1#!/bin/sh
2#
3# Copyright (C) 2009, 2011-2014  Internet Systems Consortium, Inc. ("ISC")
4#
5# Permission to use, copy, modify, and/or distribute this software for any
6# purpose with or without fee is hereby granted, provided that the above
7# copyright notice and this permission notice appear in all copies.
8#
9# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15# PERFORMANCE OF THIS SOFTWARE.
16
17# Id: tests.sh,v 1.9 2011/07/08 01:43:26 each Exp
18
# System test for DNSSEC key timing metadata: sign a child and parent zone
# with smart signing and verify which keys signed, were published, were
# delegated or were revoked, then exercise dnssec-settime / dnssec-keygen
# metadata handling.  Runs with plain POSIX sh (backticks, expr, [ ]) like
# the rest of the system tests.
#
# Shared test configuration; provides $SETTIME, $SIGNER, $KEYGEN and
# $RANDFILE used below (the check messages name dnssec-settime and
# dnssec-keygen; $SIGNER is presumably dnssec-signzone).
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

# Parent and child zone names with their unsigned zone files.
pzone=parent.nil pfile=parent.db
czone=child.parent.nil cfile=child.db
# status accumulates one per failed check and becomes the exit code;
# n numbers the checks in the "I:" progress messages.
status=0
n=0

# Each *.key file holds the base name of a generated key file.  The rolling
# (standby KSK) key is made active 15 seconds from now: the first signing
# run below must not use it, the re-signing run after the 20-second sleep
# is expected to.
echo "I:setting key timers"
$SETTIME -A now+15s `cat rolling.key` > /dev/null

# Reduce each key file base name (K<czone>.+005+<tag>, algorithm number 005)
# to its key tag with leading zeros stripped, so it can be matched against
# the tag column of the sigs/keys files built below.  $czone is spliced into
# the sed pattern unquoted; its dots act as regex wildcards, which is
# harmless for this fixed value.
inact=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < inact.key`
ksk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < ksk.key`
pending=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < pending.key`
postrev=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < postrev.key`
prerev=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < prerev.key`
rolling=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < rolling.key`
standby=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < standby.key`
zsk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < zsk.key`

# Test-only random-data file consumed by $KEYGEN -r further down; not a
# source of entropy suitable for real keys.
../../../tools/genrandom 400 $RANDFILE

# Smart signing (-S) picks keys by their timing metadata; -g presumably
# generates the DS records for the child in the parent.  Errors are
# deliberately silenced; the checks below examine the output files instead.
echo "I:signing zones"
$SIGNER -Sg -o $czone $cfile > /dev/null 2>&1
$SIGNER -Sg -o $pzone $pfile > /dev/null 2>&1

# Build "sigs": one "<covered type> <key tag>" line per RRSIG in the signed
# child zone whose signer field matches $czone.  Assumes the signed file
# wraps each RRSIG so that the key tag is field 3 and the signer name field 4
# of the following line (NOTE(review): layout assumption about $SIGNER's
# output — verify if the file format ever changes).
awk '$2 ~ /RRSIG/ {
        type = $3;
        getline;
	id = $3;
	if ($4 ~ /'${czone}'/) {
		print type, id
	}
}' < ${cfile}.signed > sigs

# Build "keys": one "<flags> <key tag>" line per DNSKEY in the signed child
# zone, taking the tag from the trailing "key id = N" comment.
awk '$2 ~ /DNSKEY/ {
	flags = $3;
	while ($0 !~ /key id =/)
		getline;
	id = $NF;
	print flags, id;
}' < ${cfile}.signed > keys

# Check pattern used throughout: ret=0; "grep ... || ret=1" requires a match,
# "grep ... && ret=1" forbids one; then n advances and ret is added to status.
# Patterns end in '$' so a tag only matches as the whole last column.
echo "I:checking that KSK signed DNSKEY only ($n)"
ret=0
grep "DNSKEY $ksk"'$' sigs > /dev/null || ret=1
grep "SOA $ksk"'$' sigs > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that ZSK signed ($n)"
ret=0
grep "SOA $zsk"'$' sigs > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that standby ZSK did not sign ($n)"
ret=0
grep " $standby"'$' sigs > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that inactive key did not sign ($n)"
ret=0
grep " $inact"'$' sigs > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that pending key was not published ($n)"
ret=0
grep " $pending"'$' keys > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# The rolling key must be published (in keys) and have a DS in the signed
# parent zone, but must not have produced any signature yet.
echo "I:checking that standby KSK did not sign but is delegated ($n)"
ret=0
grep " $rolling"'$' sigs > /dev/null && ret=1
grep " $rolling"'$' keys > /dev/null || ret=1
egrep "DS[ 	]*$rolling[ 	]" ${pfile}.signed > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# prerev/postrev are the tags of the same key before and after revocation
# (presumably setting the REVOKE bit changes the tag); only the revoked form
# may be published.
echo "I:checking that key was revoked ($n)"
ret=0
grep " $prerev"'$' keys > /dev/null && ret=1
grep " $postrev"'$' keys > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that revoked key self-signed ($n)"
ret=0
grep "DNSKEY $postrev"'$' sigs > /dev/null || ret=1
grep "SOA $postrev"'$' sigs > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Let the rolling key's activation time (now+15s above) pass.
echo "I:waiting 20 seconds for key changes to occur"
sleep 20

