From 41bdb5b9fe10cae075cb27b417fdb4aa1c1538c4 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 9 Nov 2022 16:01:42 +0000
Subject: [PATCH] Add islands of trust to mkeys test

This adds an island of trust that is reachable from the root where the trust anchors are added to island.conf. This add an island of trust that is not reachable from the root where the trust anchors are added to private.conf.
---
 bin/tests/system/mkeys/clean.sh | 9 ++++-
 bin/tests/system/mkeys/ns1/named1.conf.in | 10 +++++
 bin/tests/system/mkeys/ns1/named2.conf.in | 10 +++++
 bin/tests/system/mkeys/ns1/named3.conf.in | 10 +++++
 bin/tests/system/mkeys/ns1/root.db | 3 ++
 bin/tests/system/mkeys/ns1/sign.sh | 18 +++++++++
 bin/tests/system/mkeys/ns1/sub.tld.db | 21 +++++++++++
 bin/tests/system/mkeys/ns1/tld.db | 23 ++++++++++++
 bin/tests/system/mkeys/ns4/named.conf.in | 5 +++
 bin/tests/system/mkeys/ns4/sign.sh | 24 ++++++++++++
 bin/tests/system/mkeys/ns4/sub.foo.db | 21 +++++++++++
 bin/tests/system/mkeys/ns5/foo.db | 23 ++++++++++++
 bin/tests/system/mkeys/ns5/named.conf.in | 8 ++++
 bin/tests/system/mkeys/setup.sh | 1 +
 bin/tests/system/mkeys/tests.sh | 46 +++++++++++++++++++++--
 15 files changed, 227 insertions(+), 5 deletions(-)
 create mode 100644 bin/tests/system/mkeys/ns1/sub.tld.db
 create mode 100644 bin/tests/system/mkeys/ns1/tld.db
 create mode 100644 bin/tests/system/mkeys/ns4/sign.sh
 create mode 100644 bin/tests/system/mkeys/ns4/sub.foo.db
 create mode 100644 bin/tests/system/mkeys/ns5/foo.db

diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh
index 102cb3710f..3f297a22a2 100644
--- a/bin/tests/system/mkeys/clean.sh
+++ b/bin/tests/system/mkeys/clean.sh
@@ -12,17 +12,22 @@
 # information regarding copyright ownership.
 
 rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk
+rm -f */island.conf
+rm -f */private.conf
 rm -f */managed*.conf ns1/managed.key ns1/managed.key.id
 rm -f */managed-keys.bind* */named.secroots
 rm -f */named.conf
-rm -f ns3/broken.conf
 rm -f */named.memstats */named.run */named.run.prev
 rm -f dig.out* delv.out* rndc.out* signer.out*
 rm -f dsset-. ns1/dsset-.
-rm -f ns1/zone.key
 rm -f ns*/managed-keys.bind*
 rm -f ns*/named.lock
+rm -f ns1/dsset-sub.tld.
+rm -f ns1/dsset-tld.
 rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
+rm -f ns1/zone.key
+rm -f ns3/broken.conf
+rm -f ns4/dsset-sub.foo.
 rm -f ns5/named.args
 rm -f ns7/view1.mkeys ns7/view2.mkeys
 rm -rf ns4/nope
diff --git a/bin/tests/system/mkeys/ns1/named1.conf.in b/bin/tests/system/mkeys/ns1/named1.conf.in
index a63b54b4d2..0b3f068a27 100644
--- a/bin/tests/system/mkeys/ns1/named1.conf.in
+++ b/bin/tests/system/mkeys/ns1/named1.conf.in
@@ -47,3 +47,13 @@ zone "." {
 	allow-update { any; };
 	auto-dnssec maintain;
 };
+
+zone "tld" {
+	type primary;
+	file "tld.db.signed";
+};
+
+zone "sub.tld" {
+	type primary;
+	file "sub.tld.db.signed";
+};
diff --git a/bin/tests/system/mkeys/ns1/named2.conf.in b/bin/tests/system/mkeys/ns1/named2.conf.in
index 729251bb32..4271668ea9 100644
--- a/bin/tests/system/mkeys/ns1/named2.conf.in
+++ b/bin/tests/system/mkeys/ns1/named2.conf.in
@@ -45,3 +45,13 @@ zone "." {
 	type primary;
 	file "root.db.signed";
 };
+
+zone "tld" {
+	type primary;
+	file "tld.db.signed";
+};
+
+zone "sub.tld" {
+	type primary;
+	file "sub.tld.db.signed";
+};
diff --git a/bin/tests/system/mkeys/ns1/named3.conf.in b/bin/tests/system/mkeys/ns1/named3.conf.in
index 0f5d11f110..686177edb0 100644
--- a/bin/tests/system/mkeys/ns1/named3.conf.in
+++ b/bin/tests/system/mkeys/ns1/named3.conf.in
@@ -39,3 +39,13 @@ zone "." {
 	type primary;
 	file "root.db.signed";
 };
+
+zone "tld" {
+	type primary;
+	file "tld.db.signed";
+};
+
+zone "sub.tld" {
+	type primary;
+	file "sub.tld.db.signed";
+};
diff --git a/bin/tests/system/mkeys/ns1/root.db b/bin/tests/system/mkeys/ns1/root.db
index ae5c1251c4..bc83788672 100644
--- a/bin/tests/system/mkeys/ns1/root.db
+++ b/bin/tests/system/mkeys/ns1/root.db
@@ -23,3 +23,6 @@ a.root-servers.nil. A 10.53.0.1
 ; no delegation
 example. TXT "This is a test."
+
+tld. NS ns.tld.
+ns.tld. A 10.53.0.1
diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh
index 3fb598ce72..626e18f776 100644
--- a/bin/tests/system/mkeys/ns1/sign.sh
+++ b/bin/tests/system/mkeys/ns1/sign.sh
@@ -13,6 +13,24 @@
 
 . ../../conf.sh
 
+zone=sub.tld
+zonefile=sub.tld.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+keyfile_to_initial_ds $keyname > island.conf
+cp island.conf ../ns5/island.conf
+
+zone=tld
+zonefile=tld.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+
 zone=.
 zonefile=root.db
 
diff --git a/bin/tests/system/mkeys/ns1/sub.tld.db b/bin/tests/system/mkeys/ns1/sub.tld.db
new file mode 100644
index 0000000000..35d436112d
--- /dev/null
+++ b/bin/tests/system/mkeys/ns1/sub.tld.db
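Review bot: The signing order in ns1/sign.sh is load-bearing but undocumented: sub.tld is signed first so that its dsset-sub.tld. file is on disk when tld is signed with `-g`, and dsset-tld. in turn is presumably picked up when the root is signed further down (that root signing lies outside this hunk), which is what makes sub.tld the island that is "reachable from the root" as opposed to sub.foo. A comment above `zone=sub.tld` such as `# sign the child zones first so that -g can build the DS chain sub.tld -> tld -> .` would save the next reader that reconstruction. `zskkeyname` is assigned twice here and once more in the new ns4/sign.sh but never read; the ZSK still has to exist for `-S` to find it, so either drop the variable (`$KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone > /dev/null`) or say why the name is kept. Both `$SIGNER` calls also discard stderr, so a signing failure during setup leaves no trace of its cause; redirecting it to `signer.out.$zone` (with a matching `rm -f */signer.out*` in clean.sh) would keep the diagnostics.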
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+sub.tld. IN SOA marka.isc.org. ns.sub.tld. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+sub.tld. NS ns.sub.tld.
+ns.sub.tld. A 10.53.0.1
diff --git a/bin/tests/system/mkeys/ns1/tld.db b/bin/tests/system/mkeys/ns1/tld.db
new file mode 100644
index 0000000000..5c54e0e9db
--- /dev/null
+++ b/bin/tests/system/mkeys/ns1/tld.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+tld. IN SOA marka.isc.org. ns.tld. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+tld. NS ns.tld.
+ns.tld. A 10.53.0.1
+sub.tld. NS ns.sub.tld.
+ns.sub.tld. A 10.53.0.1
diff --git a/bin/tests/system/mkeys/ns4/named.conf.in b/bin/tests/system/mkeys/ns4/named.conf.in
index fc200ce282..5c2370887b 100644
--- a/bin/tests/system/mkeys/ns4/named.conf.in
+++ b/bin/tests/system/mkeys/ns4/named.conf.in
@@ -41,3 +41,8 @@ zone "." {
 	type hint;
 	file "../../common/root.hint";
 };
+
+zone "sub.foo" {
+	type primary;
+	file "sub.foo.db.signed";
+};
diff --git a/bin/tests/system/mkeys/ns4/sign.sh b/bin/tests/system/mkeys/ns4/sign.sh
new file mode 100644
index 0000000000..d364e8e363
--- /dev/null
+++ b/bin/tests/system/mkeys/ns4/sign.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../../conf.sh
+
+zone=sub.foo
+zonefile=sub.foo.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+keyfile_to_initial_ds $keyname > private.conf
+cp private.conf ../ns5/private.conf
diff --git a/bin/tests/system/mkeys/ns4/sub.foo.db b/bin/tests/system/mkeys/ns4/sub.foo.db
new file mode 100644
index 0000000000..7bc31047b6
--- /dev/null
+++ b/bin/tests/system/mkeys/ns4/sub.foo.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+sub.foo. IN SOA marka.isc.org. ns.foo. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+sub.foo. NS ns.sub.foo.
+ns.sub.foo. A 10.53.0.4
diff --git a/bin/tests/system/mkeys/ns5/foo.db b/bin/tests/system/mkeys/ns5/foo.db
new file mode 100644
index 0000000000..092a1c3b0e
--- /dev/null
+++ b/bin/tests/system/mkeys/ns5/foo.db
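Review bot: The `-e` in `#!/bin/sh -e` is never in effect, because setup.sh runs this script as `( cd ns4 && $SHELL sign.sh )` (visible in the setup.sh hunk), and options on the shebang line are ignored when the interpreter is named explicitly; a failing `$KEYGEN` or `$SIGNER` would then leave an empty or missing private.conf and the failure would only surface later, when ns5 refuses to start on the `include`. Adding `set -e` as the first statement after the license header makes the intent real; ns1/sign.sh presumably carries the same shebang, although its first line is outside its hunk. The `zskkeyname` assignment is unused here as it is in ns1/sign.sh, and the `$SIGNER` stderr discard hides the reason for any such failure.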
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+foo. IN SOA marka.isc.org. ns.foo. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+foo. NS ns.foo.
+ns.foo. A 10.53.0.5
+sub.foo. NS ns.sub.foo.
+ns.sub.foo. A 10.53.0.4
diff --git a/bin/tests/system/mkeys/ns5/named.conf.in b/bin/tests/system/mkeys/ns5/named.conf.in
index 167938c04e..757d61495a 100644
--- a/bin/tests/system/mkeys/ns5/named.conf.in
+++ b/bin/tests/system/mkeys/ns5/named.conf.in
@@ -41,3 +41,11 @@ zone "." {
 	type hint;
 	file "../../common/root.hint";
 };
+
+zone "foo" {
+	type primary;
+	file "foo.db";
+};
+
+include "island.conf";
+include "private.conf";
diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh
index 3d4337071b..d1a30a21c9 100644
--- a/bin/tests/system/mkeys/setup.sh
+++ b/bin/tests/system/mkeys/setup.sh
@@ -31,6 +31,7 @@ copy_setports ns7/named.conf.in ns7/named.conf
 
 cp ns5/named1.args ns5/named.args
 ( cd ns1 && $SHELL sign.sh )
+( cd ns4 && $SHELL sign.sh )
 ( cd ns6 && $SHELL setup.sh )
 
 cp ns2/managed.conf ns2/managed1.conf
diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
index 295034d2ab..062149602c 100644
--- a/bin/tests/system/mkeys/tests.sh
+++ b/bin/tests/system/mkeys/tests.sh
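Review bot: The two new `include` lines and the `foo` zone in ns5/named.conf.in carry no comment, so a reader cannot tell that island.conf and private.conf are generated at setup time by ns1/sign.sh and ns4/sign.sh rather than checked in, nor why a resolver is also serving an unsigned primary zone. Above `zone "foo"` I would add `// unsigned zone served here so that the sub.foo island delegated below it has no chain of trust from the root`, and above the includes `// trust anchors for the two islands: sub.tld (written by ns1/sign.sh; presumably also reachable via DS from the root) and sub.foo (written by ns4/sign.sh; reachable only through this anchor)`. Since named will not start if either file is absent, that comment is also the right place to name the setup.sh ordering that runs both sign scripts before ns5 starts.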
@@ -722,7 +722,9 @@ ret=0 stop_server --use-rndc --port "${CONTROLPORT}" ns5 nextpart ns5/named.run > /dev/null start_server --noclean --restart --port "${PORT}" ns5 -wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.':" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld':" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo':" ns5/named.run || ret=1 # ns5/named.run will contain logs from both the old instance and the new # instance. In order for the test to pass, both must attempt a fetch. count=$(grep -c "Creating key fetch" ns5/named.run) || true @@ -730,6 +732,23 @@ count=$(grep -c "Creating key fetch" ns5/named.run) || true if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) +n=$((n+1)) +echo_i "check 'rndc managed-keys' and islands of trust root unreachable ($n)" +ret=0 +mkeys_sync_on 5 +mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1 +# there should be three keys listed now +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +# three lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +# one indicates current trust +count=$(grep -c "trusted since" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + n=$((n+1)) echo_i "check key refreshes are resumed after root servers become available ($n)" ret=0 
@@ -741,7 +760,9 @@ rm -f ns5/managed-keys.bind*
 cp ns5/named2.args ns5/named.args
 nextpart ns5/named.run > /dev/null
 start_server --noclean --restart --port "${PORT}" ns5
-wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': failure" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1
 mkeys_secroots_on 5 || ret=1
 grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1
 # ns1 should still REFUSE queries from ns5, so resolving should be impossible
@@ -754,7 +775,9 @@ copy_setports ns1/named3.conf.in ns1/named.conf
 rm -f ns1/root.db.signed.jnl
 nextpart ns5/named.run > /dev/null
 mkeys_reconfig_on 1 || ret=1
-wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': success" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1
 mkeys_secroots_on 5 || ret=1
 grep '; managed' ns5/named.secroots > /dev/null || ret=1
 # ns1 should not longer REFUSE queries from ns5, so managed keys should be
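Review bot: The three `wait_for_log_peek` expectations in the hunk at -741 encode the core of the new scenario — while ns1 still refuses ns5, the root and sub.tld fetches fail but the sub.foo fetch succeeds — yet nothing in the hunk says why; a comment above the first wait such as `# ns1 refuses ns5, so the '.' and sub.tld fetches (both served by ns1) fail, while sub.foo is fetched from ns4 and succeeds` would make the three outcomes self-explanatory, and the mirror-image block in the hunk at -754 deserves the matching `# ns1 answers ns5 again, so all three fetches succeed`. The order in which the three log lines are written is not fixed by anything visible here, so the switch from `wait_for_log` to `wait_for_log_peek` — which I take to be a non-consuming variant that lets each call rescan the same log segment — is what makes the sequence robust; if that helper is new to conf.sh it is not in this patch and a line in the commit message would help.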
@@ -835,5 +858,22 @@ grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
+n=$((n+1))
+echo_i "check 'rndc managed-keys' and islands of trust now that root is reachable ($n)"
+ret=0
+mkeys_sync_on 5
+mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1
+# there should be three keys listed now
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# theee lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# three indicates current trust
+count=$(grep -c "trusted since" rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
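Review bot: The comments on this new check have typos that obscure what is being asserted: `# theee lines indicating trust status` should read `# three lines indicating trust status`, and `# three indicates current trust` should read `# all three anchors should now be trusted`, since the count asserted here is 3 against 1 in the earlier "root unreachable" check. Apart from that expected count and the echo_i text the block is a verbatim copy of the one added in the hunk at -730, so whatever helper is used there should be used here as well. As in that block, `grep -c "trust"` also matches the `trusted since` lines, so a comment stating that exactly one trust-state line per key is expected would make the superset check intentional rather than accidental.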