dnssec: use $DEFAULT_ALGORITHM

(cherry picked from commit d0b0139c90)
This commit is contained in:
Mark Andrews 2022-07-07 19:21:02 +10:00 committed by Michal Nowak
parent 53625cc639
commit 4ba58611c7


@ -1420,14 +1420,14 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
get_rsasha1_key_ids_from_sigs() {
get_default_algorithm_key_ids_from_sigs() {
zone=$1
tr -d '\r' < signer/$zone.db.signed | \
awk '
awk -v alg=$DEFAULT_ALGORITHM_NUMBER '
NF < 8 { next }
$(NF-5) != "RRSIG" { next }
$(NF-3) != "5" { next }
$(NF-3) != alg { next }
$NF != "(" { next }
{
getline;
@ -1442,9 +1442,9 @@ echo_i "check dnssec-signzone doesn't sign with prepublished zsk ($n)"
ret=0
zone=prepub
# Generate keys.
ksk=$("$KEYGEN" -K signer -f KSK -q -a RSASHA1 -b 1024 -n zone "$zone")
zsk1=$("$KEYGEN" -K signer -q -a RSASHA1 -b 1024 -n zone "$zone")
zsk2=$("$KEYGEN" -K signer -q -a RSASHA1 -b 1024 -n zone "$zone")
ksk=$("$KEYGEN" -K signer -f KSK -q -a $DEFAULT_ALGORITHM -n zone "$zone")
zsk1=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM -n zone "$zone")
zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM -n zone "$zone")
zskid1=$(keyfile_to_key_id "$zsk1")
zskid2=$(keyfile_to_key_id "$zsk2")
(
@ -1462,8 +1462,8 @@ cp -f $zone.db.in $zone.db
$SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db > /dev/null
echo "\$INCLUDE \"$zone.db.signed\"" >> $zone.db
)
get_rsasha1_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1
get_rsasha1_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1
get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1
get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed: missing signatures from key $zskid1"
status=$((status+ret))
@ -1482,8 +1482,8 @@ $SETTIME -A now-30d -I now -D now+30d $zsk1 > /dev/null
$SETTIME -A now $zsk2 > /dev/null
$SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db > /dev/null
)
get_rsasha1_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1
get_rsasha1_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1
get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1
get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
@ -1501,8 +1501,8 @@ $SETTIME -A now-50d -I now-20d -D now+10d $zsk1 > /dev/null
$SETTIME -A now-20d $zsk2 > /dev/null
$SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db > /dev/null
)
get_rsasha1_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null && ret=1
get_rsasha1_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null || ret=1
get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null && ret=1
get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
@ -1551,8 +1551,8 @@ status=$((status+ret))
echo_i "checking that we can sign a zone with out-of-zone records ($n)"
ret=0
zone=example
key1=$($KEYGEN -K signer -q -a NSEC3RSASHA1 -b 1024 -n zone $zone)
key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone)
key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
(
cd signer || exit 1
cat example.db.in "$key1.key" "$key2.key" > example.db
@ -1565,8 +1565,8 @@ status=$((status+ret))
echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)"
ret=0
zone=example
key1=$($KEYGEN -K signer -q -a NSEC3RSASHA1 -b 1024 -n zone $zone)
key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone)
key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
(
cd signer || exit 1
cat example.db.in "$key1.key" "$key2.key" > example.db
@ -1590,8 +1590,8 @@ status=$((status+ret))
echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)"
ret=0
zone=example
key1=$($KEYGEN -K signer -q -a NSEC3RSASHA1 -b 1024 -n zone $zone)
key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone)
key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
(
cd signer || exit 1
cat example.db.in "$key1.key" "$key2.key" > example3.db
@ -1616,8 +1616,8 @@ status=$((status+ret))
echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)"
ret=0
zone=example
key1=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone)
key2=$($KEYGEN -K signer -q -f KSK -a RSASHA1 -b 1024 -n zone $zone)
key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
(
cd signer || exit 1
cat example.db.in "$key1.key" "$key2.key" > example.db
@ -1625,7 +1625,7 @@ $SIGNER -o example -f example.db.before example.db > /dev/null
sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed
$SIGNER -o example -f example.db.after example.db.changed > /dev/null
)
grep "SOA 5 1 50" signer/example.db.after > /dev/null || ret=1
grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
@ -1633,10 +1633,10 @@ status=$((status+ret))
echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)"
ret=0
zone=example
key1=$($KEYGEN -K signer -q -f KSK -a RSASHA1 -b 1024 -n zone $zone)
key2=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone)
key1=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
key2=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
keyid2=$(keyfile_to_key_id "$key2")
key3=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone)
key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
keyid3=$(keyfile_to_key_id "$key3")
(
cd signer || exit 1
@ -1648,8 +1648,8 @@ cat example.db.in "$key1.key" "$key3.key" > example.db
echo "\$INCLUDE \"example.db.signed\"" >> example.db
$SIGNER -D -o example example.db > /dev/null
) || ret=1
get_rsasha1_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1
get_rsasha1_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1
get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1
get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
@ -1660,8 +1660,8 @@ ret=0
cd signer || exit 1
$SIGNER -RD -o example example.db > /dev/null
) || ret=1
get_rsasha1_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1
get_rsasha1_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1
get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1
get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
@ -1678,8 +1678,8 @@ echo "\$INCLUDE \"example.db.signed\"" >> example.db
$SETTIME -I now "$key2" > /dev/null 2>&1
$SIGNER -SD -o example example.db > /dev/null
) || ret=1
get_rsasha1_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1
get_rsasha1_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1
get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1
get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
@ -1690,8 +1690,8 @@ ret=0
cd signer || exit 1
$SIGNER -SDQ -o example example.db > /dev/null
) || ret=1
get_rsasha1_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1
get_rsasha1_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1
get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1
get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
@ -1851,7 +1851,7 @@ keyid=$(cat ns1/managed.key.id)
rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i
cp ns4/named.secroots named.secroots.test$n
check_secroots_layout named.secroots.test$n || ret=1
linecount=$(grep -c "./${DEFAULT_ALGORITHM}/$keyid ; static" named.secroots.test$n || true)
linecount=$(grep -c "./$DEFAULT_ALGORITHM/$keyid ; static" named.secroots.test$n || true)
[ "$linecount" -eq 1 ] || ret=1
linecount=$(< named.secroots.test$n wc -l)
[ "$linecount" -eq 9 ] || ret=1
@ -2532,7 +2532,7 @@ echo_i "checking that the NSEC3 record for the apex is properly signed when a DN
ret=0
(
cd ns3 || exit 1
kskname=$($KEYGEN -q -3 -a RSASHA1 -fk update-nsec3.example)
kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example)
(
echo zone update-nsec3.example
echo server 10.53.0.3 "$PORT"
@ -2734,7 +2734,7 @@ grep -q "No signing records found" signing.out || {
sed 's/^/ns3 /' signing.out | cat_i
}
{ rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1
grep -q "Done signing with key .*/NSEC3RSASHA1" signing.out || {
grep -q "Done signing with key .*/$DEFAULT_ALGORITHM" signing.out || {
ret=1
sed 's/^/ns3 /' signing.out | cat_i
}
@ -2879,7 +2879,7 @@ status=$((status+ret))
# includes it anyway to avoid confusion (RT #21731)
echo_i "check dnssec-dsfromkey error message when keyfile is not found ($n)"
ret=0
key=$($KEYGEN -a RSASHA1 -q example.) || ret=1
key=$($KEYGEN -a $DEFAULT_ALGORITHM -q example.) || ret=1
mv "$key.key" "$key"
$DSFROMKEY "$key" > dsfromkey.out.$n 2>&1 && ret=1
grep "$key.key: file not found" dsfromkey.out.$n > /dev/null || ret=1
@ -3786,8 +3786,8 @@ ret=0
# generate signed zone with MX and AAAA records at apex.
(
cd signer || exit 1
$KEYGEN -q -a RSASHA1 -3 -fK remove > /dev/null
$KEYGEN -q -a RSASHA1 -33 remove > /dev/null
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove > /dev/null
$KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove > /dev/null
echo > remove.db.signed
$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n
)
@ -3896,7 +3896,7 @@ status=$((status+ret))
echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)"
ret=0
dig_with_opts txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "RRSIG.NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n > /dev/null || ret=1
grep "RRSIG.NSEC3 $DEFAULT_ALGORITHM_NUMBER 3 600" dig.out.ns3.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
@ -4084,10 +4084,10 @@ status=$((status+ret))
# Save some useful information
zone="updatecheck-kskonly.secure"
KSK=`cat ns2/${zone}.ksk.key`
ZSK=`cat ns2/${zone}.zsk.key`
KSK_ID=`cat ns2/${zone}.ksk.id`
ZSK_ID=`cat ns2/${zone}.zsk.id`
KSK=$(cat ns2/${zone}.ksk.key)
ZSK=$(cat ns2/${zone}.zsk.key)
KSK_ID=$(cat ns2/${zone}.ksk.id)
ZSK_ID=$(cat ns2/${zone}.zsk.id)
SECTIONS="+answer +noauthority +noadditional"
echo_i "testing zone $zone KSK=$KSK_ID ZSK=$ZSK_ID"
@ -4129,7 +4129,7 @@ status=$((status+ret))
# Roll the ZSK.
zsk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
keyfile_to_key_id "$zsk2" > ns2/$zone.zsk.id2
ZSK_ID2=`cat ns2/$zone.zsk.id2`
ZSK_ID2=$(cat ns2/$zone.zsk.id2)
echo_i "load new ZSK $ZSK_ID2 for $zone ($n)"
ret=0
@ -4201,7 +4201,7 @@ mv ns2/$KSK.private.bak ns2/$KSK.private
# Roll the ZSK again.
zsk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
keyfile_to_key_id "$zsk3" > ns2/$zone.zsk.id3
ZSK_ID3=`cat ns2/$zone.zsk.id3`
ZSK_ID3=$(cat ns2/$zone.zsk.id3)
# Schedule the new ZSK (ZSK3) to become active.
echo_i "delete old ZSK $ZSK_ID schedule ZSK $ZSK_ID2 inactive and new ZSK $ZSK_ID3 active for zone $zone ($n)"
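Review bot: In the renamed helper at the top of the section, `awk -v alg=$DEFAULT_ALGORITHM_NUMBER '` leaves the expansion unquoted, so if `DEFAULT_ALGORITHM_NUMBER` is ever unset or empty `alg` silently becomes the empty string, every RRSIG line hits `$(NF-3) != alg { next }`, no key IDs are printed, and the negative checks such as `get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1` pass vacuously instead of failing (the positive `|| ret=1` checks would fail, but the test could then report a misleading "missing signatures" cause). Making the dependency explicit, `awk -v alg="${DEFAULT_ALGORITHM_NUMBER:?}" '`, aborts the run with a clear message rather than weakening the assertions; the function body continues past the hunk. The new `-a $DEFAULT_ALGORITHM` arguments in the dnssec-keygen calls are likewise unquoted, whereas the existing ZSK-roll lines near the end of this section already write `-a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS"`, so `-a "$DEFAULT_ALGORITHM"` would be the consistent form. Those existing lines also pass `-b "$DEFAULT_BITS"`, while the converted sites drop the former `-b 1024` entirely; that is presumably fine for the ECDSA/EdDSA default, but if `DEFAULT_ALGORITHM` is ever set to an RSA algorithm these keys would fall back to dnssec-keygen's built-in size rather than the test suite's configured one — worth confirming.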