Diffstat (limited to 'bin')
28 files changed, 715 insertions, 67 deletions
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index 8f3cbc8d..a1258ef3 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dnssec-settime.c,v 1.28.16.2 2011-03-21 23:46:58 tbox Exp $ */
+/* $Id: dnssec-settime.c,v 1.28.16.3 2011-06-02 20:24:11 each Exp $ */
 /*! \file */
@@ -81,8 +81,7 @@ usage(void) {
 "deletion date\n");
 fprintf(stderr, "Printing options:\n");
 fprintf(stderr, " -p C/P/A/R/I/D/all: print a particular time "
- "value or values "
- "[default: all]\n");
+ "value or values\n");
 fprintf(stderr, " -u: print times in unix epoch "
 "format\n");
 fprintf(stderr, "Output:\n");
diff --git a/bin/named/query.c b/bin/named/query.c
index 3d2def49..9be178be 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: query.c,v 1.353.8.8 2011-04-27 23:47:01 tbox Exp $ */
+/* $Id: query.c,v 1.353.8.11 2011-06-09 03:14:03 marka Exp $ */
 /*! \file */
@@ -635,6 +635,7 @@ query_findversion(ns_client_t *client, dns_db_t *db)
 dns_db_attach(db, &dbversion->db);
 dns_db_currentversion(db, &dbversion->version);
 dbversion->acl_checked = ISC_FALSE;
+ dbversion->queryok = ISC_FALSE;
 ISC_LIST_APPEND(client->query.activeversions,
 dbversion, link);
 }
@@ -766,6 +767,7 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
 dbversion->queryok = ISC_FALSE;
 return (DNS_R_REFUSED);
 }
+ dbversion->queryok = ISC_TRUE;
 approved:
 /* Transfer ownership, if necessary. */
@@ -4103,8 +4105,13 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
 }
 break;
 case DNS_R_DNAME:
- policy = DNS_RPZ_POLICY_RECORD;
- break;
+ /*
+ * DNAME policy RRs have very few if any uses that are not
+ * better served with simple wildcards. Making the work would
+ * require complications to get the number of labels matched
+ * in the name or the found name itself to the main DNS_R_DNAME
+ * case in query_find(). So fall through to treat them as NODATA.
+ */
 case DNS_R_NXRRSET:
 policy = DNS_RPZ_POLICY_NODATA;
 break;
@@ -5314,6 +5321,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 break;
 case DNS_RPZ_POLICY_RECORD:
 if (type == dns_rdatatype_any &&
+ result != DNS_R_CNAME &&
 dns_rdataset_isassociated(rdataset))
 dns_rdataset_disassociate(rdataset);
 break;
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 021ae8f9..a3e713b4 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: zoneconf.c,v 1.170.14.3 2011-03-11 06:47:01 marka Exp $ */
+/* $Id: zoneconf.c,v 1.170.14.4 2011-05-23 20:56:10 each Exp $ */
 /*% */
@@ -1214,7 +1214,6 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 */
 if (ztype == dns_zone_master) {
 isc_boolean_t allow = ISC_FALSE, maint = ISC_FALSE;
- isc_boolean_t create = ISC_FALSE;
 obj = NULL;
 result = ns_config_get(maps, "check-wildcard", &obj);
@@ -1304,15 +1303,12 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 allow = ISC_TRUE;
 else if (strcasecmp(arg, "maintain") == 0)
 allow = maint = ISC_TRUE;
- else if (strcasecmp(arg, "create") == 0)
- allow = maint = create = ISC_TRUE;
 else if (strcasecmp(arg, "off") == 0)
 ;
 else
 INSIST(0);
 dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
 dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
- dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, create);
 }
 }
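Review bot: The rewritten `case DNS_R_DNAME:` ends without a bare fall-through marker and the new comment has a typo (`Making the work would` should read `Making them work would`). Tools that check for implicit fall-through look for an annotation immediately before the next `case`, so add `/* FALLTHROUGH */` as the last line of the DNAME case in addition to the prose explanation. Since a DNAME policy RR in a response-policy zone is now answered as NODATA rather than as a record, operators who still have such RRs get no signal; if nothing at zone-load time warns about them (not visible in this diff), a warning log line there would help. rpz_find continues outside the hunk.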
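Review bot: The added `result != DNS_R_CNAME &&` in the DNS_RPZ_POLICY_RECORD case of query_find has no comment, so a reader cannot tell why an ANY query keeps the rdataset when the policy lookup returned a CNAME. Presumably the rdataset then holds the CNAME that still has to be placed in the answer, but that has to be confirmed from the DNS_R_CNAME handling elsewhere in query_find, which is outside the hunk. A one-line comment such as `/* For ANY, drop the policy rdataset unless it is the CNAME we will return. */` above the `if` would pin the reasoning.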
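Review bot: Deleting the `create` arm of the strcasecmp chain leaves `INSIST(0)` as the only handler for that value, so a named.conf that still says `auto-dnssec create;` would abort named at configuration time unless the configuration grammar was changed in the same commit; that code lives outside `bin/` and is not in this diff, so it cannot be checked here. If the parser still accepts the keyword, rejecting it with a configuration error or logging a warning and treating it as `maintain` is preferable to an assertion failure. ns_zone_configure continues outside both hunks.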
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index f7a1e4a1..058088c8 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: nsupdate.c,v 1.193.12.2 2011-03-21 19:53:33 each Exp $ */
+/* $Id: nsupdate.c,v 1.193.12.3 2011-05-23 22:12:14 each Exp $ */
 /*! \file */
@@ -695,8 +695,10 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
 keyfile, isc_result_totext(result));
 return;
 }
- } else
+ } else {
 dst_key_attach(dstkey, &sig0key);
+ dst_key_free(&dstkey);
+ }
 }
 static void
diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh
index 39352c98..dc39ecfd 100644
--- a/bin/tests/system/autosign/ns2/keygen.sh
+++ b/bin/tests/system/autosign/ns2/keygen.sh
@@ -1,6 +1,6 @@
 #!/bin/sh -e
 #
-# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: keygen.sh,v 1.7 2010-06-07 04:45:43 marka Exp $
+# $Id: keygen.sh,v 1.7.112.2 2011-05-26 23:47:04 tbox Exp $
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -57,5 +57,5 @@ for i in Xbar.+005+30676.key Xbar.+005+30804.key Xbar.+005+30676.private \
 do
 cp $i `echo $i | sed s/X/K/`
 done
-$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
+$KEYGEN -q -r $RANDFILE $zone > /dev/null
 $DSFROMKEY Kbar.+005+30804.key > dsset-bar.
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index c943ab35..917237c7 100644
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.12.18.10 2011-05-03 00:36:47 marka Exp $
+# $Id: tests.sh,v 1.12.18.13 2011-05-30 22:31:28 marka Exp $
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -26,6 +26,34 @@ n=0
 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+# convert private-type records to readable form
+showprivate () {
+ echo "-- $@ --"
+ $DIG $DIGOPTS +nodnssec +short @$2 -t type65534 $1 | cut -f3 -d' ' |
+ while read record; do
+ perl -e 'my $rdata = pack("H*", @ARGV[0]);
+ die "invalid record" unless length($rdata) == 5;
+ my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
+ my $action = "signing";
+ $action = "removing" if $remove;
+ my $state = " (incomplete)";
+ $state = " (complete)" if $complete;
+ print ("$action: alg: $alg, key: $key$state\n");' $record
+ done
+}
+
+# check that signing records are marked as complete
+checkprivate () {
+ ret=0
+ x=`showprivate "$@"`
+ echo $x | grep incomplete >&- 2>&- && ret=1
+ [ $ret = 1 ] && {
+ echo "$x"
+ echo "I:failed"
+ }
+ return $ret
+}
+
 #
 # The NSEC record at the apex of the zone and its RRSIG records are
 # added as part of the last step in signing a zone. We wait for the
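Review bot: `showprivate` runs `perl -e` directly while the rest of this script (the new `starttime=` line further down) and the dlv sign.sh scripts go through `$PERL` from conf.sh, so the helper should call `$PERL -e '...' $record` as well. In `checkprivate`, `echo $x | grep incomplete >&- 2>&-` closes stdout and stderr to silence grep and loses the quoting of `$x`; `echo "$x" | grep -q incomplete && ret=1` expresses the same check portably. The one-liner's `@ARGV[0]` is a one-element slice where `$ARGV[0]` is meant; it works, but warns under `perl -w`.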
@@ -704,17 +732,19 @@ file="ns1/`cat vanishing.key`.private"
 rm -f $file
 echo "I:preparing ZSK roll"
+starttime=`$PERL -e 'print time(), "\n";'`
 oldfile=`cat active.key`
 oldid=`sed 's/^K.+007+0*//' < active.key`
 newfile=`cat standby.key`
 newid=`sed 's/^K.+007+0*//' < standby.key`
-$SETTIME -K ns1 -I now -D now+15 $oldfile > /dev/null
+$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > /dev/null
 $SETTIME -K ns1 -i 0 -S $oldfile $newfile > /dev/null
 # note previous zone serial number
 oldserial=`$DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}'`
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . 2>&1 | sed 's/^/I:ns1 /'
+sleep 4
 echo "I:revoking key to duplicated key ID"
 $SETTIME -R now -K ns2 Kbar.+005+30676.key > /dev/null
@@ -741,6 +771,36 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+echo "I:checking that signing records have been marked as complete ($n)"
+ret=0
+checkprivate . 10.53.0.1 || ret=1
+checkprivate bar 10.53.0.2 || ret=1
+checkprivate example 10.53.0.2 || ret=1
+checkprivate private.secure.example 10.53.0.3 || ret=1
+checkprivate nsec3.example 10.53.0.3 || ret=1
+checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1
+checkprivate nsec3.optout.example 10.53.0.3 || ret=1
+checkprivate nsec3-to-nsec.example 10.53.0.3 || ret=1
+checkprivate nsec.example 10.53.0.3 || ret=1
+checkprivate oldsigs.example 10.53.0.3 || ret=1
+checkprivate optout.example 10.53.0.3 || ret=1
+checkprivate optout.nsec3.example 10.53.0.3 || ret=1
+checkprivate optout.optout.example 10.53.0.3 || ret=1
+checkprivate prepub.example 10.53.0.3 || ret=1
+checkprivate rsasha256.example 10.53.0.3 || ret=1
+checkprivate rsasha512.example 10.53.0.3 || ret=1
+checkprivate secure.example 10.53.0.3 || ret=1
+checkprivate secure.nsec3.example 10.53.0.3 || ret=1
+checkprivate secure.optout.example 10.53.0.3 || ret=1
+checkprivate secure-to-insecure2.example 10.53.0.3 || ret=1
+checkprivate secure-to-insecure.example 10.53.0.3 || ret=1
+checkprivate ttl1.example 10.53.0.3 || ret=1
+checkprivate ttl2.example 10.53.0.3 || ret=1
+checkprivate ttl3.example 10.53.0.3 || ret=1
+checkprivate ttl4.example 10.53.0.3 || ret=1
+n=`expr $n + 1`
+status=`expr $status + $ret`
+
 echo "I:forcing full sign"
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 sign . 2>&1 | sed 's/^/I:ns1 /'
@@ -820,6 +880,16 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:checking former active key was removed ($n)"
+#
+# Work out how long we need to sleep. Allow 4 seconds for the records
+# to be removed.
+#
+now=`$PERL -e 'print time(), "\n";'`
+sleep=`expr $starttime + 29 - $now`
+case $sleep in
+-*|0);;
+*) echo "I:waiting for timer to have activated"; sleep $sleep;;
+esac
 ret=0
 $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep '; key id =.*'"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1
diff --git a/bin/tests/system/dlv/clean.sh b/bin/tests/system/dlv/clean.sh
index 8b49fe50..2457e4cb 100644
--- a/bin/tests/system/dlv/clean.sh
+++ b/bin/tests/system/dlv/clean.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007, 2010 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2010, 2011 Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -14,17 +14,30 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.7 2010-05-27 23:51:08 tbox Exp $
+# $Id: clean.sh,v 1.7.120.2 2011-05-26 23:47:05 tbox Exp $
 rm -f random.data
 rm -f ns*/named.run
+rm -f ns1/K*
+rm -f ns1/dsset-*
+rm -f ns1/*.signed
+rm -f ns1/signer.err
+rm -f ns1/root.db
+rm -f ns2/K*
+rm -f ns2/dlvset-*
+rm -f ns2/dsset-*
+rm -f ns2/*.signed
+rm -f ns2/*.pre
+rm -f ns2/signer.err
+rm -f ns2/druz.db
 rm -f ns3/K*
 rm -f ns3/*.db
 rm -f ns3/*.signed
 rm -f ns3/dlvset-*
 rm -f ns3/dsset-*
 rm -f ns3/keyset-*
-rm -f ns3/trusted.conf ns5/trusted.conf
+rm -f ns1/trusted.conf ns5/trusted.conf
+rm -f ns3/trusted-dlv.conf ns5/trusted-dlv.conf
 rm -f ns3/signer.err
 rm -f ns6/K*
 rm -f ns6/*.db
diff --git a/bin/tests/system/dlv/ns1/named.conf b/bin/tests/system/dlv/ns1/named.conf
index 2d5d8c16..d452cd6d 100644
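Review bot: The constant 29 in the expression `expr $starttime + 29 - $now` silently encodes the `-D now+25` deletion offset chosen in the ZSK-roll step of this script plus the 4-second allowance mentioned in the comment, so changing either value breaks the other. Name the relationship where the number is used, e.g. `# 25s deletion offset (-D now+25 in the ZSK roll above) + 4s for removal` and `deletewait=29`, and have the comment at the settime call point back here. The `case $sleep in -*|0);;` guard does handle a negative or zero remaining wait, so only the coupling is at issue.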
--- a/bin/tests/system/dlv/ns1/named.conf
+++ b/bin/tests/system/dlv/ns1/named.conf
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: named.conf,v 1.4 2007-06-19 23:47:02 tbox Exp $ */
+/* $Id: named.conf,v 1.4.814.2 2011-05-26 23:47:05 tbox Exp $ */
 controls { /* empty */ };
@@ -28,8 +28,8 @@ options {
 listen-on-v6 { none; };
 recursion no;
 notify yes;
- dnssec-enable no;
+ dnssec-enable yes;
 };
-zone "." { type master; file "root.db"; };
+zone "." { type master; file "root.signed"; };
 zone "rootservers.utld" { type master; file "rootservers.utld.db"; };
diff --git a/bin/tests/system/dlv/ns1/root.db b/bin/tests/system/dlv/ns1/root.db.in
index 620c66e9..4ad4fbf7 100644
--- a/bin/tests/system/dlv/ns1/root.db
+++ b/bin/tests/system/dlv/ns1/root.db.in
@@ -1,4 +1,4 @@
-; Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
-; $Id: root.db,v 1.4 2007-06-19 23:47:02 tbox Exp $
+; $Id: root.db.in,v 1.2.2.3 2011-05-26 23:47:05 tbox Exp $
 $TTL 120
 @ SOA ns.rootservers.utld hostmaster.ns.rootservers.utld (
@@ -22,3 +22,5 @@ ns A 10.53.0.1
 ;
 utld NS ns.utld
 ns.utld A 10.53.0.2
+druz NS ns.druz
+ns.druz A 10.53.0.2
diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
new file mode 100755
index 00000000..c7ce3078
--- /dev/null
+++ b/bin/tests/system/dlv/ns1/sign.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2.2.3 2011-05-26 23:47:05 tbox Exp $
+
+(cd ../ns2 && sh -e ./sign.sh || exit 1)
+
+echo "I:dlv/ns1/sign.sh"
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+outfile=root.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+
+echo "I: signed $zone"
+
+grep -v '^;' $keyname2.key | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print <<EOF
+trusted-keys {
+ "$dn" $flags $proto $alg "$key";
+};
+EOF
+' > trusted.conf
+cp trusted.conf ../ns5
+
diff --git a/bin/tests/system/dlv/ns2/druz.db.in b/bin/tests/system/dlv/ns2/druz.db.in
new file mode 100644
index 00000000..dd402204
--- /dev/null
+++ b/bin/tests/system/dlv/ns2/druz.db.in
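Review bot: `(cd ../ns2 && sh -e ./sign.sh || exit 1)` exits only the subshell, so a failure in the ns2 signing step is discarded and this script goes on to sign the root; the new ns2/sign.sh repeats the construct with `(cd ../ns3 && sh -e ./sign.sh || exit 1)`. Move the exit outside the parentheses, `(cd ../ns2 && sh -e ./sign.sh) || exit 1`, or use `#!/bin/sh -e` as autosign/ns2/keygen.sh does so the failed subshell stops the parent. The `$SIGNER ... || cat signer.err` line likewise reports and continues; whether the harness later notices a missing root.signed is not visible in this diff.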
@@ -0,0 +1,54 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: druz.db.in,v 1.3.2.3 2011-05-26 23:47:05 tbox Exp $
+
+$TTL 120
+@ SOA ns hostmaster.ns 1 3600 1200 604800 60
+@ NS ns
+ns A 10.53.0.2
+;
+rootservers NS ns.rootservers
+ns.rootservers A 10.53.0.1
+;
+;
+child1 NS ns.child1
+ns.child1 A 10.53.0.3
+;
+child2 NS ns.child2
+ns.child2 A 10.53.0.4
+;
+child3 NS ns.child3
+ns.child3 A 10.53.0.3
+;
+child4 NS ns.child4
+ns.child4 A 10.53.0.3
+;
+child5 NS ns.child5
+ns.child5 A 10.53.0.3
+;
+child6 NS ns.child6
+ns.child6 A 10.53.0.4
+;
+child7 NS ns.child7
+ns.child7 A 10.53.0.3
+;
+child8 NS ns.child8
+ns.child8 A 10.53.0.3
+;
+child9 NS ns.child9
+ns.child9 A 10.53.0.3
+;
+child10 NS ns.child10
+ns.child10 A 10.53.0.3
diff --git a/bin/tests/system/dlv/ns2/named.conf b/bin/tests/system/dlv/ns2/named.conf
index c7e6ba8d..1c793a12 100644
--- a/bin/tests/system/dlv/ns2/named.conf
+++ b/bin/tests/system/dlv/ns2/named.conf
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: named.conf,v 1.4 2007-06-19 23:47:02 tbox Exp $ */
+/* $Id: named.conf,v 1.4.814.2 2011-05-26 23:47:05 tbox Exp $ */
 controls { /* empty */ };
@@ -28,8 +28,9 @@ options {
 listen-on-v6 { none; };
 recursion no;
 notify yes;
- dnssec-enable no;
+ dnssec-enable yes;
 };
 zone "." { type hint; file "hints"; };
 zone "utld" { type master; file "utld.db"; };
+zone "druz" { type master; file "druz.signed"; };
diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh
new file mode 100755
index 00000000..3c362f68
--- /dev/null
+++ b/bin/tests/system/dlv/ns2/sign.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2.2.3 2011-05-26 23:47:05 tbox Exp $
+
+(cd ../ns3 && sh -e ./sign.sh || exit 1)
+
+echo "I:dlv/ns2/sign.sh"
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=druz.
+infile=druz.db.in
+zonefile=druz.db
+outfile=druz.pre
+dlvzone=utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+
+$CHECKZONE -q -D -i none druz druz.pre |
+sed '/IN DNSKEY/s/\([a-z0-9A-Z/]\{10\}\)[a-z0-9A-Z/]\{16\}/\1XXXXXXXXXXXXXXXX/'> druz.signed
+
+echo "I: signed $zone"
diff --git a/bin/tests/system/dlv/ns3/named.conf b/bin/tests/system/dlv/ns3/named.conf
index daa862ac..181ed832 100644
--- a/bin/tests/system/dlv/ns3/named.conf
+++ b/bin/tests/system/dlv/ns3/named.conf
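Review bot: The `sed '/IN DNSKEY/s/...'` step overwrites sixteen characters of the published DNSKEY RDATA in druz.signed with `X`s and nothing says why, so it reads as a bug to the next maintainer. Presumably the served key is meant to stop matching the DS/DLV data derived from the real key so that the test exercises a validation failure or DLV fallback for druz; confirm against tests.sh, which is not in this diff, and record it above the `$CHECKZONE` line with `# deliberately corrupt the published DNSKEY so it no longer matches the DS generated for it`. Note also that `druz.pre` is the genuine signed output and `druz.signed` the doctored copy that ns2/named.conf loads, which is the reverse of what the names suggest.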
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: named.conf,v 1.4 2007-06-19 23:47:02 tbox Exp $ */
+/* $Id: named.conf,v 1.4.814.2 2011-05-26 23:47:05 tbox Exp $ */
 controls { /* empty */ };
@@ -41,3 +41,11 @@ zone "child7.utld" { type master; file "child7.signed"; }; // no dlv
 zone "child8.utld" { type master; file "child8.signed"; }; // no dlv
 zone "child9.utld" { type master; file "child9.signed"; }; // dlv
 zone "child10.utld" { type master; file "child.db.in"; }; // dlv unsigned
+zone "child1.druz" { type master; file "child1.druz.signed"; }; // dlv
+zone "child3.druz" { type master; file "child3.druz.signed"; }; // dlv
+zone "child4.druz" { type master; file "child4.druz.signed"; }; // dlv
+zone "child5.druz" { type master; file "child5.druz.signed"; }; // dlv
+zone "child7.druz" { type master; file "child7.druz.signed"; }; // no dlv
+zone "child8.druz" { type master; file "child8.druz.signed"; }; // no dlv
+zone "child9.druz" { type master; file "child9.druz.signed"; }; // dlv
+zone "child10.druz" { type master; file "child.db.in"; }; // dlv unsigned
diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh
index 1b716d7b..4a1b5457 100755
--- a/bin/tests/system/dlv/ns3/sign.sh
+++ b/bin/tests/system/dlv/ns3/sign.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -14,21 +14,24 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.9 2010-05-27 23:51:08 tbox Exp $
+# $Id: sign.sh,v 1.9.120.2 2011-05-26 23:47:05 tbox Exp $
 (cd ../ns6 && sh -e ./sign.sh)
+echo "I:dlv/ns3/sign.sh"
+
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 RANDFILE=../random.data
+dlvzone=dlv.utld.
 dlvsets=
+dssets=
 zone=child1.utld.
 infile=child.db.in
 zonefile=child1.utld.db
 outfile=child1.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -44,7 +47,6 @@ zone=child3.utld.
 infile=child.db.in
 zonefile=child3.utld.db
 outfile=child3.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -60,7 +62,6 @@ zone=child4.utld.
 infile=child.db.in
 zonefile=child4.utld.db
 outfile=child4.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -76,7 +77,6 @@ zone=child5.utld.
 infile=child.db.in
 zonefile=child5.utld.db
 outfile=child5.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -92,7 +92,6 @@ zone=child7.utld.
 infile=child.db.in
 zonefile=child7.utld.db
 outfile=child7.signed
-dlvzone=dlv.utld.
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -107,7 +106,6 @@ zone=child8.utld.
 infile=child.db.in
 zonefile=child8.utld.db
 outfile=child8.signed
-dlvzone=dlv.utld.
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -122,7 +120,6 @@ zone=child9.utld.
 infile=child.db.in
 zonefile=child9.utld.db
 outfile=child9.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -137,7 +134,6 @@ zone=child10.utld.
 infile=child.db.in
 zonefile=child10.utld.db
 outfile=child10.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -148,12 +144,133 @@ cat $infile $keyname1.key $keyname2.key >$zonefile
 $SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo "I: signed $zone"
+zone=child1.druz.
+infile=child.db.in
+zonefile=child1.druz.db
+outfile=child1.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child3.druz.
+infile=child.db.in
+zonefile=child3.druz.db
+outfile=child3.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child4.druz.
+infile=child.db.in
+zonefile=child4.druz.db
+outfile=child4.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child5.druz.
+infile=child.db.in
+zonefile=child5.druz.db
+outfile=child5.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child7.druz.
+infile=child.db.in
+zonefile=child7.druz.db
+outfile=child7.druz.signed
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child8.druz.
+infile=child.db.in
+zonefile=child8.druz.db
+outfile=child8.druz.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child9.druz.
+infile=child.db.in
+zonefile=child9.druz.db
+outfile=child9.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+zone=child10.druz.
+infile=child.db.in
+zonefile=child10.druz.db
+outfile=child10.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
 zone=dlv.utld.
 infile=dlv.db.in
 zonefile=dlv.utld.db
 outfile=dlv.signed
-dlvzone=dlv.utld.
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -172,5 +289,7 @@ trusted-keys {
 "$dn" $flags $proto $alg "$key";
 };
 EOF
-' > trusted.conf
-cp trusted.conf ../ns5
+' > trusted-dlv.conf
+cp trusted-dlv.conf ../ns5
+
+cp $dssets ../ns2
diff --git a/bin/tests/system/dlv/ns5/named.conf b/bin/tests/system/dlv/ns5/named.conf
index e3c5fc2d..eef6f452 100644
--- a/bin/tests/system/dlv/ns5/named.conf
+++ b/bin/tests/system/dlv/ns5/named.conf
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: named.conf,v 1.8 2007-06-18 23:47:28 tbox Exp $ */
+/* $Id: named.conf,v 1.8.814.2 2011-05-26 23:47:06 tbox Exp $ */
 /*
 * Choose a keyname that is unlikely to clash with any real key names.
@@ -46,6 +46,7 @@ controls {
 };
 include "trusted.conf";
+include "trusted-dlv.conf";
 options {
 query-source address 10.53.0.5;
diff --git a/bin/tests/system/dlv/ns6/named.conf b/bin/tests/system/dlv/ns6/named.conf
index e6034ab7..5e753f6a 100644
--- a/bin/tests/system/dlv/ns6/named.conf
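Review bot: `child8.druz.` is signed with `-l $dlvzone` but its dlvset is never appended to `$dlvsets`, whereas `child7.druz.` is signed without `-l` at all; ns3/named.conf labels both `// no dlv`, so either the `-l $dlvzone` on the child8.druz `$SIGNER` line is a copy-paste leftover or the difference is deliberate and each block should carry a one-line comment saying what it is meant to exercise. The eight new blocks differ only in zone name, whether `../ns6/dsset-grand.$zone` is catted in, whether `-l $dlvzone` is passed, and which of `dlvsets`/`dssets` is extended, so a loop over a small per-zone table would make those choices visible instead of spreading them over 130 near-identical lines. This hunk begins on an earlier line of the page; the `cp $dssets ../ns2` at its end relies on `dssets` being non-empty, which holds for the zones listed here.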
+++ b/bin/tests/system/dlv/ns6/named.conf
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2010, 2011 Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: named.conf,v 1.4 2010-07-11 01:18:24 each Exp $ */
+/* $Id: named.conf,v 1.4.86.2 2011-05-26 23:47:06 tbox Exp $ */
 controls { /* empty */ };
@@ -40,3 +40,11 @@ zone "grand.child7.utld" { type master; file "grand.child7.signed"; };
 zone "grand.child8.utld" { type master; file "grand.child8.signed"; };
 zone "grand.child9.utld" { type master; file "grand.child9.signed"; };
 zone "grand.child10.utld" { type master; file "grand.child10.signed"; };
+zone "grand.child1.druz" { type master; file "grand.child1.druz.signed"; };
+zone "grand.child3.druz" { type master; file "grand.child3.druz.signed"; };
+zone "grand.child4.druz" { type master; file "grand.child4.druz.signed"; };
+zone "grand.child5.druz" { type master; file "grand.child5.druz.signed"; };
+zone "grand.child7.druz" { type master; file "grand.child7.druz.signed"; };
+zone "grand.child8.druz" { type master; file "grand.child8.druz.signed"; };
+zone "grand.child9.druz" { type master; file "grand.child9.druz.signed"; };
+zone "grand.child10.druz" { type master; file "grand.child10.druz.signed"; };
diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh
index 2fea6c23..14a31a67 100755
--- a/bin/tests/system/dlv/ns6/sign.sh
+++ b/bin/tests/system/dlv/ns6/sign.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2010, 2011 Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -14,11 +14,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.3 2010-05-27 23:51:08 tbox Exp $
+# $Id: sign.sh,v 1.3.126.2 2011-05-26 23:47:06 tbox Exp $
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
+echo "I:dlv/ns6/sign.sh"
+
 RANDFILE=../random.data
 zone=grand.child1.utld.
@@ -137,3 +139,120 @@ cat $infile $keyname1.key $keyname2.key >$zonefile $SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo "I: signed $zone" + +zone=grand.child1.druz. +infile=child.db.in +zonefile=grand.child1.druz.db +outfile=grand.child1.druz.signed + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=grand.child3.druz. +infile=child.db.in +zonefile=grand.child3.druz.db +outfile=grand.child3.druz.signed +dlvzone=dlv.druz. + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=grand.child4.druz. +infile=child.db.in +zonefile=grand.child4.druz.db +outfile=grand.child4.druz.signed +dlvzone=dlv.druz. + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=grand.child5.druz. +infile=child.db.in +zonefile=grand.child5.druz.db +outfile=grand.child5.druz.signed +dlvzone=dlv.druz. 
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child7.druz.
+infile=child.db.in
+zonefile=grand.child7.druz.db
+outfile=grand.child7.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child8.druz.
+infile=child.db.in
+zonefile=grand.child8.druz.db
+outfile=grand.child8.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child9.druz.
+infile=child.db.in
+zonefile=grand.child9.druz.db
+outfile=grand.child9.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+zone=grand.child10.druz.
+infile=child.db.in
+zonefile=grand.child10.druz.db
+outfile=grand.child10.druz.signed
+dlvzone=dlv.druz.
+ +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" diff --git a/bin/tests/system/dlv/setup.sh b/bin/tests/system/dlv/setup.sh index b35a87f0..e2436275 100644 --- a/bin/tests/system/dlv/setup.sh +++ b/bin/tests/system/dlv/setup.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2009, 2011 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above @@ -14,8 +14,8 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: setup.sh,v 1.6 2009-03-02 23:47:43 tbox Exp $ +# $Id: setup.sh,v 1.6.394.2 2011-05-26 23:47:05 tbox Exp $ ../../../tools/genrandom 400 random.data -(cd ns3 && sh -e sign.sh) +(cd ns1 && sh -e sign.sh) diff --git a/bin/tests/system/dlv/tests.sh b/bin/tests/system/dlv/tests.sh index 19f2175f..4ab937b3 100644 --- a/bin/tests/system/dlv/tests.sh +++ b/bin/tests/system/dlv/tests.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (C) 2004, 2007, 2010 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2010, 2011 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.6 2010-05-27 23:51:08 tbox Exp $ +# $Id: tests.sh,v 1.6.120.2 2011-05-26 23:47:05 tbox Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh 
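Review bot: `dlvzone=dlv.druz.` is assigned in seven of the eight new stanzas (grand.child3 through grand.child10) but never read, so either it should be dropped or it was meant to reach `$SIGNER` (presumably as `-l $dlvzone`, if DLV records are wanted for these zones); as written the druz zones are signed with no DLV output at all. The eight stanzas are otherwise identical apart from the child number, and a loop removes the copy-paste surface where one stanza drifts from the others. Because `$KEYGEN` stderr is discarded, a failed key generation leaves `$keyname1` or `$keyname2` empty and only surfaces as a puzzling `cat: .key` failure under `sh -e`, so checking for an empty name keeps the failure attributable. The 768-bit DSA keys are fixture-only strength and must not be copied into any deployment script.
```shell
for child in 1 3 4 5 7 8 9 10; do
	zone=grand.child$child.druz.
	infile=child.db.in
	zonefile=grand.child$child.druz.db
	outfile=grand.child$child.druz.signed

	keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
	keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
	if [ -z "$keyname1" -o -z "$keyname2" ]; then
		echo "I: key generation failed for $zone"; exit 1
	fi

	cat $infile $keyname1.key $keyname2.key >$zonefile

	$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
	echo "I: signed $zone"
done
```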
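Review bot: Replacing the only signing step `(cd ns3 && sh -e sign.sh)` with `(cd ns1 && sh -e sign.sh)` means the ns3 and ns6 zones are now signed only if ns1/sign.sh chains into those scripts itself; the new `echo "I:dlv/ns6/sign.sh"` marker in ns6/sign.sh suggests that is the intent, but ns1/sign.sh is not in this diff so it cannot be confirmed here. A comment above the call, `# ns1/sign.sh signs its zones and then runs the ns3 and ns6 signers`, would make that dependency explicit, and an `|| exit 1` after the subshell would stop setup from starting servers on unsigned zones when the chain fails.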
@@ -42,5 +42,21 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:checking that SOA reference by DLV in a DRUZ with DS validates as secure ($n)" +ret=0 +$DIG $DIGOPTS child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that child SOA reference by DLV in a DRUZ with DS validates as secure ($n)" +ret=0 +$DIG $DIGOPTS grand.child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/bin/tests/system/dnssec/ns3/expiring.example.db.in b/bin/tests/system/dnssec/ns3/expiring.example.db.in new file mode 100644 index 00000000..8b377004 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/expiring.example.db.in 
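Review bot: Both new checks grep only for `flags:.*ad.*QUERY` and never look at the response code, so a validated negative answer (an NXDOMAIN or NODATA proof also carries the AD flag) would still count as the SOA "validating as secure"; add `grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1` beside the flag check in each block. The flag pattern should also be anchored on the token, `grep "flags:.* ad[ ;]"`, which is the form the dnssec system test uses and ties the match to the AD flag rather than to any `ad` on the line.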
@@ -0,0 +1,43 @@ +; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: expiring.example.db.in,v 1.1.6.2 2011-05-19 04:42:51 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.wild A 10.0.0.6 +child NS ns2.example. +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17 diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf index dfb7f92a..54899379 100644 --- a/bin/tests/system/dnssec/ns3/named.conf +++ b/bin/tests/system/dnssec/ns3/named.conf @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.38.86.7 2011-03-21 01:06:50 marka Exp $ */ +/* $Id: named.conf,v 1.38.86.8 2011-05-19 04:42:51 each Exp $ */ // NS3 
@@ -213,4 +213,10 @@ zone "nsec3chain-test" { masters { 10.53.0.2; }; }; +zone "expiring.example" { + type master; + allow-update { any; }; + file "expiring.example.db.signed"; +}; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index 5f6af9e4..8f4baa95 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: sign.sh,v 1.32.162.7 2011-03-31 15:56:44 each Exp $ +# $Id: sign.sh,v 1.32.162.8 2011-05-19 04:42:51 each Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -341,3 +341,13 @@ cat $infile $keyname.key >$zonefile $SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1 $CHECKZONE -D -s full $zone $signedfile 2> /dev/null | \ awk '{$2 = "3600"; print}' > $patchedfile + +zone="expiring.example." +infile="expiring.example.db.in" +zonefile="expiring.example.db" +signedfile="expiring.example.db.signed" +kskname=`$KEYGEN -q -r $RANDFILE $zone` +zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +cp $infile $zonefile +$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1 +rm -f ${zskname}.private ${kskname}.private diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 42b68963..fef3f1d6 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.73.14.10 2011-03-21 20:32:14 marka Exp $ +# $Id: tests.sh,v 1.73.14.12 2011-05-26 04:25:08 each Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh 
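Review bot: `allow-update { any; };` on expiring.example lets any client that can reach 10.53.0.3 rewrite the zone with no TSIG key or address restriction, and nothing in the stanza says why that is acceptable. It is presumably deliberate, so that named treats the zone as dynamic and attempts signature maintenance on it after the sign.sh step has deleted the private keys, but a one-line comment such as `// dynamic so named tries to refresh the expiring RRSIGs; test harness only, no auth` would stop the stanza being copied as-is into a non-test config where `update-policy` or a keyed `allow-update` is the expected form. If no test actually sends updates to this zone, the directive can be dropped.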
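Review bot: The two key variables are swapped: `kskname` captures the `$KEYGEN` run without `-f KSK` (a ZSK) and `zskname` the run with `-f KSK`, so each name holds the opposite key. It makes no difference to `rm -f ${zskname}.private ${kskname}.private`, which deletes both, but anyone extending the stanza to act on one key will act on the wrong one; swap them to `zskname=\`$KEYGEN -q -r $RANDFILE $zone\`` and `kskname=\`$KEYGEN -q -r $RANDFILE -f KSK $zone\``. `signedfile` is assigned but never used because `$SIGNER` is invoked without `-f`, so the output name only coincidentally matches what named.conf expects; pass `-f $signedfile` or drop the variable. A comment stating that the `.private` files are removed on purpose so the server cannot re-sign before the one-minute expiry (`-e now+1mi`) would explain what otherwise reads as an accident.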
@@ -27,6 +27,34 @@ rm -f dig.out.* DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300" +# convert private-type records to readable form +showprivate () { + echo "-- $@ --" + $DIG $DIGOPTS +nodnssec +short @$2 -t type65534 $1 | cut -f3 -d' ' | + while read record; do + perl -e 'my $rdata = pack("H*", @ARGV[0]); + die "invalid record" unless length($rdata) == 5; + my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata); + my $action = "signing"; + $action = "removing" if $remove; + my $state = " (incomplete)"; + $state = " (complete)" if $complete; + print ("$action: alg: $alg, key: $key$state\n");' $record + done +} + +# check that signing records are marked as complete +checkprivate () { + ret=0 + x=`showprivate "$@"` + echo $x | grep incomplete >&- 2>&- && ret=1 + [ $ret = 1 ] && { + echo "$x" + echo "I:failed" + } + return $ret +} + # Check the example. domain echo "I:checking that zone transfer worked ($n)" @@ -1170,7 +1198,7 @@ ret=0 $DIG $DIGOPTS +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -grep "IN.NSEC[^3].* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1 +grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` 
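Review bot: In `checkprivate`, `echo $x | grep incomplete >&- 2>&-` closes grep's stdout instead of discarding it, so when grep does find `incomplete` it cannot write the match; at least GNU grep reports that as a write error and exits 2, `&& ret=1` never fires, and an unfinished signing chain is reported as complete, the opposite of the intent. Use `echo "$x" | grep -q incomplete && ret=1` (or redirect to `/dev/null`); quoting `$x` also keeps the line breaks `showprivate` emitted so the diagnostic echoed on failure reads one record per line. In the perl snippet `@ARGV[0]` is a one-element slice where `$ARGV[0]` is meant; it works but warns under `-w`.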
@@ -1180,7 +1208,18 @@ ret=0 $DIG $DIGOPTS +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -grep "IN.NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1 +grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that signing records have been marked as complete ($n)" +ret=0 +checkprivate dynamic.example 10.53.0.3 || ret=1 +checkprivate update-nsec3.example 10.53.0.3 || ret=1 +checkprivate auto-nsec3.example 10.53.0.3 || ret=1 +checkprivate expiring.example 10.53.0.3 || ret=1 +checkprivate auto-nsec.example 10.53.0.3 || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` @@ -1252,5 +1291,13 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:testing soon-to-expire RRSIGs without a replacement private key ($n)" +ret=0 +$DIG +noall +answer +dnssec +nottl -p 5300 expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1 +# there must be a signature here +[ -s dig.out.ns3.test$n ] || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh index e3ea7470..57975c9a 100644 --- a/bin/tests/system/nsupdate/clean.sh +++ b/bin/tests/system/nsupdate/clean.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.20.24.2 2011-02-28 01:20:01 tbox Exp $ +# $Id: clean.sh,v 1.20.24.3 2011-05-23 22:12:15 each Exp $ # # Clean up after zone transfer tests. 
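Review bot: The new "soon-to-expire RRSIGs" check omits the `n=\`expr $n + 1\`` step every other test in this file performs, so the next test appended after it reuses the same `$n` and overwrites `dig.out.ns3.test$n`; add the increment before the `if [ $ret != 0 ]` line. The assertion itself, `[ -s dig.out.ns3.test$n ]`, only proves that some RRSIG is returned, which is equally true before the `-e now+1mi` expiry has been reached, so unless this test is known to run more than a minute after setup it does not demonstrate the expiring-without-private-key behaviour it names; a comment stating what named is expected to do at expiry, or a check that the RRSIG expiration field is already in the past, would tie the assertion to the scenario. The `2>&1` on the `$DIG ... | grep RRSIG` pipeline captures only grep's stderr, not dig's, which is probably not what was meant.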
@@ -35,3 +35,4 @@ rm -f ns3/dnskey.test.db.signed.jnl ns3/dnskey.test.db ns3/dnskey.test.db.signed rm -f ns3/K* rm -f dig.out.ns3.* rm -f jp.out.ns3.* +rm -f Kxxx.* diff --git a/bin/tests/system/rpz/ns3/base.db b/bin/tests/system/rpz/ns3/base.db index 6fd07f50..8fe8b54f 100644 --- a/bin/tests/system/rpz/ns3/base.db +++ b/bin/tests/system/rpz/ns3/base.db @@ -12,7 +12,7 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: base.db,v 1.3.8.1 2011-04-27 17:43:07 each Exp $ +; $Id: base.db,v 1.3.8.2 2011-06-09 00:53:54 marka Exp $ ; RPZ test @@ -33,3 +33,4 @@ $TTL 120 ; for testing rrset replacement redirect IN A 127.0.0.1 *.redirect IN A 127.0.0.1 +*.cname-redirect IN CNAME google.com. diff --git a/bin/tests/system/rpz/test1 b/bin/tests/system/rpz/test1 index 13c946d5..c487c98e 100644 --- a/bin/tests/system/rpz/test1 +++ b/bin/tests/system/rpz/test1 @@ -12,13 +12,19 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: test1,v 1.4 2011-01-13 19:30:41 each Exp $ +; $Id: test1,v 1.4.8.1 2011-06-09 03:14:04 marka Exp $ server 10.53.0.3 5300 +; NXDOMAIN update add a0-1.tld2.bl. 300 CNAME . -update add a3-1.tld2.bl. 300 CNAME *. + +; NODATA +update add a1-1.tld2.bl. 300 CNAME *. +; and no assert-botch +update add a1-2.tld2.bl. 300 DNAME example.com. + update add *.sub1.tld2.bl. 300 A 12.12.12.12 send diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index b33087ff..b01228a1 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh @@ -12,7 +12,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.3.8.1 2011-04-27 17:43:07 each Exp $ +# $Id: tests.sh,v 1.3.8.3 2011-06-09 03:14:04 marka Exp $ # test response policy zones (RPZ) 
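Review bot: The new fixture record `*.cname-redirect IN CNAME google.com.` points a test zone at a real external domain; the RPZ tests only need a CNAME target the test resolver will chase, and a target under the harness's own `tld2` namespace keeps the test hermetic and avoids emitting queries for a third party's name should the test resolver ever have a path to the Internet. If the target is meant to be unresolvable, say so in a comment beside the record rather than relying on an external name to behave that way.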
@@ -152,7 +152,9 @@ status=0 start_test "RPZ QNAME rewrites" test1 nxdomain a0-1.tld2 -nodata a3-1.tld2 +nodata a1-1.tld2 +nodata a1-2.tld2 +nodata sub.a1-2.tld2 a12 a4-1.sub1.tld2 end_test @@ -223,6 +225,7 @@ $DIGCMD a3-1.tld2 -trrsig @$s3 > /dev/null 2>&1 $DIGCMD a3-2.tld2 -trrsig @$s3 > /dev/null 2>&1 $DIGCMD a3-5.tld2 -trrsig @$s3 > /dev/null 2>&1 $DIGCMD www.redirect -trrsig @$s3 > /dev/null 2>&1 +$DIGCMD www.cname-redirect -trrsig @$s3 > /dev/null 2>&1 $RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then @@ -239,6 +242,7 @@ $DIGCMD a3-1.tld2 -tsig @$s3 > /dev/null 2>&1 $DIGCMD a3-2.tld2 -tsig @$s3 > /dev/null 2>&1 $DIGCMD a3-5.tld2 -tsig @$s3 > /dev/null 2>&1 $DIGCMD www.redirect -tsig @$s3 > /dev/null 2>&1 +$DIGCMD www.cname-redirect -tsig @$s3 > /dev/null 2>&1 $RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then @@ -247,6 +251,24 @@ if [ $ret != 0 ]; then fi status=`expr $status + $ret` +ret=0 +echo "I:checking ANY queries" +# We don't actually care about the query results; the important +# thing is the server handles SIG queries okay +$DIGCMD a3-1.tld2 -tany @$s3 > /dev/null 2>&1 +$DIGCMD a3-2.tld2 -tany @$s3 > /dev/null 2>&1 +$DIGCMD a3-5.tld2 -tany @$s3 > /dev/null 2>&1 +$DIGCMD www.redirect -tany @$s3 > /dev/null 2>&1 +$DIGCMD www.cname-redirect -tany @$s3 > /dev/null 2>&1 + +$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then + echo "I:failed"; + (cd ..; $PERL start.pl --noclean --restart rpz ns3) +fi +status=`expr $status + $ret` + + if test "$status" -eq 0; then rm -f dig.out* fi |
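Review bot: The comment in the new "checking ANY queries" block still says `# thing is the server handles SIG queries okay`, copied from the `-tsig` block above it, and should name ANY queries, which is what the block exercises. As in the neighbouring blocks the `$DIGCMD` exit statuses are ignored and `ret` only reflects `$RNDC status`, which is fine for a crash regression but worth stating: `# We don't actually care about the query results; the point is that the server survives ANY queries against RPZ-rewritten names`.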