ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

improve handling of trailing dots in dnssec-keymgr and dnssec-coverage

Browse Source 
- mishandling of trailing dots caused bad behavior with the
  root zone or names like "example.com."
- fixing this exposed an error in dnssec-coverage caused the
  wrong return value if there were KSK errors but no ZSK errors
- incidentally silenced the dnssec-keygen output in the coverage
  system test
This commit is contained in:
Evan Hunt
2019-01-21 13:12:26 -08:00
parent 58e4d00c43
commit 1ccf4e6c16
7 changed files with 68 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
bin/tests/system/coverage/setup.sh
View File

@@ -20,115 +20,115 @@ ln -s $CHECKZONE named-compilezone
dir=01-ksk-inactive
rm -f $dir/K*.key
rm -f $dir/K*.private
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
ksk2=`$KEYGEN -K $dir -S $ksk1`
ksk2=`$KEYGEN -q -K $dir -S $ksk1`
$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
# Test 2: ZSK goes inactive before successor is active
dir=02-zsk-inactive
rm -f $dir/K*.key
rm -f $dir/K*.private
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
zsk2=`$KEYGEN -K $dir -S $zsk1`
zsk2=`$KEYGEN -q -K $dir -S $zsk1`
$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
# Test 3: KSK is unpublished before its successor is published
dir=03-ksk-unpublished
rm -f $dir/K*.key
rm -f $dir/K*.private
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
ksk2=`$KEYGEN -K $dir -S $ksk1`
ksk2=`$KEYGEN -q -K $dir -S $ksk1`
$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
# Test 4: ZSK is unpublished before its successor is published
dir=04-zsk-unpublished
rm -f $dir/K*.key
rm -f $dir/K*.private
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
zsk2=`$KEYGEN -K $dir -S $zsk1`
zsk2=`$KEYGEN -q -K $dir -S $zsk1`
$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
# Test 5: KSK deleted and successor published before KSK is deactivated
# and successor activated.
dir=05-ksk-unpub-active
rm -f $dir/K*.key
rm -f $dir/K*.private
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
ksk2=`$KEYGEN -K $dir -S $ksk1`
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
ksk2=`$KEYGEN -q -K $dir -S $ksk1`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
# Test 6: ZSK deleted and successor published before ZSK is deactivated
# and successor activated.
dir=06-zsk-unpub-active
rm -f $dir/K*.key
rm -f $dir/K*.private
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
zsk2=`$KEYGEN -K $dir -S $zsk1`
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
zsk2=`$KEYGEN -q -K $dir -S $zsk1`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
# Test 7: KSK rolled with insufficient delay after prepublication.
dir=07-ksk-ttl
rm -f $dir/K*.key
rm -f $dir/K*.private
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
ksk2=`$KEYGEN -K $dir -S $ksk1`
ksk2=`$KEYGEN -q -K $dir -S $ksk1`
# allow only 1 day between publication and activation
$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
# Test 8: ZSK rolled with insufficient delay after prepublication.
dir=08-zsk-ttl
rm -f $dir/K*.key
rm -f $dir/K*.private
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
zsk2=`$KEYGEN -K $dir -S $zsk1`
zsk2=`$KEYGEN -q -K $dir -S $zsk1`
# allow only 1 day between publication and activation
$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
# Test 9: KSK goes inactive before successor is active, but checking ZSKs
dir=09-check-zsk
rm -f $dir/K*.key
rm -f $dir/K*.private
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
ksk2=`$KEYGEN -K $dir -S $ksk1`
ksk2=`$KEYGEN -q -K $dir -S $ksk1`
$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
# Test 10: ZSK goes inactive before successor is active, but checking KSKs
dir=10-check-ksk
rm -f $dir/K*.key
rm -f $dir/K*.private
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
zsk2=`$KEYGEN -K $dir -S $zsk1`
zsk2=`$KEYGEN -q -K $dir -S $zsk1`
$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
# Test 11: ZSK goes inactive before successor is active, but after cutoff
dir=11-cutoff
rm -f $dir/K*.key
rm -f $dir/K*.private
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
$SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1
zsk2=`$KEYGEN -K $dir -S $zsk1`
zsk2=`$KEYGEN -q -K $dir -S $zsk1`
$SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
# Test 12: Too early KSK deletion
dir=12-ksk-deletion
ksk1=`$KEYGEN -K $dir -f KSK -a 8 -b 2048 -I +40d -D +40d example.com`
ksk2=`$KEYGEN -K $dir -S $ksk1.key example.com`
ksk1=`$KEYGEN -q -K $dir -f KSK -a 8 -b 2048 -I +40d -D +40d example.com`
ksk2=`$KEYGEN -q -K $dir -S $ksk1.key example.com`