diff --git a/bin/tests/system/dlv/clean.sh b/bin/tests/system/dlv/clean.sh
index 7cc08433d9..9f3f1cb8c1 100644
--- a/bin/tests/system/dlv/clean.sh
+++ b/bin/tests/system/dlv/clean.sh
@@ -16,6 +16,7 @@ rm -f ns1/dsset-*
 rm -f ns1/*.signed
 rm -f ns1/signer.err
 rm -f ns1/root.db
+rm -f ns1/trusted.conf
 rm -f ns2/K*
 rm -f ns2/dlvset-*
 rm -f ns2/dsset-*
@@ -25,18 +26,19 @@ rm -f ns2/signer.err
 rm -f ns2/druz.db
 rm -f ns3/K*
 rm -f ns3/*.db
-rm -f ns3/*.signed
+rm -f ns3/*.signed ns3/*.signed.tmp
 rm -f ns3/dlvset-*
 rm -f ns3/dsset-*
 rm -f ns3/keyset-*
-rm -f ns1/trusted.conf ns5/trusted.conf
-rm -f ns3/trusted-dlv.conf ns5/trusted-dlv.conf
+rm -f ns3/trusted*.conf
 rm -f ns3/signer.err
+rm -f ns5/trusted*.conf
 rm -f ns6/K*
 rm -f ns6/*.db
 rm -f ns6/*.signed
 rm -f ns6/dsset-*
 rm -f ns6/signer.err
+rm -f ns7/trusted*.conf ns8/trusted*.conf
 rm -f */named.memstats
 rm -f dig.out.ns*.test*
 rm -f ns*/named.lock
diff --git a/bin/tests/system/dlv/ns1/root.db.in b/bin/tests/system/dlv/ns1/root.db.in
index a4d4bd9269..f4faa25d3e 100644
--- a/bin/tests/system/dlv/ns1/root.db.in
+++ b/bin/tests/system/dlv/ns1/root.db.in
@@ -13,7 +13,14 @@ $TTL 120
 @ NS ns.rootservers.utld
 ns A 10.53.0.1
 ;
+; A zone that is unsigned (utld=unsigned tld) that will include a second level
+; zone that acts as a DLV.
+;
 utld NS ns.utld
 ns.utld A 10.53.0.2
+;
+; A zone that has a bad DNSKEY RRset but has good DLV records for its child
+; zones.
+;
 druz NS ns.druz
 ns.druz A 10.53.0.2
diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
index d1bf35bb77..1c56240a44 100755
--- a/bin/tests/system/dlv/ns1/sign.sh
+++ b/bin/tests/system/dlv/ns1/sign.sh
@@ -34,3 +34,5 @@ echo_i "signed $zone"
 
 keyfile_to_trusted_keys $keyname2 > trusted.conf
 cp trusted.conf ../ns5
+cp trusted.conf ../ns7
+cp trusted.conf ../ns8
diff --git a/bin/tests/system/dlv/ns2/named.conf.in b/bin/tests/system/dlv/ns2/named.conf.in
index a098365ab5..e10a9899b2 100644
--- a/bin/tests/system/dlv/ns2/named.conf.in
+++ b/bin/tests/system/dlv/ns2/named.conf.in
@@ -21,6 +21,17 @@ options {
 notify yes;
 };
 
+/* Root hints. */
 zone "." { type hint; file "hints"; };
+
+/*
+ * A zone that is unsigned (utld=unsigned tld) that will include a second level
+ * zone that acts as a DLV.
+ */
 zone "utld" { type master; file "utld.db"; };
+
+/*
+ * A zone that has a bad DNSKEY RRset but has good DLV records for its child
+ * zones.
+ */
 zone "druz" { type master; file "druz.signed"; };
diff --git a/bin/tests/system/dlv/ns2/utld.db b/bin/tests/system/dlv/ns2/utld.db
index 66f559d76f..4369968b0f 100644
--- a/bin/tests/system/dlv/ns2/utld.db
+++ b/bin/tests/system/dlv/ns2/utld.db
@@ -18,6 +18,12 @@ ns.rootservers A 10.53.0.1
 dlv NS ns.dlv
 ns.dlv A 10.53.0.3
 ;
+disabled-algorithm-dlv NS ns.disabled-algorithm-dlv
+ns.disabled-algorithm-dlv A 10.53.0.3
+;
+unsupported-algorithm-dlv NS ns.unsupported-algorithm-dlv
+ns.unsupported-algorithm-dlv A 10.53.0.3
+;
 child1 NS ns.child1
 ns.child1 A 10.53.0.3
 ;
@@ -47,3 +53,9 @@ ns.child9 A 10.53.0.3
 ;
 child10 NS ns.child10
 ns.child10 A 10.53.0.3
+;
+disabled-algorithm NS ns.disabled-algorithm
+ns.disabled-algorithm A 10.53.0.3
+;
+unsupported-algorithm NS ns.unsupported-algorithm
+ns.unsupported-algorithm A 10.53.0.3
diff --git a/bin/tests/system/dlv/ns3/named.conf.in b/bin/tests/system/dlv/ns3/named.conf.in
index 7a9b44d2e9..fc42a5571a 100644
--- a/bin/tests/system/dlv/ns3/named.conf.in
+++ b/bin/tests/system/dlv/ns3/named.conf.in
@@ -21,21 +21,121 @@ options {
 notify yes;
 };
 
+/* Root hints. */
 zone "." { type hint; file "hints"; };
-zone "dlv.utld" { type master; file "dlv.signed"; };
-zone "child1.utld" { type master; file "child1.signed"; }; // dlv
-zone "child3.utld" { type master; file "child3.signed"; }; // dlv
-zone "child4.utld" { type master; file "child4.signed"; }; // dlv
-zone "child5.utld" { type master; file "child5.signed"; }; // dlv
-zone "child7.utld" { type master; file "child7.signed"; }; // no dlv
-zone "child8.utld" { type master; file "child8.signed"; }; // no dlv
-zone "child9.utld" { type master; file "child9.signed"; }; // dlv
-zone "child10.utld" { type master; file "child.db.in"; }; // dlv unsigned
-zone "child1.druz" { type master; file "child1.druz.signed"; }; // dlv
-zone "child3.druz" { type master; file "child3.druz.signed"; }; // dlv
-zone "child4.druz" { type master; file "child4.druz.signed"; }; // dlv
-zone "child5.druz" { type master; file "child5.druz.signed"; }; // dlv
-zone "child7.druz" { type master; file "child7.druz.signed"; }; // no dlv
-zone "child8.druz" { type master; file "child8.druz.signed"; }; // no dlv
-zone "child9.druz" { type master; file "child9.druz.signed"; }; // dlv
-zone "child10.druz" { type master; file "child.db.in"; }; // dlv unsigned
+
+/* DLV zone below unsigned TLD. */
+zone "dlv.utld" { type master; file "dlv.utld.signed"; };
+
+/* DLV zone signed with a disabled algorithm below unsigned TLD. */
+zone "disabled-algorithm-dlv.utld." {
+ type master;
+ file "disabled-algorithm-dlv.utld.signed";
+};
+
+/* DLV zone signed with an unsupported algorithm below unsigned TLD. */
+zone "unsupported-algorithm-dlv.utld." {
+ type master;
+ file "unsupported-algorithm-dlv.utld.signed";
+};
+
+/* Signed zone below unsigned TLD with DLV entry. */
+zone "child1.utld" { type master; file "child1.signed"; };
+
+/*
+ * Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
+ * with a disabled algorithm.
+ */
+zone "child3.utld" { type master; file "child3.signed"; };
+
+/*
+ * Signed zone below unsigned TLD with DLV entry. This one is slightly
+ * different because its children (the grandchildren) don't have a DS record in
+ * this zone. The grandchild zones are served by ns6.
+ *
+ */
+zone "child4.utld" { type master; file "child4.signed"; };
+
+/*
+ * Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
+ * with an unsupported algorithm.
+ */
+zone "child5.utld" { type master; file "child5.signed"; };
+
+/* Signed zone below unsigned TLD without DLV entry. */
+zone "child7.utld" { type master; file "child7.signed"; };
+
+/*
+ * Signed zone below unsigned TLD without DLV entry and no DS records for the
+ * grandchildren.
+ */
+zone "child8.utld" { type master; file "child8.signed"; };
+
+/* Signed zone below unsigned TLD with DLV entry. */
+zone "child9.utld" { type master; file "child9.signed"; };
+
+/* Unsigned zone below an unsigned TLD with DLV entry. */
+zone "child10.utld" { type master; file "child.db.in"; };
+
+/*
+ * Zone signed with a disabled algorithm (an algorithm that is disabled in
+ * one of the test resolvers) with DLV entry.
+ */
+zone "disabled-algorithm.utld" {
+ type master;
+ file "disabled-algorithm.utld.signed";
+};
+
+/* Zone signed with an unsupported algorithm with DLV entry. */
+zone "unsupported-algorithm.utld" {
+ type master;
+ file "unsupported-algorithm.utld.signed";
+};
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no chain of
+ * trust.
+ */
+zone "child1.druz" { type master; file "child1.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no chain of
+ * trust. The DLV zone is signed with a disabled algorithm.
+ */
+zone "child3.druz" { type master; file "child3.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no chain of
+ * trust. Also there are no DS records for the grandchildren.
+ */ +zone "child4.druz" { type master; file "child4.druz.signed"; }; + +/* + * Signed zone below signed TLD with good DLV entry but no chain of + * trust. The DLV zone is signed with an unsupported algorithm. + */ +zone "child5.druz" { type master; file "child5.druz.signed"; }; + +/* + * Signed zone below signed TLD without DLV entry, and no chain of + * trust. + */ +zone "child7.druz" { type master; file "child7.druz.signed"; }; + +/* + * Signed zone below signed TLD without DLV entry and no DS set. Also DS + * records for the grandchildren are not included in the zone. + */ +zone "child8.druz" { type master; file "child8.druz.signed"; }; + +/* + * Signed zone below signed TLD with good DLV entry but no DS set. Also DS + * records for the grandchildren are not included in the zone. + */ +zone "child9.druz" { type master; file "child9.druz.signed"; }; + +/* + * Unsigned zone below signed TLD with good DLV entry but no chain of + * trust. + */ +zone "child10.druz" { type master; file "child.db.in"; }; diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh index fa51ae1daf..cc9979eba2 100755 --- a/bin/tests/system/dlv/ns3/sign.sh +++ b/bin/tests/system/dlv/ns3/sign.sh @@ -16,10 +16,19 @@ SYSTEMTESTTOP=../.. echo_i "dlv/ns3/sign.sh" -dlvzone=dlv.utld. +dlvzone="dlv.utld." dlvsets= dssets= +disableddlvzone="disabled-algorithm-dlv.utld." +disableddlvsets= +disableddssets= + +unsupporteddlvzone="unsupported-algorithm-dlv.utld." +unsupporteddlvsets= +unsupporteddssets= + +# Signed zone below unsigned TLD with DLV entry. zone=child1.utld. infile=child.db.in zonefile=child1.utld.db 
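Review bot: The two new DLV zone statements are written as `zone "disabled-algorithm-dlv.utld." {` and `zone "unsupported-algorithm-dlv.utld." {` with a trailing dot, while every other zone name in this file, including the new `zone "disabled-algorithm.utld" {` and `zone "unsupported-algorithm.utld" {`, is written without one. named accepts both forms, but the mix makes it harder to grep for a zone and to compare names against ns3/sign.sh and tests.sh, where the same zones appear with and without the dot. Drop the dot on those two lines so the file has one convention.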
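Review bot: The new variable block introduces the disabled/unsupported DLV zones but nothing guards the `$DISABLED_ALGORITHM` and `$DISABLED_BITS` settings that later hunks pass to `$KEYGEN ... 2> /dev/null`; they are not defined in this script and presumably come from the test harness. If either is unset, keygen's error is discarded, `keyname1` is empty, and the script dies on `cat $infile .key ...` with a message that does not name the real cause (setup.sh runs this with `$SHELL -e`, not `-u`). Add `: "${DISABLED_ALGORITHM:?}"` and `: "${DISABLED_BITS:?}"` next to `disableddlvzone=` so a missing setting is reported by name. The first zone block this hunk starts continues outside the hunk.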
@@ -32,15 +41,17 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" +# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed +# with a disabled algorithm. zone=child3.utld. infile=child.db.in zonefile=child3.utld.db outfile=child3.signed -dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" +disableddlvsets="$disableddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` @@ -48,10 +59,13 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -O full -l $disableddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" +# Signed zone below unsigned TLD with DLV entry. This one is slightly +# different because its children (the grandchildren) don't have a DS record in +# this zone. The grandchild zones are served by ns6. zone=child4.utld. infile=child.db.in zonefile=child4.utld.db 
@@ -63,15 +77,17 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" +# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed +# with an unsupported algorithm. zone=child5.utld. infile=child.db.in zonefile=child5.utld.db outfile=child5.signed -dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" +unsupporteddlvsets="$unsupporteddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` @@ -79,10 +95,10 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -O full -l $unsupporteddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" - +# Signed zone below unsigned TLD without DLV entry. zone=child7.utld. infile=child.db.in zonefile=child7.utld.db 
@@ -94,10 +110,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" +# Signed zone below unsigned TLD without DLV entry and no DS records for the +# grandchildren. zone=child8.utld. infile=child.db.in zonefile=child8.utld.db @@ -108,10 +126,10 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" - +# Signed zone below unsigned TLD with DLV entry. zone=child9.utld. infile=child.db.in zonefile=child9.utld.db @@ -123,9 +141,11 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" +# Unsigned zone below an unsigned TLD with DLV entry. We still need to sign +# the zone to generate the DLV set. zone=child10.utld. infile=child.db.in zonefile=child10.utld.db 
@@ -137,9 +157,50 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" + +# Zone signed with a disabled algorithm (an algorithm that is disabled in +# one of the test resolvers) with DLV entry. +zone=disabled-algorithm.utld. +infile=child.db.in +zonefile=disabled-algorithm.utld.db +outfile=disabled-algorithm.utld.signed +dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +keyname1=`$KEYGEN -a $DISABLED_ALGORITHM -b $DISABLED_BITS -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -a $DISABLED_ALGORITHM -b $DISABLED_BITS -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -O full -l $dlvzone -o $zone -f ${outfile} $zonefile > /dev/null 2> signer.err || cat signer.err +echo_i "signed $zone" + + +# Zone signed with an unsupported algorithm with DLV entry. +zone=unsupported-algorithm.utld. 
+infile=child.db.in +zonefile=unsupported-algorithm.utld.db +outfile=unsupported-algorithm.utld.signed +dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -O full -l $dlvzone -o $zone -f ${outfile}.tmp $zonefile > /dev/null 2> signer.err || cat signer.err +awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${outfile}.tmp > $outfile + +cp ${keyname2}.key ${keyname2}.tmp +awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key +cp dlvset-${zone} dlvset-${zone}tmp +awk '$3 == "DLV" { $5 = 255 } { print }' dlvset-${zone}tmp > dlvset-${zone} + +echo_i "signed $zone" + +# Signed zone below signed TLD with DLV entry and DS set. zone=child1.druz. infile=child.db.in zonefile=child1.druz.db 
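Review bot: The four awk programs in the unsupported-algorithm block hard-code the algorithm number 255 and the column of the algorithm field ($7 for DNSKEY and $6 for RRSIG in the signed zone, $6 in the .key file, $5 in the dlvset), and those columns hold only when dnssec-signzone prints one RR per line, which is presumably why every `$SIGNER` call in this file now gains `-O full`; nothing records that coupling. Define the value once near the top of the script, `UNSUPPORTED_ALGORITHM=255`, use it in each awk via `-v alg=$UNSUPPORTED_ALGORITHM`, and put a comment above the first awk line: `# Rewrite the algorithm field to an unsupported number; field positions assume -O full (one RR per line).`. The same rewrite is repeated for the DLV zone in the later `for zone in` hunk, so the constant and comment belong there too. Note also that after the rewrite `${keyname2}.key` still carries the original `+<alg>+` in its file name while its contents claim 255; harmless for the test, but worth a one-line comment so nobody "fixes" the name.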
@@ -153,16 +214,18 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" +# Signed zone below signed TLD with DLV entry and DS set. The DLV zone is +# signed with a disabled algorithm. zone=child3.druz. infile=child.db.in zonefile=child3.druz.db outfile=child3.druz.signed -dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" -dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" +disableddlvsets="$disableddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" +disableddssets="$disableddssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` @@ -170,10 +233,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -O full -l $disableddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" +# Signed zone below signed TLD with DLV entry and DS set, but missing +# DS records for the grandchildren. zone=child4.druz. infile=child.db.in zonefile=child4.druz.db 
@@ -186,16 +251,18 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" +# Signed zone below signed TLD with DLV entry and DS set. The DLV zone is +# signed with an unsupported algorithm algorithm. zone=child5.druz. infile=child.db.in zonefile=child5.druz.db outfile=child5.druz.signed -dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" -dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" +unsupporteddlvsets="$unsupporteddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" +unsupporteddssets="$unsupportedssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` @@ -203,10 +270,11 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -O full -l $unsupporteddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" +# Signed zone below signed TLD without DLV entry, but with normal DS set. zone=child7.druz. infile=child.db.in zonefile=child7.druz.db 
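Review bot: The child5.druz block assigns `unsupporteddssets="$unsupportedssets dsset-..."`, expanding the misspelled `$unsupportedssets`, so the accumulator is reset rather than appended; it works today only because child5.druz is the sole zone that adds to it, and any second zone would silently drop the first dsset before `cp $unsupporteddssets ../ns2` in the later hunk. Replace `$unsupportedssets` with `$unsupporteddssets` on that line. The comment above the same block also reads `unsupported algorithm algorithm`. The zone block continues outside this hunk.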
@@ -219,10 +287,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" +# Signed zone below signed TLD without DLV entry and no DS set. Also DS +# records for the grandchildren are not included in the zone. zone=child8.druz. infile=child.db.in zonefile=child8.druz.db @@ -233,10 +303,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" +# Signed zone below signed TLD with DLV entry but no DS set. Also DS +# records for the grandchildren are not included in the zone. zone=child9.druz. infile=child.db.in zonefile=child9.druz.db @@ -248,9 +320,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" + +# Unsigned zone below signed TLD with DLV entry and DS set. We still need to +# sign the zone to generate the DS sets. zone=child10.druz. infile=child.db.in zonefile=child10.druz.db 
@@ -263,24 +338,60 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo_i "signed $zone" - -zone=dlv.utld. -infile=dlv.db.in -zonefile=dlv.utld.db -outfile=dlv.signed - -keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` - -cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile - -$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err -echo_i "signed $zone" - -keyfile_to_trusted_keys $keyname2 > trusted-dlv.conf -cp trusted-dlv.conf ../ns5 - cp $dssets ../ns2 +cp $disableddssets ../ns2 +cp $unsupporteddssets ../ns2 + +# DLV zones +infile=dlv.db.in +for zone in dlv.utld. disabled-algorithm-dlv.utld. unsupported-algorithm-dlv.utld. 
+do + zonefile="${zone}db" + outfile="${zone}signed" + + case $zone in + "dlv.utld.") + algorithm=$DEFAULT_ALGORITHM + bits=$DEFAULT_BITS + dlvfiles=$dlvsets + ;; + "disabled-algorithm-dlv.utld.") + algorithm=$DISABLED_ALGORITHM + bits=$DISABLED_BITS + dlvfiles=$disableddlvsets + ;; + "unsupported-algorithm-dlv.utld.") + algorithm=$DEFAULT_ALGORITHM + bits=$DEFAULT_BITS + dlvfiles=$unsupporteddlvsets + ;; + esac + + keyname1=`$KEYGEN -a $algorithm -b $bits -n zone $zone 2> /dev/null` + keyname2=`$KEYGEN -f KSK -a $algorithm -b $bits -n zone $zone 2> /dev/null` + + cat $infile $dlvfiles $keyname1.key $keyname2.key >$zonefile + + case $zone in + "dlv.utld.") + $SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err + keyfile_to_trusted_keys $keyname2 > ../ns5/trusted-dlv.conf + ;; + "disabled-algorithm-dlv.utld.") + $SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err + keyfile_to_trusted_keys $keyname2 > ../ns8/trusted-dlv-disabled.conf + ;; + "unsupported-algorithm-dlv.utld.") + cp ${keyname2}.key ${keyname2}.tmp + $SIGNER -O full -o $zone -f ${outfile}.tmp $zonefile > /dev/null 2> signer.err || cat signer.err + awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${outfile}.tmp > $outfile + awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key + keyfile_to_trusted_keys $keyname2 > ../ns7/trusted-dlv-unsupported.conf + ;; + esac + + echo_i "signed $zone" +done diff --git a/bin/tests/system/dlv/ns5/named.conf.in b/bin/tests/system/dlv/ns5/named.conf.in index 489306e3c7..88ef997771 100644 --- a/bin/tests/system/dlv/ns5/named.conf.in +++ b/bin/tests/system/dlv/ns5/named.conf.in @@ -24,6 +24,7 @@ options { notify yes; dnssec-validation yes; dnssec-lookaside "." trust-anchor "dlv.utld"; + disable-algorithms "utld." { @DISABLED_ALGORITHM@; }; }; zone "." { type hint; file "hints"; }; 
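Review bot: Neither `case $zone in` in the new loop has a `*)` arm, so a zone added to the `for zone in` list without a matching arm would silently reuse `algorithm`, `bits` and `dlvfiles` from the previous iteration, sign nothing in the second `case`, and still print `signed $zone`; setup.sh's `$SHELL -e` cannot catch that. Add `*) echo_i "unexpected DLV zone $zone"; exit 1 ;;` to both, or better fold the second `case` into the first so each zone's algorithm, dlvset list and trust-anchor destination are chosen in one place. The inherited `$SIGNER ... || cat signer.err` form also turns a signing failure into a zero exit status, so a broken DLV zone is only noticed later in tests.sh.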
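Review bot: The new `disable-algorithms "utld." { @DISABLED_ALGORITHM@; };` is what makes `foo.disabled-algorithm.utld` come back insecure from this resolver in tests.sh, and because it is scoped at `utld.` it also applies to the lookaside anchor `dlv.utld`, which only keeps working because ns3/sign.sh signs that zone with `$DEFAULT_ALGORITHM`. A comment would preserve that constraint for the next person editing either file: `/* Disabled below utld. so disabled-algorithm.utld validates insecure; dlv.utld must not be signed with this algorithm. */`.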
diff --git a/bin/tests/system/dlv/ns7/hints b/bin/tests/system/dlv/ns7/hints
new file mode 100644
index 0000000000..cdf0f26f78
--- /dev/null
+++ b/bin/tests/system/dlv/ns7/hints
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1
+
diff --git a/bin/tests/system/dlv/ns7/named.conf.in b/bin/tests/system/dlv/ns7/named.conf.in
new file mode 100644
index 0000000000..fd9c7c8aaa
--- /dev/null
+++ b/bin/tests/system/dlv/ns7/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "trusted.conf";
+include "trusted-dlv-unsupported.conf";
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-enable yes;
+ dnssec-validation yes;
+ dnssec-lookaside "." trust-anchor "unsupported-algorithm-dlv.utld";
+};
+
+zone "." { type hint; file "hints"; };
+
diff --git a/bin/tests/system/dlv/ns8/hints b/bin/tests/system/dlv/ns8/hints
new file mode 100644
index 0000000000..cdf0f26f78
--- /dev/null
+++ b/bin/tests/system/dlv/ns8/hints
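Review bot: ns7/named.conf.in gives no hint why a resolver with `dnssec-validation yes;` and a lookaside anchor of `unsupported-algorithm-dlv.utld` exists: the included `trusted-dlv-unsupported.conf` is produced by ns3/sign.sh from a key file whose algorithm field was rewritten to 255, so every answer that depends on this DLV is expected to fail as bogus (tests.sh expects SERVFAIL from 10.53.0.7). A header comment above the includes would make that intent explicit, e.g. `/* Validating resolver whose DLV trust anchor uses an unsupported algorithm; names referenced only through this DLV must validate as bogus. */`. ns8/named.conf.in has the same gap for its disabled-algorithm anchor, where `disable-algorithms` is deliberately scoped to the anchor name itself, and deserves the matching comment.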
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1
+
diff --git a/bin/tests/system/dlv/ns8/named.conf.in b/bin/tests/system/dlv/ns8/named.conf.in
new file mode 100644
index 0000000000..6e58019fe1
--- /dev/null
+++ b/bin/tests/system/dlv/ns8/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "trusted.conf";
+include "trusted-dlv-disabled.conf";
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-enable yes;
+ dnssec-validation yes;
+ dnssec-lookaside "." trust-anchor "disabled-algorithm-dlv.utld";
+ disable-algorithms "disabled-algorithm-dlv.utld." { @DISABLED_ALGORITHM@; };
+};
+
+zone "." { type hint; file "hints"; };
+
diff --git a/bin/tests/system/dlv/setup.sh b/bin/tests/system/dlv/setup.sh
index e4737d47d5..e1bd565745 100644
--- a/bin/tests/system/dlv/setup.sh
+++ b/bin/tests/system/dlv/setup.sh
@@ -20,5 +20,7 @@ copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
 
 (cd ns1 && $SHELL -e sign.sh)
diff --git a/bin/tests/system/dlv/tests.sh b/bin/tests/system/dlv/tests.sh
index fdf31d954e..a3046303a7 100644
--- a/bin/tests/system/dlv/tests.sh
+++ b/bin/tests/system/dlv/tests.sh
@@ -19,37 +19,93 @@ rm -f dig.out.*
 
 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
 
-echo_i "checking that DNSKEY reference by DLV validates as secure ($n)"
+echo_i "checking that unsigned TLD zone DNSKEY referenced by DLV validates as secure ($n)"
 ret=0
 $DIG $DIGOPTS child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i "checking that child DNSKEY reference by DLV validates as secure ($n)"
+echo_i "checking that unsigned TLD child zone DNSKEY referenced by DLV validates as secure ($n)"
 ret=0
 $DIG $DIGOPTS grand.child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i "checking that SOA reference by DLV in a DRUZ with DS validates as secure ($n)"
+echo_i "checking that no chain of trust SOA referenced by DLV validates as secure ($n)"
 ret=0
 $DIG $DIGOPTS child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i "checking that child SOA reference by DLV in a DRUZ with DS validates as secure ($n)"
+echo_i "checking that no chain of trust child SOA referenced by DLV validates as secure ($n)"
 ret=0
 $DIG $DIGOPTS grand.child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+# Test that a child zone that is signed with an unsupported algorithm,
+# referenced by a good DLV zone, yields an insecure response.
+echo_i "checking that unsupported algorithm TXT referenced by DLV validates as insecure ($n)"
+ret=0
+$DIG $DIGOPTS foo.unsupported-algorithm.utld txt @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS foo.unsupported-algorithm.utld txt @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+grep -q "foo\.unsupported-algorithm\.utld\..*TXT.*\"foo\"" dig.out.ns5.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test that a child zone that is signed with a disabled algorithm,
+# referenced by a good DLV zone, yields an insecure response.
+echo_i "checking that disabled algorithm TXT referenced by DLV validates as insecure ($n)"
+ret=0
+$DIG $DIGOPTS foo.disabled-algorithm.utld txt @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS foo.disabled-algorithm.utld txt @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+grep -q "foo\.disabled-algorithm\.utld\..*TXT.*\"foo\"" dig.out.ns5.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test that a child zone that is signed with a known algorithm, referenced by
+# a DLV zone that is signed with a disabled algorithm, yields a bogus
+# response.
+echo_i "checking that good signed TXT referenced by disabled algorithm DLV validates as bogus ($n)"
+ret=0
+$DIG $DIGOPTS foo.child3.utld txt @10.53.0.8 > dig.out.ns8.test$n || ret=1
+grep "status: SERVFAIL" dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+grep -q "foo\.child3\.utld\..*TXT.*\"foo\"" dig.out.ns8.test$n && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test that a child zone that is signed with a known algorithm, referenced by
+# a DLV zone that is signed with an unsupported algorithm, yields a bogus
+# response.
+echo_i "checking that good signed TXT referenced by unsupported algorithm DLV validates as bogus ($n)"
+ret=0
+$DIG $DIGOPTS foo.child5.utld txt @10.53.0.7 > dig.out.ns7.test$n || ret=1
+grep "status: SERVFAIL" dig.out.ns7.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns7.test$n > /dev/null && ret=1
+grep -q "foo\.child5\.utld\..*TXT.*\"foo\"" dig.out.ns7.test$n && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
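Review bot: In the two new "validates as insecure" checks the query to the authoritative server (`@10.53.0.3`) is saved to `dig.out.ns3.test$n` but never examined, so a failure at ns3 cannot be told apart from a validation failure at ns5 when the test fails; either assert on it, `grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1`, or drop the query. The two "validates as bogus" checks assert only on SERVFAIL from ns8 and ns7; they would also pass if child3.utld or child5.utld were simply unreachable, so the same authoritative NOERROR check against ns3 would make them prove what their comments claim. A one-line comment above each bogus check saying that SERVFAIL is the expected validator outcome for a DLV anchor whose algorithm is disabled/unsupported would also spare the reader a trip to ns7/ns8/named.conf.in.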