# Re-sign the already signed child zone into ${cfile}.new.
echo "I:re-signing zone"
$SIGNER  -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null 2>&1

# NOTE(review): "sigs" was built from ${cfile}.signed before the re-signing
# and is not rebuilt from ${cfile}.new, so this grep repeats the earlier
# "standby KSK did not sign" assertion rather than verifying that the key
# is now active.  Verifying activation would require regenerating sigs from
# ${cfile}.new and requiring a match — TODO confirm intent before changing.
echo "I:checking that standby KSK is now active ($n)"
ret=0
grep "DNSKEY $rolling"'$' sigs > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# An old-style key file carries no metadata: -pall must fail until -f
# upgrades the file, after which -pall must succeed.
echo "I:checking update of an old-style key ($n)"
ret=0
# printing metadata should not work with an old-style key
$SETTIME -pall `cat oldstyle.key` > /dev/null 2>&1 && ret=1
$SETTIME -f `cat oldstyle.key` > /dev/null 2>&1 || ret=1
# but now it should
$SETTIME -pall `cat oldstyle.key` > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# The private key file is made world-readable on purpose (test fixture
# only) so that the first settime run has permissions to tighten and must
# warn; the second run, with the file already fixed, must not warn.
echo "I:checking warning about permissions change on key with dnssec-settime ($n)"
ret=0
# settime should print a warning about changing the permissions
chmod 644 `cat oldstyle.key`.private
$SETTIME -P none `cat oldstyle.key` > tmp.out 2>&1 || ret=1
grep "warning" tmp.out > /dev/null 2>&1 || ret=1
$SETTIME -P none `cat oldstyle.key` > tmp.out 2>&1 || ret=1
grep "warning" tmp.out > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Delete date (-D now) earlier than inactive date (-I now+15s) is accepted
# but must produce a warning, both from settime and from keygen.
echo "I:checking warning about delete date < inactive date with dnssec-settime ($n)"
ret=0
# settime should print a warning about delete < inactive
$SETTIME -I now+15s -D now `cat oldstyle.key` > tmp.out 2>&1 || ret=1
grep "warning" tmp.out > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking warning about delete date < inactive date with dnssec-keygen ($n)"
ret=0
# keygen should print a warning about delete < inactive
$KEYGEN -q -r $RANDFILE -I now+15s -D now $czone > tmp.out 2>&1 || ret=1
grep "warning" tmp.out > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Publication date derived from an activation date given without -P:
#   -A +1w alone        -> publish == activate
#   -A +1w -i 1d        -> publish precedes activate (prepublication interval)
#   -A +1w -P never     -> publish stays UNSET
# -u presumably prints the dates as epoch seconds, so -eq/-lt compare
# numerically; an unexpected non-numeric value makes [ fail and counts as a
# failure via || ret=1.
echo "I:checking correct behavior setting activation without publication date ($n)"
ret=0
key=`$KEYGEN -q -r $RANDFILE -A +1w $czone`
pub=`$SETTIME -upP $key | awk '{print $2}'`
act=`$SETTIME -upA $key | awk '{print $2}'`
[ $pub -eq $act ] || ret=1
key=`$KEYGEN -q -r $RANDFILE -A +1w -i 1d $czone`
pub=`$SETTIME -upP $key | awk '{print $2}'`
act=`$SETTIME -upA $key | awk '{print $2}'`
[ $pub -lt $act ] || ret=1
key=`$KEYGEN -q -r $RANDFILE -A +1w -P never $czone`
pub=`$SETTIME -upP $key | awk '{print $2}'`
[ $pub = "UNSET" ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Non-zero exit when any check failed (status is the count of failures).
echo "I:exit status: $status"
exit $status
196