unknown A 10.53.0.3
+
+multiple NS ns.multiple
+ns.multiple A 10.53.0.3
+
+rsasha256 NS ns.rsasha256
+ns.rsasha256 A 10.53.0.3
+
+rsasha512 NS ns.rsasha512
+ns.rsasha512 A 10.53.0.3
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+; $Id: example.db.in,v 1.4 2010/01/18 19:19:31 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
rsasha512 NS ns.rsasha512
ns.rsasha512 A 10.53.0.3
+
+nsec3-to-nsec NS ns.nsec3-to-nsec
+ns.nsec3-to-nsec A 10.53.0.3
+
+oldsigs NS ns.oldsigs
+ns.oldsigs A 10.53.0.3
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: keygen.sh,v 1.4 2009/12/19 17:30:31 each Exp $
+# $Id: keygen.sh,v 1.5 2010/01/18 19:19:31 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
# Have the child generate subdomain keys and pass DS sets to us.
( cd ../ns3 && sh keygen.sh )
-for subdomain in secure nsec3 optout rsasha256 rsasha512
+for subdomain in secure nsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs
do
cp ../ns3/dsset-$subdomain.example. .
done
cp $infile $zonefile
$KEYGEN -3 -q -r $RANDFILE -fk $zone > /dev/null
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
+
+# Extract saved keys for the revoke-to-duplicate-key test
+zone=bar
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cat $infile > $zonefile
+sh revkeys.shar > /dev/null
+$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
+$DSFROMKEY Kbar.+005+30804.key > dsset-bar.
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.3 2009/11/30 23:48:02 tbox Exp $ */
+/* $Id: named.conf,v 1.4 2010/01/18 19:19:31 each Exp $ */
// NS2
};
key rndc_key {
- secret "1234abcd8765";
- algorithm hmac-md5;
+ secret "1234abcd8765";
+ algorithm hmac-md5;
};
controls {
- inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+ inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
zone "." {
zone "example" {
type master;
file "example.db";
- allow-query { any; };
- allow-transfer { any; };
+ allow-query { any; };
+ allow-transfer { any; };
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
+};
+
+zone "bar" {
+ type master;
+ file "bar.db";
+ allow-query { any; };
+ allow-transfer { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+ dnssec-dnskey-kskonly yes;
};
zone "private.secure.example" {
type master;
file "private.secure.example.db";
- allow-query { any; };
- allow-transfer { any; };
+ allow-query { any; };
+ allow-transfer { any; };
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "insecure.secure.example" {
type master;
file "insecure.secure.example.db";
- allow-query { any; };
- allow-transfer { any; };
+ allow-query { any; };
+ allow-transfer { any; };
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "child.nsec3.example" {
type master;
file "child.nsec3.example.db";
- allow-query { any; };
- allow-transfer { any; };
+ allow-query { any; };
+ allow-transfer { any; };
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "child.optout.example" {
type master;
file "child.optout.example.db";
- allow-query { any; };
- allow-transfer { any; };
+ allow-query { any; };
+ allow-transfer { any; };
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
include "trusted.conf";
--- /dev/null
+#!/bin/sh
+# This is a shell archive (produced by GNU sharutils 4.6.3).
+# To extract the files from this archive, save it to some FILE, remove
+# everything before the `#!/bin/sh' line above, then type `sh FILE'.
+#
+lock_dir=_sh31052
+# Made on 2010-01-08 23:17 PST by <each@pisces>.
+# Source directory was `/home/each/isc/bind9/bin/tests/system/autosign/ns2/keys'.
+#
+# Existing files will *not* be overwritten, unless `-c' is specified.
+#
+# This shar contains:
+# length mode name
+# ------ ---------- ------------------------------------------
+# 538 -rw-r--r-- Kbar.+005+30676.key
+# 1774 -rw-r--r-- Kbar.+005+30676.private
+# 538 -rw-r--r-- Kbar.+005+30804.key
+# 1774 -rw-r--r-- Kbar.+005+30804.private
+#
+MD5SUM=${MD5SUM-md5sum}
+f=`${MD5SUM} --version | egrep '^md5sum .*(core|text)utils'`
+test -n "${f}" && md5check=true || md5check=false
+${md5check} || \
+ echo 'Note: not verifying md5sums. Consider installing GNU coreutils.'
