external/bsd/bind/dist/bin/tests/system/metadata/tests.sh

   1 #!/bin/sh
   2 #
   3 # Copyright (C) 2009, 2011-2014  Internet Systems Consortium, Inc. ("ISC")
   4 #
   5 # Permission to use, copy, modify, and/or distribute this software for any
   6 # purpose with or without fee is hereby granted, provided that the above
   7 # copyright notice and this permission notice appear in all copies.
   8 #
   9 # THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  10 # REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  11 # AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  12 # INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  13 # LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  14 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  15 # PERFORMANCE OF THIS SOFTWARE.
  16
  17 # Id: tests.sh,v 1.9 2011/07/08 01:43:26 each Exp
  18
  19 SYSTEMTESTTOP=..
  20 . $SYSTEMTESTTOP/conf.sh
  21
  22 pzone=parent.nil pfile=parent.db
  23 czone=child.parent.nil cfile=child.db
  24 status=0
  25 n=0
  26
  27 echo "I:setting key timers"
  28 $SETTIME -A now+15s `cat rolling.key` > /dev/null
  29
  30 inact=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < inact.key`
  31 ksk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < ksk.key`
  32 pending=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < pending.key`
  33 postrev=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < postrev.key`
  34 prerev=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < prerev.key`
  35 rolling=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < rolling.key`
  36 standby=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < standby.key`
  37 zsk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < zsk.key`
  38
  39 ../../../tools/genrandom 400 $RANDFILE
  40
  41 echo "I:signing zones"
  42 $SIGNER -Sg -o $czone $cfile > /dev/null 2>&1
  43 $SIGNER -Sg -o $pzone $pfile > /dev/null 2>&1
  44
  45 awk '$2 ~ /RRSIG/ {
  46         type = $3;
  47         getline;
  48         id = $3;
  49         if ($4 ~ /'${czone}'/) {
  50                 print type, id
  51         }
  52 }' < ${cfile}.signed > sigs
  53
  54 awk '$2 ~ /DNSKEY/ {
  55         flags = $3;
  56         while ($0 !~ /key id =/)
  57                 getline;
  58         id = $NF;
  59         print flags, id;
  60 }' < ${cfile}.signed > keys
  61
  62 echo "I:checking that KSK signed DNSKEY only ($n)"
  63 ret=0
  64 grep "DNSKEY $ksk"'$' sigs > /dev/null || ret=1
  65 grep "SOA $ksk"'$' sigs > /dev/null && ret=1
  66 n=`expr $n + 1`
  67 if [ $ret != 0 ]; then echo "I:failed"; fi
  68 status=`expr $status + $ret`
  69
  70 echo "I:checking that ZSK signed ($n)"
  71 ret=0
  72 grep "SOA $zsk"'$' sigs > /dev/null || ret=1
  73 n=`expr $n + 1`
  74 if [ $ret != 0 ]; then echo "I:failed"; fi
  75 status=`expr $status + $ret`
  76
  77 echo "I:checking that standby ZSK did not sign ($n)"
  78 ret=0
  79 grep " $standby"'$' sigs > /dev/null && ret=1
  80 n=`expr $n + 1`
  81 if [ $ret != 0 ]; then echo "I:failed"; fi
  82 status=`expr $status + $ret`
  83
  84 echo "I:checking that inactive key did not sign ($n)"
  85 ret=0
  86 grep " $inact"'$' sigs > /dev/null && ret=1
  87 n=`expr $n + 1`
  88 if [ $ret != 0 ]; then echo "I:failed"; fi
  89 status=`expr $status + $ret`
  90
  91 echo "I:checking that pending key was not published ($n)"
  92 ret=0
  93 grep " $pending"'$' keys > /dev/null && ret=1
  94 n=`expr $n + 1`
  95 if [ $ret != 0 ]; then echo "I:failed"; fi
  96 status=`expr $status + $ret`
  97
  98 echo "I:checking that standby KSK did not sign but is delegated ($n)"
  99 ret=0
 100 grep " $rolling"'$' sigs > /dev/null && ret=1
 101 grep " $rolling"'$' keys > /dev/null || ret=1
