1#!/bin/sh -e
2#
3# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
4#
5# This Source Code Form is subject to the terms of the Mozilla Public
6# License, v. 2.0. If a copy of the MPL was not distributed with this
7# file, you can obtain one at https://mozilla.org/MPL/2.0/.
8#
9# See the COPYRIGHT file distributed with this work for additional
10# information regarding copyright ownership.
11
12. ../conf.sh
13
# Sequence number of the current test case; it also names the per-test
# capture files out.N and err.N.
n=0
# Number of failed checks so far; reported at the end of the script and
# turned into its exit code.
status=0
# Record one failed check: log it through echo_i and bump the global
# failure counter.
# Globals: status (read and written)
fail() {
	echo_i "failed"
	status=$((status + 1))
}
20
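# Run a command with stdout captured in out.N and stderr in err.N
# (N is the current value of $n), then print the command's exit status on
# stdout so that the caller can collect it with command substitution.
# Globals:   n (read)
# Arguments: the command and its arguments, passed through as "$@"
# Outputs:   the numeric exit status of the command
# The status is taken inside an if/else so that a failing command cannot
# end the capturing subshell early when errexit (-e, as requested by this
# script's shebang) is active; the caller would otherwise receive an empty
# string instead of a status.
runcmd() {
	if "$@" 1>"out.$n" 2>"err.$n"; then
		echo 0
	else
		echo $?
	fi
}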
25
# Run one test case and check its stdout, stderr and exit status.
# Globals:   n (incremented), name (read, then unset), err and out
#            (read by check_stderr/check_stdout, then unset),
#            expect and result (written)
# Arguments: $1 - expected exit status
#            remaining arguments - the command to run
testcase() {
	n=$((n + 1))
	echo_i "$name ($n)"
	expect=$1
	shift
	result=$(runcmd "$@")
	check_stdout
	check_stderr
	if [ "$expect" -ne "$result" ]; then
		echo_d "exit status does not match $expect"
		fail
	fi
	# Clear the per-test settings so they cannot leak into the next case.
	unset name err out
}
40
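# Check the captured stderr (err.N) of the current test case.
# Globals:   err (read; set to the empty string when unset), n (read)
# When $err is non-empty it is an extended regular expression that must
# match somewhere in err.N; when it is empty, err.N must be empty too.
# On mismatch the expectation and the captured stderr are logged through
# echo_d/cat_d and the failure is recorded with fail.
# Returns:   0 when stderr is as expected, otherwise whatever fail returns
check_stderr() {
	if [ -n "${err:=}" ]; then
		# grep -E replaces the obsolescent egrep; "--" keeps a pattern that
		# starts with "-" from being parsed as an option.
		grep -E -- "$err" "err.$n" >/dev/null && return 0
	else
		[ -s "err.$n" ] || return 0
	fi
	echo_d "stderr did not match '$err'"
	cat_d <"err.$n"
	fail
}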
51
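# Check the captured stdout (out.N) of the current test case.
# Globals:   out (read), DIFF (read), n (read)
# out.N is compared with the file named by $out, or with the file "empty"
# when $out is unset or empty. On mismatch both the wanted and the actual
# content are logged through cat_d and the failure is recorded with fail.
# $DIFF is not defined in this file (presumably it comes from ../conf.sh)
# and is left unquoted as in the original.
check_stdout() {
	$DIFF "out.$n" "${out:-empty}" >/dev/null && return
	echo_d "stdout did not match '${out:-empty}'"
	(
		echo "wanted"
		# Same fallback as the comparison above: a bare "$out" is an empty
		# file name when no output is expected; cat then fails and, under
		# errexit, the subshell stops before the actual output is printed.
		cat "${out:-empty}"
		echo "got"
		cat "out.$n"
	) | cat_d
	fail
}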
62
# Zone under test; passed as the final argument of every $CDS invocation.
# $CDS is not defined in this file (presumably it comes from ../conf.sh)
# and is left unquoted as in the original.
Z=cds.test

# Command-line and input errors: each case must exit 1 and print the
# expected diagnostic on stderr. No "out" is set, so stdout is compared
# with the file "empty".

name='usage'
err='Usage'
testcase 1 $CDS

name='need a DS file'
err='DS pathname'
testcase 1 $CDS "$Z"

name='name of dsset in directory'
err="./dsset-$Z.: file not found"
testcase 1 $CDS -d . "$Z"

name='load a file'
err='could not find DS records'
testcase 1 $CDS -d empty "$Z"

name='load DS records'
err='path to file containing child data must be specified'
testcase 1 $CDS -d DS.1 "$Z"

name='missing DNSKEY'
err='could not find signed DNSKEY RRset'
testcase 1 $CDS -f db.null -d DS.1 "$Z"

# Signature age: without -s the RRSIGs in sig.null are rejected as too
# old; with -s -7200 the same input is accepted. NOTE(review): this age
# check is presumably the tool's guard against replaying old, still
# validly signed child records - confirm against the dnssec-cds docs.

name='sigs too old'
err='could not validate child DNSKEY RRset'
testcase 1 $CDS -f sig.null -d DS.1 "$Z"

name='sigs too old, verbosely'
err='skip RRSIG by key [0-9]+: too old'
testcase 1 $CDS -v1 -f sig.null -d DS.1 "$Z"

name='old sigs are allowed'
err='found RRSIG by key'
out=DS.1
testcase 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 "$Z"

# A child without CDS/CDNSKEY records leaves the DS set unchanged:
# the expected stdout is the DS.1 file that was given as input.

name='no CDS/CDNSKEY records'
out=DS.1
testcase 0 $CDS -s -7200 -f sig.null -d DS.1 "$Z"

name='no child records, verbosely'
err='has neither CDS nor CDNSKEY records'
out=DS.1
testcase 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 "$Z"

# CDS records that carry no signature must be refused.

name='unsigned CDS'
err='missing RRSIG CDS records'
testcase 1 $CDS -f brk.unsigned-cds -d DS.1 "$Z"
114
# Inception time and in-place update checks.
# $CDS, $PERL and $DIFF are not defined in this file (presumably they
# come from ../conf.sh) and are left unquoted as in the original.

name='correct signature inception time'
# This $CDS call is not run through testcase: its stderr is saved in xerr
# so that checktime.pl can inspect it. NOTE(review): its exit status is
# enforced only if errexit is really active, and the shebang's -e is lost
# when the script is started as "sh tests.sh".
$CDS -v3 -s -7200 -f sig.cds.1 -d DS.1 "$Z" 1>xout 2>xerr
testcase 0 $PERL checktime.pl 3600 xerr

# The in-place cases run in this order on purpose: the first one rewrites
# DS.inplace (backup suffix .bak) and the following ones inspect the two
# resulting files. checkmtime.pl presumably verifies the file modification
# time against the given offset in seconds - confirm in the helper.

name='in-place reads modification time'
testcase 0 $CDS -a1 -a2 -f sig.cds.1 -i.bak -d DS.inplace "$Z"

name='in-place output correct modification time'
testcase 0 $PERL checkmtime.pl 3600 DS.inplace

name='in-place backup correct modification time'
testcase 0 $PERL checkmtime.pl 7200 DS.inplace.bak

name='in-place correct output'
testcase 0 $DIFF DS.1 DS.inplace

name='in-place backup unmodified'
testcase 0 $DIFF DS.1 DS.inplace.bak
133
# Tampered input. With one of the two DS records mangled the other one
# still validates the child DNSKEY RRset, so the run succeeds; with both
# mangled validation must fail.

name='one mangled DS'
err='found RRSIG by key'
out=DS.1
testcase 0 $CDS -v1 -a1 -a2 -s -7200 -f sig.cds.1 -d DS.broke1 "$Z"

name='other mangled DS'
err='found RRSIG by key'
out=DS.1
testcase 0 $CDS -v1 -a1 -a2 -s -7200 -f sig.cds.1 -d DS.broke2 "$Z"

name='both mangled DS'
err='could not validate child DNSKEY RRset'
testcase 1 $CDS -v1 -a1 -a2 -s -7200 -f sig.cds.1 -d DS.broke12 "$Z"

# A broken RRSIG CDS made by the ZSK is tolerated, a broken one made by
# the KSK is not.

name='mangle RRSIG CDS by ZSK'
err='found RRSIG by key'
out=DS.1
testcase 0 $CDS -v1 -a1 -a2 -s -7200 -f brk.rrsig.cds.zsk -d DS.1 "$Z"

name='mangle RRSIG CDS by KSK'
err='could not validate child CDS RRset'
testcase 1 $CDS -v1 -s -7200 -f brk.rrsig.cds.ksk -d DS.1 "$Z"

# New DS records that would not validate the child's DNSKEY RRset, or
# that cover the keys inconsistently, must be rejected.

name='mangle CDS 1'
err='could not validate child DNSKEY RRset with new DS records'
testcase 1 $CDS -a1 -a2 -s -7200 -f sig.cds-mangled -d DS.1 "$Z"

name='inconsistent digests'
err='do not cover each key with the same set of digest types'
testcase 1 $CDS -a1 -a2 -s -7200 -f sig.bad-digests -d DS.1 "$Z"

name='inconsistent algorithms'
err='missing signature for algorithm'
testcase 1 $CDS -s -7200 -f sig.bad-algos -d DS.1 "$Z"
168
# Adding, removing and swapping DS records, plus TTL selection. The cases
# with -u expect an UP.* file as output instead of a DS set.

name='add DS records'
out=DS.both
# NOTE(review): this $CDS call is outside testcase, so its stderr and exit
# status are not checked; only its sorted stdout is compared with DS.both.
$CDS -a1 -a2 -s -7200 -f sig.cds.both -d DS.1 "$Z" >DS.out
# sort to allow for numerical vs lexical order of key tags
testcase 0 sort DS.out

name='update add'
out=UP.add2
testcase 0 $CDS -a1 -a2 -u -s -7200 -f sig.cds.both -d DS.1 "$Z"

name='remove DS records'
out=DS.2
testcase 0 $CDS -a1 -a2 -s -7200 -f sig.cds.2 -d DS.both "$Z"

name='update del'
out=UP.del1
testcase 0 $CDS -a1 -a2 -u -s -7200 -f sig.cds.2 -d DS.both "$Z"

name='swap DS records'
out=DS.2
testcase 0 $CDS -a1 -a2 -s -7200 -f sig.cds.2 -d DS.1 "$Z"

name='update swap'
out=UP.swap
testcase 0 $CDS -a1 -a2 -u -s -7200 -f sig.cds.2 -d DS.1 "$Z"

# TTL selection: from -T, from the dsset file, and -T taking precedence.

name='TTL from -T'
out=DS.ttl2
testcase 0 $CDS -a1 -a2 -T 3600 -s -7200 -f sig.cds.2 -d DS.1 "$Z"

name='update TTL from -T'
out=UP.swapttl
testcase 0 $CDS -a1 -a2 -u -T 3600 -s -7200 -f sig.cds.2 -d DS.1 "$Z"

name='update TTL from dsset'
out=UP.swapttl
testcase 0 $CDS -a1 -a2 -u -s -7200 -f sig.cds.2 -d DS.ttl1 "$Z"

name='TTL from -T overrides dsset'
out=DS.ttlong2
testcase 0 $CDS -a1 -a2 -T 7200 -s -7200 -f sig.cds.2 -d DS.ttl1 "$Z"

name='stable DS record order (changes)'
out=DS.1
testcase 0 $CDS -a1 -a2 -s -7200 -f sig.cds.rev1 -d DS.2 "$Z"
214
# DS generation from CDNSKEY records and digest-type selection with -a.
# Going by the expected files, DS.2-1 holds the SHA1 result, DS.2-2 the
# default (SHA-256) result, and DS.2 both.

name='CDNSKEY default algorithm'
out=DS.2-2
testcase 0 $CDS -s -7200 -f sig.cdnskey.2 -d DS.1 "$Z"

name='CDNSKEY SHA1'
out=DS.2-1
testcase 0 $CDS -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 "$Z"

name='CDNSKEY two algorithms'
out=DS.2
testcase 0 $CDS -a SHA1 -a SHA256 -s -7200 -f sig.cdnskey.2 -d DS.1 "$Z"

name='CDNSKEY two algorithms, reversed'
out=DS.2
testcase 0 $CDS -a SHA256 -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 "$Z"

name='CDNSKEY and CDS'
out=DS.2
testcase 0 $CDS -a1 -a2 -s -7200 -f sig.cds.cdnskey.2 -d DS.1 "$Z"

name='prefer CDNSKEY'
out=DS.2-2
testcase 0 $CDS -D -s -7200 -f sig.cds1.cdnskey2 -d DS.1 "$Z"

# CDS subsets: only the acceptable digest types are kept. A child that
# offers nothing but SHA1 CDS records is refused with the default
# settings, unless a CDNSKEY is available to derive the DS from.

name='CDS subset default (SHA-256)'
out=DS.2-2
testcase 0 $CDS -s -7200 -f sig.cds.2 -d DS.1 "$Z"

name='CDS subset replace SHA1 with SHA2'
out=DS.2-2
testcase 0 $CDS -s -7200 -f sig.cds.cdnskey.2.sha1 -d DS.1 "$Z"

name='CDS subset mismatch'
err='do not match any -a digest types'
testcase 1 $CDS -s -7200 -f sig.cds.2.sha1 -d DS.1 "$Z"

name='CDS algorithm unavailable, use CDNSKEY'
err='using CDNSKEY instead'
out=DS.2-2
testcase 0 $CDS -v1 -a SHA256 -s -7200 -f sig.cds.cdnskey.2.sha1 -d DS.1 "$Z"
255
# Report the number of failed checks and exit non-zero if there were any.
echo_i "exit status: $status"
if [ "$status" -ne 0 ]; then
	exit 1
fi
258