+save_IFS="${IFS}"
+IFS="${IFS}:"
+gettext_dir=FAILED
+locale_dir=FAILED
+first_param="$1"
+for dir in $PATH
+do
+ if test "$gettext_dir" = FAILED && test -f $dir/gettext \
+ && ($dir/gettext --version >/dev/null 2>&1)
+ then
+ case `$dir/gettext --version 2>&1 | sed 1q` in
+ *GNU*) gettext_dir=$dir ;;
+ esac
+ fi
+ if test "$locale_dir" = FAILED && test -f $dir/shar \
+ && ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
+ then
+ locale_dir=`$dir/shar --print-text-domain-dir`
+ fi
+done
+IFS="$save_IFS"
+if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
+then
+ echo=echo
+else
+ TEXTDOMAINDIR=$locale_dir
+ export TEXTDOMAINDIR
+ TEXTDOMAIN=sharutils
+ export TEXTDOMAIN
+ echo="$gettext_dir/gettext -s"
+fi
+if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null
+then if (echo -n test; echo 1,2,3) | grep n >/dev/null
+ then shar_n= shar_c='
+'
+ else shar_n=-n shar_c= ; fi
+else shar_n= shar_c='\c' ; fi
+f=shar-touch.$$
+st1=200112312359.59
+st2=123123592001.59
+st2tr=123123592001.5 # old SysV 14-char limit
+st3=1231235901
+
+if touch -am -t ${st1} ${f} >/dev/null 2>&1 && \
+ test ! -f ${st1} && test -f ${f}; then
+ shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
+
+elif touch -am ${st2} ${f} >/dev/null 2>&1 && \
+ test ! -f ${st2} && test ! -f ${st2tr} && test -f ${f}; then
+ shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
+
+elif touch -am ${st3} ${f} >/dev/null 2>&1 && \
+ test ! -f ${st3} && test -f ${f}; then
+ shar_touch='touch -am $3$4$5$6$2 "$8"'
+
+else
+ shar_touch=:
+ echo
+ ${echo} 'WARNING: not restoring timestamps. Consider getting and'
+ ${echo} 'installing GNU `touch'\'', distributed in GNU coreutils...'
+ echo
+fi
+rm -f ${st1} ${st2} ${st2tr} ${st3} ${f}
+#
+if test ! -d ${lock_dir}
+then : ; else ${echo} 'lock directory '${lock_dir}' exists'
+ exit 1
+fi
+if mkdir ${lock_dir}
+then ${echo} 'x - created lock directory `'${lock_dir}\''.'
+else ${echo} 'x - failed to create lock directory `'${lock_dir}\''.'
+ exit 1
+fi
+# ============= Kbar.+005+30676.key ==============
+if test -f 'Kbar.+005+30676.key' && test "$first_param" != -c; then
+ ${echo} 'x -SKIPPING Kbar.+005+30676.key (file already exists)'
+else
+${echo} 'x - extracting Kbar.+005+30676.key (text)'
+ sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30676.key' &&
+; This is a key-signing key, keyid 30676, for bar.
+; Created: Sat Dec 26 03:13:10 2009
+; Publish: Sat Dec 26 03:13:10 2009
+; Activate: Sat Dec 26 03:13:10 2009
+bar. IN DNSKEY 257 3 5 AwEAAc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
+SHAR_EOF
+ (set 20 10 01 08 23 14 29 'Kbar.+005+30676.key'; eval "$shar_touch") &&
+ chmod 0644 'Kbar.+005+30676.key'
+if test $? -ne 0
+then ${echo} 'restore of Kbar.+005+30676.key failed'
+fi
+ if ${md5check}
+ then (
+ ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30676.key: MD5 check failed'
+ ) << SHAR_EOF
+9c89adb7c9e6d5e2fd34f694b8752c95 Kbar.+005+30676.key
+SHAR_EOF
+ else
+test `LC_ALL=C wc -c < 'Kbar.+005+30676.key'` -ne 538 && \
+ ${echo} 'restoration warning: size of Kbar.+005+30676.key is not 538'
+ fi
+fi
+# ============= Kbar.+005+30676.private ==============
+if test -f 'Kbar.+005+30676.private' && test "$first_param" != -c; then
+ ${echo} 'x -SKIPPING Kbar.+005+30676.private (file already exists)'
+else
+${echo} 'x - extracting Kbar.+005+30676.private (text)'
+ sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30676.private' &&
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
+PublicExponent: AQAB
+PrivateExponent: BcfjYsFCjuH1x4ucdbW09ncOv8ppJXbiJkt9AoP0hFOT2c5wrJ1hNOGnrdvYd2CMBlpUOR+w5BxDP+cF78Q97ogXpcjjTwj+5PuqJLg4+qx8thvacrAkdXIKEsgMytjD2d4/ksQmeBiQ7zgiGyCHC7CYzvxnzXEKlgl4FuzLRy4SH1YiSTxKfw1ANKKHxmw8Xvav9ljubrzNdBEQNs6eJNkC6c3aGqiPFyTWGa90s6t1mwTXSxFqBUR1WlbfyYfuiAK2CAvFHeNo7VuC934ri7ceEq8jeOSuY0IqDq2pA3gVWVOyR4NFLXJWeDA3pjqi109t/WGg9IGydD/hsleP4Q==
+Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
+Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
+Exponent1: NLeXHRUrJ0fdCSRIt1iwRDeEoPn5OA7GEUtgCcp5i3eSjhb0ZxTaQc/l+NHJCW4vwApWSi9cRy99LUpbResKM1ZGN8EE9rDStqgnQnDXztFTWcDKm+e8VNhGtPtHuARDbqNnJRK3Y+Gz0iAGc8Mpo14qE9IEcoeHXKKVUf+x3BE=
+Exponent2: dKCbJB+SdM/u5IXH+TZyGKkMSLIMATKfucfqV6vs+86rv5Yb0zUEvPNqPNAQe0+LoMF2L7YWblY+71wumHXgOaobAP3u8W2pVGUjuTOtfRPU8x1QAwfV9vye87oTINaxFXkBuNtITuBXNiY2bfprpw9WB4zXxuWpiruPjQsumiE=
+Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
+Created: 20091226021310
+Publish: 20091226021310
+Activate: 20091226021310
+SHAR_EOF
+ (set 20 10 01 08 23 14 29 'Kbar.+005+30676.private'; eval "$shar_touch") &&
+ chmod 0644 'Kbar.+005+30676.private'
+if test $? -ne 0
+then ${echo} 'restore of Kbar.+005+30676.private failed'
+fi
+ if ${md5check}
+ then (
+ ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30676.private: MD5 check failed'
+ ) << SHAR_EOF
+c85dfac0b5c0cf2972878a65717af9ea Kbar.+005+30676.private
+SHAR_EOF
+ else
+test `LC_ALL=C wc -c < 'Kbar.+005+30676.private'` -ne 1774 && \
+ ${echo} 'restoration warning: size of Kbar.+005+30676.private is not 1774'
+ fi
+fi
+# ============= Kbar.+005+30804.key ==============
+if test -f 'Kbar.+005+30804.key' && test "$first_param" != -c; then
+ ${echo} 'x -SKIPPING Kbar.+005+30804.key (file already exists)'
+else
+${echo} 'x - extracting Kbar.+005+30804.key (text)'
+ sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30804.key' &&
+; This is a key-signing key, keyid 30804, for bar.
