5 October 2022: George
- Use DEBUG_TDIR from environment in mini_tdir.sh for debugging.
- Fix string comparison in mini_tdir.sh.
+ - Make ede.tdir test more predictable by using static data.
4 October 2022: George
- Merge #764: Leniency for target discovery when under load (for
+++ /dev/null
-rm -f K* piece1 base expired notyetincepted trust-anchors dnssec-failures.test.signed dnskey-failures.test.signed nsec-failures.test.signed rrsig-failures.test.signed
--- /dev/null
+dnskey-failures.test. 3600 IN SOA ns.dnskey-failures.test. hostmaster.dnskey-failures.test. 1 14400 1800 2419200 300
+dnskey-failures.test. 3600 IN RRSIG SOA 13 2 3600 20010201000000 20001230000000 45928 dnskey-failures.test. NKixvGKa0WHSI8oE5THI1hjm5nExVkryUmW15VoNZ3pwqUYexGWLIlfuYsTaDE5GVEtPpSKbA+PlYDk19EsLNQ==
+dnskey-failures.test. 3600 IN A 192.0.2.1
+dnskey-failures.test. 3600 IN RRSIG A 13 2 3600 20010201000000 20001230000000 45928 dnskey-failures.test. FCEvbVL3TkzO7jWeOz7E/A3Q64QkpegVazS4OL+ybxN2o8OzXdCJN3QbCGdFP26/Rbj089ThDCZ0+OormAk1dw==
+dnskey-failures.test. 3600 IN RRSIG DNSKEY 13 2 3600 20010201000000 20001230000000 45928 dnskey-failures.test. pEjWVsJbFiQBvwNGV3v0nVirMJDOYKXqC4IX9dFuRTnoWSb95anvB08pgaZ1ie+thk6YC1fX2fUTRKRFr3vHnA==
+dnskey-failures.test. 300 IN NSEC dnskey-failures.test. A SOA RRSIG NSEC DNSKEY
+dnskey-failures.test. 300 IN RRSIG NSEC 13 2 300 20010201000000 20001230000000 45928 dnskey-failures.test. /vAazBDetA5+np+fE7V6f9W+faEQT3ETGueNNhFPjUsPF1dU9Gglu4PZ15fWOxsk0DPWHNmTMF70ZCGQJ2k+fw==
--- /dev/null
+dnssec-failures.test. 3600 IN SOA ns.dnssec-failures.test. hostmaster.dnssec-failures.test. 1 14400 1800 2419200 300
+dnssec-failures.test. 3600 IN RRSIG SOA 13 2 3600 20010201000000 20001230000000 53876 dnssec-failures.test. K37BIR/jLR4tN1JtTx3MwzgozslvnFtwUquCSfiBykCcKIv6wErSI9Gnw/tjH0tXrLI1eoLa5oWkgtxy0KKybg==
+dnssec-failures.test. 3600 IN NS ns.dnssec-failures.test.
+dnssec-failures.test. 3600 IN RRSIG NS 13 2 3600 20010201000000 20001230000000 53876 dnssec-failures.test. JP6mYQORwnwwv+2q9UxpeeaVs5/171y3lyc1FKAY3FHmFqjd4Uo0byW8jgk/BrJyVkaDeZbjvuZq+BED0codpw==
+dnssec-failures.test. 3600 IN DNSKEY 257 3 13 mx6xe39HZrYCpyC+9YmquHIf1WdWYaDqOfcpXg2Gtv5VJGS/WSO14txlUoKjYCldyRwcg9wT6JAwikpkzWS6UQ== ;{id = 53876 (ksk), size = 256b}
+dnssec-failures.test. 3600 IN RRSIG DNSKEY 13 2 3600 20010201000000 20001230000000 53876 dnssec-failures.test. F760TrogHIBkenX7nGr6LEvocTcGAZamfAaiftIkwprBp21/LZ+qotGsFu9YWsxlGqB3KAINXYATjS6AEJfGEQ==
+dnssec-failures.test. 300 IN NSEC expired.dnssec-failures.test. NS SOA RRSIG NSEC DNSKEY
+dnssec-failures.test. 300 IN RRSIG NSEC 13 2 300 20010201000000 20001230000000 53876 dnssec-failures.test. Zk+RW0mbLSzwvSYuNQJhNdd4XmtQv47CiLtHbqOyS8/xt5Pt87T0v1UxnCkZAlA+VTEWbJkasq06ER1wMuTetA==
