Add tests for mkeys with unsupported algorithm

These tests check if a key with an unsupported algorithm in
managed-keys is ignored and when seeing an algorithm rollover to
an unsupported algorithm, the new key will be ignored too.

bin/tests/system/mkeys/README

@@ -19,3 +19,6 @@ managed-keys.jnl, causing RFC 5011 initialization to fail.
 
 ns5 is a validator which is prevented from getting a response from the
 root server, causing key refresh queries to fail.
+
+ns6 is a validator which has unsupported algorithms, one at start up,
+one because of an algorithm rollover.

bin/tests/system/mkeys/clean.sh

@@ -16,9 +16,10 @@ rm -f */named.conf
 rm -f */named.memstats */named.run */named.run.prev
 rm -f dig.out* delv.out* rndc.out* signer.out*
 rm -f dsset-. ns1/dsset-.
+rm -f ns1/zone.key
 rm -f ns*/managed-keys.bind*
 rm -f ns*/named.lock
 rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
 rm -f ns5/named.args
-rm -f ns6/view1.mkeys ns6/view2.mkeys
+rm -f ns7/view1.mkeys ns7/view2.mkeys
 rm -rf ns4/nope

bin/tests/system/mkeys/ns1/root.db

@@ -8,16 +8,16 @@
 ; information regarding copyright ownership.
 
 $TTL 20
-. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
-				2000042100   	; serial
-				600         	; refresh
-				600         	; retry
-				1200    	; expire
-				2       	; minimum
-				)
-.			NS	a.root-servers.nil.
-a.root-servers.nil.	A	10.53.0.1
+.                      IN SOA  gson.nominum.com. a.root.servers.nil. (
+                               2000042100      ; serial
+                               600             ; refresh
+                               600             ; retry
+                               1200            ; expire
+                               2               ; minimum
+                               )
+.                      NS      a.root-servers.nil.
+a.root-servers.nil.    A       10.53.0.1
 
 ; no delegation
 
-example.		TXT	"This is a test."
+example.               TXT     "This is a test."

bin/tests/system/mkeys/ns1/sign.sh

@@ -26,13 +26,18 @@ cp managed.conf ../ns2/managed.conf
 cp managed.conf ../ns4/managed.conf
 cp managed.conf ../ns5/managed.conf
 
-# Configure a trusted key statement (used by delv)
+# Configure a trusted key statement (used by delv).
 keyfile_to_trusted_keys $keyname > trusted.conf
 
+# Prepare an unsupported algorithm key.
+unsupportedkey=K.+003+28683
+cp unsupported.key "${unsupportedkey}.key"
+
 #
 #  Save keyname and keyid for managed key id test.
 #
 echo "$keyname" > managed.key
+echo "$zskkeyname" > zone.key
 keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'`
 keyid=`expr $keyid + 0`
 echo "$keyid" > managed.key.id

bin/tests/system/mkeys/ns1/unsupported.key

@@ -0,0 +1 @@
+.	IN	DNSKEY	257 3 255 BJiXuidPHuGIne8GlCBLG+Oq/FZruQd2s3uBo+SxY16NUP/Vwl8MctMK62KsblDU1gIJAdEMVep2tsOkuSm0bIbJ8NBex+N9rSvzH2YJlDCT9QnNfv4q5RRTcVA3lk9nkmWHo6zcAT33yuS+THOCSznOMCJRq8JGZ6xqMJLv9FucuK6CCe6QBAZ5e98dpyGTWQLu7AERKKFqda9YCk3KQfdzx/HZ4SpQpRLncIXvGm1PIMT8Ar95NB/BsFJGwr5ZTaQtRYOXf2DD7wD3pfMsTJCdZyC0J0EtGBG109I+Oou1cswUfqZLXip/aV3eaBAUqLcZpg8P8vAbrvEq4uMS4OMZeXL6nu0irrdS1Pqmax8RsC+x3fg9EBH3QmHroJZtiU5h+0x4qApp7HE4Z5zFRuxIp9iB

bin/tests/system/mkeys/ns6/named.args

@@ -0,0 +1 @@
+-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=5/10/20

bin/tests/system/mkeys/ns6/named.conf.in

@@ -22,8 +22,8 @@ options {
 	recursion yes;
 	notify no;
 	dnssec-enable yes;
-	dnssec-validation auto;
-	bindkeys-file "managed.conf";
+	dnssec-validation yes;
+	trust-anchor-telemetry no;
 };
 
 key rndc_key {
@@ -35,16 +35,9 @@ controls {
 	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
-view view1 {
-	zone "." {
-		type hint;
-		file "../../common/root.hint";
-	};
+zone "." {
+	type hint;
+	file "../../common/root.hint";
 };
 
-view view2 {
-	zone "." {
-		type hint;
-		file "../../common/root.hint";
-	};
-};
+include "managed.conf";

bin/tests/system/mkeys/ns6/setup.sh

@@ -0,0 +1,30 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+zonefile=root.db
+
+# an RSA key
+rsakey=`$KEYGEN -a rsasha256 -qfk rsasha256.`
+
+# a key with unsupported algorithm
+unsupportedkey=Kunknown.+255+00000
+cp unsupported-managed.key "${unsupportedkey}.key"
+
+# root key
+rootkey=`cat ../ns1/managed.key`
+cp "../ns1/${rootkey}.key" .
+
+# Configure the resolving server with a managed trusted key.
+keyfile_to_managed_keys $unsupportedkey $rsakey $rootkey > managed.conf