+; Created: Sat Dec 26 03:13:10 2009
+; Publish: Sat Dec 26 03:13:10 2009
+; Activate: Sat Dec 26 03:13:10 2009
+bar. IN DNSKEY 257 3 5 AwEAgc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
+SHAR_EOF
+ (set 20 10 01 08 23 14 29 'Kbar.+005+30804.key'; eval "$shar_touch") &&
+ chmod 0644 'Kbar.+005+30804.key'
+if test $? -ne 0
+then ${echo} 'restore of Kbar.+005+30804.key failed'
+fi
+ if ${md5check}
+ then (
+ ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30804.key: MD5 check failed'
+ ) << SHAR_EOF
+825116de64b44b14893cb3b8a48475bc Kbar.+005+30804.key
+SHAR_EOF
+ else
+test `LC_ALL=C wc -c < 'Kbar.+005+30804.key'` -ne 538 && \
+ ${echo} 'restoration warning: size of Kbar.+005+30804.key is not 538'
+ fi
+fi
+# ============= Kbar.+005+30804.private ==============
+if test -f 'Kbar.+005+30804.private' && test "$first_param" != -c; then
+ ${echo} 'x -SKIPPING Kbar.+005+30804.private (file already exists)'
+else
+${echo} 'x - extracting Kbar.+005+30804.private (text)'
+ sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30804.private' &&
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
+PublicExponent: AQCB
+PrivateExponent: I5TcRq2sbSi1u5a+jL6VVBBu3nyY7p3NXeD1WYYYD66b8RWbgJdTtsZxgixD5sKKrW/xT68d3FUsIjs36w7yp5+g99q7lJ3v35VcMuLXbaKitS/LJdTZF/GIWwRs+DHdt+chh0QeNLzclq8ZfBeTAycFxwC7zVDLsqqcL6/JHiJhHT+dNEqj6/AIOgSYJzVeBI34LtZLW94IKf4dHLzREnLK6+64PFjpwjOG12O9klKfwHRIRN9WUsDG4AuzDSABH+qo2Zc6uJusC/D6HADbiG7tXmLYL6IxanWTbTrx4Hfp01fF+JQCuyOCRmN47X/nCumvDXKMn9Ve5+OlYi0vAQ==
+Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
+Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
+Exponent1: JDLRyjRz53hTP7H2oaKgQYADs/UDswN2lwWpuag0wsPwQmeRAZZY2TiISPSu+3Mvh4XJ6r5UHQd5FbAN1v2mG4aYgWwoYwoxyvdTLcnQXciX2z+7877GcEyKHPno4fYXRqhVH4i1QjKaQl8dw9LFvzbVvGvvwsHGwQeqPprw7hk=
+Exponent2: vbnob7AZKqKhiVdEcnnhbeZBGcaKkTpE+RAkUL7spNQDiTPvJgo5fcTk/h6G7ijAXK0j62ZHZ3RS7RnaRa+KhO7usPcYMFiJ/VdAyRlIivhyi+WNQ2x4vSygwDy2VV9elljFeNe4dV1Cb+ssE8kAmbP52JjJD6MkhvVLd0u/jMk=
+Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
+Created: 20091226021310
+Publish: 20091226021310
+Activate: 20091226021310
+SHAR_EOF
+ (set 20 10 01 08 23 14 29 'Kbar.+005+30804.private'; eval "$shar_touch") &&
+ chmod 0644 'Kbar.+005+30804.private'
+if test $? -ne 0
+then ${echo} 'restore of Kbar.+005+30804.private failed'
+fi
+ if ${md5check}
+ then (
+ ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30804.private: MD5 check failed'
+ ) << SHAR_EOF
+580cfb43bac6ed945896b464923676e7 Kbar.+005+30804.private
+SHAR_EOF
+ else
+test `LC_ALL=C wc -c < 'Kbar.+005+30804.private'` -ne 1774 && \
+ ${echo} 'restoration warning: size of Kbar.+005+30804.private is not 1774'
+ fi
+fi
+if rm -fr ${lock_dir}
+then ${echo} 'x - removed lock directory `'${lock_dir}\''.'