+expired.dnssec-failures.test. 300 IN RRSIG NSEC 13 3 300 20010201000000 20001230000000 53876 dnssec-failures.test. UAhzOVumQZ2PVspwJS5NyOjZypIaQXfHMiXGEUYaZ161IfQdB3coBx2vF8MHdqbePOl6Z4oa51ltITMlBL+Stw==
+missingrrsigs.dnssec-failures.test. 3600 IN TXT "Signatures missing"
+missingrrsigs.dnssec-failures.test. 300 IN NSEC notyetincepted.dnssec-failures.test. TXT RRSIG NSEC
+missingrrsigs.dnssec-failures.test. 300 IN RRSIG NSEC 13 3 300 20010201000000 20001230000000 53876 dnssec-failures.test. 4phKld6eMt4cxA4w6I1i29uAbdfbwFrkpRGLBWwerUgDbOdDwUm1de6t4QhBys7DtoZb3wIS+DLJYjBNbz7Sig==
+notyetincepted.dnssec-failures.test. 300 IN RRSIG NSEC 13 3 300 20010201000000 20001230000000 53876 dnssec-failures.test. ix6Gg9uUZ0A56IQXbDJuBQ3vIm6QipuvzQTKd2wF6kZuEW/53wuy4ROBDIQ4IgnQD17vG8tJNeDOCfj0hh8+dQ==
+ns.dnssec-failures.test. 3600 IN A 192.0.2.1
+ns.dnssec-failures.test. 3600 IN RRSIG A 13 3 3600 20010201000000 20001230000000 53876 dnssec-failures.test. PbcykgJEHG218vCkj9pD8W5JVqyCD9VRNOy3SHqCTvWGVAApasdZ7n5wzNVpHdKrqlTpyLwf6z6vv4NMYbEQdw==
+ns.dnssec-failures.test. 300 IN NSEC sigsinvalid.dnssec-failures.test. A RRSIG NSEC
+ns.dnssec-failures.test. 300 IN RRSIG NSEC 13 3 300 20010201000000 20001230000000 53876 dnssec-failures.test. SEO+C116gcmI0sY4lnIM4DQrUxqyaGIIqlvhxyGrzF9jJopRZB8gflQcYPy5qhIwGZJoEMB+SO4er4LCaS8NwA==
+sigsinvalid.dnssec-failures.test. 3600 IN TXT "Signatures INVALID"
+sigsinvalid.dnssec-failures.test. 3600 IN RRSIG TXT 13 3 3600 20010201000000 20001230000000 53876 dnssec-failures.test. 3XFjjPt+UyY4ZIj8PAINTtOTh7sk4OIAO5akFDQhqgB/Wv6f7dWdqvl8Y2RIqdh0WQz+nGPRMktS8exA3FKW4Q==
+sigsinvalid.dnssec-failures.test. 300 IN NSEC dnssec-failures.test. TXT RRSIG NSEC
+sigsinvalid.dnssec-failures.test. 300 IN RRSIG NSEC 13 3 300 20010201000000 20001230000000 53876 dnssec-failures.test. gmft6HYmqZalLwmdnuWBqJod3JD5fRoGqiwYXVFxySm2bHPvz8J9xSe7RdTSONXPUc+7mE8IHYff/gGW7gctqw==
+expired.dnssec-failures.test. 3600 IN TXT "Expired"
+expired.dnssec-failures.test. 3600 IN RRSIG TXT 13 3 3600 20001230000000 20001201000000 53876 dnssec-failures.test. 8zosYGmmGGcGcBuWaf3oL3TE/hpKDrddtm7ZQGndjmqkZ8CVg6RwFb+8YLqcG5du3Si0rmTuZId+qBOV/pnViA==
+notyetincepted.dnssec-failures.test. 3600 IN TXT "Not yet incepted"
+notyetincepted.dnssec-failures.test. 3600 IN RRSIG TXT 13 3 3600 20010201000000 20010103000000 53876 dnssec-failures.test. lmk0+oEdnnKa1oujIsMeimuElrKvrUSlBknsfSNqOo07VxJxT2R4qkKc95oiEmeSWHcVTOrXxEhtl4kAAactPg==
#!/usr/bin/env bash
-# create oudated zones
-CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnssec-failures.test`
-echo $CSK
+# This script was used to generate the broken signed zones used for testing.
