From: Matthijs Mekking Date: Tue, 7 Dec 2021 13:11:06 +0000 (+0100) Subject: Update autosign test X-Git-Tag: v9.16.25~8^2~2 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=17ae663084bdab626314da73b30aa53fc76ebe16;p=thirdparty%2Fbind9.git Update autosign test Update the autosign system test with new expected behavior. The 'nozsk.example' zone should have its expired zone signatures deleted and replaced with signatures generated with the KSK. The 'inaczsk.example' zone should have its expired zone signatures deleted and replaced with signatures generated with the KSK. In both scenarios, signatures are deleted, not retained, so the "retaining signatures" warning should not be logged. Furthermore, thsi commit fixex a test bug where the 'awk' command always returned 0. Finally, this commit adds a test case for an offline KSK, for the zone 'noksk.example'. In this case the expired signatures should be retained (despite the zone being bogus, but resigning the DNSKEY RRset with the ZSK won't help here). (cherry picked from commit fbd559ad0d389948c594a35b72d7fb6d16794702) --- diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh index 7a1101d6dd2..20efc694996 100644 --- a/bin/tests/system/autosign/clean.sh +++ b/bin/tests/system/autosign/clean.sh @@ -22,7 +22,7 @@ rm -f delayksk.key delayzsk.key autoksk.key autozsk.key rm -f dig.out.* rm -f digcomp.out.test* rm -f digcomp.out.test* -rm -f missingzsk.key inactivezsk.key +rm -f noksk-ksk.key nozsk-ksk.key nozsk-zsk.key inaczsk-zsk.key inaczsk-ksk.key rm -f nopriv.key vanishing.key del1.key del2.key rm -f ns*/managed-keys.bind* rm -f ns*/named.lock @@ -43,6 +43,7 @@ rm -f ns3/jitter.nsec3.example.db rm -f ns3/kg.out ns3/s.out ns3/st.out rm -f ns3/kskonly.example.db rm -f ns3/named.ns3.prev +rm -f ns3/noksk.example.db rm -f ns3/nozsk.example.db ns3/inaczsk.example.db rm -f ns3/nsec.example.db rm -f ns3/nsec3-to-nsec.example.db diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index 4c85d0c87cd..633e08360a3 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -250,15 +250,27 @@ echo $ksk > ../delayksk.key zsk=`$KEYGEN -G -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out echo $zsk > ../delayzsk.key +# +# A zone with signatures that are already expired, and the private KSK +# is missing. +# +setup noksk.example +ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out +zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out +echo $ksk > ../noksk-ksk.key +rm -f ${ksk}.private + # # A zone with signatures that are already expired, and the private ZSK # is missing. # setup nozsk.example -$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out -zsk=`$KEYGEN -q -a RSASHA1 -3 $zone` +ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out +zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $zsk > ../missingzsk.key +echo $ksk > ../nozsk-ksk.key +echo $zsk > ../nozsk-zsk.key rm -f ${zsk}.private # @@ -266,10 +278,11 @@ rm -f ${zsk}.private # is inactive. # setup inaczsk.example -$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out -zsk=`$KEYGEN -q -a RSASHA1 -3 $zone` +ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out +zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $zsk > ../inactivezsk.key +echo $ksk > ../inaczsk-ksk.key +echo $zsk > ../inaczsk-zsk.key $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out # diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in index 7c8f74f19a2..8aa64b21656 100644 --- a/bin/tests/system/autosign/ns3/named.conf.in +++ b/bin/tests/system/autosign/ns3/named.conf.in @@ -249,6 +249,13 @@ zone "inaczsk.example" { auto-dnssec maintain; }; +zone "noksk.example" { + type primary; + file "noksk.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + zone "sync.example" { type primary; file "sync.example.db"; diff --git a/bin/tests/system/autosign/ns3/noksk.example.db.in b/bin/tests/system/autosign/ns3/noksk.example.db.in new file mode 100644 index 00000000000..90dcba9daf2 --- /dev/null +++ b/bin/tests/system/autosign/ns3/noksk.example.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index 79c5999d94e..33692cd5f55 100755 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -157,7 +157,7 @@ do grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1 done for z in bar. example. inacksk2.example. inacksk3.example \ - inaczsk2.example. inaczsk3.example + inaczsk2.example. inaczsk3.example noksk.example nozsk.example do $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1 grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1 @@ -364,36 +364,51 @@ END echo_i "waiting for change to take effect" sleep 3 -echo_i "checking that expired RRSIGs from missing key are not deleted ($n)" +missing=$(keyfile_to_key_id "$(cat noksk-ksk.key)") +echo_i "checking that expired RRSIGs from missing KSK $missing are not deleted ($n)" ret=0 -missing=$(keyfile_to_key_id "$(cat missingzsk.key)") +$JOURNALPRINT ns3/noksk.example.db.jnl | \ + awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {error=1}} END {exit error}' id=$missing || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +missing=$(keyfile_to_key_id "$(cat nozsk-zsk.key)") +ksk=$(keyfile_to_key_id "$(cat nozsk-ksk.key)") +echo_i "checking that expired RRSIGs from missing ZSK $missing are replaced ($n)" +ret=0 +$JOURNALPRINT ns3/nozsk.example.db.jnl | \ + awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$missing || ret=1 $JOURNALPRINT ns3/nozsk.example.db.jnl | \ - awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$missing || ret=1 + awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -echo_i "checking that expired RRSIGs from inactive key are not deleted ($n)" +inactive=$(keyfile_to_key_id "$(cat inaczsk-zsk.key)") +ksk=$(keyfile_to_key_id "$(cat inaczsk-ksk.key)") +echo_i "checking that expired RRSIGs from inactive ZSK $inactive are replaced ($n)" ret=0 -inactive=$(keyfile_to_key_id "$(cat inactivezsk.key)") $JOURNALPRINT ns3/inaczsk.example.db.jnl | \ - awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$inactive || ret=1 + awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$inactive || ret=1 +$JOURNALPRINT ns3/inaczsk.example.db.jnl | \ + awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -echo_i "checking that non-replaceable RRSIGs are logged only once (missing private key) ($n)" +echo_i "checking that replaced RRSIGs are not logged (missing ZSK private key) ($n)" ret=0 loglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l` -[ "$loglines" -eq 1 ] || ret=1 +[ "$loglines" -eq 0 ] || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -echo_i "checking that non-replaceable RRSIGs are logged only once (inactive private key) ($n)" +echo_i "checking that replaced RRSIGs are not logged (inactive ZSK private key) ($n)" ret=0 loglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run | wc -l` -[ "$loglines" -eq 1 ] || ret=1 +[ "$loglines" -eq 0 ] || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret`