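#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test driver for the tool in $CDS. Each test case runs one command
# and checks its exit status, stdout and stderr.
#
# conf.sh is expected to provide echo_i, echo_d, cat_d and the $CDS, $DIFF
# and $PERL settings used below; none of them are defined in this file.
#
# NOTE: the "-e" in the shebang only takes effect when the script is
# executed directly, not when it is run as "sh tests.sh". The helpers are
# written to behave the same either way.

. ../conf.sh

status=0
n=0

# Record one failed check.
fail() {
  echo_i "failed"
  status=$((status + 1))
}

# Run "$@" with stdout in out.$n and stderr in err.$n, then print the
# command's exit status. Always called inside a command substitution, so
# rc does not leak into the caller.
runcmd() {
  rc=0
  # "|| rc=$?" keeps an expected non-zero exit from aborting the subshell
  # under errexit before the status has been printed.
  "$@" 1>"out.$n" 2>"err.$n" || rc=$?
  echo "$rc"
}

# testcase EXPECTED_STATUS COMMAND [ARG...]
#
# Reads these variables, set by the caller and cleared afterwards:
#   name - description printed with the test number
#   err  - extended regular expression that stderr must match;
#          when unset or empty, stderr must be empty
#   out  - file that stdout must equal; defaults to the file "empty"
testcase() {
  n=$((n + 1))
  echo_i "$name ($n)"
  expect=$1
  shift
  result=$(runcmd "$@")
  check_stdout
  check_stderr
  if [ "$expect" -ne "$result" ]; then
    echo_d "exit status does not match $expect"
    fail
  fi
  unset name err out
}

# Check err.$n against $err (see testcase). On mismatch, dump the captured
# stderr and count a failure.
check_stderr() {
  # ${err:=} also defines err as empty, so the message below can expand it.
  if [ -n "${err:=}" ]; then
    grep -E -e "$err" "err.$n" >/dev/null && return 0
  else
    [ -s "err.$n" ] || return 0
  fi
  echo_d "stderr did not match '$err'"
  cat_d <"err.$n"
  fail
}

# Check out.$n against the expected-output file (see testcase). On
# mismatch, dump both files and count a failure.
check_stdout() {
  # Use the same file for the comparison and for the diagnostics; with
  # $out unset, 'cat "$out"' would fail instead of showing what was wanted.
  want=${out:-empty}
  # $DIFF is left unquoted on purpose so that it may carry options.
  $DIFF "out.$n" "$want" >/dev/null && return
  echo_d "stdout did not match '$want'"
  (
    echo "wanted"
    cat "$want"
    echo "got"
    cat "out.$n"
  ) | cat_d
  fail
}

Z=cds.test

# --- Command line and input-file handling ---------------------------------

name='usage'
err='Usage'
testcase 1 $CDS

name='need a DS file'
err='DS pathname'
testcase 1 $CDS $Z

name='name of dsset in directory'
err="./dsset-$Z.: file not found"
testcase 1 $CDS -d . $Z

name='load a file'
err='could not find DS records'
testcase 1 $CDS -d empty $Z

name='load DS records'
err='path to file containing child data must be specified'
testcase 1 $CDS -d DS.1 $Z

name='missing DNSKEY'
err='could not find signed DNSKEY RRset'
testcase 1 $CDS -f db.null -d DS.1 $Z

# --- Signature age ---------------------------------------------------------
# Without -s the signatures in sig.null are rejected as too old; the same
# data is accepted once "-s -7200" is given.

name='sigs too old'
err='could not validate child DNSKEY RRset'
testcase 1 $CDS -f sig.null -d DS.1 $Z

name='sigs too old, verbosely'
err='skip RRSIG by key [0-9]+: too old'
testcase 1 $CDS -v1 -f sig.null -d DS.1 $Z

name='old sigs are allowed'
err='found RRSIG by key'
out=DS.1
testcase 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z

name='no CDS/CDNSKEY records'
out=DS.1
testcase 0 $CDS -s -7200 -f sig.null -d DS.1 $Z

name='no child records, verbosely'
err='has neither CDS nor CDNSKEY records'
out=DS.1
testcase 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z

name='unsigned CDS'
err='missing RRSIG CDS records'
testcase 1 $CDS -f brk.unsigned-cds -d DS.1 $Z

# The verbose stderr of this run is saved in xerr for checktime.pl.
name='correct signature inception time'
$CDS -v3 -s -7200 -f sig.cds.1 -d DS.1 $Z 1>xout 2>xerr
testcase 0 $PERL checktime.pl 3600 xerr

# --- In-place update (-i) ----------------------------------------------------

name='in-place reads modification time'
testcase 0 $CDS -a1 -a2 -f sig.cds.1 -i.bak -d DS.inplace $Z

name='in-place output correct modification time'
testcase 0 $PERL checkmtime.pl 3600 DS.inplace

name='in-place backup correct modification time'
testcase 0 $PERL checkmtime.pl 7200 DS.inplace.bak

name='in-place correct output'
testcase 0 $DIFF DS.1 DS.inplace

name='in-place backup unmodified'
testcase 0 $DIFF DS.1 DS.inplace.bak

# --- Damaged DS records and signatures ---------------------------------------
# These are the negative cases that matter most: with one of the two DS
# records damaged the run still succeeds, with both damaged it must fail.
# A damaged ZSK signature over CDS is tolerated, a damaged KSK signature
# is not.

name='one mangled DS'
err='found RRSIG by key'
out=DS.1
testcase 0 $CDS -v1 -a1 -a2 -s -7200 -f sig.cds.1 -d DS.broke1 $Z

name='other mangled DS'
err='found RRSIG by key'
out=DS.1
testcase 0 $CDS -v1 -a1 -a2 -s -7200 -f sig.cds.1 -d DS.broke2 $Z

name='both mangled DS'
err='could not validate child DNSKEY RRset'
testcase 1 $CDS -v1 -a1 -a2 -s -7200 -f sig.cds.1 -d DS.broke12 $Z

name='mangle RRSIG CDS by ZSK'
err='found RRSIG by key'
out=DS.1
testcase 0 $CDS -v1 -a1 -a2 -s -7200 -f brk.rrsig.cds.zsk -d DS.1 $Z

name='mangle RRSIG CDS by KSK'
err='could not validate child CDS RRset'
testcase 1 $CDS -v1 -s -7200 -f brk.rrsig.cds.ksk -d DS.1 $Z

name='mangle CDS 1'
err='could not validate child DNSKEY RRset with new DS records'
testcase 1 $CDS -a1 -a2 -s -7200 -f sig.cds-mangled -d DS.1 $Z

name='inconsistent digests'
err='do not cover each key with the same set of digest types'
testcase 1 $CDS -a1 -a2 -s -7200 -f sig.bad-digests -d DS.1 $Z

name='inconsistent algorithms'
err='missing signature for algorithm'
testcase 1 $CDS -s -7200 -f sig.bad-algos -d DS.1 $Z

# --- Adding, removing and swapping DS records --------------------------------

name='add DS records'
out=DS.both
$CDS -a1 -a2 -s -7200 -f sig.cds.both -d DS.1 $Z >DS.out
# sort to allow for numerical vs lexical order of key tags
testcase 0 sort DS.out

name='update add'
out=UP.add2
testcase 0 $CDS -a1 -a2 -u -s -7200 -f sig.cds.both -d DS.1 $Z

name='remove DS records'
out=DS.2
testcase 0 $CDS -a1 -a2 -s -7200 -f sig.cds.2 -d DS.both $Z

name='update del'
out=UP.del1
testcase 0 $CDS -a1 -a2 -u -s -7200 -f sig.cds.2 -d DS.both $Z

name='swap DS records'
out=DS.2
testcase 0 $CDS -a1 -a2 -s -7200 -f sig.cds.2 -d DS.1 $Z

name='update swap'
out=UP.swap
testcase 0 $CDS -a1 -a2 -u -s -7200 -f sig.cds.2 -d DS.1 $Z

# --- TTL selection -------------------------------------------------------------

name='TTL from -T'
out=DS.ttl2
testcase 0 $CDS -a1 -a2 -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z

name='update TTL from -T'
out=UP.swapttl
testcase 0 $CDS -a1 -a2 -u -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z

name='update TTL from dsset'
out=UP.swapttl
testcase 0 $CDS -a1 -a2 -u -s -7200 -f sig.cds.2 -d DS.ttl1 $Z

name='TTL from -T overrides dsset'
out=DS.ttlong2
testcase 0 $CDS -a1 -a2 -T 7200 -s -7200 -f sig.cds.2 -d DS.ttl1 $Z

name='stable DS record order (changes)'
out=DS.1
testcase 0 $CDS -a1 -a2 -s -7200 -f sig.cds.rev1 -d DS.2 $Z

# --- CDNSKEY handling and digest type selection (-a) ---------------------------

name='CDNSKEY default algorithm'
out=DS.2-2
testcase 0 $CDS -s -7200 -f sig.cdnskey.2 -d DS.1 $Z

name='CDNSKEY SHA1'
out=DS.2-1
testcase 0 $CDS -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z

name='CDNSKEY two algorithms'
out=DS.2
testcase 0 $CDS -a SHA1 -a SHA256 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z

name='CDNSKEY two algorithms, reversed'
out=DS.2
testcase 0 $CDS -a SHA256 -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z

name='CDNSKEY and CDS'
out=DS.2
testcase 0 $CDS -a1 -a2 -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z

name='prefer CDNSKEY'
out=DS.2-2
testcase 0 $CDS -D -s -7200 -f sig.cds1.cdnskey2 -d DS.1 $Z

name='CDS subset default (SHA-256)'
out=DS.2-2
testcase 0 $CDS -s -7200 -f sig.cds.2 -d DS.1 $Z

name='CDS subset replace SHA1 with SHA2'
out=DS.2-2
testcase 0 $CDS -s -7200 -f sig.cds.cdnskey.2.sha1 -d DS.1 $Z

# A CDS set offering only digest types outside the accepted -a set is an
# error, not a silent fallback.
name='CDS subset mismatch'
err='do not match any -a digest types'
testcase 1 $CDS -s -7200 -f sig.cds.2.sha1 -d DS.1 $Z

name='CDS algorithm unavailable, use CDNSKEY'
err='using CDNSKEY instead'
out=DS.2-2
testcase 0 $CDS -v1 -a SHA256 -s -7200 -f sig.cds.cdnskey.2.sha1 -d DS.1 $Z

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1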