-echo ". IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" | \
- cat $CSK.ds - > bogus/trust-anchors
+# Override the current date; it is used in Unbound's configuration also.
+NOW=20010101
# differentiate for MacOS with "gdate"
DATE=date
which gdate > /dev/null 2>&1 && DATE=gdate
-ONEMONTHAGO=`$DATE -d 'now - 1 month' +%Y%m%d`
-YESTERDAY=`$DATE -d 'now - 2 days' +%Y%m%d`
-TOMORROW=`$DATE -d 'now + 2 days' +%Y%m%d`
+ONEMONTHAGO=`$DATE -d "$NOW - 1 month" +%Y%m%d`
+ONEMONTH=`$DATE -d "$NOW + 1 month" +%Y%m%d`
+YESTERDAY=`$DATE -d "$NOW - 2 days" +%Y%m%d`
+TOMORROW=`$DATE -d "$NOW + 2 days" +%Y%m%d`
+
+# Root trust anchor
+echo ". IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" > bogus/trust-anchors
+
+# create oudated zones
+CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnssec-failures.test`
+echo $CSK
+cat $CSK.ds >> bogus/trust-anchors
-ldns-signzone -i $YESTERDAY -f - bogus/dnssec-failures.test $CSK | \
+ldns-signzone -i $YESTERDAY -e $ONEMONTH -f - bogus/dnssec-failures.test $CSK | \
grep -v '^missingrrsigs\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
sed 's/Signatures invalid/Signatures INVALID/g' | \
grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' | \
ldns-signzone -i $ONEMONTHAGO -e $YESTERDAY -f - bogus/dnssec-failures.test $CSK | \
grep -v '[ ]NSEC[ ]' | \
grep '^expired\.dnssec-failures\.test\..*IN.*TXT' > expired
-ldns-signzone -i $TOMORROW -f - bogus/dnssec-failures.test $CSK | \
+ldns-signzone -i $TOMORROW -e $ONEMONTH -f - bogus/dnssec-failures.test $CSK | \
grep -v '[ ]NSEC[ ]' | \
grep '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' > notyetincepted
# cleanup old zone keys
rm -f $CSK.*
+
# create zone with DNSKEY missing
CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnskey-failures.test`
echo $CSK
cat $CSK.ds >> bogus/trust-anchors
-ldns-signzone -f tmp.signed bogus/dnskey-failures.test $CSK
+ldns-signzone -i $YESTERDAY -e $ONEMONTH -f tmp.signed bogus/dnskey-failures.test $CSK
grep -v ' DNSKEY ' tmp.signed > bogus/dnskey-failures.test.signed
-
# cleanup old zone keys
rm -f $CSK.*
+
# create zone with NSEC missing
CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom nsec-failures.test`
echo $CSK
cat $CSK.ds >> bogus/trust-anchors
-ldns-signzone -f tmp.signed bogus/nsec-failures.test $CSK
+ldns-signzone -i $YESTERDAY -e $ONEMONTH -f tmp.signed bogus/nsec-failures.test $CSK
grep -v ' NSEC ' tmp.signed > bogus/nsec-failures.test.signed
-
# cleanup old zone keys
rm -f $CSK.*
+
# create zone with RRSIGs missing
CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom rrsig-failures.test`
echo $CSK
cat $CSK.ds >> bogus/trust-anchors
-ldns-signzone -f tmp.signed bogus/rrsig-failures.test $CSK
+ldns-signzone -i $YESTERDAY -e $ONEMONTH -f tmp.signed bogus/rrsig-failures.test $CSK
grep -v ' RRSIG ' tmp.signed > bogus/rrsig-failures.test.signed