+else ${echo} 'x - failed to remove lock directory `'${lock_dir}\''.'
+ exit 1
+fi
+exit 0
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: keygen.sh,v 1.4 2009/12/19 17:30:31 each Exp $
+# $Id: keygen.sh,v 1.5 2010/01/18 19:19:31 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone`
$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > /dev/null
$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# NSEC-only zone.
+#
+zone=nsec.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
+$KEYGEN -q -r $RANDFILE $zone > /dev/null
+$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# Signature refresh test zone. Signatures are set to expire long
+# in the past; they should be updated by autosign.
+#
+zone=oldsigs.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
+$KEYGEN -q -r $RANDFILE $zone > /dev/null
+$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > /dev/null 2>&1
+
+#
+# NSEC3->NSEC transition test zone.
+#
+zone=nsec3-to-nsec.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone`
+$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > /dev/null
+$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null 2>&1
+
+#
+# secure-to-insecure transition test zone.
+#
+zone=secure-to-insecure.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
+$KEYGEN -q -r $RANDFILE $zone > /dev/null
+$SIGNER -S -o $zone -f $zonefile $infile > /dev/null 2>&1
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.3 2009/11/30 23:48:02 tbox Exp $ */
+/* $Id: named.conf,v 1.4 2010/01/18 19:19:31 each Exp $ */
// NS3
};
key rndc_key {
- secret "1234abcd8765";
- algorithm hmac-md5;
+ secret "1234abcd8765";
+ algorithm hmac-md5;
};
controls {
- inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
+ inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
};
zone "." {
file "example.bk";
};
+zone "bar" {
+ type slave;
+ masters { 10.53.0.2; };
+ file "bar.bk";
+};
+
zone "secure.example" {
type master;
file "secure.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "insecure.example" {
type master;
file "nsec3.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "optout.nsec3.example" {
type master;
file "optout.nsec3.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "nsec3.nsec3.example" {
type master;
file "nsec3.nsec3.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "secure.nsec3.example" {
type master;
file "secure.nsec3.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "optout.example" {
type master;
file "optout.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "secure.optout.example" {
type master;
file "secure.optout.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "nsec3.optout.example" {
type master;
file "nsec3.optout.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "optout.optout.example" {
type master;
file "optout.optout.example.db";
allow-update { any; };
- auto-dnssec maintain;
-};
-
-zone "multiple.example" {
- type master;
- file "multiple.example.db";
- allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "rsasha256.example" {
type master;
file "rsasha256.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "rsasha512.example" {
type master;
file "rsasha512.example.db";
- allow-update { any; };
- auto-dnssec maintain;
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "nsec.example" {
+ type master;
+ file "nsec.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "nsec3-to-nsec.example" {
+ type master;
+ file "nsec3-to-nsec.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "secure-to-insecure.example" {
+ type master;
+ file "secure-to-insecure.example.db";
+ allow-update { any; };
+ dnssec-secure-to-insecure yes;
+};
+
+zone "oldsigs.example" {
+ type master;
+ file "oldsigs.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
};
include "trusted.conf";
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: nsec.example.db.in,v 1.2 2010/01/18 19:19:31 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: nsec3-to-nsec.example.db.in,v 1.2 2010/01/18 19:19:31 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: oldsigs.example.db.in,v 1.2 2010/01/18 19:19:31 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: multiple.example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+; $Id: secure-to-insecure.example.db.in,v 1.2 2010/01/18 19:19:31 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
-a.a.a.a A 10.0.0.3
-*.e A 10.0.0.6
-child NS ns2.example.
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: prereq.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $
+# $Id: prereq.sh,v 1.4 2010/01/18 19:19:30 each Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
../../../tools/genrandom 400 random.data
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $
+# $Id: setup.sh,v 1.4 2010/01/18 19:19:30 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
. ./clean.sh
+echo "I:generating keys and preparing zones"
+
../../../tools/genrandom 400 random.data
cd ns1 && sh keygen.sh
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.5 2009/12/19 17:30:31 each Exp $
+# $Id: tests.sh,v 1.6 2010/01/18 19:19:30 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+echo "I:waiting 30 seconds for autosign changes to take effect"
+sleep 30
+
+echo "I:checking that zone transfer worked ($n)"
+ret=0
+$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking NSEC->NSEC3 conversion prerequisites ($n)"
+ret=0
+# this command should result in an empty file:
+$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking NSEC3->NSEC conversion prerequisites ($n)"
+ret=0
+$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:converting zones from nsec to nsec3"
-$NSUPDATE > /dev/null <<END || status=1
+$NSUPDATE > /dev/null 2>&1 <<END || status=1
server 10.53.0.3 5300
zone nsec3.nsec3.example.
update add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
END
-echo "I:waiting 30 seconds for key changes to take effect"
-sleep 30
+# try to convert nsec.example; this should fail due to non-NSEC key
+$NSUPDATE > nsupdate.out 2>&1 <<END
+server 10.53.0.3 5300
+zone nsec.example.