 102 egrep "DS[      ]*$rolling[     ]" ${pfile}.signed > /dev/null || ret=1
 103 n=`expr $n + 1`
 104 if [ $ret != 0 ]; then echo "I:failed"; fi
 105 status=`expr $status + $ret`
 106
 107 echo "I:checking that key was revoked ($n)"
 108 ret=0
 109 grep " $prerev"'$' keys > /dev/null && ret=1
 110 grep " $postrev"'$' keys > /dev/null || ret=1
 111 n=`expr $n + 1`
 112 if [ $ret != 0 ]; then echo "I:failed"; fi
 113 status=`expr $status + $ret`
 114
 115 echo "I:checking that revoked key self-signed ($n)"
 116 ret=0
 117 grep "DNSKEY $postrev"'$' sigs > /dev/null || ret=1
 118 grep "SOA $postrev"'$' sigs > /dev/null && ret=1
 119 n=`expr $n + 1`
 120 if [ $ret != 0 ]; then echo "I:failed"; fi
 121 status=`expr $status + $ret`
 122
 123 echo "I:waiting 20 seconds for key changes to occur"
 124 sleep 20
 125
 126 echo "I:re-signing zone"
 127 $SIGNER  -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null 2>&1
 128
 129 echo "I:checking that standby KSK is now active ($n)"
 130 ret=0
 131 grep "DNSKEY $rolling"'$' sigs > /dev/null && ret=1
 132 n=`expr $n + 1`
 133 if [ $ret != 0 ]; then echo "I:failed"; fi
 134 status=`expr $status + $ret`
 135
 136 echo "I:checking update of an old-style key ($n)"
 137 ret=0
 138 # printing metadata should not work with an old-style key
 139 $SETTIME -pall `cat oldstyle.key` > /dev/null 2>&1 && ret=1
 140 $SETTIME -f `cat oldstyle.key` > /dev/null 2>&1 || ret=1
 141 # but now it should
 142 $SETTIME -pall `cat oldstyle.key` > /dev/null 2>&1 || ret=1
 143 n=`expr $n + 1`
 144 if [ $ret != 0 ]; then echo "I:failed"; fi
 145 status=`expr $status + $ret`
 146
 147 echo "I:checking warning about permissions change on key with dnssec-settime ($n)"
 148 ret=0
 149 # settime should print a warning about changing the permissions
 150 chmod 644 `cat oldstyle.key`.private
 151 $SETTIME -P none `cat oldstyle.key` > tmp.out 2>&1 || ret=1
 152 grep "warning" tmp.out > /dev/null 2>&1 || ret=1
 153 $SETTIME -P none `cat oldstyle.key` > tmp.out 2>&1 || ret=1
 154 grep "warning" tmp.out > /dev/null 2>&1 && ret=1
 155 n=`expr $n + 1`
 156 if [ $ret != 0 ]; then echo "I:failed"; fi
 157 status=`expr $status + $ret`
 158
 159 echo "I:checking warning about delete date < inactive date with dnssec-settime ($n)"
 160 ret=0
 161 # settime should print a warning about delete < inactive
 162 $SETTIME -I now+15s -D now `cat oldstyle.key` > tmp.out 2>&1 || ret=1
 163 grep "warning" tmp.out > /dev/null 2>&1 || ret=1
 164 n=`expr $n + 1`
 165 if [ $ret != 0 ]; then echo "I:failed"; fi
 166 status=`expr $status + $ret`
 167
 168 echo "I:checking warning about delete date < inactive date with dnssec-keygen ($n)"
 169 ret=0
 170 # keygen should print a warning about delete < inactive
 171 $KEYGEN -q -r $RANDFILE -I now+15s -D now $czone > tmp.out 2>&1 || ret=1
 172 grep "warning" tmp.out > /dev/null 2>&1 || ret=1
 173 n=`expr $n + 1`
 174 if [ $ret != 0 ]; then echo "I:failed"; fi
 175 status=`expr $status + $ret`
 176
 177 echo "I:checking correct behavior setting activation without publication date ($n)"
 178 ret=0
 179 key=`$KEYGEN -q -r $RANDFILE -A +1w $czone`
 180 pub=`$SETTIME -upP $key | awk '{print $2}'`
 181 act=`$SETTIME -upA $key | awk '{print $2}'`
 182 [ $pub -eq $act ] || ret=1
 183 key=`$KEYGEN -q -r $RANDFILE -A +1w -i 1d $czone`
 184 pub=`$SETTIME -upP $key | awk '{print $2}'`
 185 act=`$SETTIME -upA $key | awk '{print $2}'`
 186 [ $pub -lt $act ] || ret=1
 187 key=`$KEYGEN -q -r $RANDFILE -A +1w -P never $czone`
 188 pub=`$SETTIME -upP $key | awk '{print $2}'`
 189 [ $pub = "UNSET" ] || ret=1
 190 n=`expr $n + 1`
 191 if [ $ret != 0 ]; then echo "I:failed"; fi
 192 status=`expr $status + $ret`
 193
 194 echo "I:exit status: $status"
 195 exit $status