# cleanup
--- /dev/null
+nsec-failures.test. 3600 IN SOA ns.nsec-failures.test. hostmaster.nsec-failures.test. 1 14400 1800 2419200 300
+nsec-failures.test. 3600 IN RRSIG SOA 13 2 3600 20010201000000 20001230000000 12342 nsec-failures.test. ZdnRF2uI0IDJsHTXsd4TclX9gUEkxjp19LykHuI3DaCKe3bY8uTETta8i73hlKWJWeRjmgQojIsi9tBlivOwjQ==
+nsec-failures.test. 3600 IN A 192.0.2.1
+nsec-failures.test. 3600 IN RRSIG A 13 2 3600 20010201000000 20001230000000 12342 nsec-failures.test. /JccCtWkuQgSF81gv6DPsxaicmlJoGAhVpCpR4JGgVz3tZMhIp+iXUGeI+CkBofw9G/MK66Hk937JRmMh9UTvQ==
+nsec-failures.test. 3600 IN DNSKEY 257 3 13 41tJnzHY0o3WKid0ZsIo6S5SJdC1JiW0H/KizsAD2phHdi1AIDiBclL+nG2lKvPjMoX2hcMfd8h9DfU99HR3kg== ;{id = 12342 (ksk), size = 256b}
+nsec-failures.test. 3600 IN RRSIG DNSKEY 13 2 3600 20010201000000 20001230000000 12342 nsec-failures.test. Y23xTzxdqQBjFsWLlqCRgPKT7raPcP0lAy2tR8trW5+vUAhBePXdVixp4AjoxEqXsLLalAtnJnc4QgH7+HO6PA==
+nsec-failures.test. 300 IN RRSIG NSEC 13 2 300 20010201000000 20001230000000 12342 nsec-failures.test. KfpncqGIzIPNB2ExkH22/z0jAPmq8jTTjDkLte29iKqR9t3bSZlcS0MQ2QB7Z6tgks8fo7Zpc9+BvaDq7Y6ONg==
--- /dev/null
+rrsig-failures.test. 3600 IN SOA ns.rrsig-failures.test. hostmaster.rrsig-failures.test. 1 14400 1800 2419200 300
+rrsig-failures.test. 3600 IN A 192.0.2.1
+rrsig-failures.test. 3600 IN DNSKEY 257 3 13 rIMJ4/qnOb91GuxKzAYiCdPNdEtUhyt+mi1Jz+NPP0rJQdGOhXr37LpctEiKK4isabCXcwYlVtFdDPopa4RufA== ;{id = 13838 (ksk), size = 256b}
+rrsig-failures.test. 300 IN NSEC rrsig-failures.test. A SOA RRSIG NSEC DNSKEY
--- /dev/null
+. IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
+dnssec-failures.test. IN DS 53876 13 2 e0207223d847e0d8f3bd2afcf887f727178777a94563b94e1d0be8ca2f070d9a
+dnskey-failures.test. IN DS 45928 13 2 9295d5c0d9296599809ce968f994a974d4da7752266ee124ead4ce980c006c20
+nsec-failures.test. IN DS 12342 13 2 b0a994fe4ff12a706b2a47a794601b254a8d28e040832ad6e39e96dbf7736ca2
+rrsig-failures.test. IN DS 13838 13 2 b083d59d2e7ac370e1103bc5ada2a921e4e65745ea8550350b6fcb57eba9f917
val-log-level: 2
trust-anchor-file: "bogus/trust-anchors"
+ val-override-date: "20010101020202"
module-config: "respip validator iterator"
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
+PRE="../.."
. ../common.sh
+
get_random_port 2
UNBOUND_PORT=$RND_PORT
UNBOUND_PORT2=$(($RND_PORT + 1))
sed -e 's/@PORT2\@/'$UNBOUND_PORT2'/' < temp.conf > ub.conf
sed -e 's/@PORT2\@/'$UNBOUND_PORT2'/' < ede-auth.conf > ub2.conf
-# create broken dnssec zone
-bogus/make-broken-zone.sh
-
# start unbound in the background
-PRE="../.."
$PRE/unbound -d -c ub.conf > unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
UNBOUND_PID2=$!
echo "UNBOUND_PID2=$UNBOUND_PID2" >> .tpkg.var.test
-
cat .tpkg.var.test
wait_unbound_up unbound.log
wait_unbound_up unbound2.log
-
projects / thirdparty / unbound.git / commitdiff