+update add nsec.example. 3600 NSEC3PARAM 1 0 10 BEEF
+send
+END
+
+echo "I:waiting for changes to take effect"
+sleep 3
+
+echo "I:converting zone from nsec3 to nsec"
+$NSUPDATE > /dev/null 2>&1 << END || status=1
+server 10.53.0.3 5300
+zone nsec3-to-nsec.example.
+update delete nsec3-to-nsec.example. NSEC3PARAM
+send
+END
+
+echo "I:waiting for change to take effect"
+sleep 3
# Send rndc freeze command to ns1, ns2 and ns3, to force the dynamically
# signed zones to be dumped to their zone files
echo "I:dumping zone files"
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 freeze 2>&1 | sed 's/^/I:ns1 /'
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 thaw 2>&1 | sed 's/^/I:ns1 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 freeze 2>&1 | sed 's/^/I:ns2 /'
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 thaw 2>&1 | sed 's/^/I:ns2 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze 2>&1 | sed 's/^/I:ns3 /'
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw 2>&1 | sed 's/^/I:ns3 /'
-# Check the example. domain
+echo "I:checking expired signatures were updated ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
-echo "I:checking that zone transfer worked ($n)"
+echo "I:checking NSEC->NSEC3 conversion succeeded ($n)"
ret=0
-$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.ok.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
+ret=0
+grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking NSEC3->NSEC conversion succeeded ($n)"
+ret=0
+# this command should result in an empty file:
+$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:checking insertion of public-only key ($n)"
+ret=0
+id=`sed 's/^K.+007+0*//' < nopriv.key`
+file="ns1/`cat nopriv.key`.key"
+keydata=`grep DNSKEY $file`
+$NSUPDATE > /dev/null 2>&1 <<END || status=1
+server 10.53.0.1 5300
+zone .
+ttl 3600
+update add $keydata
+send
+END
+sleep 1
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:checking key deletion ($n)"
ret=0
id=`sed 's/^K.+007+0*//' < del.key`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:checking secure-to-insecure transition ($n)"
+$NSUPDATE > /dev/null 2>&1 <<END || status=1
+server 10.53.0.3 5300
+zone secure-to-insecure.example
+update delete secure-to-insecure.example dnskey
+send
+END
+sleep 2
+$DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+egrep 'RRSIG.*'" $newid "'\. ' dig.out.ns3.test$n > /dev/null && ret=1
+egrep '(DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:preparing to test key change corner cases"
+echo "I:removing a private key file"
+file="ns1/`cat vanishing.key`.private"
+rm -f $file
+
+echo "I:preparing ZSK roll"
+newid=`sed 's/^K.+007+0*//' < standby.key`
+file="ns1/`cat standby.key`.key"
+$SETTIME -A now $file > /dev/null
+oldid=`sed 's/^K.+007+0*//' < active.key`
+file="ns1/`cat active.key`.key"
+$SETTIME -I now -D now+10 $file > /dev/null
+
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 sign . 2>&1 | sed 's/^/I:ns1 /'
+
+echo "I:revoking key to duplicated key ID"
+$SETTIME -R now ns2/Kbar.+005+30676.key > /dev/null
+
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 sign bar. 2>&1 | sed 's/^/I:ns2 /'
+
+echo "I:waiting for changes to take effect"
+sleep 5
+
+echo "I:checking former standby key is now active ($n)"
+ret=0
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:waiting for former active key to be removed"
+sleep 10
+
+echo "I:checking key was removed ($n)"
+ret=0
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id =.*'"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking private key file removal caused no immediate harm ($n)"
+ret=0
+id=`sed 's/^K.+007+0*//' < vanishing.key`
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking revoked key with duplicate key ID (failure expected) ($n)"
+lret=0
+id=30676
+$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || lret=1
+grep '; key id =.*'"$id"'$' dig.out.ns2.test$n || lret=1
+$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || lret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || lret=1
+n=`expr $n + 1`
+if [ $lret != 0 ]; then echo "I:failed"; fi
+
echo "I:exit status: $status"
exit $status
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: conf.sh.in,v 1.43 2009/11/30 21:00:47 each Exp $
+# $Id: conf.sh.in,v 1.44 2010/01/18 19:19:30 each Exp $
#
# Common configuration data for system tests, to be sourced into
# v6synth
SUBDIRS="acl autosign cacheclean checkconf checknames dnssec forward glue ixfr
limits lwresd masterfile masterformat metadata notify nsupdate pending
- resolver rrsetorder sortlist stub tkey unknown upforwd views xfer xferquota
- zonechecks"
+ resolver rrsetorder sortlist smartsign stub tkey unknown upforwd views
+ xfer xferquota zonechecks"
# PERL will be an empty string if no perl interpreter was found.
PERL=@PERL@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.db.in,v 1.22 2009/12/30 08:02:22 jinmei Exp $
+; $Id: example.db.in,v 1.23 2010/01/18 19:19:31 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
rsasha512 NS ns.rsasha512
ns.rsasha512 A 10.53.0.3
+
+kskonly NS ns.kskonly
+ns.kskonly A 10.53.0.3
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.36 2009/12/30 08:02:22 jinmei Exp $
+# $Id: sign.sh,v 1.37 2010/01/18 19:19:31 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
( cd ../ns3 && sh sign.sh )
for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
- optout-unknown multiple rsasha256 rsasha512
+ optout-unknown multiple rsasha256 rsasha512 kskonly
do
cp ../ns3/dsset-$subdomain.example. .
