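#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test for smart signing (dnssec-signzone -S) driven by key timing
# metadata, plus the timing/permission warnings of dnssec-settime and
# dnssec-keygen.
#
# The setup phase (outside this file) leaves one-line files in the test
# directory (inact.key, ksk.key, pending.key, ...) that each hold the base
# name of a key pair.  This script reads those names, signs the child and
# parent zones, and checks which keys did and did not sign the zone.
#
# Every check resets ret=0, folds ret into $status and advances the check
# counter $n; the script exits 1 if any check failed.

set -e

. ../conf.sh

pzone=parent.nil pfile=parent.db
czone=child.parent.nil cfile=child.db
status=0
n=1

# Print "TYPE KEYID" for every RRSIG in the signed zone read from stdin
# whose signer name matches $czone.
#
# dnssec-signzone writes each RRSIG over several lines: the first line
# carries the covered type in field 3, the following line carries the key
# id in field 3 and the signer name in field 4.
extract_sigs() {
  awk -v zone="$czone" '$2 ~ /RRSIG/ {
    type = $3;
    getline;
    id = $3;
    if ($4 ~ zone) {
      print type, id
    }
  }'
}

# Print "FLAGS KEYID" for every DNSKEY in the signed zone read from stdin.
# The key id is in a trailing "; key id = NNNNN" comment that may be a few
# lines below the DNSKEY line, so read forward until it appears.
extract_keys() {
  awk '$2 ~ /DNSKEY/ {
    flags = $3;
    while ($0 !~ /key id =/)
      getline;
    id = $NF;
    print flags, id;
  }'
}

# Close check number $n: report a failure when ret != 0, accumulate ret
# into $status and move on to the next check number.
finish_check() {
  if [ "$ret" != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
  n=$((n + 1))
}

echo_i "setting key timers"
# The standby KSK becomes active 15 seconds from now; the zone is re-signed
# after a 20 second wait further down so that this date has passed by then.
$SETTIME -A now+15s "$(cat rolling.key)" >/dev/null

inact=$(keyfile_to_key_id "$(cat inact.key)")
ksk=$(keyfile_to_key_id "$(cat ksk.key)")
pending=$(keyfile_to_key_id "$(cat pending.key)")
postrev=$(keyfile_to_key_id "$(cat postrev.key)")
prerev=$(keyfile_to_key_id "$(cat prerev.key)")
rolling=$(keyfile_to_key_id "$(cat rolling.key)")
standby=$(keyfile_to_key_id "$(cat standby.key)")
zsk=$(keyfile_to_key_id "$(cat zsk.key)")

echo_i "signing zones"
$SIGNER -Sg -o "$czone" "$cfile" >/dev/null
$SIGNER -Sg -o "$pzone" "$pfile" >/dev/null

# Snapshot of who signed what, and which keys are published, in the
# initially signed child zone.
extract_sigs <"${cfile}.signed" >sigs
extract_keys <"${cfile}.signed" >keys

echo_i "checking that KSK signed DNSKEY only ($n)"
ret=0
grep "DNSKEY $ksk"'$' sigs >/dev/null || ret=1
grep "SOA $ksk"'$' sigs >/dev/null && ret=1
finish_check

echo_i "checking that ZSK signed ($n)"
ret=0
grep "SOA $zsk"'$' sigs >/dev/null || ret=1
finish_check

echo_i "checking that standby ZSK did not sign ($n)"
ret=0
grep " $standby"'$' sigs >/dev/null && ret=1
finish_check

echo_i "checking that inactive key did not sign ($n)"
ret=0
grep " $inact"'$' sigs >/dev/null && ret=1
finish_check

echo_i "checking that pending key was not published ($n)"
ret=0
grep " $pending"'$' keys >/dev/null && ret=1
finish_check

echo_i "checking that standby KSK did not sign but is delegated ($n)"
ret=0
# Not yet active: published in the DNSKEY RRset and referenced by a DS in
# the parent, but it must not have produced any signature.
grep " $rolling"'$' sigs >/dev/null && ret=1
grep " $rolling"'$' keys >/dev/null || ret=1
grep -E "DS[ ]*$rolling[ ]" "${pfile}.signed" >/dev/null || ret=1
finish_check

echo_i "checking that key was revoked ($n)"
ret=0
# Revocation flips the REVOKE flag, which changes the key id: the
# pre-revocation id must be gone and the post-revocation id present.
grep " $prerev"'$' keys >/dev/null && ret=1
grep " $postrev"'$' keys >/dev/null || ret=1
finish_check

echo_i "checking that revoked key self-signed ($n)"
ret=0
grep "DNSKEY $postrev"'$' sigs >/dev/null || ret=1
grep "SOA $postrev"'$' sigs >/dev/null && ret=1
finish_check

echo_i "waiting 20 seconds for key changes to occur"
sleep 20

echo_i "re-signing zone"
$SIGNER -Sg -o "$czone" -f "${cfile}.new" "${cfile}.signed" >/dev/null

echo_i "checking that standby KSK is now active ($n)"
ret=0
# The signatures have to be taken from the re-signed zone: the "sigs"
# snapshot above predates the activation date, so grepping it here would
# only repeat the earlier "did not sign" check and could never fail.
extract_sigs <"${cfile}.new" >sigs.new
grep "DNSKEY $rolling"'$' sigs.new >/dev/null || ret=1
finish_check

echo_i "checking update of an old-style key ($n)"
ret=0
# printing metadata should not work with an old-style key
$SETTIME -pall "$(cat oldstyle.key)" >/dev/null 2>&1 && ret=1
# -f upgrades the key file to the current format
$SETTIME -f "$(cat oldstyle.key)" >/dev/null 2>&1 || ret=1
# but now it should
$SETTIME -pall "$(cat oldstyle.key)" >/dev/null 2>&1 || ret=1
finish_check

echo_i "checking warning about permissions change on key with dnssec-settime ($n)"
ret=0
# Deliberately loosen the private key's mode: settime should warn about the
# changed permissions on the first run, and not again on the second run.
chmod 644 "$(cat oldstyle.key).private"
$SETTIME -P none "$(cat oldstyle.key)" >"settime1.test$n" 2>&1 || ret=1
grep "warning: Permissions on the file.*have changed" "settime1.test$n" >/dev/null 2>&1 || ret=1
$SETTIME -P none "$(cat oldstyle.key)" >"settime2.test$n" 2>&1 || ret=1
grep "warning: Permissions on the file.*have changed" "settime2.test$n" >/dev/null 2>&1 && ret=1
finish_check

echo_i "checking warning about delete date < inactive date with dnssec-settime ($n)"
ret=0
# settime should print a warning about delete < inactive
$SETTIME -I now+15s -D now "$(cat oldstyle.key)" >tmp.out 2>&1 || ret=1
grep "warning" tmp.out >/dev/null 2>&1 || ret=1
finish_check

echo_i "checking no warning about delete date < inactive date with dnssec-settime when delete date is unset ($n)"
ret=0
$SETTIME -D none "$(cat oldstyle.key)" >tmp.out 2>&1 || ret=1
$SETTIME -p all "$(cat oldstyle.key)" >tmp.out 2>&1 || ret=1
grep "warning" tmp.out >/dev/null 2>&1 && ret=1
finish_check

echo_i "checking warning about delete date < inactive date with dnssec-keygen ($n)"
ret=0
# keygen should print a warning about delete < inactive
$KEYGEN -q -a "${DEFAULT_ALGORITHM}" -I now+15s -D now "$czone" >tmp.out 2>&1 || ret=1
grep "warning" tmp.out >/dev/null 2>&1 || ret=1
finish_check

echo_i "checking correct behavior setting activation without publication date ($n)"
ret=0
# With only -A given, publication defaults to the activation date.
key=$($KEYGEN -q -a "${DEFAULT_ALGORITHM}" -A +1w "$czone")
pub=$($SETTIME -upP "$key" | awk '{print $2}')
act=$($SETTIME -upA "$key" | awk '{print $2}')
[ "$pub" -eq "$act" ] || ret=1
# With a pre-publication interval (-i), publication precedes activation.
key=$($KEYGEN -q -a "${DEFAULT_ALGORITHM}" -A +1w -i 1d "$czone")
pub=$($SETTIME -upP "$key" | awk '{print $2}')
act=$($SETTIME -upA "$key" | awk '{print $2}')
[ "$pub" -lt "$act" ] || ret=1
# An explicit "-P never" must leave publication unset.
key=$($KEYGEN -q -a "${DEFAULT_ALGORITHM}" -A +1w -P never "$czone")
pub=$($SETTIME -upP "$key" | awk '{print $2}')
[ "$pub" = "UNSET" ] || ret=1
finish_check

echo_i "checking calculation of dates for a successor key ($n)"
ret=0
oldkey=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -q "$czone")
newkey=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -q "$czone")
$SETTIME -A -2d -I +2d "$oldkey" >"settime1.test$n" 2>&1 || ret=1
# -S derives the successor's dates from the predecessor's inactivation;
# a 1970 activation date would mean the epoch was used instead.
$SETTIME -i 1d -S "$oldkey" "$newkey" >"settime2.test$n" 2>&1 || ret=1
$SETTIME -pA "$newkey" | grep "1970" >/dev/null && ret=1
finish_check

key=$($KEYGEN -q -a "${DEFAULT_ALGORITHM}" "$czone")

echo_i "checking -p output time is accepted ($n)"
ret=0
t=$($SETTIME -pA "$key" | sed 's/.*: //')
$SETTIME -Psync "$t" "$key" >"settime2.test$n" 2>&1 || ret=1
finish_check

echo_i "checking -up output time is accepted ($n)"
ret=0
t=$($SETTIME -upA "$key" | sed 's/.*: //')
$SETTIME -Dsync "$t" "$key" >"settime2.test$n" 2>&1 || ret=1
finish_check

echo_i "checking -p unset time is accepted ($n)"
ret=0
# The Delete timing metadata is unset.
t=$($SETTIME -pD "$key" | sed 's/.*: //')
$SETTIME -Psync "$t" "$key" >"settime2.test$n" 2>&1 || ret=1
finish_check

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1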