ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Fix a kasp system test bug

Browse Source 
In '_check_apex_dnskey' we check for each key (KEY1 to KEY4) if they
are present in the DNSKEY RRset if they should be.

However, we only grep the dig output for the first seven fields (owner,
ttl, class, type, flags, protocol, algorithm). This can be the same
for different keys.

For example, KEY1 may be KSK predecessor and KEY2 a KSK successor,
both DNSKEY records for these keys are the same up to the public key
field. This can cause test failures if KEY1 needs to be present, but
KEY2 not, because when grepping for KEY2 we will falsely detect the
key to be present (because the grep matches KEY1).

Fix the function by grepping looking for the first seven fields in the
corresponding key file and retrieve the public key part. Grep for this
in the dig output.

(cherry picked from commit 3e1d09ac66)
This commit is contained in:
Matthijs Mekking
2022-04-28 16:45:33 +02:00
parent 3625cf1f63
commit 22f3c453f0
1 changed files with 33 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
bin/tests/system/kasp.sh
View File

@@ -1008,6 +1008,15 @@ check_cds() {
status=$((status+ret))
}
_find_dnskey() {
_owner="${ZONE}."
_alg="$(key_get $1 ALG_NUM)"
_flags="$(key_get $1 FLAGS)"
_key_file="$(key_get $1 BASEFILE).key"
awk '$1 == "'"$_owner"'" && $2 == "'"$DNSKEY_TTL"'" && $3 == "IN" && $4 == "DNSKEY" && $5 == "'"$_flags"'" && $6 == "3" && $7 == "'"$_alg"'" { print $8 }' < "$_key_file"
}
# Test DNSKEY query.
_check_apex_dnskey() {
@@ -1015,40 +1024,49 @@ _check_apex_dnskey() {
grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || return 1
_checksig=0
_flags="$(key_get KEY1 FLAGS)"
if [ "$(key_get KEY1 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" = "omnipresent" ]; then
grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY1 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1
_pubkey=$(_find_dnskey KEY1)
test -z "$_pubkey" && return 1
grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
_checksig=1
elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY1 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1
_pubkey=$(_find_dnskey KEY1)
test -z "$_pubkey" && return 1
grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
fi
_flags="$(key_get KEY2 FLAGS)"
if [ "$(key_get KEY2 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DNSKEY)" = "omnipresent" ]; then
grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY2 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1
_pubkey=$(_find_dnskey KEY2)
test -z "$_pubkey" && return 1
grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
_checksig=1
elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY2 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1
_pubkey=$(_find_dnskey KEY2)
test -z "$_pubkey" && return 1
grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
fi
_flags="$(key_get KEY3 FLAGS)"
if [ "$(key_get KEY3 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DNSKEY)" = "omnipresent" ]; then
grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY3 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1
_pubkey=$(_find_dnskey KEY3)
test -z "$_pubkey" && return 1
grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
_checksig=1
elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY3 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1
_pubkey=$(_find_dnskey KEY3)
test -z "$_pubkey" && return 1
grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
fi
_flags="$(key_get KEY4 FLAGS)"
if [ "$(key_get KEY4 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DNSKEY)" = "omnipresent" ]; then
grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY4 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1
_pubkey=$(_find_dnskey KEY4)
test -z "$_pubkey" && return 1
grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
_checksig=1
elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY4 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1
_pubkey=$(_find_dnskey KEY4)
test -z "$_pubkey" && return 1
grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
fi
test "$_checksig" -eq 0 && return 0