done
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: kskonly.example.db.in,v 1.2 2010/01/18 19:19:31 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.35 2009/10/27 23:47:44 tbox Exp $ */
+/* $Id: named.conf,v 1.36 2010/01/18 19:19:31 each Exp $ */
// NS3
file "rsasha512.example.db.signed";
};
+zone "kskonly.example" {
+ type master;
+ file "kskonly.example.db.signed";
+};
+
include "trusted.conf";
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.30 2009/10/28 00:27:10 marka Exp $
+# $Id: sign.sh,v 1.31 2010/01/18 19:19:31 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
zone=bogus.example.
infile=bogus.example.db.in
cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
zone=dynamic.example.
infile=dynamic.example.db.in
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
zone=keyless.example.
infile=keyless.example.db.in
cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
# Change the signer field of the a.b.keyless.example SIG A
# to point to a provably nonexistent KEY record.
cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# NSEC3/NSEC3 test zone
cat $infile $keyname.key >$zonefile
-$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# OPTOUT/NSEC3 test zone
cat $infile $keyname.key >$zonefile
-$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A nsec3 zone (non-optout).
cat $infile $keyname.key >$zonefile
-$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# OPTOUT/NSEC test zone
cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# OPTOUT/NSEC3 test zone
cat $infile $keyname.key >$zonefile
-$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# OPTOUT/OPTOUT test zone
cat $infile $keyname.key >$zonefile
-$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A optout nsec3 zone.
cat $infile $keyname.key >$zonefile
-$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A nsec3 zone (non-optout) with unknown hash algorithm.
cat $infile $keyname.key >$zonefile
-$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A optout nsec3 zone.
cat $infile $keyname.key >$zonefile
-$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A multiple parameter nsec3 zone.
cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
mv $zonefile.signed $zonefile
-$SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
mv $zonefile.signed $zonefile
-$SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
mv $zonefile.signed $zonefile
-$SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
mv $zonefile.signed $zonefile
-$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
mv $zonefile.signed $zonefile
-$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A RSASHA256 zone.
cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A RSASHA512 zone.
cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+#
+# A zone with the DNSKEY set only signed by the KSK
+#
+zone=kskonly.example.
+infile=kskonly.example.db.in
+zonefile=kskonly.example.db
+
+kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
+zskname=`$KEYGEN -q -r $RANDFILE $zone`
+cat $infile $kskname.key $zskname.key >$zonefile
+$SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.56 2009/12/30 08:02:22 jinmei Exp $
+# $Id: tests.sh,v 1.57 2010/01/18 19:19:31 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+# test AD bit:
+# - dig +adflag asks for authentication (ad in response)
+echo "I:checking AD bit asking for validation ($n)"
+ret=0
+$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking for AD in authoritative answer ($n)"
+ret=0
+$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:checking positive validation NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:checking positive validation with KSK-only DNSKEY signature ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:checking cd bit on a query that should fail ($n)"
ret=0
$DIG $DIGOPTS a.bogus.example. soa @10.53.0.4 \
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.com.db.in,v 1.2 2009/12/30 08:02:22 jinmei Exp $
+; $Id: example.com.db.in,v 1.3 2010/01/18 19:19:31 each Exp $
$TTL 30
@ IN SOA mname1. . (
AAAA 2001:db8::2
pending-ok A 192.0.2.2
pending-ng A 192.0.2.102
+removed A 10.9.8.7
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.6 2010/01/07 23:48:53 tbox Exp $
+# $Id: sign.sh,v 1.7 2010/01/18 19:19:31 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
infile=${domain}.db.in
zonefile=${domain}.db
- keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
- keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -f KSK -n zone $zone`
+ keyname1=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+ keyname2=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -f KSK -n zone $zone`
- cat $infile $keyname1.key $keyname2.key >$zonefile
+ cat $infile $keyname1.key $keyname2.key > $zonefile
- $SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+ $SIGNER -3 bebe -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
done
+
+# remove "removed" record from example.com, causing the server to
+# send an apparently-invalid NXDOMAIN
+sed '/^removed/d' example.com.db.signed > example.com.db.new
+rm -f example.com.db.signed
+mv example.com.db.new example.com.db.signed
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.6 2010/01/07 23:48:53 tbox Exp $
+# $Id: tests.sh,v 1.7 2010/01/18 19:19:31 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
status=`expr $status + $ret`
+#
+# Make sure the resolver doesn't cache bogus NXDOMAIN
+#
+echo I:Trying to Prime bogus NXDOMAIN
+ret=0
+expect="SERVFAIL"
+ans=`$DIG +tcp -p 5300 @10.53.0.4 removed.example.com. A` || ret=1
+ans=`echo $ans | sed 's/^.*status: \([A-Z][A-Z]*\).*$/\1/'`
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+echo I:Confirming the bogus NXDOMAIN was not cached
+ret=0
+expect="SERVFAIL"
+ans=`$DIG +tcp -p 5300 @10.53.0.4 removed.example.com. A` || ret=1
+ans=`echo $ans | sed 's/^.*status: \([A-Z][A-Z]*\).*$/\1/'`
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
echo "I:exit status: $status"
exit $status
--- /dev/null
+$ORIGIN .