bin/tests/system/mkeys/ns6/unsupported-managed.key

@@ -0,0 +1 @@
+unsupported.	IN	DNSKEY	257 3 255 BOOVAhiJDPqhfU7+yGXjhetrtC/rtjmwO1yo52BUHUd8R4hQ/ZPdYCVvQlvNkRxDblPkFM5YRXkesS30pJSoNYrg+djbMNumJrLG+lbhFIc/ahTjlYOxb1zm2z00ubHju/1uGBifiRvKWSK0Vr0u6NtS4PKZfsnXt+piSHiRAHSfkjGHwqPYYKh9EUW12kJmIzlMaM6WYl+gJOvL+f8VqNLtvsMPT6OPK/3h/Dnfnxyeudp/jzAnNDDiTgX2XfzIXB4UwxtzIOGaHLnprpNf3zoBm0kyaEdSQQ/qKkpCOqjBasYEHRjVz3RncPUkdLr7PQuPBfFDr3SUMMJqufJrO4IJjtD4cCBT7K1i39Jg471nEzU1vkPzxF+Rw1QHT4nZaXbltf3BEZGS4Knoe9XPwi5KjGW6

bin/tests/system/mkeys/ns7/named.conf.in

@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS7
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+	dnssec-enable yes;
+	dnssec-validation auto;
+	bindkeys-file "managed.conf";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view view1 {
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+};
+
+view view2 {
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+};

bin/tests/system/mkeys/setup.sh

@@ -20,10 +20,12 @@ copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
 
 cp ns5/named1.args ns5/named.args
 
 ( cd ns1 && $SHELL sign.sh )
+( cd ns6 && $SHELL setup.sh )
 
 cp ns2/managed.conf ns2/managed1.conf
 

bin/tests/system/mkeys/tests.sh

@@ -745,7 +745,7 @@ nextpart ns5/named.run > /dev/null
 mkeys_reconfig_on 1
 wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run
 mkeys_secroots_on 5
-grep '; managed' ns5/named.secroots > /dev/null 2>&1 || ret=1
+grep '; managed' ns5/named.secroots > /dev/null || ret=1
 # ns1 should not longer REFUSE queries from ns5, so managed keys should be
 # correctly refreshed and resolving should succeed
 $DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1
@@ -755,17 +755,71 @@ grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "reinitialize trust anchors, add unsupported algorithm ($n)"
+ret=0
+$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6
+rm -f ns6/managed-keys.bind*
+nextpart ns6/named.run > /dev/null
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6
+# log when an unsupported algorithm is encountered during startup
+wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "skipping unsupported algorithm in managed-keys ($n)"
+ret=0
+mkeys_status_on 6 > rndc.out.$n 2>&1
+# there should still be only two keys listed (for . and rsasha256.)
+count=`grep -c "keyid: " rndc.out.$n`
+[ "$count" -eq 2 ] || ret=1
+# two lines indicating trust status
+count=`grep -c "trust" rndc.out.$n`
+[ "$count" -eq 2 ] || ret=1
+
+n=`expr $n + 1`
+echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)"
+ret=0
+cp ns1/root.db ns1/root.db.orig
+ksk=`cat ns1/managed.key`
+zsk=`cat ns1/zone.key`
+cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db
+grep "\..*IN.*DNSKEY.*257 3 255" ns1/root.db > /dev/null || ret=1
+$SIGNER -K ns1 -N unixtime -o . ns1/root.db $ksk $zsk > /dev/null 2>/dev/null || ret=1
+grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1
+cp ns1/root.db.orig ns1/root.db
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "skipping unsupported algorithm in rollover ($n)"
+ret=0
+mkeys_reload_on 1
+mkeys_refresh_on 6
+mkeys_status_on 6 > rndc.out.$n 2>&1
+# there should still be only two keys listed (for . and rsasha256.)
+count=`grep -c "keyid: " rndc.out.$n`
+[ "$count" -eq 2 ] || ret=1
+# two lines indicating trust status
+count=`grep -c "trust" rndc.out.$n`
+[ "$count" -eq 2 ] || ret=1
+# log when an unsupported algorithm is encountered during rollover
+wait_for_log "Cannot compute tag for key in zone \.: algorithm is unsupported" ns6/named.run
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo_i "check 'rndc managed-keys' and views ($n)"
 ret=0
-$RNDCCMD 10.53.0.6 managed-keys refresh in view1 > rndc.out.ns6.view1.test$n || ret=1
-grep "refreshing managed keys for 'view1'" rndc.out.ns6.view1.test$n > /dev/null || ret=1
-lines=`wc -l < rndc.out.ns6.view1.test$n`
+$RNDCCMD 10.53.0.7 managed-keys refresh in view1 > rndc.out.ns7.view1.test$n || ret=1
+grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n > /dev/null || ret=1
+lines=`wc -l < rndc.out.ns7.view1.test$n`
 [ $lines -eq 1 ] || ret=1
-$RNDCCMD 10.53.0.6 managed-keys refresh > rndc.out.ns6.view2.test$n || ret=1
-lines=`wc -l < rndc.out.ns6.view2.test$n`
-grep "refreshing managed keys for 'view1'" rndc.out.ns6.view2.test$n > /dev/null || ret=1
-grep "refreshing managed keys for 'view2'" rndc.out.ns6.view2.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.7 managed-keys refresh > rndc.out.ns7.view2.test$n || ret=1
+lines=`wc -l < rndc.out.ns7.view2.test$n`
+grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n > /dev/null || ret=1
+grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null || ret=1
 [ $lines -eq 2 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`