authorInternet Software Consortium, Inc <@isc.org>2012-01-18 10:10:04 -0700
committerInternet Software Consortium, Inc <@isc.org>2012-01-18 10:10:04 -0700
commit52a7f63e4e1a5cc6705c88c2090499b2caaa0805 (patch)
tree330f8ca530b9d9e0161703f3d85575c1e43dd8d8 /bin
parentcf94dd77f7578bef7bc0ff3feac9aaa548180641 (diff)
downloadbind9-52a7f63e4e1a5cc6705c88c2090499b2caaa0805.tar.gz
9.9.0b1
Diffstat (limited to 'bin')
-rw-r--r--bin/dnssec/dnssec-dsfromkey.811
-rw-r--r--bin/dnssec/dnssec-dsfromkey.c12
-rw-r--r--bin/dnssec/dnssec-dsfromkey.docbook13
-rw-r--r--bin/dnssec/dnssec-dsfromkey.html24
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.c5
-rw-r--r--bin/dnssec/dnssec-keygen.c5
-rw-r--r--bin/dnssec/dnssec-revoke.813
-rw-r--r--bin/dnssec/dnssec-revoke.c14
-rw-r--r--bin/dnssec/dnssec-revoke.docbook16
-rw-r--r--bin/dnssec/dnssec-revoke.html19
-rw-r--r--bin/dnssec/dnssectool.c25
-rw-r--r--bin/dnssec/dnssectool.h9
-rw-r--r--bin/named/client.c30
-rw-r--r--bin/named/control.c4
-rw-r--r--bin/named/include/named/control.h3
-rw-r--r--bin/named/include/named/server.h7
-rw-r--r--bin/named/query.c29
-rw-r--r--bin/named/server.c177
-rw-r--r--bin/named/unix/dlz_dlopen_driver.c4
-rw-r--r--bin/named/update.c4
-rw-r--r--bin/named/zoneconf.c7
-rw-r--r--bin/rndc/rndc.c11
-rw-r--r--bin/tests/system/autosign/ns1/keygen.sh6
-rw-r--r--bin/tests/system/autosign/tests.sh48
-rw-r--r--bin/tests/system/conf.sh.in4
-rw-r--r--bin/tests/system/dnssec/clean.sh3
-rw-r--r--bin/tests/system/dnssec/ns3/named.conf11
-rw-r--r--bin/tests/system/dnssec/tests.sh72
-rw-r--r--bin/tests/system/edns/ans2/ans.pl419
-rw-r--r--bin/tests/system/edns/clean.sh23
-rw-r--r--bin/tests/system/edns/ns1/named.conf40
-rw-r--r--bin/tests/system/edns/prereq.sh33
-rw-r--r--bin/tests/system/edns/setup.sh18
-rw-r--r--bin/tests/system/edns/tests.sh93
-rw-r--r--bin/tests/system/inline/clean.sh7
-rw-r--r--bin/tests/system/inline/ns1/named.conf4
-rw-r--r--bin/tests/system/inline/ns1/root.db.in40
-rw-r--r--bin/tests/system/inline/ns1/sign.sh41
-rw-r--r--bin/tests/system/inline/ns3/master.db.in134
-rw-r--r--bin/tests/system/inline/ns3/master2.db.in135
-rw-r--r--bin/tests/system/inline/ns3/named.conf23
-rw-r--r--bin/tests/system/inline/ns3/sign.sh18
-rw-r--r--bin/tests/system/inline/ns6/named.conf43
-rw-r--r--bin/tests/system/inline/setup.sh27
-rw-r--r--bin/tests/system/inline/tests.sh223
-rw-r--r--bin/tests/system/lwresd/tests.sh5
-rwxr-xr-xbin/tests/system/masterformat/clean.sh6
-rw-r--r--bin/tests/system/masterformat/ns1/named.conf23
-rw-r--r--bin/tests/system/masterformat/ns2/formerly-text.db.in53
-rw-r--r--bin/tests/system/masterformat/ns2/named.conf24
-rwxr-xr-xbin/tests/system/masterformat/setup.sh5
-rwxr-xr-xbin/tests/system/masterformat/tests.sh77
-rw-r--r--bin/tests/system/notify/clean.sh6
-rw-r--r--bin/tests/system/notify/ns2/named.conf5
-rw-r--r--bin/tests/system/notify/tests.sh110
-rw-r--r--bin/tests/system/rpz/ns3/crash225
-rw-r--r--bin/tests/system/rpz/ns3/named.conf3
-rw-r--r--bin/tests/system/rpz/test16
-rw-r--r--bin/tests/system/rpz/tests.sh3
-rw-r--r--bin/tests/system/smartsign/tests.sh68
-rw-r--r--bin/tests/system/upforwd/ns3/named.conf3
-rw-r--r--bin/tests/system/xferquota/setup.pl6
62 files changed, 2071 insertions, 264 deletions
diff --git a/bin/dnssec/dnssec-dsfromkey.8 b/bin/dnssec/dnssec-dsfromkey.8
index 8243d685..14aecb16 100644
--- a/bin/dnssec/dnssec-dsfromkey.8
+++ b/bin/dnssec/dnssec-dsfromkey.8
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-dsfromkey.8,v 1.14 2011-03-28 01:14:34 tbox Exp $
+.\" $Id: dnssec-dsfromkey.8,v 1.15 2011-10-26 01:14:51 tbox Exp $
.\"
.hy 0
.ad l
@@ -32,9 +32,9 @@
dnssec\-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP 17
-\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] {keyfile}
+\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
.HP 17
-\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
+\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
.SH "DESCRIPTION"
.PP
\fBdnssec\-dsfromkey\fR
@@ -58,6 +58,11 @@ Select the digest algorithm. The value of
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or GOST. These values are case insensitive.
.RE
.PP
+\-T \fITTL\fR
+.RS 4
+Specifies the TTL of the DS records.
+.RE
+.PP
\-K \fIdirectory\fR
.RS 4
Look for key files (or, in keyset mode,
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index 75ea71ab..145c1517 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-dsfromkey.c,v 1.23 2011-09-03 05:51:29 each Exp $ */
+/* $Id: dnssec-dsfromkey.c,v 1.24 2011-10-25 01:54:18 marka Exp $ */
/*! \file */
@@ -62,6 +62,7 @@ static dns_rdataclass_t rdclass;
static dns_fixedname_t fixed;
static dns_name_t *name = NULL;
static isc_mem_t *mctx = NULL;
+static isc_uint32_t ttl;
static isc_result_t
initname(char *setname) {
@@ -294,6 +295,9 @@ emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
isc_buffer_usedregion(&nameb, &r);
printf("%.*s ", (int)r.length, r.base);
+ if (ttl != 0U)
+ printf("%u ", ttl);
+
isc_buffer_usedregion(&classb, &r);
printf("%.*s", (int)r.length, r.base);
@@ -329,6 +333,7 @@ usage(void) {
fprintf(stderr, " -l: add lookaside zone and print DLV records\n");
fprintf(stderr, " -s: read keyset from keyset-<dnsname> file\n");
fprintf(stderr, " -c class: rdata class for DS set (default: IN)\n");
+ fprintf(stderr, " -T TTL\n");
fprintf(stderr, " -f file: read keyset from zone file\n");
fprintf(stderr, " -A: when used with -f, "
"include all keys in DS set, not just KSKs\n");
@@ -368,7 +373,7 @@ main(int argc, char **argv) {
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
- "12Aa:c:d:Ff:K:l:sv:h")) != -1) {
+ "12Aa:c:d:Ff:K:l:sT:v:h")) != -1) {
switch (ch) {
case '1':
dtype = DNS_DSDIGEST_SHA1;
@@ -408,6 +413,9 @@ main(int argc, char **argv) {
case 's':
usekeyset = ISC_TRUE;
break;
+ case 'T':
+ ttl = atol(isc_commandline_argument);
+ break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
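Review bot: The new `-T` case parses its argument with `atol()`, which reports no errors, so non-numeric text becomes 0 and a negative or oversized value is silently converted when it is stored in the `isc_uint32_t ttl`. The `-v` case directly below already shows the checked form; the same pattern fits here, e.g. `ttl = strtoul(isc_commandline_argument, &endp, 0);` followed by `if (*endp != '\0') fatal("-T must be followed by a number");`, plus a check that the value fits in 32 bits. Because the emit() hunk prints the TTL only when `ttl != 0U`, a mistyped argument currently produces records with no TTL instead of an error, and an explicit `-T 0` cannot be expressed. main()'s body continues outside the hunk.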
diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook
index ba2a059c..0a47ba76 100644
--- a/bin/dnssec/dnssec-dsfromkey.docbook
+++ b/bin/dnssec/dnssec-dsfromkey.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-dsfromkey.docbook,v 1.16 2011-03-27 06:39:59 marka Exp $ -->
+<!-- $Id: dnssec-dsfromkey.docbook,v 1.17 2011-10-25 01:54:18 marka Exp $ -->
<refentry id="man.dnssec-dsfromkey">
<refentryinfo>
<date>August 26, 2009</date>
@@ -52,6 +52,7 @@
<arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+ <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
<cmdsynopsis>
@@ -64,6 +65,7 @@
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-s</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg><option>-A</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
@@ -114,6 +116,15 @@
</varlistentry>
<varlistentry>
+ <term>-T <replaceable class="parameter">TTL</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the TTL of the DS records.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html
index 2a4313af..f4ec6458 100644
--- a/bin/dnssec/dnssec-dsfromkey.html
+++ b/bin/dnssec/dnssec-dsfromkey.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-dsfromkey.html,v 1.14 2011-03-28 01:14:34 tbox Exp $ -->
+<!-- $Id: dnssec-dsfromkey.html,v 1.15 2011-10-26 01:14:50 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -28,18 +28,18 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] {keyfile}</p></div>
-<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543467"></a><h2>DESCRIPTION</h2>
+<a name="id2543484"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543479"></a><h2>OPTIONS</h2>
+<a name="id2543496"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
@@ -56,6 +56,10 @@
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256) or GOST. These values are case insensitive.
</p></dd>
+<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
+<dd><p>
+ Specifies the TTL of the DS records.
+ </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Look for key files (or, in keyset mode,
@@ -111,7 +115,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543687"></a><h2>EXAMPLE</h2>
+<a name="id2543722"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@@ -126,7 +130,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543717"></a><h2>FILES</h2>
+<a name="id2543752"></a><h2>FILES</h2>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@@ -140,13 +144,13 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543752"></a><h2>CAVEAT</h2>
+<a name="id2543787"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543762"></a><h2>SEE ALSO</h2>
+<a name="id2543797"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -156,7 +160,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543801"></a><h2>AUTHOR</h2>
+<a name="id2543836"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index e411804c..b418a9a4 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keyfromlabel.c,v 1.36 2011-03-18 02:16:43 marka Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.37 2011-10-20 21:20:01 marka Exp $ */
/*! \file */
@@ -527,8 +527,7 @@ main(int argc, char **argv) {
* is a risk of ID collision due to this key or another key
* being revoked.
*/
- if (key_collision(dst_key_id(key), name, directory, alg, mctx, &exact))
- {
+ if (key_collision(key, name, directory, mctx, &exact)) {
isc_buffer_clear(&buf);
ret = dst_key_buildfilename(key, 0, directory, &buf);
if (ret != ISC_R_SUCCESS)
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 4cd9bebf..4c66c245 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keygen.c,v 1.118 2011-03-17 01:40:34 each Exp $ */
+/* $Id: dnssec-keygen.c,v 1.119 2011-10-20 21:20:01 marka Exp $ */
/*! \file */
@@ -977,8 +977,7 @@ main(int argc, char **argv) {
* if there is a risk of ID collision due to this key
* or another key being revoked.
*/
- if (key_collision(dst_key_id(key), name, directory,
- alg, mctx, NULL)) {
+ if (key_collision(key, name, directory, mctx, NULL)) {
conflict = ISC_TRUE;
if (null_key) {
dst_key_free(&key);
diff --git a/bin/dnssec/dnssec-revoke.8 b/bin/dnssec/dnssec-revoke.8
index d57b6aa0..c1f7dab1 100644
--- a/bin/dnssec/dnssec-revoke.8
+++ b/bin/dnssec/dnssec-revoke.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-revoke.8,v 1.9 2010-05-19 01:14:14 tbox Exp $
+.\" $Id: dnssec-revoke.8,v 1.10 2011-10-21 01:14:50 tbox Exp $
.\"
.hy 0
.ad l
@@ -32,7 +32,7 @@
dnssec\-revoke \- Set the REVOKED bit on a DNSSEC key
.SH "SYNOPSIS"
.HP 14
-\fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\fR] {keyfile}
+\fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\fR] [\fB\-R\fR] {keyfile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-revoke\fR
@@ -70,6 +70,11 @@ Force overwrite: Causes
\fBdnssec\-revoke\fR
to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key.
.RE
+.PP
+\-R
+.RS 4
+Print the key tag of the key with the REVOKE bit set but do not revoke the key.
+.RE
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8),
@@ -79,5 +84,5 @@ RFC 5011.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
.br
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index 90e905c4..1759b184 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-revoke.c,v 1.22 2010-05-06 23:50:56 tbox Exp $ */
+/* $Id: dnssec-revoke.c,v 1.24 2011-10-20 23:46:51 tbox Exp $ */
/*! \file */
@@ -92,6 +92,7 @@ main(int argc, char **argv) {
isc_buffer_t buf;
isc_boolean_t force = ISC_FALSE;
isc_boolean_t remove = ISC_FALSE;
+ isc_boolean_t id = ISC_FALSE;
if (argc == 1)
usage();
@@ -104,7 +105,7 @@ main(int argc, char **argv) {
isc_commandline_errprint = ISC_FALSE;
- while ((ch = isc_commandline_parse(argc, argv, "E:fK:rhv:")) != -1) {
+ while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:")) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
@@ -126,6 +127,9 @@ main(int argc, char **argv) {
case 'r':
remove = ISC_TRUE;
break;
+ case 'R':
+ id = ISC_TRUE;
+ break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
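Review bot: No hunk in this file adds `-R` to usage(), so as far as this diff shows the option is accepted by the parser but missing from the built-in help, while the man page, docbook and HTML are all updated. A usage line mirroring the man page text ("Print the key tag of the key with the REVOKE bit set but do not revoke the key") would keep them in step. The flag itself is declared as `isc_boolean_t id` in the earlier hunk; a name that says what it controls, such as `print_rid`, would read better at the `if (id)` test further down. main()'s body continues outside the hunk.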
@@ -186,6 +190,10 @@ main(int argc, char **argv) {
fatal("Invalid keyfile name %s: %s",
filename, isc_result_totext(result));
+ if (id) {
+ fprintf(stdout, "%u\n", dst_key_rid(key));
+ goto cleanup;
+ }
dst_key_format(key, keystr, sizeof(keystr));
if (verbose > 2)
diff --git a/bin/dnssec/dnssec-revoke.docbook b/bin/dnssec/dnssec-revoke.docbook
index b7b56202..d63f844e 100644
--- a/bin/dnssec/dnssec-revoke.docbook
+++ b/bin/dnssec/dnssec-revoke.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-revoke.docbook,v 1.7 2009-11-03 21:44:46 each Exp $ -->
+<!-- $Id: dnssec-revoke.docbook,v 1.9 2011-10-20 23:46:51 tbox Exp $ -->
<refentry id="man.dnssec-revoke">
<refentryinfo>
<date>June 1, 2009</date>
@@ -37,6 +37,7 @@
<docinfo>
<copyright>
<year>2009</year>
+ <year>2011</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@@ -49,6 +50,7 @@
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f</option></arg>
+ <arg><option>-R</option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -123,6 +125,16 @@
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>-R</term>
+ <listitem>
+ <para>
+ Print the key tag of the key with the REVOKE bit set but do
+ not revoke the key.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/bin/dnssec/dnssec-revoke.html b/bin/dnssec/dnssec-revoke.html
index fad9ac52..08940264 100644
--- a/bin/dnssec/dnssec-revoke.html
+++ b/bin/dnssec/dnssec-revoke.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-revoke.html,v 1.9 2010-05-19 01:14:14 tbox Exp $ -->
+<!-- $Id: dnssec-revoke.html,v 1.10 2011-10-21 01:14:50 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -28,10 +28,10 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] {keyfile}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543373"></a><h2>DESCRIPTION</h2>
+<a name="id2543381"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-revoke</strong></span>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
@@ -39,7 +39,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543385"></a><h2>OPTIONS</h2>
+<a name="id2543393"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
@@ -69,17 +69,22 @@
write the new key pair even if a file already exists matching
the algorithm and key ID of the revoked key.
</p></dd>
+<dt><span class="term">-R</span></dt>
+<dd><p>
+ Print the key tag of the key with the REVOKE bit set but do
+ not revoke the key.
+ </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543491"></a><h2>SEE ALSO</h2>
+<a name="id2543511"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543515"></a><h2>AUTHOR</h2>
+<a name="id2543536"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index da6b0b2a..28d17a2d 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssectool.c,v 1.60 2010-01-19 23:48:56 tbox Exp $ */
+/* $Id: dnssectool.c,v 1.63 2011-10-21 03:55:33 marka Exp $ */
/*! \file */
@@ -406,19 +406,24 @@ set_keyversion(dst_key_t *key) {
}
isc_boolean_t
-key_collision(isc_uint16_t id, dns_name_t *name, const char *dir,
- dns_secalg_t alg, isc_mem_t *mctx, isc_boolean_t *exact)
+key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
+ isc_mem_t *mctx, isc_boolean_t *exact)
{
isc_result_t result;
isc_boolean_t conflict = ISC_FALSE;
dns_dnsseckeylist_t matchkeys;
dns_dnsseckey_t *key = NULL;
- isc_uint16_t oldid, diff;
- isc_uint16_t bits = DNS_KEYFLAG_REVOKE; /* flag bits to look for */
+ isc_uint16_t id, oldid;
+ isc_uint32_t rid, roldid;
+ dns_secalg_t alg;
if (exact != NULL)
*exact = ISC_FALSE;
+ id = dst_key_id(dstkey);
+ rid = dst_key_rid(dstkey);
+ alg = dst_key_alg(dstkey);
+
ISC_LIST_INIT(matchkeys);
result = dns_dnssec_findmatchingkeys(name, dir, mctx, &matchkeys);
if (result == ISC_R_NOTFOUND)
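Review bot: `rid` and `roldid` are declared `isc_uint32_t` while `id` and `oldid` are `isc_uint16_t`, and the next hunk compares them across widths in `oldid == rid || roldid == id || id == oldid`. If dst_key_rid() returns a 16-bit key tag like dst_key_id() (its prototype is not on this page), declaring all four as `isc_uint16_t` would make it clear that they are the same kind of value. The three-way condition also replaces a commented bit test without any explanation; a comment above it such as `/* Collision if the tags match now, or would match once either key has its REVOKE bit set. */` would record the intent. key_collision's body continues outside the hunk.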
@@ -430,10 +435,11 @@ key_collision(isc_uint16_t id, dns_name_t *name, const char *dir,
goto next;
oldid = dst_key_id(key->key);
- diff = (oldid > id) ? (oldid - id) : (id - oldid);
- if ((diff & ~bits) == 0) {
+ roldid = dst_key_rid(key->key);
+
+ if (oldid == rid || roldid == id || id == oldid) {
conflict = ISC_TRUE;
- if (diff != 0) {
+ if (id != oldid) {
if (verbose > 1)
fprintf(stderr, "Key ID %d could "
"collide with %d\n",
@@ -461,4 +467,3 @@ key_collision(isc_uint16_t id, dns_name_t *name, const char *dir,
return (conflict);
}
-
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index b52bc135..3dff6d44 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007-2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssectool.h,v 1.31 2010-01-19 23:48:56 tbox Exp $ */
+/* $Id: dnssectool.h,v 1.33 2011-10-20 23:46:51 tbox Exp $ */
#ifndef DNSSECTOOL_H
#define DNSSECTOOL_H 1
@@ -78,6 +78,7 @@ void
set_keyversion(dst_key_t *key);
isc_boolean_t
-key_collision(isc_uint16_t id, dns_name_t *name, const char *dir,
- dns_secalg_t alg, isc_mem_t *mctx, isc_boolean_t *exact);
+key_collision(dst_key_t *key, dns_name_t *name, const char *dir,
+ isc_mem_t *mctx, isc_boolean_t *exact);
+
#endif /* DNSSEC_DNSSECTOOL_H */
diff --git a/bin/named/client.c b/bin/named/client.c
index 6b78adaf..9fec223d 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: client.c,v 1.280 2011-10-11 23:46:44 tbox Exp $ */
+/* $Id: client.c,v 1.281 2011-10-25 16:21:21 each Exp $ */
#include <config.h>
@@ -1956,6 +1956,11 @@ static isc_result_t
get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) {
isc_mem_t *clientmctx;
isc_result_t result;
+#if NMCTXS > 0
+ unsigned int nextmctx;
+#endif
+
+ MTRACE("clientmctx");
/*
* Caller must be holding the manager lock.
@@ -1967,19 +1972,21 @@ get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) {
return (result);
}
#if NMCTXS > 0
- INSIST(manager->nextmctx < NMCTXS);
- clientmctx = manager->mctxpool[manager->nextmctx];
+ nextmctx = manager->nextmctx++;
+ if (manager->nextmctx == NMCTXS)
+ manager->nextmctx = 0;
+
+ INSIST(nextmctx < NMCTXS);
+
+ clientmctx = manager->mctxpool[nextmctx];
if (clientmctx == NULL) {
result = isc_mem_create(0, 0, &clientmctx);
if (result != ISC_R_SUCCESS)
return (result);
isc_mem_setname(clientmctx, "client", NULL);
- manager->mctxpool[manager->nextmctx] = clientmctx;
+ manager->mctxpool[nextmctx] = clientmctx;
}
- manager->nextmctx++;
- if (manager->nextmctx == NMCTXS)
- manager->nextmctx = 0;
#else
clientmctx = manager->mctx;
#endif
@@ -2545,7 +2552,9 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
else {
MTRACE("create new");
+ LOCK(&manager->lock);
result = client_create(manager, &client);
+ UNLOCK(&manager->lock);
if (result != ISC_R_SUCCESS)
return (result);
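Review bot: The manager lock is now held only around `client_create()` here, and the next hunk removes both the `LOCK`/`UNLOCK` pair in ns_clientmgr_createclients() and the comment that justified it ("a client could get a shutdown event and disappear out from under us"), yet nothing in the new code says what now prevents that. The rest of get_client() after `UNLOCK(&manager->lock)` is outside the hunk; if it still touches the new client or the manager's lists without the lock, the lifetime hazard the old comment described would need another guard. A comment at the `LOCK` should state what the lock protects, for instance `/* get_clientmctx() requires the manager lock; see its header comment. */` if that is the reason (presumably client_create() reaches it, which is not visible here).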
@@ -2591,18 +2600,11 @@ ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
MTRACE("createclients");
- /*
- * We MUST lock the manager lock for the entire client creation
- * process. If we didn't do this, then a client could get a
- * shutdown event and disappear out from under us.
- */
- LOCK(&manager->lock);
for (disp = 0; disp < n; disp++) {
result = get_client(manager, ifp, ifp->udpdispatch[disp], tcp);
if (result != ISC_R_SUCCESS)
break;
}
- UNLOCK(&manager->lock);
return (result);
}
diff --git a/bin/named/control.c b/bin/named/control.c
index 2370fe1c..1b23390b 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: control.c,v 1.44 2011-08-02 20:36:11 each Exp $ */
+/* $Id: control.c,v 1.46 2011-10-28 06:20:04 each Exp $ */
/*! \file */
@@ -205,6 +205,8 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
result = ns_server_add_zone(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_DELZONE)) {
result = ns_server_del_zone(ns_g_server, command);
+ } else if (command_compare(command, NS_COMMAND_SIGNING)) {
+ result = ns_server_signing(ns_g_server, command, text);
} else {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
index 3dcc1391..3d13bc2f 100644
--- a/bin/named/include/named/control.h
+++ b/bin/named/include/named/control.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: control.h,v 1.34 2011-08-02 20:36:12 each Exp $ */
+/* $Id: control.h,v 1.36 2011-10-28 06:20:04 each Exp $ */
#ifndef NAMED_CONTROL_H
#define NAMED_CONTROL_H 1
@@ -64,6 +64,7 @@
#define NS_COMMAND_ADDZONE "addzone"
#define NS_COMMAND_DELZONE "delzone"
#define NS_COMMAND_SYNC "sync"
+#define NS_COMMAND_SIGNING "signing"
isc_result_t
ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index a52de722..3601e337 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.h,v 1.113 2011-08-02 20:36:12 each Exp $ */
+/* $Id: server.h,v 1.115 2011-10-28 06:20:04 each Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
@@ -342,4 +342,9 @@ ns_server_add_zone(ns_server_t *server, char *args);
isc_result_t
ns_server_del_zone(ns_server_t *server, char *args);
+/*%
+ * Lists the status of the signing records for a given zone.
+ */
+isc_result_t
+ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text);
#endif /* NAMED_SERVER_H */
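Review bot: The doc comment on ns_server_signing() gives a one-line purpose but does not describe its parameters: what `args` must contain, what is written to `text`, and what is returned when the zone is not found or the text buffer is too small. This function is reached from the control channel through the new `signing` command in control.c, so the accepted argument forms are worth stating at the declaration. A blank line between the prototype and `#endif` would also match the spacing of the declarations above.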
diff --git a/bin/named/query.c b/bin/named/query.c
index c4ed4526..ec5a4824 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.375 2011-10-13 22:48:23 tbox Exp $ */
+/* $Id: query.c,v 1.377 2011-10-28 11:46:49 marka Exp $ */
/*! \file */
@@ -3378,8 +3378,9 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
sigrdataset, fname, ISC_TRUE, cname);
if (!dns_rdataset_isassociated(rdataset))
goto cleanup;
- query_addrrset(client, &fname, &rdataset, &sigrdataset,
- dbuf, DNS_SECTION_AUTHORITY);
+ if (!ispositive)
+ query_addrrset(client, &fname, &rdataset, &sigrdataset,
+ dbuf, DNS_SECTION_AUTHORITY);
/*
* Replace resources which were consumed by query_addrrset.
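Review bot: The new `if (!ispositive)` guards a call that wraps over two lines without braces, and there is no comment saying why positive wildcard answers skip adding this RRset to the authority section. Bracing the body and adding a one-line reason would help the next reader of this DNSSEC proof code. The comment kept just below, "Replace resources which were consumed by query_addrrset", is now true only when the call actually ran; the replacement code is outside the hunk, so it is worth confirming that it copes with `fname`, `rdataset` and `sigrdataset` still being set.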
@@ -3827,6 +3828,7 @@ rpz_st_clear(ns_client_t *client) {
dns_rpz_st_t *st = client->query.rpz_st;
rpz_clean(&st->m.zone, &st->m.db, &st->m.node, NULL);
+ st->m.version = NULL;
if (st->m.rdataset != NULL)
query_putrdataset(client, &st->m.rdataset);
@@ -4120,10 +4122,10 @@ rpz_rewrite_rrsets(ns_client_t *client, dns_rpz_type_t rpz_type,
static isc_result_t
rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
dns_name_t *sname, dns_rpz_type_t rpz_type, dns_zone_t **zonep,
- dns_db_t **dbp, dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp,
+ dns_db_t **dbp, dns_dbversion_t **versionp,
+ dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp,
dns_rpz_policy_t *policyp)
{
- dns_dbversion_t *version;
dns_rpz_policy_t policy;
dns_fixedname_t fixed;
dns_name_t *found;
@@ -4144,8 +4146,8 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
* Try to get either a CNAME or the type of record demanded by the
* request from the policy zone.
*/
- version = NULL;
- result = rpz_getdb(client, rpz_type, qnamef, zonep, dbp, &version);
+ *versionp = NULL;
+ result = rpz_getdb(client, rpz_type, qnamef, zonep, dbp, versionp);
if (result != ISC_R_SUCCESS) {
*policyp = DNS_RPZ_POLICY_MISS;
return (DNS_R_NXDOMAIN);
@@ -4153,14 +4155,14 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
dns_fixedname_init(&fixed);
found = dns_fixedname_name(&fixed);
- result = dns_db_findext(*dbp, qnamef, version, dns_rdatatype_any, 0,
+ result = dns_db_findext(*dbp, qnamef, *versionp, dns_rdatatype_any, 0,
client->now, nodep, found, &cm, &ci,
*rdatasetp, NULL);
if (result == ISC_R_SUCCESS) {
dns_rdatasetiter_t *rdsiter;
rdsiter = NULL;
- result = dns_db_allrdatasets(*dbp, *nodep, version, 0,
+ result = dns_db_allrdatasets(*dbp, *nodep, *versionp, 0,
&rdsiter);
if (result != ISC_R_SUCCESS) {
dns_db_detachnode(*dbp, nodep);
@@ -4199,7 +4201,7 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
qtype == dns_rdatatype_sig)
result = DNS_R_NXRRSET;
else
- result = dns_db_findext(*dbp, qnamef, version,
+ result = dns_db_findext(*dbp, qnamef, *versionp,
qtype, 0, client->now,
nodep, found, &cm, &ci,
*rdatasetp, NULL);
@@ -4267,6 +4269,7 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
dns_name_t *prefix, *suffix, *rpz_qname;
dns_zone_t *zone;
dns_db_t *db;
+ dns_dbversion_t *version;
dns_dbnode_t *node;
dns_rpz_policy_t policy;
unsigned int labels;
@@ -4328,7 +4331,8 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
* See if the policy record exists.
*/
result = rpz_find(client, qtype, rpz_qname, qname, rpz_type,
- &zone, &db, &node, rdatasetp, &policy);
+ &zone, &db, &version, &node, rdatasetp,
+ &policy);
switch (result) {
case DNS_R_NXDOMAIN:
case DNS_R_EMPTYNAME:
@@ -4387,6 +4391,7 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
node = NULL;
st->m.db = db;
db = NULL;
+ st->m.version = version;
st->m.zone = zone;
zone = NULL;
}
@@ -5699,6 +5704,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
rpz_st->m.node = NULL;
db = rpz_st->m.db;
rpz_st->m.db = NULL;
+ version = rpz_st->m.version;
+ rpz_st->m.version = NULL;
zone = rpz_st->m.zone;
rpz_st->m.zone = NULL;
diff --git a/bin/named/server.c b/bin/named/server.c
index a45e1da0..c1cefd25 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.621 2011-10-11 00:09:01 each Exp $ */
+/* $Id: server.c,v 1.625 2011-10-28 12:08:04 tbox Exp $ */
/*! \file */
@@ -34,6 +34,7 @@
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/hash.h>
+#include <isc/hex.h>
#include <isc/httpd.h>
#include <isc/lex.h>
#include <isc/parseint.h>
@@ -73,6 +74,7 @@
#include <dns/order.h>
#include <dns/peer.h>
#include <dns/portlist.h>
+#include <dns/private.h>
#include <dns/rbt.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
@@ -5912,7 +5914,7 @@ next_token(char **stringp, const char *delim) {
*/
static isc_result_t
zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
- const char **zonename)
+ const char **zonename, isc_boolean_t skip)
{
char *input, *ptr;
const char *zonetxt;
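Review bot: The new `skip` parameter of zone_from_args is a bare boolean whose meaning is not documented anywhere in the hunks; the comment block that closes on the first context line is not visible, so it may need the same update. Every existing caller now passes `ISC_TRUE` and only ns_server_signing passes `ISC_FALSE`, after consuming the command name and options itself. I would add to the function comment: `If 'skip' is true the first token of 'args' (the command name) is discarded before the zone name is read; pass false when the caller has already consumed it.` The function body continues in the next hunk and beyond it.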
@@ -5928,10 +5930,12 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
input = args;
- /* Skip the command name. */
- ptr = next_token(&input, " \t");
- if (ptr == NULL)
- return (ISC_R_UNEXPECTEDEND);
+ if (skip) {
+ /* Skip the command name. */
+ ptr = next_token(&input, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+ }
/* Look for the zone name. */
zonetxt = next_token(&input, " \t");
@@ -5999,7 +6003,7 @@ ns_server_retransfercommand(ns_server_t *server, char *args) {
dns_zone_t *zone = NULL;
dns_zonetype_t type;
- result = zone_from_args(server, args, &zone, NULL);
+ result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL)
@@ -6023,7 +6027,7 @@ ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
dns_zonetype_t type;
const char *msg = NULL;
- result = zone_from_args(server, args, &zone, NULL);
+ result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL) {
@@ -6083,7 +6087,7 @@ ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) {
dns_zone_t *zone = NULL;
const unsigned char msg[] = "zone notify queued";
- result = zone_from_args(server, args, &zone, NULL);
+ result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL)
@@ -6108,7 +6112,7 @@ ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
const unsigned char msg2[] = "not a slave or stub zone";
dns_zonetype_t type;
- result = zone_from_args(server, args, &zone, NULL);
+ result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL)
@@ -7216,7 +7220,7 @@ ns_server_rekey(ns_server_t *server, char *args) {
if (strncasecmp(args, NS_COMMAND_SIGN, strlen(NS_COMMAND_SIGN)) == 0)
fullsign = ISC_TRUE;
- result = zone_from_args(server, args, &zone, NULL);
+ result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL)
@@ -7283,7 +7287,7 @@ ns_server_sync(ns_server_t *server, char *args, isc_buffer_t *text) {
(void) next_token(&args, " \t");
}
- result = zone_from_args(server, args, &zone, NULL);
+ result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
@@ -7359,7 +7363,7 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
isc_boolean_t frozen;
const char *msg = NULL;
- result = zone_from_args(server, args, &zone, NULL);
+ result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL) {
@@ -7579,13 +7583,14 @@ ns_server_add_zone(ns_server_t *server, char *args) {
CHECK(isc_stdio_open(view->new_zone_file, "a", &fp));
/* Mark view unfrozen so that zone can be added */
+ isc_task_beginexclusive(server->task);
dns_view_thaw(view);
result = configure_zone(cfg->config, parms, vconfig,
server->mctx, view, cfg->actx, ISC_FALSE);
dns_view_freeze(view);
- if (result != ISC_R_SUCCESS) {
+ isc_task_endexclusive(server->task);
+ if (result != ISC_R_SUCCESS)
goto cleanup;
- }
/* Is it there yet? */
CHECK(dns_zt_find(view->zonetable, &dnsname, 0, NULL, &zone));
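Review bot: The result of the new `isc_task_beginexclusive(server->task)` call in ns_server_add_zone is discarded, so if exclusive mode is not obtained the view is still thawed and reconfigured while other tasks may be running. The call returns an isc_result_t, and the section should only be entered on success: `result = isc_task_beginexclusive(server->task);` followed by `RUNTIME_CHECK(result == ISC_R_SUCCESS);`. The function starts and ends outside this hunk, so whether an earlier `CHECK` failure can skip the matching `isc_task_endexclusive()` cannot be judged from here; the two calls as placed are paired correctly.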
@@ -7686,7 +7691,7 @@ ns_server_del_zone(ns_server_t *server, char *args) {
FILE *ifp = NULL, *ofp = NULL;
/* Parse parameters */
- CHECK(zone_from_args(server, args, &zone, &zonename));
+ CHECK(zone_from_args(server, args, &zone, &zonename, ISC_TRUE));
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL) {
@@ -7854,3 +7859,143 @@ newzone_cfgctx_destroy(void **cfgp) {
isc_mem_putanddetach(&cfg->mctx, cfg, sizeof(*cfg));
*cfgp = NULL;
}
+
+isc_result_t
+ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) {
+ isc_result_t result = ISC_R_SUCCESS;
+ dns_zone_t *zone = NULL;
+ dns_name_t *origin;
+ dns_db_t *db = NULL;
+ dns_dbnode_t *node = NULL;
+ dns_dbversion_t *version = NULL;
+ dns_rdatatype_t privatetype;
+ dns_rdataset_t privset;
+ isc_boolean_t first = ISC_TRUE;
+ isc_boolean_t list = ISC_FALSE, clear = ISC_FALSE;
+ isc_boolean_t chain = ISC_FALSE;
+ char keystr[DNS_SECALG_FORMATSIZE + 7];
+ isc_uint8_t hash = 0, flags = 0, iter = 0, saltlen = 0;
+ unsigned char salt[255];
+ const char *ptr;
+ size_t n;
+
+ dns_rdataset_init(&privset);
+
+ (void) next_token(&args, " \t");
+ ptr = next_token(&args, " \t");
+ if (strcasecmp(ptr, "-list") == 0)
+ list = ISC_TRUE;
+ else if (strcasecmp(ptr, "-clear") == 0) {
+ clear = ISC_TRUE;
+ ptr = next_token(&args, " \t");
+ memcpy(keystr, ptr, sizeof(keystr));
+ } else if(strcasecmp(ptr, "-nsec3param") == 0) {
+ const char *hashstr, *flagstr, *iterstr;
+ isc_buffer_t buf;
+ char nbuf[512];
+
+ chain = ISC_TRUE;
+ hashstr = next_token(&args, " \t");
+
+ if (strcasecmp(hashstr, "none") == 0)
+ hash = 0;
+ else {
+ flagstr = next_token(&args, " \t");
+ iterstr = next_token(&args, " \t");
+ n = snprintf(nbuf, sizeof(nbuf), "%s %s %s",
+ hashstr, flagstr, iterstr);
+ if (n == sizeof(nbuf))
+ return (ISC_R_NOSPACE);
+ n = sscanf(nbuf, "%hhd %hhd %hhd",
+ &hash, &flags, &iter);
+ if (n != 3)
+ return (ISC_R_BADNUMBER);
+
+ ptr = next_token(&args, " \t");
+ isc_buffer_init(&buf, salt, sizeof(salt));
+ CHECK(isc_hex_decodestring(ptr, &buf));
+ saltlen = isc_buffer_usedlength(&buf);
+ }
+ } else
+ CHECK(ISC_R_NOTFOUND);
+
+ CHECK(zone_from_args(server, args, &zone, NULL, ISC_FALSE));
+ if (zone == NULL)
+ CHECK(ISC_R_UNEXPECTEDEND);
+
+ if (clear) {
+ result = dns_zone_keydone(zone, keystr);
+ if (result == ISC_R_SUCCESS) {
+ isc_buffer_putstr(text, "request queued");
+ isc_buffer_putuint8(text, 0);
+ } else
+ CHECK(result);
+ } else if (chain) {
+ result = dns_zone_setnsec3param(zone, hash, flags, iter,
+ saltlen, salt, ISC_TRUE);
+ if (result == ISC_R_SUCCESS) {
+ isc_buffer_putstr(text, "request queued");
+ isc_buffer_putuint8(text, 0);
+ } else
+ CHECK(result);
+ } else {
+ privatetype = dns_zone_getprivatetype(zone);
+ origin = dns_zone_getorigin(zone);
+ CHECK(dns_zone_getdb(zone, &db));
+ CHECK(dns_db_findnode(db, origin, ISC_FALSE, &node));
+ dns_db_currentversion(db, &version);
+
+ result = dns_db_findrdataset(db, node, version, privatetype,
+ dns_rdatatype_none, 0,
+ &privset, NULL);
+ if (result == ISC_R_NOTFOUND) {
+ isc_buffer_putstr(text, "No signing records found");
+ isc_buffer_putuint8(text, 0);
+ result = ISC_R_SUCCESS;
+ goto cleanup;
+ }
+
+ for (result = dns_rdataset_first(&privset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&privset))
+ {
+ dns_rdata_t priv = DNS_RDATA_INIT;
+ char output[BUFSIZ];
+ isc_buffer_t buf;
+
+ dns_rdataset_current(&privset, &priv);
+
+ isc_buffer_init(&buf, output, sizeof(output));
+ CHECK(dns_private_totext(&priv, &buf));
+
+ if (!first)
+ isc_buffer_putstr(text, "\n");
+ first = ISC_FALSE;
+
+ n = snprintf((char *)isc_buffer_used(text),
+ isc_buffer_availablelength(text),
+ "%s", output);
+ if (n >= isc_buffer_availablelength(text))
+ CHECK(ISC_R_NOSPACE);
+
+ isc_buffer_add(text, n);
+ }
+
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ }
+
+ cleanup:
+ if (dns_rdataset_isassociated(&privset))
+ dns_rdataset_disassociate(&privset);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (version != NULL)
+ dns_db_closeversion(db, &version, ISC_FALSE);
+ if (db != NULL)
+ dns_db_detach(&db);
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+
+ return (result);
+}
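Review bot: The option parsing at the top of ns_server_signing hands every next_token() result straight to strcasecmp(), memcpy(), snprintf() or isc_hex_decodestring() without a NULL check, so a `signing` command with too few arguments dereferences a null pointer inside named. `memcpy(keystr, ptr, sizeof(keystr))` always reads sizeof(keystr) bytes from the token, which over-reads a shorter argument and leaves keystr unterminated for a longer one; a bounded snprintf() with a truncation check is the safer copy. The test `n == sizeof(nbuf)` cannot detect truncation because snprintf() returns the untruncated length (use `>=`), and `%hhd` is the signed conversion for isc_uint8_t targets (`%hhu`). Further down, a dns_db_findrdataset() result other than ISC_R_NOTFOUND or success falls through to dns_rdataset_first() on an unassociated privset; a `CHECK(result);` after the not-found branch would stop that. The parsing with the checks added is shown below.

```c
	(void) next_token(&args, " \t");
	ptr = next_token(&args, " \t");
	if (ptr == NULL)
		return (ISC_R_UNEXPECTEDEND);

	/* … unchanged: -list branch … */
	else if (strcasecmp(ptr, "-clear") == 0) {
		clear = ISC_TRUE;
		ptr = next_token(&args, " \t");
		if (ptr == NULL)
			return (ISC_R_UNEXPECTEDEND);
		/* Bounded, always NUL-terminated copy of the key argument. */
		n = snprintf(keystr, sizeof(keystr), "%s", ptr);
		if (n >= sizeof(keystr))
			return (ISC_R_NOSPACE);
	} else if (strcasecmp(ptr, "-nsec3param") == 0) {
		/* … unchanged: local declarations, chain = ISC_TRUE … */
		hashstr = next_token(&args, " \t");
		if (hashstr == NULL)
			return (ISC_R_UNEXPECTEDEND);

		/* … unchanged: "none" branch … */
		else {
			flagstr = next_token(&args, " \t");
			iterstr = next_token(&args, " \t");
			if (flagstr == NULL || iterstr == NULL)
				return (ISC_R_UNEXPECTEDEND);
			n = snprintf(nbuf, sizeof(nbuf), "%s %s %s",
				     hashstr, flagstr, iterstr);
			if (n >= sizeof(nbuf))
				return (ISC_R_NOSPACE);
			n = sscanf(nbuf, "%hhu %hhu %hhu",
				   &hash, &flags, &iter);
			if (n != 3)
				return (ISC_R_BADNUMBER);

			ptr = next_token(&args, " \t");
			if (ptr == NULL)
				return (ISC_R_UNEXPECTEDEND);
			/* … unchanged: salt decoding … */
		}
	}
	/* … unchanged: unknown-option branch and the rest of the function … */
```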
diff --git a/bin/named/unix/dlz_dlopen_driver.c b/bin/named/unix/dlz_dlopen_driver.c
index 6cee006e..1521a056 100644
--- a/bin/named/unix/dlz_dlopen_driver.c
+++ b/bin/named/unix/dlz_dlopen_driver.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dlz_dlopen_driver.c,v 1.5 2011-10-11 00:09:01 each Exp $ */
+/* $Id: dlz_dlopen_driver.c,v 1.6 2011-10-27 23:01:59 smann Exp $ */
#include <config.h>
@@ -253,7 +253,7 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
isc_mutex_init(&cd->lock);
/* Open the library */
- dlopen_flags = RTLD_NOW;
+ dlopen_flags = RTLD_NOW|RTLD_GLOBAL;
#ifdef RTLD_DEEPBIND
/*
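Review bot: `RTLD_GLOBAL` is added to `dlopen_flags` in dlopen_dlz_create without any comment on why it is needed. The flag makes the driver module's symbols available for resolving references in objects loaded afterwards, so a name exported by one module can satisfy, or collide with, a lookup from another. That widens what a loaded module can influence and deserves a stated reason, for example `/* RTLD_GLOBAL: symbols of this module must be visible to objects it loads later (reason to be filled in by the author) */` above the assignment. The `#ifdef RTLD_DEEPBIND` block that follows continues outside the hunk, so how the two flags interact cannot be checked from here.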
diff --git a/bin/named/update.c b/bin/named/update.c
index 34243945..fac54241 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: update.c,v 1.197 2011-08-31 06:49:09 marka Exp $ */
+/* $Id: update.c,v 1.198 2011-10-28 06:20:04 each Exp $ */
#include <config.h>
@@ -3068,7 +3068,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
* remove any NSEC chain present will also be removed.
*/
CHECK(dns_nsec3param_deletechains(db, ver, zone,
- &diff));
+ ISC_TRUE, &diff));
} else if (has_dnskey && isdnssec(db, ver, privatetype)) {
isc_uint32_t interval;
dns_update_log_t log;
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 8ebc4611..0b73748b 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zoneconf.c,v 1.184 2011-10-12 00:10:19 marka Exp $ */
+/* $Id: zoneconf.c,v 1.185 2011-10-26 15:23:36 each Exp $ */
/*% */
@@ -909,7 +909,10 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
return (ISC_R_FAILURE);
}
- masterformat = dns_masterformat_text;
+ if (ztype == dns_zone_slave)
+ masterformat = dns_masterformat_raw;
+ else
+ masterformat = dns_masterformat_text;
obj = NULL;
result= ns_config_get(maps, "masterfile-format", &obj);
if (result == ISC_R_SUCCESS) {
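Review bot: The default `masterformat` in ns_zone_configure now depends on `ztype`, but the reason for defaulting slave zones to raw is not recorded next to the branch. A comment such as `/* Slave zones default to raw format; an explicit "masterfile-format" below still overrides this. */` above the `if` would make the precedence clear. Whether an existing text-format slave file is still accepted after the default changes is not visible in this hunk and is worth confirming. The function continues outside the hunk.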
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index df371c9a..62080ac6 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc.c,v 1.134 2011-03-21 15:39:05 each Exp $ */
+/* $Id: rndc.c,v 1.136 2011-10-28 06:20:05 each Exp $ */
/*! \file */
@@ -154,6 +154,15 @@ command is one of the following:\n\
Add zone to given view. Requires new-zone-file option.\n\
delzone [\"file\"] zone [class [view]]\n\
Removes zone from given view. Requires new-zone-file option.\n\
+ signing -list zone [class [view]]\n\
+ List the private records showing the state of DNSSEC\n\
+ signing in the given zone.\n\
+ signing -clear <keyid>/<algorithm> zone [class [view]]\n\
+ Remove the private record that indicating the given key\n\
+ has finished signing the given zone.\n\
+ signing -clear all zone [class [view]]\n\
+ Remove the private records for all keys that have\n\
+ finished signing the given zone.\n\
\n\
* == not yet implemented\n\
Version: %s\n",
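Review bot: The usage text lists `signing -list` and `signing -clear` but not the `-nsec3param` form that ns_server_signing parses in this same commit and that the autosign tests call. Going by the parsing order there, the missing entries would be `signing -nsec3param hash flags iterations salt zone [class [view]]\n\` and `signing -nsec3param none zone [class [view]]\n\`, each with a one-line description. The added line "Remove the private record that indicating the given key" also has a stray "that".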
diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh
index b1512f4c..0dc916a2 100644
--- a/bin/tests/system/autosign/ns1/keygen.sh
+++ b/bin/tests/system/autosign/ns1/keygen.sh
@@ -1,6 +1,6 @@
#!/bin/sh -e
#
-# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: keygen.sh,v 1.6 2010-01-18 23:48:40 tbox Exp $
+# $Id: keygen.sh,v 1.8 2011-10-20 23:46:51 tbox Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@@ -72,4 +72,4 @@ echo $zskinact > ../inact.key
echo $zskunpub > ../unpub.key
echo $zsknopriv > ../nopriv.key
echo $zsksby > ../standby.key
-echo $kskrev > ../rev.key
+$REVOKE -R $kskrev > ../rev.key
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 735d33ff..d3d25e1e 100644
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.34 2011-07-26 04:42:20 marka Exp $
+# $Id: tests.sh,v 1.37 2011-10-28 06:20:05 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@@ -126,7 +126,7 @@ zone nsec3.example.
update add nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone autonsec3.example.
-update add autonsec3.example. 3600 NSEC3PARAM 1 1 10 BEEF
+update add autonsec3.example. 3600 NSEC3PARAM 1 0 20 DEAF
send
zone nsec3.optout.example.
update add nsec3.optout.example. 3600 NSEC3PARAM 1 0 10 BEEF
@@ -140,6 +140,7 @@ send
END
# try to convert nsec.example; this should fail due to non-NSEC key
+echo "I:preset nsec3param in unsigned zone via nsupdate ($n)"
$NSUPDATE > nsupdate.out 2>&1 <<END
server 10.53.0.3 5300
zone nsec.example.
@@ -155,6 +156,27 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:checking for nsec3param signing record ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list autonsec3.example. > signing.out.test$n 2>&1
+grep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:resetting nsec3param via rndc signing ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all autonsec3.example. > /dev/null 2>&1
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1
+sleep 1
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list autonsec3.example. > signing.out.test$n 2>&1
+grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n > /dev/null || ret=1
+num=`grep "Pending " signing.out.test$n | wc -l`
+[ $num -eq 1 ] || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:signing preset nsec3 zone"
zsk=`cat autozsk.key`
ksk=`cat autoksk.key`
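Review bot: The `signing -clear all` and `signing -nsec3param 1 1 10 beef` commands in the second new test send all output to /dev/null and have no `|| ret=1`, so a rejected command only shows up indirectly through the later grep. Both would be clearer as `... > /dev/null 2>&1 || ret=1`. The fixed `sleep 1` before the `-list` check, and the `sleep 2` in the NSEC3->NSEC test added in the next hunk, make the result depend on timing. A bounded retry loop like the one this commit adds to dnssec/tests.sh would be steadier on a loaded machine.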
@@ -275,6 +297,22 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param none autonsec3.example. > /dev/null 2>&1
+sleep 2
+# this command should result in an empty file:
+$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:checking TTLs of imported DNSKEYs (no default) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
@@ -699,8 +737,7 @@ status=`expr $status + $ret`
echo "I:checking that revoked key is present ($n)"
ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < rev.key`
-id=`expr $id + 128 % 65536`
+id=`cat rev.key`
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
@@ -709,8 +746,7 @@ status=`expr $status + $ret`
echo "I:checking that revoked key self-signs ($n)"
ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < rev.key`
-id=`expr $id + 128 % 65536`
+id=`cat rev.key`
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 2aa3239b..a32bb34a 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: conf.sh.in,v 1.69 2011-08-30 05:16:11 marka Exp $
+# $Id: conf.sh.in,v 1.70 2011-10-27 20:18:41 smann Exp $
#
# Common configuration data for system tests, to be sourced into
@@ -54,7 +54,7 @@ JOURNALPRINT=$TOP/bin/tools/named-journalprint
# v6synth
SUBDIRS="acl allow_query addzone autosign builtin cacheclean checkconf
checknames checkzone database dlv dlvauto dlz dlzexternal
- dname dns64 dnssec forward glue gost ixfr inline limits
+ dname dns64 dnssec edns forward glue gost ixfr inline limits
logfileconfig lwresd masterfile masterformat metadata notify
nsupdate pending pkcs11 redirect resolver rndc rpz rrsetorder
sortlist smartsign staticstub stub tkey tsig tsiggss unknown
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index 2ced443c..0e98ee7d 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.43 2011-10-11 19:26:06 each Exp $
+# $Id: clean.sh,v 1.44 2011-10-28 06:20:05 each Exp $
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
rm -f */trusted.conf */managed.conf */tmp* */*.jnl */*.bk
@@ -59,3 +59,4 @@ rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
rm -f ns3/ttlpatch.example.db.patched
rm -f ns3/split-smart.example.db
rm -f nosign.before
+rm -f signing.out*
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
index 62a4efc1..1cb9299a 100644
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.48 2011-05-23 20:10:02 each Exp $ */
+/* $Id: named.conf,v 1.49 2011-10-28 06:20:05 each Exp $ */
// NS3
@@ -35,6 +35,15 @@ options {
dnssec-validation yes;
};
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-md5;
+};
+
+controls {
+ inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
+};
+
zone "." {
type hint;
file "../../common/root.hint";
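Review bot: The new `controls` statement accepts control connections from `any` source and authenticates them with a fixed `hmac-md5` secret committed in the file. For a system-test fixture listening on 10.53.0.3 that is workable, but the block should say so: `// Control channel for the system tests only; key matches ../common/rndc.conf` above `key rndc_key`. The reference to rndc.conf is inferred from the `-c ../common/rndc.conf` option used in tests.sh. Narrowing `allow` to the test addresses would keep the fixture from being copied as-is into a real configuration.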
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index ccebaa29..ae124415 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.97 2011-10-11 19:26:06 each Exp $
+# $Id: tests.sh,v 1.101 2011-10-28 06:20:05 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@@ -60,10 +60,16 @@ checkprivate () {
# Check the example. domain
echo "I:checking that zone transfer worked ($n)"
-ret=0
-$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
+for i in 1 2 3 4 5 6 7 8 9
+do
+ ret=0
+ $DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+ $DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1
+ [ $ret = 0 ] && break
+ sleep 1
+done
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
@@ -133,6 +139,24 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:checking positive wildcard answer NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking positive wildcard answer NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:checking positive wildcard validation NSEC3 ($n)"
ret=0
$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
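Review bot: The block "checking positive wildcard answer NSEC3" is added twice with identical commands and expectations, so the second copy only repeats the first under a new test number. One copy should be dropped. If the second was meant to cover a different server or the NSEC (non-NSEC3) case, its query and message need to change to say so.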
@@ -1236,6 +1260,17 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:checking that root DS queries validate ($n)"
+ret=0
+$DIG $DIGOPTS +noauth . @10.53.0.1 ds > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS +noauth . @10.53.0.4 ds > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)"
ret=0
$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns2.test$n || ret=1
@@ -1295,6 +1330,33 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:check rndc signing -list output ($n)"
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list dynamic.example 2>&1 > signing.out
+grep "No signing records found" signing.out > /dev/null 2>&1 || {
+ ret=1
+ sed 's/^/I:ns3 /' signing.out
+}
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list update-nsec3.example 2>&1 > signing.out
+grep "Done signing with key .*/NSEC3RSASHA1" signing.out > /dev/null 2>&1 || {
+ ret=1
+ sed 's/^/I:ns3 /' signing.out
+}
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:clear signing records ($n)"
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all update-nsec3.example > /dev/null || ret=1
+sleep 1
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list update-nsec3.example 2>&1 > signing.out
+grep "No signing records found" signing.out > /dev/null 2>&1 || {
+ ret=1
+ sed 's/^/I:ns3 /' signing.out
+}
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:checking that a insecure zone beneath a cname resolves ($n)"
ret=0
$DIG $DIGOPTS soa insecure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
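Review bot: Neither new test ("check rndc signing -list output" and "clear signing records") starts with `ret=0`, unlike the other tests in this file, so a failure left in `ret` by the previous test is counted again and a pass here cannot be told apart. The redirections written as `2>&1 > signing.out` send stderr to the original stdout rather than into the file, so error text from rndc never reaches the file that grep and the diagnostic `sed` read; `> signing.out 2>&1` captures both. The first two `-list` invocations also reuse the same signing.out, so on failure only the second command's output remains for inspection.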
diff --git a/bin/tests/system/edns/ans2/ans.pl b/bin/tests/system/edns/ans2/ans.pl
new file mode 100644
index 00000000..8b4ec2a4
--- /dev/null
+++ b/bin/tests/system/edns/ans2/ans.pl
@@ -0,0 +1,419 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: ans.pl,v 1.2 2011-10-27 20:18:41 smann Exp $
+
+#
+# This is the name server from hell. It provides canned
+# responses based on pattern matching the queries, and
+# can be reprogrammed on-the-fly over a TCP connection.
+#
+# The server listens for control connections on port 5301.
+# A control connection is a TCP stream of lines like
+#
+# /pattern/
+# name ttl type rdata
+# name ttl type rdata
+# ...
+# /pattern/
+# name ttl type rdata
+# name ttl type rdata
+# ...
+#
+# There can be any number of patterns, each associated
+# with any number of response RRs. Each pattern is a
+# Perl regular expression.
+#
+# Each incoming query is converted into a string of the form
+# "qname qtype" (the printable query domain name, space,
+# printable query type) and matched against each pattern.
+#
+# The first pattern matching the query is selected, and
+# the RR following the pattern line are sent in the
+# answer section of the response.
+#
+# Each new control connection causes the current set of
+# patterns and responses to be cleared before adding new
+# ones.
+#
+# The server handles UDP and TCP queries. Zone transfer
+# responses work, but must fit in a single 64 k message.
+#
+# Now you can add TSIG, just specify key/key data with:
+#
+# /pattern <key> <key_data>/
+# name ttl type rdata
+# name ttl type rdata
+#
+# Note that this data will still be sent with any request for
+# pattern, only this data will be signed. Currently, this is only
+# done for TCP.
+
+
+use IO::File;
+use IO::Socket;
+use Data::Dumper;
+use Net::DNS;
+use Net::DNS::Packet;
+use Net::DNS::RR;
+use strict;
+
+# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early
+local $SIG{PIPE} = 'IGNORE';
+
+# Flush logged output after every line
+local $| = 1;
+
+# We default to listening on 10.53.0.2 for historical reasons
+# XXX: we should also be able to specify IPv6
+my $server_addr = "10.53.0.2";
+if (@ARGV > 0) {
+ $server_addr = @ARGV[0];
+}
+
+# XXX: we should also be able to set the port numbers to listen on.
+my $ctlsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+ LocalPort => 5301, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
+
+my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+ LocalPort => 5300, Proto => "udp", Reuse => 1) or die "$!";
+
+my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+ LocalPort => 5300, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
+
+print "listening on $server_addr:5300,5301.\n";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";;
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+#my @answers = ();
+my @rules;
+sub handleUDP {
+ my ($buf) = @_;
+ my $squeeze = 1;
+
+ my ($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+ $err and die $err;
+
+ $packet->header->qr(1);
+ $packet->header->aa(1);
+
+ my @questions = $packet->question;
+ my $qname = $questions[0]->qname;
+ my $qtype = $questions[0]->qtype;
+
+ # check additional section for edns, if found, then set squeeze
+ # to false
+ my @additional = $packet->additional;
+ my $ra;
+ foreach $ra (@additional) {
+ if ("OPT" eq $ra->type) {
+ $squeeze = 0;
+ my $raclass = $ra->class;
+ print "[handleUDP] edns size: $raclass\n";
+ last;
+ }
+ }
+
+
+ # get the existing signature if any, and clear the additional section
+ my $prev_tsig;
+ while (my $rr = $packet->pop("additional")) {
+ if ($rr->type eq "TSIG") {
+ $prev_tsig = $rr;
+ }
+ }
+
+ my $r;
+ foreach $r (@rules) {
+ my $pattern = $r->{pattern};
+ my($dbtype, $key_name, $key_data) = split(/ /,$pattern);
+ print "[handleUDP] $dbtype, $key_name, $key_data \n";
+ if ("$qname $qtype" =~ /$dbtype/) {
+ my $a;
+ foreach $a (@{$r->{answer}}) {
+ $packet->push("answer", $a);
+ }
+ if(defined($key_name) && defined($key_data)) {
+ # Sign the packet
+ print " Signing the response with " .
+ "$key_name/$key_data\n";
+ my $tsig = Net::DNS::RR->
+ new("$key_name TSIG $key_data");
+
+ # These kluges are necessary because Net::DNS
+ # doesn't know how to sign responses. We
+ # clear compnames so that the TSIG key and
+ # algorithm name won't be compressed, and
+ # add one to arcount because the signing
+ # function will attempt to decrement it,
+ # which is incorrect in a response. Finally
+ # we set request_mac to the previous digest.
+ $packet->{"compnames"} = {};
+ $packet->{"header"}{"arcount"} += 1;
+ if (defined($prev_tsig)) {
+ my $rmac = pack('n H*',
+ $prev_tsig->mac_size,
+ $prev_tsig->mac);
+ $tsig->{"request_mac"} =
+ unpack("H*", $rmac);
+ }
+
+ $packet->sign_tsig($tsig);
+ }
+ last;
+ }
+ }
+ #$packet->print;
+
+ $packet->truncate(512) && print " Truncating UDP packet\n"
+ if ($squeeze);
+
+
+ return $packet->data;
+}
+
+# namelen:
+# given a stream of data, reads a DNS-formatted name and returns its
+# total length, thus making it possible to skip past it.
+sub namelen {
+ my ($data) = @_;
+ my $len = 0;
+ my $label_len = 0;
+ do {
+ $label_len = unpack("c", $data);
+ $data = substr($data, $label_len + 1);
+ $len += $label_len + 1;
+ } while ($label_len != 0);
+ return ($len);
+}
+
+# packetlen:
+# given a stream of data, reads a DNS wire-format packet and returns
+# its total length, making it possible to skip past it.
+sub packetlen {
+ my ($data) = @_;
+ my $q;
+ my $rr;
+
+ my ($header, $offset) = Net::DNS::Header->parse(\$data);
+ for (1 .. $header->qdcount) {
+ ($q, $offset) = Net::DNS::Question->parse(\$data, $offset);
+ }
+ for (1 .. $header->ancount) {
+ ($rr, $offset) = Net::DNS::RR->parse(\$data, $offset);
+ }
+ for (1 .. $header->nscount) {
+ ($rr, $offset) = Net::DNS::RR->parse(\$data, $offset);
+ }
+ for (1 .. $header->arcount) {
+ ($rr, $offset) = Net::DNS::RR->parse(\$data, $offset);
+ }
+ return $offset;
+}
+
+# sign_tcp_continuation:
+# This is a hack to correct the problem that Net::DNS has no idea how
+# to sign multiple-message TCP responses. Several data that are included
+# in the digest when signing a query or the first message of a response are
+# omitted when signing subsequent messages in a TCP stream.
+#
+# Net::DNS::Packet->sign_tsig() has the ability to use a custom signing
+# function (specified by calling Packet->sign_func()). We use this
+# function as the signing function for TCP continuations, and it removes
+# the unwanted data from the digest before calling the default sign_hmac
+# function.
+sub sign_tcp_continuation {
+ my ($key, $data) = @_;
+
+ # copy out first two bytes: size of the previous MAC
+ my $rmacsize = unpack("n", $data);
+ $data = substr($data, 2);
+
+ # copy out previous MAC
+ my $rmac = substr($data, 0, $rmacsize);
+ $data = substr($data, $rmacsize);
+
+ # try parsing out the packet information
+ my $plen = packetlen($data);
+ my $pdata = substr($data, 0, $plen);
+ $data = substr($data, $plen);
+
+ # remove the keyname, ttl, class, and algorithm name
+ $data = substr($data, namelen($data));
+ $data = substr($data, 6);
+ $data = substr($data, namelen($data));
+
+ # preserve the TSIG data
+ my $tdata = substr($data, 0, 8);
+
+ # prepare a new digest and sign with it
+ $data = pack("n", $rmacsize) . $rmac . $pdata . $tdata;
+ return Net::DNS::RR::TSIG::sign_hmac($key, $data);
+}
+
+sub handleTCP {
+ my ($buf) = @_;
+
+ my ($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+ $err and die $err;
+
+ $packet->header->qr(1);
+ $packet->header->aa(1);
+
+ my @questions = $packet->question;
+ my $qname = $questions[0]->qname;
+ my $qtype = $questions[0]->qtype;
+
+ # get the existing signature if any, and clear the additional section
+ my $prev_tsig;
+ my $signer;
+ while (my $rr = $packet->pop("additional")) {
+ if ($rr->type eq "TSIG") {
+ $prev_tsig = $rr;
+ }
+ }
+
+ my @results = ();
+ my $count_these = 0;
+
+ my $r;
+ foreach $r (@rules) {
+ my $pattern = $r->{pattern};
+ my($dbtype, $key_name, $key_data) = split(/ /,$pattern);
+ print "[handleTCP] $dbtype, $key_name, $key_data \n";
+ if ("$qname $qtype" =~ /$dbtype/) {
+ $count_these++;
+ my $a;
+ foreach $a (@{$r->{answer}}) {
+ $packet->push("answer", $a);
+ }
+ if(defined($key_name) && defined($key_data)) {
+ # sign the packet
+ print " Signing the data with " .
+ "$key_name/$key_data\n";
+
+ my $tsig = Net::DNS::RR->
+ new("$key_name TSIG $key_data");
+
+ # These kluges are necessary because Net::DNS
+ # doesn't know how to sign responses. We
+ # clear compnames so that the TSIG key and
+ # algorithm name won't be compressed, and
+ # add one to arcount because the signing
+ # function will attempt to decrement it,
+ # which is incorrect in a response. Finally
+ # we set request_mac to the previous digest.
+ $packet->{"compnames"} = {};
+ $packet->{"header"}{"arcount"} += 1;
+ if (defined($prev_tsig)) {
+ my $rmac = pack('n H*',
+ $prev_tsig->mac_size,
+ $prev_tsig->mac);
+ $tsig->{"request_mac"} =
+ unpack("H*", $rmac);
+ }
+
+ $tsig->sign_func($signer) if defined($signer);
+ $packet->sign_tsig($tsig);
+ $signer = \&sign_tcp_continuation;
+
+ my $copy =
+ Net::DNS::Packet->new(\($packet->data));
+ $prev_tsig = $copy->pop("additional");
+ }
+ #$packet->print;
+ push(@results,$packet->data);
+ $packet = new Net::DNS::Packet(\$buf, 0);
+ $packet->header->qr(1);
+ $packet->header->aa(1);
+ }
+ }
+ print " A total of $count_these patterns matched\n";
+ return \@results;
+}
+
+# Main
+my $rin;
+my $rout;
+for (;;) {
+ $rin = '';
+ vec($rin, fileno($ctlsock), 1) = 1;
+ vec($rin, fileno($tcpsock), 1) = 1;
+ vec($rin, fileno($udpsock), 1) = 1;
+
+ select($rout = $rin, undef, undef, undef);
+
+ if (vec($rout, fileno($ctlsock), 1)) {
+ warn "ctl conn";
+ my $conn = $ctlsock->accept;
+ my $rule = ();
+ @rules = ();
+ while (my $line = $conn->getline) {
+ chomp $line;
+ if ($line =~ m!^/(.*)/$!) {
+ $rule = { pattern => $1, answer => [] };
+ push(@rules, $rule);
+ } else {
+ push(@{$rule->{answer}},
+ new Net::DNS::RR($line));
+ }
+ }
+ $conn->close;
+ #print Dumper(@rules);
+ #print "+=+=+ $rules[0]->{'pattern'}\n";
+ #print "+=+=+ $rules[0]->{'answer'}->[0]->{'rname'}\n";
+ #print "+=+=+ $rules[0]->{'answer'}->[0]\n";
+ } elsif (vec($rout, fileno($udpsock), 1)) {
+ printf "UDP request\n";
+ my $buf;
+ $udpsock->recv($buf, 512);
+ my $result = handleUDP($buf);
+ # mimic fw and refuse to send packets > 512
+ my $len = length $result;
+ if ($len <= 512) {
+ my $num_chars = $udpsock->send($result);
+ print " Sent $num_chars bytes via UDP\n";
+ } else {
+ print " Dropping UDP packet (size = $len)\n";
+ }
+ } elsif (vec($rout, fileno($tcpsock), 1)) {
+ my $conn = $tcpsock->accept;
+ my $buf;
+ for (;;) {
+ my $lenbuf;
+ my $n = $conn->sysread($lenbuf, 2);
+ last unless $n == 2;
+ my $len = unpack("n", $lenbuf);
+ $n = $conn->sysread($buf, $len);
+ last unless $n == $len;
+ print "TCP request\n";
+ my $result = handleTCP($buf);
+ foreach my $response (@$result) {
+ $len = length($response);
+ $n = $conn->syswrite(pack("n", $len), 2);
+ $n = $conn->syswrite($response, $len);
+ print " Sent: $n chars via TCP\n";
+ }
+ }
+ $conn->close;
+ }
+}
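Review bot: `handleUDP` and `handleTCP` call `die` on any message Net::DNS cannot parse (`$err and die $err;`) and dereference `$questions[0]` without checking that a question is present, so a single malformed or question-less message stops the whole answer server; because `rmpid` is installed only for INT and TERM, ans.pid is left behind as well. Returning early instead (`return if $err || !$packet->question;` in handleUDP, an empty list reference in handleTCP), with the UDP branch of the main loop skipping the send when nothing comes back, would keep the fixture alive for the rest of the test run. Separately, `$server_addr = @ARGV[0];` is a one-element array slice and should read `$ARGV[0]`, and the `print` lines that echo `$key_name/$key_data` write the TSIG secret into the run log, which deserves a comment stating that only throwaway test keys are expected here.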
diff --git a/bin/tests/system/edns/clean.sh b/bin/tests/system/edns/clean.sh
new file mode 100644
index 00000000..548aa885
--- /dev/null
+++ b/bin/tests/system/edns/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.3 2011-10-27 23:46:30 tbox Exp $
+
+#
+# Clean up after zone transfer tests.
+#
+
+exit
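Review bot: The header comment says this cleans up after the zone transfer tests, but the file belongs to the edns test and its body is a bare `exit`, so nothing the test writes is removed. tests.sh in this commit reads `ans2/ans.run`, and ns1/named.conf sets `dump-file "named.dump"`; a line such as `rm -f ans2/ans.run ns1/named.run ns1/named.memstats ns1/named.dump` (names taken from the sibling inline/clean.sh and this test's config, to be checked against what the harness actually leaves behind) together with a corrected comment `# Clean up after EDNS tests.` would bring it in line with the other test directories.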
diff --git a/bin/tests/system/edns/ns1/named.conf b/bin/tests/system/edns/ns1/named.conf
new file mode 100644
index 00000000..0beae458
--- /dev/null
+++ b/bin/tests/system/edns/ns1/named.conf
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.3 2011-10-27 23:46:31 tbox Exp $ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-md5;
+};
+
+controls {
+ inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion yes;
+ forward only;
+ forwarders { 10.53.0.2; };
+ dump-file "named.dump";
+};
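Review bot: The control channel is opened with `allow { any; }` and authenticated by an inline `hmac-md5` secret committed in clear text, which is tolerable only because the listener is bound to the test network address 10.53.0.1. inline/ns3/named.conf in this same commit takes the key from `include "../../common/rndc.key";`; doing the same here would avoid a second copy of the secret, assuming that file defines the same `rndc_key`. A short comment such as `/* test fixture: shared rndc key, not for production use */` above the `controls` block would keep the stanza from being copied as-is into a real configuration.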
diff --git a/bin/tests/system/edns/prereq.sh b/bin/tests/system/edns/prereq.sh
new file mode 100644
index 00000000..c65ee288
--- /dev/null
+++ b/bin/tests/system/edns/prereq.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: prereq.sh,v 1.3 2011-10-28 12:20:31 tbox Exp $
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+ vers=`perl -MNet::DNS -e 'print "$Net::DNS::VERSION\n"'|awk -F. '{ print $1 }'`
+
+ if [ $vers -ge 66 ]
+ then
+ :
+ else
+ echo "I:This test requires the version 0.66 or later of the Net::DNS library." >&2
+ exit 255
+ fi
+else
+ echo "I:This test requires the Net::DNS library." >&2
+ exit 255
+fi
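Review bot: The version check compares the wrong field: `awk -F. '{ print $1 }'` keeps the part before the first dot, so a version string of the form 0.66 (the form the error message itself uses) yields 0 and `[ $vers -ge 66 ]` fails, which would make the test report itself unsupported on every such release. The same line runs a bare `perl` while the availability check uses `$PERL`, so the two can refer to different interpreters. Letting Perl do the comparison avoids both problems: `if $PERL -MNet::DNS -e 'exit($Net::DNS::VERSION >= 0.66 ? 0 : 1)'`.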
diff --git a/bin/tests/system/edns/setup.sh b/bin/tests/system/edns/setup.sh
new file mode 100644
index 00000000..bdb3cced
--- /dev/null
+++ b/bin/tests/system/edns/setup.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.3 2011-10-27 23:46:30 tbox Exp $
+
diff --git a/bin/tests/system/edns/tests.sh b/bin/tests/system/edns/tests.sh
new file mode 100644
index 00000000..832fe407
--- /dev/null
+++ b/bin/tests/system/edns/tests.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.3 2011-10-27 23:46:30 tbox Exp $
+
+# ns1 = forward only server
+# ans2 = modified ans.pl master
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd"
+DIGCMD="$DIG $DIGOPTS @10.53.0.1 -p 5300"
+SENDCMD="$PERL ../send.pl 10.53.0.2 5301"
+RNDCCMD="$RNDC -s 10.53.0.1 -p 9953 -c ../common/rndc.conf"
+
+echo "I:Setting up master"
+$SENDCMD <<EOF
+/SOA/
+nil. 0 SOA ns.nil. root.nil. 1 300 300 604800 300
+/TXT/
+nil. 0 TXT ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+ "cccccccccccccccccccccccccccccccccccccccccccccccccc"
+ "dddddddddddddddddddddddddddddddddddddddddddddddddd"
+ "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "gggggggggggggggggggggggggggggggggggggggggggggggggg"
+ "hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh"
+ "iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii"
+ "jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj"
+ "kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk"
+ )
+EOF
+
+echo "I:testing forwarder"
+$DIGCMD nil. TXT > /dev/null 2>&1
+edns_count=`grep -c "edns size: 4096" ans2/ans.run`
+if [ $edns_count -ne 1 ]
+then
+ echo "I:failed (EDNS4096 attempt)"
+ status=1
+else
+ echo "I: EDNS4096 attempt OK"
+fi
+
+edns_count=`grep -c "edns size: 512" ans2/ans.run`
+if [ $edns_count -ne 3 ]
+then
+ echo "I:failed (EDNS512 attempts)"
+ status=1
+else
+ echo "I: Three EDNS512 attempt OK"
+fi
+
+trunc_count=`grep -c "Truncating UDP packet" ans2/ans.run`
+if [ $trunc_count -ne 1 ]
+then
+ echo "I:failed (should be 1 truncation but $trunc_count returned)"
+ status=1
+else
+ echo "I: packet truncated"
+fi
+
+sleep 15
+
+$DIGCMD nil. TXT > /dev/null 2>&1
+trunc_count=`grep -c "Truncating UDP packet" ans2/ans.run`
+if [ $trunc_count -ne 2 ]
+then
+ echo "I:failed (should be 2 truncations but $trunc_count returned)"
+ status=1
+else
+ echo "I: packet truncated"
+fi
+
+echo "I:exit status: $status"
+exit $status
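Review bot: The expected counts (one `edns size: 4096`, three `edns size: 512`, one truncation and then two) and the `sleep 15` between the two queries are not explained anywhere, so a failure gives no hint of which resolver behaviour changed. A comment above each check, for example `# forwarder is expected to try EDNS 4096 once, then fall back to EDNS 512 (counts to be confirmed against the resolver's retry logic)`, and one on the sleep naming the timer it waits for, would make the test maintainable. The counts are taken from the whole of `ans2/ans.run`, so they are only right if that log starts empty on every run. `RNDCCMD` is defined but never used in this file, and the exit status of `$SENDCMD` is discarded, so a failed rule upload only shows up later as a count mismatch.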
diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh
index f67a88b3..d3bd19d8 100644
--- a/bin/tests/system/inline/clean.sh
+++ b/bin/tests/system/inline/clean.sh
@@ -12,11 +12,15 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.3 2011-10-12 00:10:19 marka Exp $
+# $Id: clean.sh,v 1.5 2011-10-28 06:20:05 each Exp $
rm -f */named.memstats
rm -f */named.run
rm -f */trusted.conf
+rm -f ns1/K*
+rm -f ns1/dsset-*
+rm -f ns1/root.db
+rm -f ns1/root.db.signed
rm -f ns2/bits.db
rm -f ns2/bits.db.jnl
rm -f ns3/K*
@@ -39,3 +43,4 @@ rm -f ns5/bits.bk.signed
rm -f ns5/bits.bk.signed.jnl
rm -f random.data
rm -f dig.out.ns*.test*
+rm -f signing.out*
diff --git a/bin/tests/system/inline/ns1/named.conf b/bin/tests/system/inline/ns1/named.conf
index 61209758..07f53333 100644
--- a/bin/tests/system/inline/ns1/named.conf
+++ b/bin/tests/system/inline/ns1/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2 2011-08-30 23:46:52 tbox Exp $ */
+/* $Id: named.conf,v 1.3 2011-10-25 01:54:20 marka Exp $ */
// NS1
@@ -39,4 +39,4 @@ zone "." {
file "root.db.signed";
};
-// include "trusted.conf";
+include "trusted.conf";
diff --git a/bin/tests/system/inline/ns1/root.db.in b/bin/tests/system/inline/ns1/root.db.in
new file mode 100644
index 00000000..47002fcc
--- /dev/null
+++ b/bin/tests/system/inline/ns1/root.db.in
@@ -0,0 +1,40 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db.in,v 1.4 2011-10-26 20:56:45 marka Exp $
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+bits. NS ns3.bits.
+bits. NS ns4.bits.
+ns3.bits. A 10.53.0.3
+ns4.bits. A 10.53.0.4
+
+noixfr. NS ns3.noixfr.
+ns3.noixfr. A 10.53.0.3
+
+master. NS ns3.master.
+ns3.master. A 10.53.0.3
+
+dynamic. NS ns3.dynamic.
+ns3.dynamic. A 10.53.0.3
diff --git a/bin/tests/system/inline/ns1/sign.sh b/bin/tests/system/inline/ns1/sign.sh
new file mode 100644
index 00000000..d3cc0edc
--- /dev/null
+++ b/bin/tests/system/inline/ns1/sign.sh
@@ -0,0 +1,41 @@
+#!/bin/sh -e
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2 2011-10-25 01:54:20 marka Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=.
+rm -f K.+*+*.key
+rm -f K.+*+*.private
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+$SIGNER -S -x -T 1200 -o ${zone} root.db
+
+cat ${keyname}.key | grep -v '^; ' | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print <<EOF
+trusted-keys {
+ "$dn" $flags $proto $alg "$key";
+};
+EOF
+' > trusted.conf
+
+cp trusted.conf ../ns6/trusted.conf
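Review bot: `$SIGNER -S -x -T 1200 -o ${zone} root.db` signs a file this script does not create, and ns3/sign.sh in this commit appends DS records to `../ns1/root.db`, so the script presumably depends on root.db having been copied from root.db.in and on ns3/sign.sh having run first; that ordering should be stated at the top, e.g. `# must run after ns3/sign.sh, which appends the child DS records to root.db`. The first `keyname=` assignment is overwritten by the second, so trusted.conf is built from the KSK only; naming the two results `zsk` and `ksk` would make that intent visible. `cat ${keyname}.key | grep -v '^; '` can be written as `grep -v '^; ' ${keyname}.key`.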
diff --git a/bin/tests/system/inline/ns3/master.db.in b/bin/tests/system/inline/ns3/master.db.in
new file mode 100644
index 00000000..600d6cb4
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master.db.in
@@ -0,0 +1,134 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: master.db.in,v 1.2 2011-10-26 20:56:45 marka Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns2 . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+
+; Used for testing ANY queries
+foo TXT "testing"
+foo A 10.0.1.0
+
+bad-cname CNAME a
+bad-dname DNAME @
+
+; Used for testing CNAME queries
+cname1 CNAME cname1-target
+cname1-target TXT "testing cname"
+
+cname2 CNAME cname2-target
+cname2-target TXT "testing cname"
+
+; Used for testing DNAME queries
+dname1 DNAME dname1-target
+foo.dname1-target TXT "testing dname"
+
+dname2 DNAME dname2-target
+foo.dname2-target TXT "testing dname"
+
+; A secure subdomain
+secure NS ns.secure
+ns.secure A 10.53.0.3
+
+; An insecure subdomain
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+
+; A secure subdomain we're going to inject bogus data into
+bogus NS ns.bogus
+ns.bogus A 10.53.0.3
+
+; A dynamic secure subdomain
+dynamic NS dynamic
+dynamic A 10.53.0.3
+
+; A insecure subdomain
+mustbesecure NS ns.mustbesecure
+ns.mustbesecure A 10.53.0.3
+
+; A rfc2535 signed zone w/ CNAME
+rfc2535 NS ns.rfc2535
+ns.rfc2535 A 10.53.0.3
+
+z A 10.0.0.26
+
+keyless NS ns.keyless
+ns.keyless A 10.53.0.3
+
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+
+optout NS ns.optout
+ns.optout A 10.53.0.3
+
+nsec3-unknown NS ns.nsec3-unknown
+ns.nsec3-unknown A 10.53.0.3
+
+optout-unknown NS ns.optout-unknown
+ns.optout-unknown A 10.53.0.3
+
+multiple NS ns.multiple
+ns.multiple A 10.53.0.3
+
+*.wild A 10.0.0.27
+
+rsasha256 NS ns.rsasha256
+ns.rsasha256 A 10.53.0.3
+
+rsasha512 NS ns.rsasha512
+ns.rsasha512 A 10.53.0.3
+
+kskonly NS ns.kskonly
+ns.kskonly A 10.53.0.3
+
+update-nsec3 NS ns.update-nsec3
+ns.update-nsec3 A 10.53.0.3
+
+auto-nsec NS ns.auto-nsec
+ns.auto-nsec A 10.53.0.3
+
+auto-nsec3 NS ns.auto-nsec3
+ns.auto-nsec3 A 10.53.0.3
+
+
+below-cname CNAME some.where.else.
+
+insecure.below-cname NS ns.insecure.below-cname
+ns.insecure.below-cname A 10.53.0.3
+
+secure.below-cname NS ns.secure.below-cname
+ns.secure.below-cname A 10.53.0.3
+
+ttlpatch NS ns.ttlpatch
+ns.ttlpatch A 10.53.0.3
+
+split-dnssec NS ns.split-dnssec
+ns.split-dnssec A 10.53.0.3
+
+split-smart NS ns.split-smart
+ns.split-smart A 10.53.0.3
diff --git a/bin/tests/system/inline/ns3/master2.db.in b/bin/tests/system/inline/ns3/master2.db.in
new file mode 100644
index 00000000..bff22d40
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master2.db.in
@@ -0,0 +1,135 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: master2.db.in,v 1.2 2011-10-26 20:56:45 marka Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns2 . (
+ 2000042408 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+e A 10.0.0.5
+
+; Used for testing ANY queries
+foo TXT "testing"
+foo A 10.0.1.0
+
+bad-cname CNAME a
+bad-dname DNAME @
+
+; Used for testing CNAME queries
+cname1 CNAME cname1-target
+cname1-target TXT "testing cname"
+
+cname2 CNAME cname2-target
+cname2-target TXT "testing cname"
+
+; Used for testing DNAME queries
+dname1 DNAME dname1-target
+foo.dname1-target TXT "testing dname"
+
+dname2 DNAME dname2-target
+foo.dname2-target TXT "testing dname"
+
+; A secure subdomain
+secure NS ns.secure
+ns.secure A 10.53.0.3
+
+; An insecure subdomain
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+
+; A secure subdomain we're going to inject bogus data into
+bogus NS ns.bogus
+ns.bogus A 10.53.0.3
+
+; A dynamic secure subdomain
+dynamic NS dynamic
+dynamic A 10.53.0.3
+
+; A insecure subdomain
+mustbesecure NS ns.mustbesecure
+ns.mustbesecure A 10.53.0.3
+
+; A rfc2535 signed zone w/ CNAME
+rfc2535 NS ns.rfc2535
+ns.rfc2535 A 10.53.0.3
+
+z A 10.0.0.26
+
+keyless NS ns.keyless
+ns.keyless A 10.53.0.3
+
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+
+optout NS ns.optout
+ns.optout A 10.53.0.3
+
+nsec3-unknown NS ns.nsec3-unknown
+ns.nsec3-unknown A 10.53.0.3
+
+optout-unknown NS ns.optout-unknown
+ns.optout-unknown A 10.53.0.3
+
+multiple NS ns.multiple
+ns.multiple A 10.53.0.3
+
+*.wild A 10.0.0.27
+
+rsasha256 NS ns.rsasha256
+ns.rsasha256 A 10.53.0.3
+
+rsasha512 NS ns.rsasha512
+ns.rsasha512 A 10.53.0.3
+
+kskonly NS ns.kskonly
+ns.kskonly A 10.53.0.3
+
+update-nsec3 NS ns.update-nsec3
+ns.update-nsec3 A 10.53.0.3
+
+auto-nsec NS ns.auto-nsec
+ns.auto-nsec A 10.53.0.3
+
+auto-nsec3 NS ns.auto-nsec3
+ns.auto-nsec3 A 10.53.0.3
+
+
+below-cname CNAME some.where.else.
+
+insecure.below-cname NS ns.insecure.below-cname
+ns.insecure.below-cname A 10.53.0.3
+
+secure.below-cname NS ns.secure.below-cname
+ns.secure.below-cname A 10.53.0.3
+
+ttlpatch NS ns.ttlpatch
+ns.ttlpatch A 10.53.0.3
+
+split-dnssec NS ns.split-dnssec
+ns.split-dnssec A 10.53.0.3
+
+split-smart NS ns.split-smart
+ns.split-smart A 10.53.0.3
diff --git a/bin/tests/system/inline/ns3/named.conf b/bin/tests/system/inline/ns3/named.conf
index e39580bb..25d412b9 100644
--- a/bin/tests/system/inline/ns3/named.conf
+++ b/bin/tests/system/inline/ns3/named.conf
@@ -14,11 +14,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2 2011-08-30 23:46:52 tbox Exp $ */
+/* $Id: named.conf,v 1.4 2011-10-26 20:56:45 marka Exp $ */
-// NS2
+// NS3
-controls { /* empty */ };
+include "../../common/rndc.key";
+
+controls { inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; };
options {
query-source address 10.53.0.3;
@@ -53,3 +55,18 @@ zone "noixfr" {
allow-update-forwarding { any; };
file "noixfr.bk";
};
+
+zone "master" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "master.db";
+};
+
+zone "dynamic" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ allow-update { any; };
+ file "dynamic.db";
+};
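Review bot: The new `dynamic` zone accepts updates from anyone (`allow-update { any; };`) while being signed automatically (`inline-signing yes; auto-dnssec maintain;`), and the first hunk of this file opens the control channel with `allow { any; }`; both presumably rely on the server being reachable only on the 10.53.0.3 test address. If the tests permit it, restricting updates to the test network or to a TSIG key would be closer to a real deployment. Otherwise a comment on the zone such as `// test fixture: unauthenticated updates, do not reuse outside the test network` would record that the setting is deliberate.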
diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh
index fd185cd2..b87849ad 100644
--- a/bin/tests/system/inline/ns3/sign.sh
+++ b/bin/tests/system/inline/ns3/sign.sh
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.2 2011-08-30 23:46:52 tbox Exp $
+# $Id: sign.sh,v 1.4 2011-10-26 20:56:45 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@@ -26,9 +26,25 @@ rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
zone=noixfr
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=master
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=dynamic
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
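Review bot: The stanzas added for `master` and `dynamic` generate RSASHA1 keys of 768 and 1024 bits with no explanation, and the sizes are presumably chosen to keep the test fast rather than for strength. A one-line comment before the first `$KEYGEN` call, for example `# small RSASHA1 keys keep the test quick; not a signing policy to copy`, would stop these parameters from being lifted into real zone-signing scripts. `keyname` is also assigned twice in each stanza, so only the KSK name reaches `$DSFROMKEY`; that looks intended, and a short comment saying so would help the next reader.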
diff --git a/bin/tests/system/inline/ns6/named.conf b/bin/tests/system/inline/ns6/named.conf
new file mode 100644
index 00000000..c779c526
--- /dev/null
+++ b/bin/tests/system/inline/ns6/named.conf
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2011-10-25 01:54:21 marka Exp $ */
+
+// NS6
+
+include "../../common/rndc.key";
+
+controls { inet 10.53.0.6 port 9953 allow { any; } keys { rndc_key; }; };
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ notify-delay 0;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh
index d7f6b3e5..00f497c6 100644
--- a/bin/tests/system/inline/setup.sh
+++ b/bin/tests/system/inline/setup.sh
@@ -12,10 +12,13 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.3 2011-10-12 00:10:19 marka Exp $
+# $Id: setup.sh,v 1.5 2011-10-26 20:56:45 marka Exp $
sh clean.sh
+cp ns1/root.db.in ns1/root.db
+rm -f ns1/root.db.signed
+
touch ns2/trusted.conf
cp ns2/bits.db.in ns2/bits.db
rm -f ns2/bits.db.jnl
@@ -25,17 +28,31 @@ rm -f ns3/bits.bk.jnl
rm -f ns3/bits.bk.signed
rm -f ns3/bits.bk.signed.jnl
-touch ns4/trusted.conf
-cp ns4/noixfr.db.in ns4/noixfr.db
-rm -f ns4/noixfr.db.jnl
-
rm -f ns3/noixfr.bk
rm -f ns3/noixfr.bk.jnl
rm -f ns3/noixfr.bk.signed
rm -f ns3/noixfr.bk.signed.jnl
+rm -f ns3/master.db
+rm -f ns3/master.db.jnl
+rm -f ns3/master.db.signed
+rm -f ns3/master.db.signed.jnl
+
+rm -f ns3/dynamic.db
+rm -f ns3/dynamic.db.jnl
+rm -f ns3/dynamic.db.signed
+rm -f ns3/dynamic.db.signed.jnl
+
+cp ns3/master.db.in ns3/master.db
+cp ns3/master.db.in ns3/dynamic.db
+
+touch ns4/trusted.conf
+cp ns4/noixfr.db.in ns4/noixfr.db
+rm -f ns4/noixfr.db.jnl
+
cp ns5/named.conf.pre ns5/named.conf
../../../tools/genrandom 400 random.data
(cd ns3; sh -e sign.sh)
+(cd ns1; sh -e sign.sh)
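Review bot: The added `(cd ns1; sh -e sign.sh)` joins its two commands with `;`, so if `cd ns1` fails the subshell still runs `sh -e sign.sh` from the wrong directory; `(cd ns1 && sh -e sign.sh)` avoids that, and the existing ns3 line has the same shape. The ordering here is also significant and undocumented: ns3/sign.sh appends DS records to `../ns1/root.db`, so the `cp ns1/root.db.in ns1/root.db` from the previous hunk has to run before it and, presumably, the ns1 signing step after it. A comment such as `# ns3/sign.sh appends DS records to ns1/root.db, so sign ns1 last` would make that dependency explicit.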
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
index 4b84e147..c08fa886 100644
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.3 2011-10-12 00:10:19 marka Exp $
+# $Id: tests.sh,v 1.6 2011-10-28 06:20:05 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@@ -31,17 +31,77 @@ ret=0
for i in 1 2 3 4 5 6 7 8 9 10
do
ret=0
- $DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
- grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
- grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
- records=`grep "TYPE65534.*05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001" dig.out.ns3.test$n | wc -l`
- [ $records = 2 ] || ret=1
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
+ keys=`grep '^Done signing' signing.out.test$n | wc -l`
+ [ $keys = 2 ] || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I:checking removal of private type record via 'rndc signing -clear' ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
+keys=`sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n`
+for key in $keys; do
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear ${key} bits > /dev/null || ret=1
+ break; # We only want to remove 1 record for now.
+done 2>&1 |sed 's/^/I:ns3 /'
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ans=0
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
+ num=`grep "Done signing with" signing.out.test$n | wc -l`
+ [ $num = 1 ] && break
+ sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking private type was properly signed ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
+grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking removal of remaining private type record via 'rndc signing -clear all' ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all bits > /dev/null || ret=1
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ans=0
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
+ grep "No signing records found" signing.out.test$n > /dev/null || ans=1
+ [ $ans = 1 ] || break
+ sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking negative private type response was properly signed ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
+grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
$NSUPDATE << EOF
zone bits
server 10.53.0.2 5300
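Review bot: The first `signing -clear` check cannot fail on the polling result, because the loop sets `ans=0` and only does `[ $num = 1 ] && break`, so the `[ $ans = 0 ] || ret=1` after it is always true even when the record is never removed. Replacing that line with `[ $num = 1 ] || ans=1` followed by `[ $ans = 0 ] && break` gives the loop the same shape as the later "No signing records found" loop. In addition, the `for key in $keys` loop is piped into `sed`, so it runs in a subshell and the `ret=1` set on a failed `$RNDC ... signing -clear` never reaches the rest of the script. The same two problems recur in the `master` variant of this test in a later hunk of this file.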
@@ -111,11 +171,9 @@ ret=0
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
ret=0
- $DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr TYPE65534 > dig.out.ns3.test$n
- grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
- grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
- records=`grep "TYPE65534.*05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001" dig.out.ns3.test$n | wc -l`
- [ $records = 2 ] || ret=1
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list noixfr > signing.out.test$n 2>&1
+ keys=`grep '^Done signing' signing.out.test$n | wc -l`
+ [ $keys = 2 ] || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
done
@@ -186,6 +244,146 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
+echo "I:checking that the master zone signed on initial load ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
+ keys=`grep '^Done signing' signing.out.test$n | wc -l`
+ [ $keys = 2 ] || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+
+n=`expr $n + 1`
+echo "I:checking removal of private type record via 'rndc signing -clear' (master) ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
+keys=`sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n`
+for key in $keys; do
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear ${key} master > /dev/null || ret=1
+ break; # We only want to remove 1 record for now.
+done 2>&1 |sed 's/^/I:ns3 /'
+
+for i in 1 2 3 4 5 6 7 8 9
+do
+ ans=0
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
+ num=`grep "Done signing with" signing.out.test$n | wc -l`
+ [ $num = 1 ] && break
+ sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking private type was properly signed (master) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.6 -p 5300 master TYPE65534 > dig.out.ns6.test$n
+grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking removal of remaining private type record via 'rndc signing -clear' (master) ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all master > /dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ans=0
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
+ grep "No signing records found" signing.out.test$n > /dev/null || ans=1
+ [ $ans = 1 ] || break
+ sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:check adding of record to unsigned master ($n)"
+ret=0
+sleep 1
+cp ns3/master2.db.in ns3/master.db
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload master || ret=1
+
+for i in 1 2 3 4 5 6 7 8 9
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 e.master A > dig.out.ns3.test$n
+ grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+ [ $ans = 1 ] || break
+ sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:check the added record was properly signed ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 -p 5300 e.master A > dig.out.ns6.test$n
+grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ans=1
+grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ans=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ans=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that the dynamic master zone signed on initial load ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list dynamic > signing.out.test$n 2>&1
+ keys=`grep '^Done signing' signing.out.test$n | wc -l`
+ [ $keys = 2 ] || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+
+n=`expr $n + 1`
+echo "I:checking adding of record to unsigned master using UPDATE ($n)"
+ret=0
+
+[ -f ns3/dynamic.db.jnl ] && { ret=1 ; echo "I:journal exists (pretest)" ; }
+
+$NSUPDATE << EOF
+zone dynamic
+server 10.53.0.3 5300
+update add e.dynamic 0 A 1.2.3.4
+send
+EOF
+
+[ -f ns3/dynamic.db.jnl ] || { ret=1 ; echo "I:journal does not exist (posttest)" ; }
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 e.dynamic > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+ grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1
+ [ $ans = 0 ] && break
+ sleep 1
+done
+[ $ans = 0 ] || { ret=1; echo "I:signed record not found"; cat dig.out.ns3.test$n ; }
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
echo "I:stop bump in the wire signer server ($n)"
ret=0
$PERL ../stop.pl . ns3 || ret=1
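Review bot: The "check the added record was properly signed" test cannot fail, because its three `grep` lines end in `|| ans=1` while the verdict is read from `ret`; they should end in `|| ret=1`. It also queries `@10.53.0.3` while writing `dig.out.ns6.test$n` and looking for the `ad` flag, so it was presumably meant to go through the validating resolver at 10.53.0.6, as the earlier "properly signed" checks do. Two further gaps in this hunk: the "signed on initial load" checks for `master` and `dynamic` print `I:failed` but have no following `status=` update, and the `master` polling loop after `signing -clear ${key}` never sets `ans` to 1. As written, a signing or validation regression in these paths would leave the test green.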
@@ -195,7 +393,7 @@ status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:restart bump in the wire signer server ($n)"
ret=0
-$PERL ../start.pl --noclean . ns3 || ret=1
+$PERL ../start.pl --noclean --restart . ns3 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
@@ -350,4 +548,5 @@ done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+status=`expr $status + $ret`
exit $status
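Review bot: The added `status=` line repeats the one directly above it, so a failure of the last test is added to `status` twice. It does not change the pass/fail outcome, since any non-zero status fails, but it reads like a merge leftover and should be dropped. The loop that ends at `done` starts outside this hunk, so I cannot tell whether the duplicate was meant to account for an earlier check whose own update is missing.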
diff --git a/bin/tests/system/lwresd/tests.sh b/bin/tests/system/lwresd/tests.sh
index 7b453180..cba6c195 100644
--- a/bin/tests/system/lwresd/tests.sh
+++ b/bin/tests/system/lwresd/tests.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.18 2007-06-18 23:47:29 tbox Exp $
+# $Id: tests.sh,v 1.20 2011-10-17 23:46:33 tbox Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@@ -36,6 +36,7 @@ $PERL $SYSTEMTESTTOP/start.pl . lwresd1 -- "-m record,size,mctx -c lwresd.conf -
echo "I:using lwresd.conf"
ret=0
+sleep 1 # allow lwresd to finish starting.
./lwtest || ret=1
if [ $ret != 0 ]; then
echo "I:failed"
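Review bot: The added `sleep 1 # allow lwresd to finish starting.` assumes lwresd is ready within one second, which will be flaky on a loaded machine and wastes a second on a fast one. A bounded readiness poll, in the style of the ten-iteration wait loop this commit adds at the top of notify/tests.sh, would be more robust than a fixed delay. The `if` block that follows continues outside the hunk.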
diff --git a/bin/tests/system/masterformat/clean.sh b/bin/tests/system/masterformat/clean.sh
index c4757255..f78832fc 100755
--- a/bin/tests/system/masterformat/clean.sh
+++ b/bin/tests/system/masterformat/clean.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2005, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -14,10 +14,12 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.5 2007-09-26 03:22:44 marka Exp $
+# $Id: clean.sh,v 1.7 2011-10-26 23:46:14 tbox Exp $
rm -f named-compilezone
rm -f ns1/example.db.raw
rm -f ns2/example.db
rm -f dig.out.*
rm -f */named.memstats
+rm -f ns2/transfer.db.*
+rm -f ns2/formerly-text.db
diff --git a/bin/tests/system/masterformat/ns1/named.conf b/bin/tests/system/masterformat/ns1/named.conf
index 7c85481a..5b4fb7ec 100644
--- a/bin/tests/system/masterformat/ns1/named.conf
+++ b/bin/tests/system/masterformat/ns1/named.conf
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.4 2007-06-19 23:47:04 tbox Exp $ */
+/* $Id: named.conf,v 1.6 2011-10-26 23:46:15 tbox Exp $ */
// NS1
@@ -23,6 +23,7 @@ controls { /* empty */ };
options {
pid-file "named.pid";
listen-on port 5300 { 10.53.0.1; };
+ port 5300;
listen-on-v6 { none; };
recursion no;
notify no;
@@ -34,3 +35,21 @@ zone "example" {
masterfile-format raw;
file "example.db.raw";
};
+
+zone "transfer1" {
+ type master;
+ file "example.db";
+ allow-transfer { any; };
+};
+
+zone "transfer2" {
+ type master;
+ file "example.db";
+ allow-transfer { any; };
+};
+
+zone "transfer3" {
+ type master;
+ file "example.db";
+ allow-transfer { any; };
+};
diff --git a/bin/tests/system/masterformat/ns2/formerly-text.db.in b/bin/tests/system/masterformat/ns2/formerly-text.db.in
new file mode 100644
index 00000000..973e7b30
--- /dev/null
+++ b/bin/tests/system/masterformat/ns2/formerly-text.db.in
@@ -0,0 +1,53 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: formerly-text.db.in,v 1.3 2011-10-26 23:46:15 tbox Exp $
+
+$ORIGIN .
+$TTL 86400 ; 1 day
+transfer3 IN SOA ns.transfer3. hostmaster.transfer3. (
+ 1 ; serial
+ 3600 ; refresh (1 hour)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3 ; minimum (3 seconds)
+ )
+ NS ns.transfer3.
+$ORIGIN transfer3.
+a A 10.53.0.1
+ A 10.53.0.2
+aaaa AAAA 2001:db8::53
+cname CNAME cname-target
+dname DNAME dname-target
+$TTL 300 ; 5 minutes
+dnskey DNSKEY 256 3 1 (
+ AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg+Ge4noWR
+ OpTWOIBvm76zeJPWs4Zfqa1IsswDIx5Mqeg0zwclz59u
+ ecKsKyx5w9IhtZ8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=
+ ) ; ZSK; alg = RSAMD5; key id = 30795
+ds DS 30795 1 1 (
+ 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 )
+$TTL 86400 ; 1 day
+mx MX 10 mail
+ns A 10.53.0.1
+$TTL 600 ; 10 minutes
+nsec NSEC nsecnext.transfer3. NS DS RRSIG NSEC
+$TTL 300 ; 5 minutes
+rrsig RRSIG SOA 1 0 300 (
+ 20050714214747 20050614214747 30795 .
+ yi/RRPAQmn6rnjDQaCqVValBa+ICF00ZldKfZSDaoew5
+ mMUh83DlrrPPNeAxrzMSNzDGlJ6PfdyIFgzPn/CvthF4
+ kjBUAiJTp4r2zhlaUJQ+QFo+drYXYgVJo6aA36fj )
+$TTL 86400 ; 1 day
+txt TXT "this is text"
diff --git a/bin/tests/system/masterformat/ns2/named.conf b/bin/tests/system/masterformat/ns2/named.conf
index e0bf1c7d..c995a64a 100644
--- a/bin/tests/system/masterformat/ns2/named.conf
+++ b/bin/tests/system/masterformat/ns2/named.conf
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.4 2007-06-19 23:47:04 tbox Exp $ */
+/* $Id: named.conf,v 1.6 2011-10-26 23:46:15 tbox Exp $ */
// NS2
@@ -24,6 +24,7 @@ options {
pid-file "named.pid";
listen-on port 5300 { 10.53.0.2; };
listen-on-v6 { none; };
+ port 5300;
recursion no;
notify no;
dnssec-enable yes;
@@ -33,3 +34,22 @@ zone "example" {
type master;
file "example.db";
};
+
+zone "transfer1" {
+ type slave;
+ masters { 10.53.0.1; };
+ file "transfer.db.raw";
+};
+
+zone "transfer2" {
+ type slave;
+ masters { 10.53.0.1; };
+ masterfile-format text;
+ file "transfer.db.txt";
+};
+
+zone "transfer3" {
+ type slave;
+ masters { 10.53.0.1; };
+ file "formerly-text.db";
+};
diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh
index 9c93c817..03ab5c50 100755
--- a/bin/tests/system/masterformat/setup.sh
+++ b/bin/tests/system/masterformat/setup.sh
@@ -1,4 +1,4 @@
-# Copyright (C) 2005-2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2005-2007, 2011 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -12,9 +12,10 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.6 2007-06-19 23:47:04 tbox Exp $
+# $Id: setup.sh,v 1.8 2011-10-26 23:46:14 tbox Exp $
ln -s $CHECKZONE named-compilezone
rm -f ns1/example.db.raw
cp ns1/example.db ns2/
+cp ns2/formerly-text.db.in ns2/formerly-text.db
cd ns1 && sh compile.sh
diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh
index b5b4c942..9c4b4f33 100755
--- a/bin/tests/system/masterformat/tests.sh
+++ b/bin/tests/system/masterformat/tests.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2005, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -14,57 +14,24 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.4 2007-06-19 23:47:04 tbox Exp $
+# $Id: tests.sh,v 1.6 2011-10-26 23:46:14 tbox Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
-DIGOPTS="+tcp +noauth +noadd +nosea +nostat +noquest +nocomm +nocmd"
-
-status=0
-
-echo "I:checking that master file in the raw format worked"
-
-for server in 1 2
-do
- for name in ns mx a aaaa cname dname txt rrsig nsec dnskey ds
- do
- $DIG $DIGOPTS $name.example. $name @10.53.0.$server -p 5300
- echo
- done > dig.out.$server
-done
-
-diff dig.out.1 dig.out.2 || status=1
-
-echo "I:exit status: $status"
-exit $status
-#!/bin/sh
-#
-# Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: tests.sh,v 1.4 2007-06-19 23:47:04 tbox Exp $
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
+israw () {
+ cat $1 | perl -e '$input = <STDIN>;
+ ($style, $version) = unpack("NN", $input);
+ exit 1 if ($style != 2 || $version != 0);'
+ return $?
+}
DIGOPTS="+tcp +noauth +noadd +nosea +nostat +noquest +nocomm +nocmd"
status=0
echo "I:checking that master file in the raw format worked"
-
+ret=0
for server in 1 2
do
for name in ns mx a aaaa cname dname txt rrsig nsec dnskey ds
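Review bot: The new `israw` helper calls bare `perl` although this script uses `$PERL` from conf.sh for `digcomp.pl`, and it feeds an unquoted `$1` through a needless `cat`. I would start the pipeline as `$PERL -e '...' < "$1"` and drop `return $?`, since a shell function already returns the status of its last command. The helper also returns non-zero both for a non-raw file and for a missing or empty one. A header comment should state that, because the callers in the next hunk depend on the distinction.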
@@ -73,8 +40,30 @@ do
echo
done > dig.out.$server
done
-
-diff dig.out.1 dig.out.2 || status=1
+$PERL ../digcomp.pl dig.out.1 dig.out.2 || ret=1
+[ $ret -eq 0 ] || echo "I:failed"
+status=`expr $status + $ret`
+
+echo "I:waiting for transfers to complete"
+sleep 1
+
+echo "I:checking that slave was saved in raw format by default"
+ret=0
+israw ns2/transfer.db.raw || ret=1
+[ $ret -eq 0 ] || echo "I:failed"
+status=`expr $status + $ret`
+
+echo "I:checking that slave was saved in text format when configured"
+ret=0
+israw ns2/transfer.db.txt && ret=1
+[ $ret -eq 0 ] || echo "I:failed"
+status=`expr $status + $ret`
+
+echo "I:checking that slave formerly in text format is now raw"
+ret=0
+israw ns2/formerly-text.db || ret=1
+[ $ret -eq 0 ] || echo "I:failed"
+status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status
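Review bot: The "saved in text format when configured" check passes when `ns2/transfer.db.txt` does not exist, because `israw` returns non-zero for a missing file just as it does for a text one, so `israw ns2/transfer.db.txt && ret=1` leaves `ret` at 0. Adding `[ -s ns2/transfer.db.txt ] || ret=1` before it closes that gap. The fixed `sleep 1` under "waiting for transfers to complete" has the opposite weakness: if a transfer takes longer, the two raw-format checks fail spuriously, so polling for the files for a few seconds would be safer.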
diff --git a/bin/tests/system/notify/clean.sh b/bin/tests/system/notify/clean.sh
index f4d143cd..64374d5a 100644
--- a/bin/tests/system/notify/clean.sh
+++ b/bin/tests/system/notify/clean.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -15,12 +15,12 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.12 2007-09-26 03:22:44 marka Exp $
+# $Id: clean.sh,v 1.14 2011-10-17 23:46:33 tbox Exp $
#
# Clean up after zone transfer tests.
#
-rm -f ns3/example.bk dig.out.ns2 dig.out.ns3
+rm -f ns3/example.bk dig.out.ns2.test* dig.out.ns3.test*
rm -f ns2/example.db
rm -f */named.memstats
diff --git a/bin/tests/system/notify/ns2/named.conf b/bin/tests/system/notify/ns2/named.conf
index e2e2cca0..ca4b996f 100644
--- a/bin/tests/system/notify/ns2/named.conf
+++ b/bin/tests/system/notify/ns2/named.conf
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.20 2007-06-19 23:47:04 tbox Exp $ */
+/* $Id: named.conf,v 1.22 2011-10-17 23:46:33 tbox Exp $ */
controls { /* empty */ };
@@ -39,5 +39,4 @@ zone "." {
zone "example" {
type master;
file "example.db";
- allow-update { any; };
};
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
index 6d34958b..cab3e879 100644
--- a/bin/tests/system/notify/tests.sh
+++ b/bin/tests/system/notify/tests.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -15,78 +15,114 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.33 2007-06-19 23:47:04 tbox Exp $
+# $Id: tests.sh,v 1.36 2011-10-17 01:33:27 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
status=0
+n=0
+#
+# Wait up to 10 seconds for the servers to finish starting before testing.
+#
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG +tcp example @10.53.0.2 soa -p 5300 > dig.out.ns2.test$n || ret=1
+ grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+ grep "flags:.* aa[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
+ $DIG +tcp example @10.53.0.3 soa -p 5300 > dig.out.ns3.test$n || ret=1
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "flags:.* aa[ ;]" dig.out.ns3.test$n > /dev/null || ret=1
+ [ $ret = 0 ] && break
+ sleep 1
+done
+
+n=`expr $n + 1`
+echo "I:checking initial status ($n)"
+ret=0
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
- @10.53.0.2 a -p 5300 > dig.out.ns2 || status=1
-grep ";" dig.out.ns2
+ @10.53.0.2 a -p 5300 > dig.out.ns2.test$n || ret=1
+grep "10.0.0.1" dig.out.ns2.test$n > /dev/null || ret=1
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
- @10.53.0.3 a -p 5300 > dig.out.ns3 || status=1
-grep ";" dig.out.ns3
+ @10.53.0.3 a -p 5300 > dig.out.ns3.test$n || ret=1
+grep "10.0.0.1" dig.out.ns3.test$n > /dev/null || ret=1
-$PERL ../digcomp.pl dig.out.ns2 dig.out.ns3 || status=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
+[ $ret = 0 ] || echo "I:failed"
+status=`expr $ret + $status`
+
+echo "I:reloading with example2 using HUP and waiting 45 seconds"
+sleep 1 # make sure filesystem time stamp is newer for reload.
rm -f ns2/example.db
cp -f ns2/example2.db ns2/example.db
kill -HUP `cat ns2/named.pid`
sleep 45
+n=`expr $n + 1`
+echo "I:checking example2 loaded ($n)"
+ret=0
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
- @10.53.0.2 a -p 5300 > dig.out.ns2 || status=1
-grep ";" dig.out.ns2
-
-$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
- @10.53.0.3 a -p 5300 > dig.out.ns3 || status=1
-grep ";" dig.out.ns3
-
-$PERL ../digcomp.pl dig.out.ns2 dig.out.ns3 || status=1
-
-###
-# Why does not doing the stop not cause problems with the start further on?
-###
-$PERL $SYSTEMTESTTOP/stop.pl . ns3
-
-rm -f ns2/example.db
-cp -f ns2/example3.db ns2/example.db
-kill -HUP `cat ns2/named.pid`
-sleep 45
+ @10.53.0.2 a -p 5300 > dig.out.ns2.test$n || ret=1
+grep "10.0.0.2" dig.out.ns2.test$n > /dev/null || ret=1
-$PERL $SYSTEMTESTTOP/start.pl . ns3
+[ $ret = 0 ] || echo "I:failed"
+status=`expr $ret + $status`
+n=`expr $n + 1`
+echo "I:checking example2 contents have been transferred after HUP reload ($n)"
+ret=0
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
- @10.53.0.2 a -p 5300 > dig.out.ns2 || status=1
-grep ";" dig.out.ns2
+ @10.53.0.2 a -p 5300 > dig.out.ns2.test$n || ret=1
+grep "10.0.0.2" dig.out.ns2.test$n > /dev/null || ret=1
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
- @10.53.0.3 a -p 5300 > dig.out.ns3 || status=1
-grep ";" dig.out.ns3
+ @10.53.0.3 a -p 5300 > dig.out.ns3.test$n || ret=1
+grep "10.0.0.2" dig.out.ns3.test$n > /dev/null || ret=1
+
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
-$PERL ../digcomp.pl dig.out.ns2 dig.out.ns3 || status=1
+[ $ret = 0 ] || echo "I:failed"
+status=`expr $ret + $status`
+echo "I:stopping master and restarting with example4 then waiting 45 seconds"
$PERL $SYSTEMTESTTOP/stop.pl . ns2
rm -f ns2/example.db
cp -f ns2/example4.db ns2/example.db
-$PERL $SYSTEMTESTTOP/start.pl . ns2
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns2
sleep 45
+n=`expr $n + 1`
+echo "I:checking example4 loaded ($n)"
+ret=0
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
- @10.53.0.2 a -p 5300 > dig.out.ns2 || status=1
-grep ";" dig.out.ns2
+ @10.53.0.2 a -p 5300 > dig.out.ns2.test$n || ret=1
+grep "10.0.0.4" dig.out.ns2.test$n > /dev/null || ret=1
+
+[ $ret = 0 ] || echo "I:failed"
+status=`expr $ret + $status`
+
+n=`expr $n + 1`
+echo "I:checking example4 contents have been transfered after restart ($n)"
+ret=0
+$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
+ @10.53.0.2 a -p 5300 > dig.out.ns2.test$n || ret=1
+grep "10.0.0.4" dig.out.ns2.test$n > /dev/null || ret=1
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
- @10.53.0.3 a -p 5300 > dig.out.ns3 || status=1
-grep ";" dig.out.ns3
+ @10.53.0.3 a -p 5300 > dig.out.ns3.test$n || ret=1
+grep "10.0.0.4" dig.out.ns3.test$n > /dev/null || ret=1
+
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
-$PERL ../digcomp.pl dig.out.ns2 dig.out.ns3 || status=1
+[ $ret = 0 ] || echo "I:failed"
+status=`expr $ret + $status`
echo "I:exit status: $status"
exit $status
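Review bot: The startup loop added at the top waits up to ten seconds for both servers to answer authoritatively, but its final `ret` is discarded, because the next test resets `ret=0` and a server that never came up is only noticed indirectly. After the loop's `done` I would add `[ $ret = 0 ] || { echo "I:servers not ready"; status=1; }`. The two `sleep 45` waits are kept as fixed delays. Polling the slave's answer the way the startup loop does would make the test both faster and less timing-dependent. The new message "contents have been transfered after restart" also misspells "transferred".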
diff --git a/bin/tests/system/rpz/ns3/crash2 b/bin/tests/system/rpz/ns3/crash2
new file mode 100644
index 00000000..72ed4a10
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/crash2
@@ -0,0 +1,25 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: crash2,v 1.2 2011-10-28 11:46:50 marka Exp $
+
+; a valid zone containing records that caused crashes
+
+$TTL 120
+@ SOA crash2.tld3. hostmaster.ns.tld3. ( 1 3600 1200 604800 60 )
+ NS ns
+ns A 10.53.0.3
+
+; #18 in test1, crashed new ASSERT() in rbtdb.c
+c1 A 172.16.1.1
diff --git a/bin/tests/system/rpz/ns3/named.conf b/bin/tests/system/rpz/ns3/named.conf
index 4463f8af..bb856e12 100644
--- a/bin/tests/system/rpz/ns3/named.conf
+++ b/bin/tests/system/rpz/ns3/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.4 2011-10-13 01:32:33 vjs Exp $ */
+/* $Id: named.conf,v 1.5 2011-10-28 11:46:50 marka Exp $ */
options {
@@ -89,3 +89,4 @@ zone "bl-garden." {type master; file "bl-garden.db";
allow-update {any;};};
zone "crash1.tld2" {type master; file "crash1";};
+zone "crash2.tld3." {type master; file "crash2";};
diff --git a/bin/tests/system/rpz/test1 b/bin/tests/system/rpz/test1
index c076c093..50be5dfa 100644
--- a/bin/tests/system/rpz/test1
+++ b/bin/tests/system/rpz/test1
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: test1,v 1.6 2011-10-13 01:32:32 vjs Exp $
+; $Id: test1,v 1.7 2011-10-28 11:46:49 marka Exp $
; Use comment lines instead of blank lines to combine update requests into
@@ -72,4 +72,8 @@ update add a4-5.tld2.bl. 300 A 127.0.0.16
; 17
update add a4-6.tld2.bl. 300 CNAME .
update add a4-6-cname.tld2.bl. 300 A 127.0.0.17
+
+; 18
+update add c1.crash2.tld3.bl. 300 CNAME .
+
send
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 63c2ecfe..5901e62b 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.8 2011-10-13 13:03:51 marka Exp $
+# $Id: tests.sh,v 1.9 2011-10-28 11:46:50 marka Exp $
# test response policy zones (RPZ)
@@ -214,6 +214,7 @@ addr 56.56.56.56 a3-6.tld2 # 14 wildcard CNAME
addr 57.57.57.57 a3-7.sub1.tld2 # 15 wildcard CNAME
addr 127.0.0.16 a4-5-cname3.tld2 # 16 CNAME chain
addr 127.0.0.17 a4-6-cname3.tld2 # 17 stop short in CNAME chain
+nxdomain c1.crash2.tld3 # 18 assert in rbtdb.c
end_group
start_group "IP rewrites" test2
diff --git a/bin/tests/system/smartsign/tests.sh b/bin/tests/system/smartsign/tests.sh
index 714880fb..8f868095 100644
--- a/bin/tests/system/smartsign/tests.sh
+++ b/bin/tests/system/smartsign/tests.sh
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.17 2011-10-13 03:55:01 marka Exp $
+# $Id: tests.sh,v 1.18 2011-10-25 03:57:08 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@@ -93,13 +93,17 @@ echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || r
echo "$pzoneout" | grep 'ZSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1
echo "$czoneout" | grep 'ZSKs: 1 active, 2 stand-by, 0 revoked' > /dev/null || ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
+if [ $ret != 0 ]; then
+ echo "I: parent $pzoneout"
+ echo "I: child $czoneout"
+ echo "I:failed";
+fi
status=`expr $status + $ret`
echo "I:rechecking dnssec-signzone output with -x"
ret=0
# use an alternate output file so -x doesn't interfere with later checks
-pzoneout=`$SIGNER -Sxg -r $RANDFILE -o $pzone -f {$pfile}2.signed $pfile 2>&1`
+pzoneout=`$SIGNER -Sxg -r $RANDFILE -o $pzone -f ${pfile}2.signed $pfile 2>&1`
czoneout=`$SIGNER -Sxg -e now+1d -X now+2d -r $RANDFILE -o $czone -f ${cfile}2.signed $cfile 2>&1`
echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
echo "$pzoneout" | grep 'ZSKs: 1 active, 0 present, 0 revoked' > /dev/null || ret=1
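Review bot: The new failure branch prints `$pzoneout` and `$czoneout` with one `echo` each, so only the first line of the multi-line dnssec-signzone output gets the `I:` prefix that every other message in this script carries. The output is grepped just above for separate `KSKs:` and `ZSKs:` lines, so it does span several lines. Prefixing each line keeps the log uniform, for example `echo "$pzoneout" | sed 's/^/I: parent /'` and `echo "$czoneout" | sed 's/^/I: child /'`. The stray `;` after `echo "I:failed"` inside the multi-line `if` can be dropped as well.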
@@ -110,8 +114,14 @@ status=`expr $status + $ret`
echo "I:checking parent zone DNSKEY set"
ret=0
-grep "key id = $pzid" $pfile.signed > /dev/null || ret=1
-grep "key id = $pkid" $pfile.signed > /dev/null || ret=1
+grep "key id = $pzid" $pfile.signed > /dev/null || {
+ ret=1
+ echo "I: missing expected parent ZSK id = $pzid"
+}
+grep "key id = $pkid" $pfile.signed > /dev/null || {
+ ret=1
+ echo "I: missing expected parent KSK id = $pkid"
+}
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
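Review bot: The `grep "key id = $pzid"` and `grep "key id = $pkid"` checks match on a substring, so an id that is a prefix of another id in `$pfile.signed` (123 against 1234, constructed values) satisfies the check, and an empty variable matches every `key id =` line. Anchoring the id, for example `grep "key id = $pzid\$"` if the id is the last field on the line (the file format is not visible in this hunk), would make the new "missing expected" messages reliable. The child-zone checks in the next hunk use the same pattern, and there the "should not be there" greps can fail spuriously for the same reason.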
@@ -128,17 +138,45 @@ status=`expr $status + $ret`
echo "I:checking child zone DNSKEY set"
ret=0
-grep "key id = $ckactive" $cfile.signed > /dev/null || ret=1
-grep "key id = $ckpublished" $cfile.signed > /dev/null || ret=1
-grep "key id = $ckrevoked" $cfile.signed > /dev/null || ret=1
-grep "key id = $czactive" $cfile.signed > /dev/null || ret=1
-grep "key id = $czpublished" $cfile.signed > /dev/null || ret=1
-grep "key id = $czinactive" $cfile.signed > /dev/null || ret=1
+grep "key id = $ckactive" $cfile.signed > /dev/null || {
+ ret=1
+ echo "I: missing expected child KSK id = $ckactive"
+}
+grep "key id = $ckpublished" $cfile.signed > /dev/null || {
+ ret=1
+ echo "I: missing expected child prepublished KSK id = $ckpublished"
+}
+grep "key id = $ckrevoked" $cfile.signed > /dev/null || {
+ ret=1
+ echo "I: missing expected child revoked KSK id = $ckrevoked"
+}
+grep "key id = $czactive" $cfile.signed > /dev/null || {
+ ret=1
+ echo "I: missing expected child ZSK id = $czactive"
+}
+grep "key id = $czpublished" $cfile.signed > /dev/null || {
+ ret=1
+ echo "I: missing expected child prepublished ZSK id = $czpublished"
+}
+grep "key id = $czinactive" $cfile.signed > /dev/null || {
+ ret=1
+ echo "I: missing expected child inactive ZSK id = $czinactive"
+}
# should not be there, hence the &&
-grep "key id = $ckprerevoke" $cfile.signed > /dev/null && ret=1
-grep "key id = $czgenerated" $cfile.signed > /dev/null && ret=1
-grep "key id = $czpredecessor" $cfile.signed && echo pred is there
-grep "key id = $czsuccessor" $cfile.signed && echo succ is there
+grep "key id = $ckprerevoke" $cfile.signed > /dev/null && {
+ ret=1
+ echo "I: found unexpect child pre-revoke ZSK id = $ckprerevoke"
+}
+grep "key id = $czgenerated" $cfile.signed > /dev/null && {
+ ret=1
+ echo "I: found unexpected child generated ZSK id = $czgenerated"
+}
+grep "key id = $czpredecessor" $cfile.signed > /dev/null && {
+ echo "I: found unexpected ZSK predecessor id = $czpredecessor (ignored)"
+}
+grep "key id = $czsuccessor" $cfile.signed > /dev/null && {
+ echo "I: found unexpected ZSK successor id = $czsuccessor (ignored)"
+}
#grep "key id = $czpredecessor" $cfile.signed > /dev/null && ret=1
#grep "key id = $czsuccessor" $cfile.signed > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
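Review bot: The message for `$ckprerevoke` says `found unexpect child pre-revoke ZSK`, but every other `ck*` variable in this hunk is reported as a KSK and every `cz*` variable as a ZSK, so this one looks mislabelled, and "unexpect" is a typo. Suggested line: `echo "I: found unexpected child pre-revoke KSK id = $ckprerevoke"`. The two commented-out greps for `$czpredecessor` and `$czsuccessor` left at the end now duplicate the new "(ignored)" blocks. A one-line comment such as `# predecessor/successor keys are reported but do not fail the test yet` would say why they are tolerated, or the dead lines could be removed.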
diff --git a/bin/tests/system/upforwd/ns3/named.conf b/bin/tests/system/upforwd/ns3/named.conf
index 61af892d..e4c72c61 100644
--- a/bin/tests/system/upforwd/ns3/named.conf
+++ b/bin/tests/system/upforwd/ns3/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.13 2011-09-02 02:25:07 marka Exp $ */
+/* $Id: named.conf,v 1.14 2011-10-26 15:23:37 each Exp $ */
controls { /* empty */ };
@@ -43,5 +43,6 @@ zone "nomaster" {
type slave;
file "nomaster1.db";
allow-update-forwarding { any; };
+ masterfile-format text;
masters { 10.53.0.4; };
};
diff --git a/bin/tests/system/xferquota/setup.pl b/bin/tests/system/xferquota/setup.pl
index 07b9be31..77352193 100644
--- a/bin/tests/system/xferquota/setup.pl
+++ b/bin/tests/system/xferquota/setup.pl
@@ -1,6 +1,6 @@
#!/usr/bin/perl
#
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.pl,v 1.14 2007-06-19 23:47:07 tbox Exp $
+# $Id: setup.pl,v 1.16 2011-10-26 23:46:15 tbox Exp $
#
# Set up test data for zone transfer quota tests.
@@ -28,7 +28,7 @@ my $slaveconf = new FileHandle("ns2/zones.conf", "w") or die;
for ($z = 0; $z < 300; $z++) {
my $zn = sprintf("zone%06d.example", $z);
print $masterconf "zone \"$zn\" { type master; file \"$zn.db\"; };\n";
- print $slaveconf "zone \"$zn\" { type slave; file \"$zn.bk\"; masters { 10.53.0.1; }; };\n";
+ print $slaveconf "zone \"$zn\" { type slave; file \"$zn.bk\"; masterfile-format text; masters { 10.53.0.1; }; };\n";
my $fn = "ns1/$zn.db";
my $f = new FileHandle($fn, "w") or die "open: $fn: $!";
print $f "\$TTL 300