+$TTL 60 ; 1 minute
+child.parent.nil IN SOA ns.child.parent.nil. hostmaster.parent.nil. (
+ 1 ; serial
+ 2000 ; refresh (33 minutes 20 seconds)
+ 2000 ; retry (33 minutes 20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns.child.parent.nil.
+$ORIGIN child.parent.nil.
+$TTL 300 ; 5 minutes
+ns A 10.53.0.3
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2004, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000-2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2 2010/01/18 19:19:31 each Exp $
+
+rm -f K* dsset-* *.signed random.data dnskey.sigs other.sigs dsset.out
--- /dev/null
+$ORIGIN .
+$TTL 300 ; 5 minutes
+parent.nil IN SOA ns1.parent.nil. hostmaster.parent.nil. (
+ 1 ; serial
+ 2000 ; refresh (33 minutes 20 seconds)
+ 2000 ; retry (33 minutes 20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns1.parent.nil.
+ NS ns2.parent.nil.
+$ORIGIN parent.nil.
+$TTL 3600 ; 1 hour
+a A 1.1.1.1
+$TTL 300 ; 5 minutes
+ns1 A 10.53.0.1
+ns2 A 10.53.0.2
+
+child NS ns.child
+ns.child A 10.53.0.3
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2004, 2006, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000-2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: prereq.sh,v 1.2 2010/01/18 19:19:31 each Exp $
+
+../../../tools/genrandom 400 random.data
+
+if $KEYGEN -q -r random.data foo > /dev/null 2>&1
+then
+ rm -f Kfoo*
+else
+ echo "I:This test requires that --with-openssl was used." >&2
+ exit 1
+fi
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000, 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2 2010/01/18 19:19:31 each Exp $
+
+sh clean.sh
+../../../tools/genrandom 400 random.data
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000-2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2 2010/01/18 19:19:31 each Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+RANDFILE=./random.data
+
+pzone=parent.nil
+pfile=parent.db
+
+czone=child.parent.nil
+cfile=child.db
+
+echo I:generating keys
+# active zsk
+czsk1=`$KEYGEN -q -r $RANDFILE $czone`
+
+# not yet published or active
+czsk2=`$KEYGEN -q -r $RANDFILE -P none -A none $czone`
+
+# published but not active
+czsk3=`$KEYGEN -q -r $RANDFILE -A none $czone`
+
+# inactive
+czsk4=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone`
+
+# active ksk
+cksk1=`$KEYGEN -q -r $RANDFILE -fk $czone`
+
+# published but not YET active; will be active in 20 seconds
+cksk2=`$KEYGEN -q -r $RANDFILE -fk $czone`
+$SETTIME -A now+20s $cksk2 > /dev/null
+
+echo I:revoking key
+# revoking key changes its ID
+cksk3=`$KEYGEN -q -r $RANDFILE -fk $czone`
+cksk4=`$REVOKE $cksk3`
+
+echo I:signing child zone
+czoneout=`$SIGNER -Sg -r $RANDFILE -o $czone $cfile 2>&1`
+
+echo I:generating keys
+pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
+pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone`
+
+echo I:signing parent zone
+pzoneout=`$SIGNER -Sg -r $RANDFILE -o $pzone $pfile 2>&1`
+
+czactive=`echo $czsk1 | sed 's/^K.*+005+0*//'`
+czgenerated=`echo $czsk2 | sed 's/^K.*+005+0*//'`
+czpublished=`echo $czsk3 | sed 's/^K.*+005+0*//'`
+czinactive=`echo $czsk4 | sed 's/^K.*+005+0*//'`
+ckactive=`echo $cksk1 | sed 's/^K.*+005+0*//'`
+ckpublished=`echo $cksk2 | sed 's/^K.*+005+0*//'`
+ckprerevoke=`echo $cksk3 | sed 's/^K.*+005+0*//'`
+ckrevoked=`echo $cksk4 | sed 's/.*+005+0*\([0-9]*\)\.private$/\1/'`
+
+pzid=`echo $pzsk | sed 's/^K.*+005+0*//'`
+pkid=`echo $pksk | sed 's/^K.*+005+0*//'`
+
+echo "I:checking dnssec-signzone output matches expectations"
+ret=0
+echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
+echo "$pzoneout" | grep 'ZSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
+echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1
+echo "$czoneout" | grep 'ZSKs: 1 active, 2 stand-by, 0 revoked' > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking parent zone DNSKEY set"
+ret=0
+grep "key id = $pzid" $pfile.signed > /dev/null || ret=1
+grep "key id = $pkid" $pfile.signed > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking parent zone DS records"
+ret=0
+awk '$2 == "DS" {print $3}' $pfile.signed > dsset.out
+grep "$ckactive" dsset.out > /dev/null || ret=1
+grep "$ckpublished" dsset.out > /dev/null || ret=1
+# revoked key should not be there, hence the &&
+grep "$ckprerevoke" dsset.out > /dev/null && ret=1
+grep "$ckrevoked" dsset.out > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking child zone DNSKEY set"
