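# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Fixture generator for the "verify" system test.  Every case below
# produces one zone file, <zone>.good or <zone>.bad: "good" zones are
# correctly signed and must be accepted by the verifier, "bad" zones are
# unsigned, expired or deliberately corrupted and must be rejected.  The
# verification itself happens outside this script; this script only
# builds the inputs.  KEYGEN, SIGNER, echo_i, echo_d and cat_d are
# provided by conf.sh.

SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh

SYSTESTDIR=verify

# dumpit FILE
# Copy FILE to the debug log, tagged with the current case name ($debug,
# set by setup).  Used as the "|| dumpit ..." fallback after every
# keygen/signzone call so that a failed fixture leaves the tool's output
# in the test log instead of vanishing silently.
dumpit () {
	echo_d "${debug}: dumping ${1}"
	cat_d < "${1}"
}

# setup ZONE good|bad
# Announce a case and set the globals every following command relies on:
#   debug, zone  the zone name
#   file         output zone file, "ZONE.good" or "ZONE.bad"
#   n            running case number; suffixes the kg*.out$n / s.out$n
#                tool logs so different cases never overwrite each other
setup () {
	echo_i "setting up $2 zone: $1"
	debug="$1"
	zone="$1"
	file="$1.$2"
	n=$(( ${n:-0} + 1 ))
}

# An unsigned zone must fail verification: no keys, no signatures.
setup unsigned bad
cp unsigned.db unsigned.bad

# Valid NSEC zones: ZSK only, KSK only, KSK+ZSK.
# dnssec-signzone options used throughout this file:
#   -S  smart signing: keys are picked up from the current directory
#   -P  disable post-signing verification (required for the "bad"
#       cases further down, which would otherwise be refused)
#   -z  ignore the KSK flag, so a KSK-only zone is fully signed
#   -x  sign the DNSKEY RRset with KSKs only
#   -3 -  NSEC3 with an empty salt; -A additionally sets opt-out
setup zsk-only.nsec good
$KEYGEN -a rsasha256 ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

setup ksk-only.nsec good
$KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

setup ksk+zsk.nsec good
$KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

# Same as above, but with a DNAME at the apex.  The key names captured
# in zsk/ksk are not used afterwards; -S finds the keys on disk.
setup ksk+zsk.nsec.apex-dname good
zsk=$($KEYGEN -a rsasha256 ${zone} 2> kg1.out$n) || dumpit kg1.out$n
ksk=$($KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
cp unsigned.db ${file}.tmp
echo "@ DNAME data" >> ${file}.tmp
$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n

# A set of nsec3 zones.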
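# Valid NSEC3 zones: ZSK only, KSK only, KSK+ZSK, KSK+ZSK with opt-out,
# and KSK+ZSK with a DNAME at the apex.  All use "-3 -" (empty salt).
setup zsk-only.nsec3 good
$KEYGEN -a rsasha256 ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

setup ksk-only.nsec3 good
$KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

setup ksk+zsk.nsec3 good
$KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

# -A: NSEC3 opt-out.
setup ksk+zsk.optout good
$KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

# The captured key names are not used afterwards; -S finds the keys.
setup ksk+zsk.nsec3.apex-dname good
zsk=$($KEYGEN -a rsasha256 ${zone} 2> kg1.out$n) || dumpit kg1.out$n
ksk=$($KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
cp unsigned.db ${file}.tmp
echo "@ DNAME data" >> ${file}.tmp
$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n

#
# NSEC "next owner" case mismatch, which must still verify: generate an
# NSEC record like
#	aba NSEC FOO ...
# then downcase the FOO owner names, so the next name in the database
# becomes "foo" when the zone is loaded while the NSEC (and the RRSIG
# over it) still say "FOO".  DNS names compare case-insensitively, so a
# verifier must accept this.
#
# The keys are referenced via $include from the zone file, so no -S here;
# keygen stderr goes to separate logs so a ZSK failure does not overwrite
# the KSK's diagnostics.
#
setup nsec-next-name-case-mismatch good
ksk=$($KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
zsk=$($KEYGEN -a rsasha256 ${zone} 2> kg1.out$n) || dumpit kg1.out$n
cat << EOF > ${zone}.tmp
\$TTL 0
@ IN SOA foo . ( 1 28800 7200 604800 1800 )
@ NS foo
\$include $ksk.key
\$include $zsk.key
FOO AAAA ::1
FOO A 127.0.0.2
aba CNAME FOO
EOF
$SIGNER -zP -o ${zone} -f ${file}.tmp ${zone}.tmp > s.out$n 2>&1 || dumpit s.out$n
# Only owner names are rewritten; the NSEC RDATA keeps the upper-case form.
sed 's/^FOO\./foo\./' < ${file}.tmp > ${file}

# A set of zones with only DNSKEY records.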
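# Zones that carry DNSKEY records but no signatures at all: the key
# material alone must not make a zone verify.  keygen stderr goes to
# kg.out$n so that the dumpit fallback reports the file that was
# actually written.
setup zsk-only.dnskeyonly bad
key1=$($KEYGEN -a rsasha256 ${zone} 2> kg.out$n) || dumpit kg.out$n
cat unsigned.db $key1.key > ${file}

setup ksk-only.dnskeyonly bad
key1=$($KEYGEN -a rsasha256 -fK ${zone} 2> kg.out$n) || dumpit kg.out$n
cat unsigned.db $key1.key > ${file}

setup ksk+zsk.dnskeyonly bad
key1=$($KEYGEN -a rsasha256 ${zone} 2> kg.out$n) || dumpit kg.out$n
key2=$($KEYGEN -a rsasha256 -fK ${zone} 2> kg.out$n) || dumpit kg.out$n
cat unsigned.db $key1.key $key2.key > ${file}

# Zones whose signatures have already expired.  "-s -2678400" moves the
# signature inception 31 days into the past; with signzone's default
# validity window that puts the expiration before "now", so every RRSIG
# is stale.  ${s} is two words and must stay unquoted.
s="-s -2678400"
setup zsk-only.nsec.expired bad
$KEYGEN -a rsasha256 ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

setup ksk-only.nsec.expired bad
$KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

setup ksk+zsk.nsec.expired bad
$KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

setup zsk-only.nsec3.expired bad
$KEYGEN -a rsasha256 ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

setup ksk-only.nsec3.expired bad
$KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

setup ksk+zsk.nsec3.expired bad
$KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

# Only the KSK's signature is expired: the zone is first signed with the
# ZSK at the current time, then the DNSKEY RRset is re-signed with the
# KSK using the backdated inception.  A verifier must not accept a zone
# whose DNSKEY RRSIG is stale even though all other RRSIGs are fresh.
# "-O full" writes one record per line, so awk can pull the expiration
# (field 9 of an RRSIG, YYYYMMDDHHMMSS) straight out of the file; the
# sanity check dumps the zone if that time is not in the past, and the
# far-future default also forces a dump if no RRSIG DNSKEY was found.
setup ksk+zsk.nsec.ksk-expired bad
zsk=$($KEYGEN -a rsasha256 ${zone} 2> kg1.out$n) || dumpit kg1.out$n
ksk=$($KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
now=$(date -u +%Y%m%d%H%M%S)
exp=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file})
[ "${exp:-40001231246060}" -lt "${now:-0}" ] || dumpit $file

setup ksk+zsk.nsec3.ksk-expired bad
zsk=$($KEYGEN -a rsasha256 ${zone} 2> kg1.out$n) || dumpit kg1.out$n
ksk=$($KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
now=$(date -u +%Y%m%d%H%M%S)
exp=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file})
[ "${exp:-40001231246060}" -lt "${now:-0}" ] || dumpit $file

# The remaining cases corrupt the NSEC/NSEC3 chain by hand.  Pattern:
# sign once with the KSK in "-O full" format (one record per line so
# awk can edit it), mangle the file, then sign with the ZSK using
# "-Z nonsecify" so signzone signs the hand-edited chain as-is instead
# of regenerating it.  -P keeps signzone from refusing the broken zone.
# The shell values spliced into the awk programs ($zone, and below $a/$b)
# are script constants or base32hex labels taken from signzone output,
# never external input.

# Broken NSEC chain: for every NSEC a second copy whose next-owner is the
# zone apex is emitted alongside the original, so the chain no longer
# forms a single loop and owners carry two NSEC records.
setup ksk+zsk.nsec.broken-chain bad
zsk=$($KEYGEN -a rsasha256 ${zone} 2> kg1.out$n) || dumpit kg1.out$n
ksk=$($KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} > ${file}.tmp
$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 || dumpit s.out$n

# Bad NSEC type bitmap: the apex NSEC (the one listing SOA) gets a copy
# with its first bitmap entry (field 6) blanked, so the bitmap no longer
# matches the types actually present at the apex.
setup ksk+zsk.nsec.bad-bitmap bad
zsk=$($KEYGEN -a rsasha256 ${zone} 2> kg1.out$n) || dumpit kg1.out$n
ksk=$($KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' ${file} > ${file}.tmp
$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 || dumpit s.out$n

# Extra NSEC record at an owner outside the zone.
setup ksk+zsk.nsec.out-of-zone-nsec bad
zsk=$($KEYGEN -a rsasha256 ${zone} 2> kg1.out$n) || dumpit kg1.out$n
ksk=$($KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file}
$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n

# Extra NSEC record below the bottom of the zone (under a delegation).
# signzone signs any node that has an NSEC record, so the RRSIGs it adds
# at ns.sub for everything except the NSEC itself are stripped again;
# only the bogus NSEC and its signature remain below the cut.
setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad
zsk=$($KEYGEN -a rsasha256 ${zone} 2> kg1.out$n) || dumpit kg1.out$n
ksk=$($KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> ${file}
$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${file}.tmp > ${file}

# Extra NSEC record below a DNAME (names under a DNAME do not exist in
# the zone and must not have NSEC records).
setup ksk+zsk.nsec.below-dname-nsec bad
zsk=$($KEYGEN -a rsasha256 ${zone} 2> kg1.out$n) || dumpit kg1.out$n
ksk=$($KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
echo "sub.dname.${zone}. 3600 IN NSEC ${zone}. TXT" >> ${file}
$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n

# Missing NSEC3 record at an empty non-terminal.  In "-O full" output an
# NSEC3 with no type bitmap has exactly 9 fields (owner TTL IN NSEC3 alg
# flags iter salt next), which identifies the empty node.  $a is its
# hashed owner label, $b its next-hash; the predecessor's next-hash is
# rewritten from $a to $b and the empty node's NSEC3 is dropped, closing
# the chain over the hole.
# NOTE(review): assumes unsigned.db yields exactly one empty non-terminal;
# with several, $a/$b become multi-line and the awk program would break.
setup ksk+zsk.nsec3.missing-empty bad
zsk=$($KEYGEN -a rsasha256 ${zone} 2> kg1.out$n) || dumpit kg1.out$n
ksk=$($KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
a=$(awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' ${file})
b=$(awk '$4 == "NSEC3" && NF == 9 { print $9; }' ${file})
awk '
$4 == "NSEC3" && $9 == "'$a'" { $9 = "'$b'"; print; next; }
$4 == "NSEC3" && NF == 9 { next; }
{ print; }' ${file} > ${file}.tmp
$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 || dumpit s.out$n

# Extra NSEC3 record that is not part of the chain: the empty node's
# NSEC3 is used as a template for a record with a fixed hashed owner
# (...U3H) pointing at the next hash (...U3I); neither is referenced by
# any other NSEC3.  The awk program prints only the forged record, which
# is then appended to the signed zone.
setup ksk+zsk.nsec3.extra-nsec3 bad
zsk=$($KEYGEN -a rsasha256 ${zone} 2> kg1.out$n) || dumpit kg1.out$n
ksk=$($KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
awk '
BEGIN {
	ZONE="'${zone}'.";
}
$4 == "NSEC3" && NF == 9 {
	$1 = "H9P7U7TR2U91D0V0LJS9L1GIDNP90U3H." ZONE;
	$9 = "H9P7U7TR2U91D0V0LJS9L1GIDNP90U3I";
	print;
}' ${file} > ${file}.tmp
cat ${file}.tmp >> ${file}
rm -f ${file}.tmp
$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n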