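#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Smart-signing checks for dnssec-signzone -S, dnssec-settime and
# dnssec-keygen.
#
# The *.key files in this directory (inact.key, ksk.key, pending.key,
# postrev.key, prerev.key, rolling.key, standby.key, zsk.key,
# oldstyle.key) each hold the name of a previously generated key.  The
# numbered checks verify that the signer honours the publication,
# activation, revocation and inactivation timers on those keys, and
# that the key tools warn about inconsistent timers and about changed
# private-key file permissions.
#
# Provided by conf.sh: SIGNER, SETTIME, KEYGEN, RANDFILE, echo_i,
# keyfile_to_key_id.
# Files written: sigs, keys, sigs.new, settime*.test$n, tmp.out.
# Exit status: 0 if every check passed, 1 otherwise.

SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

pzone=parent.nil pfile=parent.db
czone=child.parent.nil cfile=child.db
status=0
n=1

# Print "TYPE KEYID" for each RRSIG in signed zone file $1 whose signer
# name matches the child zone.  The covered type is on the RRSIG line;
# the key id and signer name are on the line that follows it.
# Globals: czone (read)
extract_sigs() {
  awk -v zone="$czone" '$2 ~ /RRSIG/ {
    type = $3;
    getline;
    id = $3;
    if ($4 ~ zone) {
      print type, id
    }
  }' < "$1"
}

# Print "FLAGS KEYID" for each DNSKEY in signed zone file $1, taking the
# key id from the "key id = N" comment that follows the record.
extract_keys() {
  awk '$2 ~ /DNSKEY/ {
    flags = $3;
    while ($0 !~ /key id =/)
      getline;
    id = $NF;
    print flags, id;
  }' < "$1"
}

# Close the current numbered check: report a failure, fold it into the
# final exit status and advance the check counter.
# Globals: ret (read), status and n (written)
finish_check() {
  if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
  n=$((n + 1))
}

echo_i "setting key timers"
# The standby ("rolling") KSK becomes active 15 seconds from now; the
# 20-second sleep further down crosses that point so the re-sign can be
# checked against it.
$SETTIME -A now+15s "$(cat rolling.key)" > /dev/null

# Numeric key ids, matched against the sigs/keys extracts below.
inact=$(keyfile_to_key_id "$(cat inact.key)")
ksk=$(keyfile_to_key_id "$(cat ksk.key)")
pending=$(keyfile_to_key_id "$(cat pending.key)")
postrev=$(keyfile_to_key_id "$(cat postrev.key)")
prerev=$(keyfile_to_key_id "$(cat prerev.key)")
rolling=$(keyfile_to_key_id "$(cat rolling.key)")
standby=$(keyfile_to_key_id "$(cat standby.key)")
zsk=$(keyfile_to_key_id "$(cat zsk.key)")

echo_i "signing zones"
$SIGNER -Sg -o "$czone" "$cfile" > /dev/null 2>&1
$SIGNER -Sg -o "$pzone" "$pfile" > /dev/null 2>&1

extract_sigs "${cfile}.signed" > sigs
extract_keys "${cfile}.signed" > keys

echo_i "checking that KSK signed DNSKEY only ($n)"
ret=0
grep "DNSKEY ${ksk}\$" sigs > /dev/null || ret=1
grep "SOA ${ksk}\$" sigs > /dev/null && ret=1
finish_check

echo_i "checking that ZSK signed ($n)"
ret=0
grep "SOA ${zsk}\$" sigs > /dev/null || ret=1
finish_check

echo_i "checking that standby ZSK did not sign ($n)"
ret=0
grep " ${standby}\$" sigs > /dev/null && ret=1
finish_check

echo_i "checking that inactive key did not sign ($n)"
ret=0
grep " ${inact}\$" sigs > /dev/null && ret=1
finish_check

echo_i "checking that pending key was not published ($n)"
ret=0
grep " ${pending}\$" keys > /dev/null && ret=1
finish_check

echo_i "checking that standby KSK did not sign but is delegated ($n)"
ret=0
# Not yet active: must be published in the child and have a DS in the
# signed parent, but must not have produced any signature.
grep " ${rolling}\$" sigs > /dev/null && ret=1
grep " ${rolling}\$" keys > /dev/null || ret=1
grep -E "DS[ ]*$rolling[ ]" "${pfile}.signed" > /dev/null || ret=1
finish_check

echo_i "checking that key was revoked ($n)"
ret=0
# Revocation changes the key id: the pre-revocation id must be gone and
# the post-revocation id present in the published DNSKEY RRset.
grep " ${prerev}\$" keys > /dev/null && ret=1
grep " ${postrev}\$" keys > /dev/null || ret=1
finish_check

echo_i "checking that revoked key self-signed ($n)"
ret=0
grep "DNSKEY ${postrev}\$" sigs > /dev/null || ret=1
grep "SOA ${postrev}\$" sigs > /dev/null && ret=1
finish_check

echo_i "waiting 20 seconds for key changes to occur"
sleep 20

echo_i "re-signing zone"
$SIGNER -Sg -o "$czone" -f "${cfile}.new" "${cfile}.signed" > /dev/null 2>&1

echo_i "checking that standby KSK is now active ($n)"
ret=0
# The original "sigs" extract predates the rolling key's activation and
# can never show it signing, so inspect the re-signed zone instead.
extract_sigs "${cfile}.new" > sigs.new
grep "DNSKEY ${rolling}\$" sigs.new > /dev/null || ret=1
finish_check

echo_i "checking update of an old-style key ($n)"
ret=0
oldstyle=$(cat oldstyle.key)
# printing metadata should not work with an old-style key
$SETTIME -pall "$oldstyle" > /dev/null 2>&1 && ret=1
$SETTIME -f "$oldstyle" > /dev/null 2>&1 || ret=1
# but now it should
$SETTIME -pall "$oldstyle" > /dev/null 2>&1 || ret=1
finish_check

echo_i "checking warning about permissions change on key with dnssec-settime ($n)"
uname=$(uname -o 2> /dev/null)
if [ Cygwin = "$uname" ]; then
  echo_i "Cygwin detected, skipping"
else
  ret=0
  # Make the private key file world-readable: settime should warn about
  # the changed permissions the first time it rewrites the key, and
  # must not repeat the warning on the following run.
  chmod 644 "${oldstyle}.private"
  $SETTIME -P none "$oldstyle" > "settime1.test$n" 2>&1 || ret=1
  grep "warning: Permissions on the file.*have changed" "settime1.test$n" > /dev/null 2>&1 || ret=1
  $SETTIME -P none "$oldstyle" > "settime2.test$n" 2>&1 || ret=1
  grep "warning: Permissions on the file.*have changed" "settime2.test$n" > /dev/null 2>&1 && ret=1
  finish_check
fi

echo_i "checking warning about delete date < inactive date with dnssec-settime ($n)"
ret=0
# settime should print a warning about delete < inactive
$SETTIME -I now+15s -D now "$oldstyle" > tmp.out 2>&1 || ret=1
grep "warning" tmp.out > /dev/null 2>&1 || ret=1
finish_check

echo_i "checking no warning about delete date < inactive date with dnssec-settime when delete date is unset ($n)"
ret=0
$SETTIME -D none "$oldstyle" > tmp.out 2>&1 || ret=1
# only the output of this final -p run is inspected
$SETTIME -p all "$oldstyle" > tmp.out 2>&1 || ret=1
grep "warning" tmp.out > /dev/null 2>&1 && ret=1
finish_check

echo_i "checking warning about delete date < inactive date with dnssec-keygen ($n)"
ret=0
# keygen should print a warning about delete < inactive
$KEYGEN -q -r "$RANDFILE" -I now+15s -D now "$czone" > tmp.out 2>&1 || ret=1
grep "warning" tmp.out > /dev/null 2>&1 || ret=1
finish_check

echo_i "checking correct behavior setting activation without publication date ($n)"
ret=0
# -A alone: the publication date must equal the activation date
key=$($KEYGEN -q -r "$RANDFILE" -A +1w "$czone")
pub=$($SETTIME -upP "$key" | awk '{print $2}')
act=$($SETTIME -upA "$key" | awk '{print $2}')
[ "$pub" -eq "$act" ] || ret=1
# -A with a prepublication interval (-i): publication precedes activation
key=$($KEYGEN -q -r "$RANDFILE" -A +1w -i 1d "$czone")
pub=$($SETTIME -upP "$key" | awk '{print $2}')
act=$($SETTIME -upA "$key" | awk '{print $2}')
[ "$pub" -lt "$act" ] || ret=1
# -P never: the publication date stays unset
key=$($KEYGEN -q -r "$RANDFILE" -A +1w -P never "$czone")
pub=$($SETTIME -upP "$key" | awk '{print $2}')
[ "$pub" = "UNSET" ] || ret=1
finish_check

echo_i "checking calculation of dates for a successor key ($n)"
ret=0
oldkey=$($KEYGEN -q -r "$RANDFILE" "$czone")
newkey=$($KEYGEN -q -r "$RANDFILE" "$czone")
$SETTIME -A -2d -I +2d "$oldkey" > "settime1.test$n" 2>&1 || ret=1
# -S derives the successor's timers from the predecessor; a 1970 date in
# the printed activation time would presumably mean an epoch-zero value
# slipped through the calculation.
$SETTIME -i 1d -S "$oldkey" "$newkey" > "settime2.test$n" 2>&1 || ret=1
$SETTIME -pA "$newkey" | grep "1970" > /dev/null && ret=1
finish_check

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1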