xref: /netbsd-src/external/bsd/unbound/dist/testdata/10-unbound-anchor.tdir/10-unbound-anchor.test (revision 0cd9f4ecf44538bbdd5619b5b2081449960ab3e6)

# #-- 10-unbound-anchor.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test

PRE="../.."
OPTS="-u 127.0.0.1 -P $PETAL_PORT -C ub.conf -v -a root.key -c root.pem -n petal"
DS=`cat K.+005+37348.ds`

# check that the root.key file works.
function check_works() {
	if $PRE/unbound-host -C ub.conf -f root.key -t DNSKEY -v . | grep "(secure)" >/dev/null; then
		echo OK
	else
		echo "not OK"
		cat fwd.log
		cat petal.log
		exit 1
	fi
}

# check that the root.key file works, but insecurely.
function check_insecure() {
	if $PRE/unbound-host -C ub.conf -f root.key -t DNSKEY -v . | grep "(insecure)" >/dev/null; then
		echo OK
	else
		echo "not OK"
		cat fwd.log
		cat petal.log
		exit 1
	fi
}

# test with good start key, and must do 5011 (no URL possible)
echo "*** TEST 1 ***"
echo $DS > root.key
$PRE/unbound-anchor -x "notexist.xml" -s "notexist.p7s" $OPTS
if test $? != 0; then
	echo "Exitcode not OK"
	exit 1
fi
check_works
# save for test 5
cp root.key root.key.probed

# force update with the cert.
echo "*** TEST 2 ***"
cp test_cert.pem root.pem
$PRE/unbound-anchor -F -x "root.xml" -s "root.p7s" $OPTS
if test $? != 1; then
	echo "Exitcode not OK"
	exit 1
fi
check_works

# 5011 fails
echo "*** TEST 3 ***"
echo ".	IN DS 37000 5 1 b00000000000000000000100f0000000000000b2" > root.key
$PRE/unbound-anchor -x "root.xml" -s "root.p7s" $OPTS
if test $? != 1; then
	echo "Exitcode not OK"
	exit 1
fi
check_works

# cert fails (bad p7s).
echo "*** TEST 4 ***"
echo ".	IN DS 44444 5 1 b00000000000000000000100f0000000000000b2" > root.key
$PRE/unbound-anchor -F -x "bad.xml" -s "bad.p7s" $OPTS
if test $? != 0; then
	echo "Exitcode not OK"
	exit 1
fi
if grep "DS 44444" root.key >/dev/null ; then
	echo OK
else
	echo "keyfile changed"
	exit 1
fi

# cert fails (bad name).
echo "*** TEST 4b ***"
echo ".	IN DS 44444 5 1 b00000000000000000000100f0000000000000b2" > root.key
$PRE/unbound-anchor -F -x "bad.xml" -s "bad.p7s" $OPTS -n "not-it"
if test $? != 0; then
	echo "Exitcode not OK"
	exit 1
fi
if grep "DS 44444" root.key >/dev/null ; then
	echo OK
else
	echo "keyfile changed"
	exit 1
fi

# 5011 fails, and probe-time too recent.
echo "*** TEST 5 ***"
# break the probed key.
sed -e 's/bp0KIK3J3/b00KIK0J0/' < root.key.probed > root.key
$PRE/unbound-anchor -x "notexist.xml" -s "notexist.p7s" $OPTS
if test $? != 0; then
	echo "Exitcode not OK"
	exit 1
fi
if grep "b00KIK0J0" root.key >/dev/null ; then
	echo OK
else
	echo "keyfile changed"
	exit 1
fi

# 5011 fails, and probe time is very, very old.
echo "*** TEST 6 ***"
mv root.key bla.key
# last probe was Sun Sep  9 03:46:40 2001
sed -e 's/;;last_success: .*$/;;last_success: 1000000000/' < bla.key > root.key
rm bla.key
$PRE/unbound-anchor -x "root.xml" -s "root.p7s" $OPTS
if test $? != 1; then
	echo "Exitcode not OK"
	exit 1
fi
check_works

# 5011 update probe is only needed.
echo "*** TEST 7 ***"
$PRE/unbound-anchor -x "notexist.xml" -s "notexist.p7s" $OPTS
if test $? != 0; then
	echo "Exitcode not OK"
	exit 1
fi
check_works

# root goes to insecure (0 anchors).
echo "*** TEST 8 ***"
$PRE/unbound-anchor -F -x "no_more_keys.xml" -s "no_more_keys.p7s" $OPTS
if test $? != 1; then
	echo "Exitcode not OK"
	exit 1
fi
if grep ";;REVOKED" root.key >/dev/null; then echo "REVOKED"; else
	echo "not revoked"; exit 1; fi
check_insecure

# insecure input file
echo "*** TEST 9 ***"
$PRE/unbound-anchor -x "notexist.xml" -s "notexist.p7s" $OPTS
if test $? != 0; then
	echo "Exitcode not OK"
	exit 1
fi
if grep ";;REVOKED" root.key >/dev/null; then echo "REVOKED"; else
	echo "not revoked"; exit 1; fi
check_insecure


echo "logs"
cat fwd.log
cat petal.log

exit 0