+ret=0
+grep "key id = $ckactive" $cfile.signed > /dev/null || ret=1
+grep "key id = $ckpublished" $cfile.signed > /dev/null || ret=1
+grep "key id = $ckrevoked" $cfile.signed > /dev/null || ret=1
+grep "key id = $czactive" $cfile.signed > /dev/null || ret=1
+grep "key id = $czpublished" $cfile.signed > /dev/null || ret=1
+grep "key id = $czinactive" $cfile.signed > /dev/null || ret=1
+# should not be there, hence the &&
+grep "key id = $ckprerevoke" $cfile.signed > /dev/null && ret=1
+grep "key id = $czgenerated" $cfile.signed > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking child zone signatures"
+ret=0
+# check DNSKEY signatures first
+awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $2 }' $cfile.signed > dnskey.sigs
+grep "$ckactive" dnskey.sigs > /dev/null || ret=1
+grep "$ckrevoked" dnskey.sigs > /dev/null || ret=1
+grep "$czactive" dnskey.sigs > /dev/null || ret=1
+# should not be there:
+grep "$ckprerevoke" dnskey.sigs > /dev/null && ret=1
+grep "$ckpublished" dnskey.sigs > /dev/null && ret=1
+grep "$czpublished" dnskey.sigs > /dev/null && ret=1
+grep "$czinactive" dnskey.sigs > /dev/null && ret=1
+grep "$czgenerated" dnskey.sigs > /dev/null && ret=1
+# now check other signatures first
+awk '$2 == "RRSIG" && $3 != "DNSKEY" { getline; print $2 }' $cfile.signed | sort -un > other.sigs
+# should not be there:
+grep "$ckactive" other.sigs > /dev/null && ret=1
+grep "$ckpublished" other.sigs > /dev/null && ret=1
+grep "$ckprerevoke" other.sigs > /dev/null && ret=1
+grep "$ckrevoked" other.sigs > /dev/null && ret=1
+grep "$czpublished" other.sigs > /dev/null && ret=1
+grep "$czinactive" other.sigs > /dev/null && ret=1
+grep "$czgenerated" other.sigs > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:waiting 20 seconds for key activation"
+sleep 20
+echo "I:re-signing child zone"
+czoneout2=`$SIGNER -Sg -r $RANDFILE -o $czone -f $cfile.new $cfile.signed 2>&1`
+mv $cfile.new $cfile.signed
+
+echo "I:checking dnssec-signzone output matches expectations"
+ret=0
+echo "$czoneout2" | grep 'KSKs: 2 active, 0 stand-by, 1 revoked' > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking child zone signatures again"
+ret=0
+awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $2 }' $cfile.signed > dnskey.sigs
+grep "$ckpublished" dnskey.sigs > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+exit $status
./bin/tests/system/autosign/ns2/keygen.sh SH 2009
./bin/tests/system/autosign/ns2/named.conf CONF-C 2009
./bin/tests/system/autosign/ns2/private.secure.example.db.in ZONE 2009
+./bin/tests/system/autosign/ns2/revkeys.shar X 2010
./bin/tests/system/autosign/ns3/.cvsignore X 2009
./bin/tests/system/autosign/ns3/insecure.example.db ZONE 2009
./bin/tests/system/autosign/ns3/keygen.sh SH 2009
-./bin/tests/system/autosign/ns3/multiple.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/named.conf CONF-C 2009
+./bin/tests/system/autosign/ns3/nsec.example.db.in ZONE 2010
+./bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in ZONE 2010
./bin/tests/system/autosign/ns3/nsec3.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/nsec3.optout.example.db.in ZONE 2009
+./bin/tests/system/autosign/ns3/oldsigs.example.db.in ZONE 2010
./bin/tests/system/autosign/ns3/optout.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/optout.nsec3.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/optout.optout.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/rsasha256.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/rsasha512.example.db.in ZONE 2009
+./bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in ZONE 2010
./bin/tests/system/autosign/ns3/secure.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/secure.nsec3.example.db.in ZONE 2009
./bin/tests/system/autosign/ns3/secure.optout.example.db.in ZONE 2009
./bin/tests/system/dnssec/ns3/insecure.nsec3.example.db ZONE 2008
./bin/tests/system/dnssec/ns3/insecure.optout.example.db ZONE 2008
./bin/tests/system/dnssec/ns3/keyless.example.db.in ZONE 2001,2002,2004,2007
+./bin/tests/system/dnssec/ns3/kskonly.example.db.in ZONE 2010
./bin/tests/system/dnssec/ns3/multiple.example.db.in ZONE 2006,2008
./bin/tests/system/dnssec/ns3/named.conf CONF-C 2000,2001,2002,2004,2006,2007,2008,2009
./bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in ZONE 2006,2008
projects / thirdparty / bind9.git / commitdiff
