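#!/bin/sh
#
# Copyright (C) 2010-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# Id: tests.sh,v 1.21 2012/02/09 23:47:18 tbox Exp

# System test for "smart signing" (dnssec-signzone -S) key selection.
#
# The script generates a child zone key set covering every timing state
# dnssec-keygen can express (active, unpublished, published-but-inactive,
# inactive, a future predecessor/successor pair, a stand-by KSK and a
# revoked KSK) plus a parent zone, signs both zones and then checks that:
#   * dnssec-signzone's key summary reports the expected counts;
#   * only the intended keys appear in each DNSKEY RRset and in the
#     parent's DS RRset (in particular no revoked KSK ends up in a DS);
#   * only the intended keys produce RRSIGs, the revoked KSK signing the
#     DNSKEY RRset and nothing else;
#   * key TTLs and RRSIG expiry times are carried through as configured;
#   * a KSK whose activation time passes between two signing runs is
#     active on the second run.
#
# Each "I:checking ..." section resets $ret, prints "I:failed" on error and
# adds $ret to $status, which becomes the exit code.
#
# Portability: this script is intentionally plain Bourne shell (backticks,
# expr, no $(( )) ) because it also runs on Solaris 10 /bin/sh.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

status=0

pzone=parent.nil
pfile=parent.db

czone=child.parent.nil
cfile=child.db

# keyid KEYNAME
# Print the key tag of a key whose file base name is KEYNAME, in the form
# K<zone>.+005+<tag>, with leading zeros dropped so it can be matched
# against "key id = N" comments, DS key tags and RRSIG key tags.  The
# algorithm field is hard-wired to 005 because that is what $KEYGEN emits
# by default in this test; should that default ever change, sed leaves
# the name untouched and check_id below reports it instead of letting the
# later greps pass vacuously.
keyid() {
    echo "$1" | sed 's/^K.*+005+0*\([0-9]\)/\1/'
}

# revoked_keyid KEYNAME
# Same as keyid, but anchored at the end of the name; used for the name
# printed by dnssec-revoke.
revoked_keyid() {
    echo "$1" | sed 's/.*+005+0*\([0-9]*\)$/\1/'
}

# check_id LABEL ID
# Return 1 (with a message) unless ID is a non-empty string of digits.
# Every later check greps for the id; with an empty id,
# grep "key id = " would match every DNSKEY comment line and the
# "must be present" checks would pass without testing anything.
check_id() {
    case "$2" in
    ''|*[!0-9]*)
        echo "I:bad key id for $1: '$2'"
        return 1
        ;;
    esac
    return 0
}

# must_sign LABEL ID FILE TAG
# must_not_sign LABEL ID FILE TAG
# Assert that key tag ID is (is not) listed in FILE, one tag per line,
# and record a failure in $ret with the usual message format.  The
# "echo $ret > /dev/null; sync" after each check is a work-around for
# some weirdness in Solaris 10 (Generic_120011-14); keep it.
must_sign() {
    sub=0
    grep -w "$2" "$3" > /dev/null || sub=1
    if [ $sub != 0 ]; then echo "I:missing $1 $2 ($4)"; ret=1; fi
    echo $ret > /dev/null
    sync
}

must_not_sign() {
    sub=0
    grep -w "$2" "$3" > /dev/null && sub=1
    if [ $sub != 0 ]; then echo "I:found $1 $2 ($4)"; ret=1; fi
    echo $ret > /dev/null
    sync
}

echo "I:generating child's keys"
# RANDFILE comes from conf.sh (presumably a pre-generated seed file for
# reproducible test runs); it is a test-harness convenience, not a model
# for production key generation.

# active zsk
czsk1=`$KEYGEN -q -r "$RANDFILE" -L 30 "$czone"`

# not yet published or active
czsk2=`$KEYGEN -q -r "$RANDFILE" -P none -A none "$czone"`

# published but not active
czsk3=`$KEYGEN -q -r "$RANDFILE" -A none "$czone"`

# inactive
czsk4=`$KEYGEN -q -r "$RANDFILE" -P now-24h -A now-24h -I now "$czone"`

# active in 12 hours, inactive 12 hours after that...
czsk5=`$KEYGEN -q -r "$RANDFILE" -P now+12h -A now+12h -I now+24h "$czone"`

# explicit successor to czsk5 (-S) with a 6h prepublication interval.
# The warning about the missing removal date is discarded; it goes to
# /dev/null rather than closing stderr (2>&-), which would hand the tool
# a dead descriptor.
czsk6=`$KEYGEN -q -r "$RANDFILE" -S "$czsk5" -i 6h 2> /dev/null`

# active ksk
cksk1=`$KEYGEN -q -r "$RANDFILE" -fk -L 30 "$czone"`

# stand-by ksk: published now, activated 30 seconds from now by the
# $SETTIME call below (run after all $KEYGEN invocations, see RT 24561)
cksk2=`$KEYGEN -q -r "$RANDFILE" -fk "$czone"`

echo I:revoking key
# revoking a key changes its key tag, so cksk3 (pre-revocation name) and
# cksk4 (post-revocation name) are the same key under two ids
cksk3=`$KEYGEN -q -r "$RANDFILE" -fk "$czone"`
cksk4=`$REVOKE "$cksk3"`

echo I:generating parent keys
pzsk=`$KEYGEN -q -r "$RANDFILE" "$pzone"`
pksk=`$KEYGEN -q -r "$RANDFILE" -fk "$pzone"`

echo "I:setting child's activation time"
# using now+30s to fix RT 24561
$SETTIME -A now+30s "$cksk2" > /dev/null

echo I:signing child zone
# -e sets the expiry of ordinary RRSIGs, -X the later expiry of the
# DNSKEY RRSIGs; the expiry check further down depends on -X > -e.
czoneout=`$SIGNER -Sg -e now+1d -X now+2d -r "$RANDFILE" -o "$czone" "$cfile" 2>&1`

echo I:signing parent zone
pzoneout=`$SIGNER -Sg -r "$RANDFILE" -o "$pzone" "$pfile" 2>&1`

czactive=`keyid "$czsk1"`
czgenerated=`keyid "$czsk2"`
czpublished=`keyid "$czsk3"`
czinactive=`keyid "$czsk4"`
czpredecessor=`keyid "$czsk5"`
czsuccessor=`keyid "$czsk6"`
ckactive=`keyid "$cksk1"`
ckpublished=`keyid "$cksk2"`
ckprerevoke=`keyid "$cksk3"`
ckrevoked=`revoked_keyid "$cksk4"`

pzid=`keyid "$pzsk"`
pkid=`keyid "$pksk"`

echo "I:checking key ids were extracted"
ret=0
check_id czactive "$czactive" || ret=1
check_id czgenerated "$czgenerated" || ret=1
check_id czpublished "$czpublished" || ret=1
check_id czinactive "$czinactive" || ret=1
check_id czpredecessor "$czpredecessor" || ret=1
check_id czsuccessor "$czsuccessor" || ret=1
check_id ckactive "$ckactive" || ret=1
check_id ckpublished "$ckpublished" || ret=1
check_id ckprerevoke "$ckprerevoke" || ret=1
check_id ckrevoked "$ckrevoked" || ret=1
check_id pzid "$pzid" || ret=1
check_id pkid "$pkid" || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking dnssec-signzone output matches expectations"
ret=0
echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
echo "$pzoneout" | grep 'ZSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
# child: cksk1 active, cksk2 stand-by, cksk4 revoked; czsk1 active and
# two stand-by ZSKs (presumably czsk3 and czsk4, the published ones)
echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1
echo "$czoneout" | grep 'ZSKs: 1 active, 2 stand-by, 0 revoked' > /dev/null || ret=1
if [ $ret != 0 ]; then
    echo "I: parent $pzoneout"
    echo "I: child $czoneout"
    echo "I:failed";
fi
status=`expr $status + $ret`

echo "I:rechecking dnssec-signzone output with -x"
ret=0
# use an alternate output file so -x doesn't interfere with later checks;
# with -x the summary says "present" instead of "stand-by" for ZSKs
pzoneout=`$SIGNER -Sxg -r "$RANDFILE" -o "$pzone" -f "${pfile}2.signed" "$pfile" 2>&1`
czoneout=`$SIGNER -Sxg -e now+1d -X now+2d -r "$RANDFILE" -o "$czone" -f "${cfile}2.signed" "$cfile" 2>&1`
echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
echo "$pzoneout" | grep 'ZSKs: 1 active, 0 present, 0 revoked' > /dev/null || ret=1
echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1
echo "$czoneout" | grep 'ZSKs: 1 active, 2 present, 0 revoked' > /dev/null || ret=1
if [ $ret != 0 ]; then
    echo "I: parent $pzoneout"
    echo "I: child $czoneout"
    echo "I:failed";
fi
status=`expr $status + $ret`

echo "I:checking parent zone DNSKEY set"
ret=0
grep "key id = $pzid" "$pfile.signed" > /dev/null || {
    ret=1
    echo "I: missing expected parent ZSK id = $pzid"
}
grep "key id = $pkid" "$pfile.signed" > /dev/null || {
    ret=1
    echo "I: missing expected parent KSK id = $pkid"
}
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking parent zone DS records"
ret=0
# collect the key tags of all DS records (field layout: TTL type tag ...)
awk '$2 == "DS" {print $3}' "$pfile.signed" > dsset.out
grep -w "$ckactive" dsset.out > /dev/null || ret=1
grep -w "$ckpublished" dsset.out > /dev/null || ret=1
# revoked key should not be there, hence the &&; a DS for a revoked KSK
# would let the parent keep vouching for a key the child has withdrawn
grep -w "$ckprerevoke" dsset.out > /dev/null && ret=1
grep -w "$ckrevoked" dsset.out > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking child zone DNSKEY set"
ret=0
grep "key id = $ckactive" "$cfile.signed" > /dev/null || {
    ret=1
    echo "I: missing expected child KSK id = $ckactive"
}
grep "key id = $ckpublished" "$cfile.signed" > /dev/null || {
    ret=1
    echo "I: missing expected child prepublished KSK id = $ckpublished"
}
grep "key id = $ckrevoked" "$cfile.signed" > /dev/null || {
    ret=1
    echo "I: missing expected child revoked KSK id = $ckrevoked"
}
grep "key id = $czactive" "$cfile.signed" > /dev/null || {
    ret=1
    echo "I: missing expected child ZSK id = $czactive"
}
grep "key id = $czpublished" "$cfile.signed" > /dev/null || {
    ret=1
    echo "I: missing expected child prepublished ZSK id = $czpublished"
}
grep "key id = $czinactive" "$cfile.signed" > /dev/null || {
    ret=1
    echo "I: missing expected child inactive ZSK id = $czinactive"
}
# should not be there, hence the &&
grep "key id = $ckprerevoke" "$cfile.signed" > /dev/null && {
    ret=1
    echo "I: found unexpected child pre-revoke KSK id = $ckprerevoke"
}
grep "key id = $czgenerated" "$cfile.signed" > /dev/null && {
    ret=1
    echo "I: found unexpected child generated ZSK id = $czgenerated"
}
# the predecessor/successor pair is reported but deliberately not counted
# as a failure (see the disabled checks below)
grep "key id = $czpredecessor" "$cfile.signed" > /dev/null && {
    echo "I: found unexpected ZSK predecessor id = $czpredecessor (ignored)"
}
grep "key id = $czsuccessor" "$cfile.signed" > /dev/null && {
    echo "I: found unexpected ZSK successor id = $czsuccessor (ignored)"
}
#grep "key id = $czpredecessor" $cfile.signed > /dev/null && ret=1
#grep "key id = $czsuccessor" $cfile.signed > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking key TTLs are correct"
ret=0
# keys generated with -L 30 carry an explicit TTL in the .key file;
# czsk2 was generated without one
grep "${czone}. 30 IN" "${czsk1}.key" > /dev/null 2>&1 || ret=1
grep "${czone}. 30 IN" "${cksk1}.key" > /dev/null 2>&1 || ret=1
grep "${czone}. IN" "${czsk2}.key" > /dev/null 2>&1 || ret=1
# dnssec-settime -L rewrites the TTL; -L 0 removes it again
$SETTIME -L 45 "${czsk2}" > /dev/null
grep "${czone}. 45 IN" "${czsk2}.key" > /dev/null 2>&1 || ret=1
$SETTIME -L 0 "${czsk2}" > /dev/null
grep "${czone}. IN" "${czsk2}.key" > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking key TTLs were imported correctly"
ret=0
# The awk field tests assume dnssec-signzone's output layout, where a
# DNSKEY line starts with the TTL ($1) followed by the type ($2).
awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 30 {r = 1} END {exit r}' \
    "${cfile}.signed" || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:re-signing and checking imported TTLs again"
ret=0
# After changing one key file's TTL and re-signing, the test pins the
# observed result: every DNSKEY in the signed zone carries TTL 15.
$SETTIME -L 15 "${czsk2}" > /dev/null
czoneout=`$SIGNER -Sg -e now+1d -X now+2d -r "$RANDFILE" -o "$czone" "$cfile" 2>&1`
awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 15 {r = 1} END {exit r}' \
    "${cfile}.signed" || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking child zone signatures"
ret=0
# Key tags of the RRSIGs over the DNSKEY RRset: the tag is the third
# field of the line following "<TTL> RRSIG DNSKEY ...".
awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' "$cfile.signed" > dnskey.sigs
# DNSKEY RRset must be signed by the active KSK, the revoked KSK (so a
# validator can see the revocation) and the active ZSK ...
must_sign ckactive "$ckactive" dnskey.sigs dnskey
must_sign ckrevoked "$ckrevoked" dnskey.sigs dnskey
must_sign czactive "$czactive" dnskey.sigs dnskey
# ... and by nothing else: not the pre-revocation id, not stand-by,
# published-only, inactive or never-published keys
must_not_sign ckprerevoke "$ckprerevoke" dnskey.sigs dnskey
must_not_sign ckpublished "$ckpublished" dnskey.sigs dnskey
must_not_sign czpublished "$czpublished" dnskey.sigs dnskey
must_not_sign czinactive "$czinactive" dnskey.sigs dnskey
must_not_sign czgenerated "$czgenerated" dnskey.sigs dnskey
# Key tags of all other RRSIGs: only the active ZSK may sign zone data;
# KSKs (active, stand-by, revoked) and all non-active ZSKs must not.
awk '$2 == "RRSIG" && $3 != "DNSKEY" { getline; print $3 }' "$cfile.signed" | sort -un > other.sigs
must_not_sign ckactive "$ckactive" other.sigs other
must_not_sign ckpublished "$ckpublished" other.sigs other
must_not_sign ckprerevoke "$ckprerevoke" other.sigs other
must_not_sign ckrevoked "$ckrevoked" other.sigs other
must_not_sign czpublished "$czpublished" other.sigs other
must_not_sign czinactive "$czinactive" other.sigs other
must_not_sign czgenerated "$czgenerated" other.sigs other
must_not_sign czpredecessor "$czpredecessor" other.sigs other
must_not_sign czsuccessor "$czsuccessor" other.sigs other
if [ $ret != 0 ]; then
    sed 's/^/I:dnskey sigs: /' < dnskey.sigs
    sed 's/^/I:other sigs: /' < other.sigs
    echo "I:failed";
fi
status=`expr $status + $ret`

echo "I:checking RRSIG expiry date correctness"
ret=0
# named-checkzone -o - prints full records, so the RRSIG expiry is the
# ninth field; cut keeps YYYYMMDDHH for an integer comparison
dnskey_expiry=`$CHECKZONE -o - "$czone" "$cfile.signed" 2> /dev/null |
    awk '$4 == "RRSIG" && $5 == "DNSKEY" {print $9; exit}' |
    cut -c1-10`
soa_expiry=`$CHECKZONE -o - "$czone" "$cfile.signed" 2> /dev/null |
    awk '$4 == "RRSIG" && $5 == "SOA" {print $9; exit}' |
    cut -c1-10`
# The DNSKEY RRSIG (-X now+2d) must expire after the SOA RRSIG (-e now+1d).
# An empty value is an explicit failure rather than a test(1) syntax error.
[ -n "$dnskey_expiry" ] && [ -n "$soa_expiry" ] &&
    [ "$dnskey_expiry" -gt "$soa_expiry" ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:waiting 30 seconds for key activation"
sleep 30
echo "I:re-signing child zone"
czoneout2=`$SIGNER -Sg -r "$RANDFILE" -o "$czone" -f "$cfile.new" "$cfile.signed" 2>&1`
mv "$cfile.new" "$cfile.signed"

echo "I:checking dnssec-signzone output matches expectations"
ret=0
# cksk2's activation time (now+30s above) has passed: two active KSKs
echo "$czoneout2" | grep 'KSKs: 2 active, 0 stand-by, 1 revoked' > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking child zone signatures again"
ret=0
# the newly active KSK must now sign the DNSKEY RRset
awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' "$cfile.signed" > dnskey.sigs
grep -w "$ckpublished" dnskey.sigs > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:exit status: $status"
exit $status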