use DS style trust anchors in all system tests
this adds functions in conf.sh.common to create DS-style trust anchor files. those functions are then used to create nearly all of the trust anchors in the system tests. there are a few exceptions: - some tests in dnssec and mkeys rely on detection of unsupported algorithms, which only works with key-style trust anchors, so those are used for those tests in particular. - the mirror test had a problem with the use of a CSK without a SEP bit, which still needs addressing. in the future, some of these tests should be changed back to using traditional trust anchors, so that both types will be exercised going forward.
@@ -33,12 +33,12 @@ rm $zsknopriv.private
ksksby=`$KEYGEN -3 -a RSASHA1 -q -P now -A now+15s -fk $zone`
kskrev=`$KEYGEN -3 -a RSASHA1 -q -R now+15s -fk $zone`
keyfile_to_static_keys $ksksby > trusted.conf
keyfile_to_static_ds $ksksby > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
keyfile_to_static_keys $kskrev > trusted.conf
keyfile_to_static_ds $kskrev > trusted.conf
cp trusted.conf ../ns5/trusted.conf
echo $zskact > ../active.key
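Review bot: `keyfile_to_static_ds $kskrev > trusted.conf` derives the ns5 anchor from a key that is scheduled for revocation (`-R now+15s`); setting the REVOKE bit changes the DNSKEY's key tag, so after that point the DS in ns5/trusted.conf no longer matches the published key, which is not how a key-style anchor for the same key behaves. If the ns5 checks run after the revocation time, confirm they still expect the outcome a non-matching DS produces; otherwise this is a candidate for the key-style exception the description lists. A comment above the line, `# DS is computed before the REVOKE bit is set; the key tag changes on revocation`, would record the choice.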
@@ -37,7 +37,7 @@ zonefile="${zone}.db"
infile="${zonefile}.in"
ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone`
$KEYGEN -a RSASHA1 -3 -q $zone > /dev/null
keyfile_to_static_keys $ksk > private.conf
keyfile_to_static_ds $ksk > private.conf
cp private.conf ../ns4/private.conf
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null
@@ -221,9 +221,9 @@ assert_int_equal() {
}
# keyfile_to_keys_section: helper function for keyfile_to_*_keys() which
# converts keyfile data into a configuration section using the supplied
# parameters
keyfile_to_keys_section() {
# converts keyfile data into a key-style trust anchor configuration
# section using the supplied parameters
keyfile_to_keys() {
section_name=$1
key_prefix=$2
shift
@@ -241,18 +241,54 @@ keyfile_to_keys_section() {
echo "};"
}
# keyfile_to_dskeys_section: helper function for keyfile_to_*_dskeys()
# converts keyfile data into a DS-style trust anchor configuration
# section using the supplied parameters
keyfile_to_dskeys() {
section_name=$1
key_prefix=$2
shift
shift
echo "$section_name {"
for keyname in $*; do
$DSFROMKEY $keyname.key | \
awk '!/^; /{
printf "\t\""$1"\" "
printf "'"$key_prefix "'"
printf $4 " " $5 " " $6 " \""
for (i=7; i<=NF; i++) printf $i
printf "\";\n"
}'
done
echo "};"
}
# keyfile_to_static_keys: convert key data contained in the keyfile(s)
# provided to a *static* "dnssec-keys" section suitable for including in a
# provided to a *static-key* "dnssec-keys" section suitable for including in a
# resolver's configuration file
keyfile_to_static_keys() {
keyfile_to_keys_section "dnssec-keys" "static-key" $*
keyfile_to_keys "dnssec-keys" "static-key" $*
}
# keyfile_to_initial_keys: convert key data contained in the keyfile(s)
# provided to an *initialzing* "dnssec-keys" section suitable for including
# provided to an *initial-key* "dnssec-keys" section suitable for including
# in a resolver's configuration file
keyfile_to_initial_keys() {
keyfile_to_keys_section "dnssec-keys" "initial-key" $*
keyfile_to_keys "dnssec-keys" "initial-key" $*
}
# keyfile_to_static_ds_keys: convert key data contained in the keyfile(s)
# provided to a *static-ds* "dnssec-keys" section suitable for including in a
# resolver's configuration file
keyfile_to_static_ds() {
keyfile_to_dskeys "dnssec-keys" "static-ds" $*
}
# keyfile_to_initial_ds_keys: convert key data contained in the keyfile(s)
# provided to an *initial-ds* "dnssec-keys" section suitable for including
# in a resolver's configuration file
keyfile_to_initial_ds() {
keyfile_to_dskeys "dnssec-keys" "initial-ds" $*
}
# keyfile_to_key_id: convert a key file name to a key ID
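Review bot: In keyfile_to_dskeys the exit status of `$DSFROMKEY $keyname.key` is lost inside the pipeline, so a missing or unreadable key file produces a syntactically valid but empty `dnssec-keys { };` section and the resolver under test starts with no anchor instead of the setup failing; capturing the output first, `ds=$($DSFROMKEY $keyname.key) || return 1`, and piping `echo "$ds"` into the awk script keeps the failure visible. The awk line `printf $4 " " $5 " " $6 " \""` uses record data as the printf format; dnssec-dsfromkey emits numeric fields there, but `printf "%s %s %s \"", $4, $5, $6` is the safer form and says what is meant. The new header comments name functions that do not exist: `# keyfile_to_dskeys_section: helper function for keyfile_to_*_dskeys()` should read `# keyfile_to_dskeys: helper function for keyfile_to_*_ds() which`, and `# keyfile_to_static_ds_keys:` / `# keyfile_to_initial_ds_keys:` should be `# keyfile_to_static_ds:` / `# keyfile_to_initial_ds:`. The same stale name appears to survive in the preceding hunk at `@@ -221,9`, where the line `# keyfile_to_keys_section: helper function for keyfile_to_*_keys() which` still heads the renamed keyfile_to_keys.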
@@ -38,7 +38,7 @@ cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
# Configure the resolving server with a staitc key.
keyfile_to_static_keys "$ksk" > trusted.conf
keyfile_to_static_ds "$ksk" > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
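Review bot: The comment above the changed line, `# Configure the resolving server with a staitc key.`, now sits over a static-ds anchor and carries a typo; suggest `# Configure the resolving server with a static DS trust anchor.`. The same stale "static key" / "initializing key" wording precedes the equivalent replacements in the hunks at `@@ -47,7`, `@@ -29,7`, `@@ -25,5`, `@@ -26,7`, `@@ -21,13`, both hunks headed `@@ -28,7`, `@@ -31,4`, `@@ -25,7`, `@@ -29,8` and `@@ -40,4`; there `# ...or with an initializing DS.` and `# Configure a static DS trust anchor to be used by delv.` would describe what the files now contain. Keeping the comments accurate matters here because the description says some of these tests are meant to be switched back to key-style anchors later.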
@@ -47,7 +47,7 @@ cp trusted.conf ../ns7/trusted.conf
cp trusted.conf ../ns9/trusted.conf
# ...or with an initializing key.
keyfile_to_initial_keys "$ksk" > managed.conf
keyfile_to_initial_ds "$ksk" > managed.conf
cp managed.conf ../ns4/managed.conf
#
@@ -23,7 +23,7 @@ zonefile=root.db.signed
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
# copy the KSK out first, then revoke it
keyfile_to_initial_keys "$keyname" > revoked.conf
keyfile_to_initial_ds "$keyname" > revoked.conf
"$SETTIME" -R now "${keyname}.key" > /dev/null
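Review bot: `keyfile_to_initial_ds "$keyname" > revoked.conf` records the DS of the KSK before `"$SETTIME" -R now` sets the REVOKE bit; revocation changes the key tag, so the DS in revoked.conf will not match the revoked DNSKEY that is subsequently published, whereas an initial-key anchor names the key material itself. If the consuming test expects named to recognise this anchor as a revoked key, that expectation should be re-checked with the DS form. A one-line comment, `# DS computed pre-revocation: the key tag changes once the REVOKE bit is set`, would make the dependency explicit.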
@@ -34,4 +34,4 @@ keyfile_to_initial_keys "$keyname" > revoked.conf
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".")
keyfile_to_static_keys "$keyname" > trusted.conf
keyfile_to_static_ds "$keyname" > trusted.conf
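Review bot: The key this DS anchor is derived from is generated with `-n zone "."` and no `-f KSK`, so it carries no SEP bit; the description says the mirror test ran into a problem with exactly that combination (a CSK without SEP) and was left on key-style anchors. Confirm this file is not the mirror case and that a DS anchor for a non-SEP key validates correctly here and in the identical hunk at `@@ -16,4`. If it is intentional, a comment such as `# CSK without SEP bit; the DS anchor is still expected to validate` would save the next reader the same check.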
@@ -29,7 +29,7 @@ cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a static key.
keyfile_to_static_keys $key2 > trusted.conf
keyfile_to_static_ds $key2 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
@@ -25,5 +25,5 @@ cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
# Configure the resolving server with a static key.
keyfile_to_static_keys $key1 > trusted.conf
keyfile_to_static_ds $key1 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
@@ -26,7 +26,7 @@ cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
# Configure the resolving server with a static key.
keyfile_to_static_keys $key1 > trusted.conf
keyfile_to_static_ds $key1 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cd ../ns2 && $SHELL sign.sh
@@ -24,7 +24,7 @@ $KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > keygen.out | cat_i
keyname=`cat keygen.out`
rm -f keygen.out
keyfile_to_static_keys $keyname > trusted.conf
keyfile_to_static_ds $keyname > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns5/trusted.conf
@@ -20,5 +20,5 @@ keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out
[ $? = 0 ] || cat signer.out
keyfile_to_static_keys $keyname > trusted.conf
keyfile_to_static_ds $keyname > trusted.conf
cp trusted.conf ../ns6/trusted.conf
@@ -28,5 +28,5 @@ cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile -e +30y $zonefile > /dev/null 2> signer.err || cat signer.err
keyfile_to_static_keys $keyname2 > trusted.conf
keyfile_to_static_ds $keyname2 > trusted.conf
cp trusted.conf ../ns1
@@ -21,13 +21,13 @@ zskkeyname=`$KEYGEN -a rsasha256 -q $zone`
$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
# Configure the resolving server with an initializing key.
keyfile_to_initial_keys $keyname > managed.conf
keyfile_to_initial_ds $keyname > managed.conf
cp managed.conf ../ns2/managed.conf
cp managed.conf ../ns4/managed.conf
cp managed.conf ../ns5/managed.conf
# Configure a static key to be used by delv.
keyfile_to_static_keys $keyname > trusted.conf
keyfile_to_static_ds $keyname > trusted.conf
# Prepare an unsupported algorithm key.
unsupportedkey=Kunknown.+255+00000
@@ -27,4 +27,6 @@ rootkey=`cat ../ns1/managed.key`
cp "../ns1/${rootkey}.key" .
# Configure the resolving server with an initializing key.
# (We use key-format trust anchors here because otherwise the
# unsupported algorithm test won't work.)
keyfile_to_initial_keys $unsupportedkey $rsakey $rootkey > managed.conf
@@ -301,7 +301,7 @@ status=`expr $status + $ret`
echo_i "reinitialize trust anchors, add second key to bind.keys"
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns2
rm -f ns2/managed-keys.bind*
keyfile_to_initial_keys ns1/$original ns1/$standby1 > ns2/managed.conf
keyfile_to_initial_ds ns1/$original ns1/$standby1 > ns2/managed.conf
nextpart ns2/named.run > /dev/null
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns2
@@ -28,7 +28,7 @@ cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a static key.
keyfile_to_static_keys $keyname2 > trusted.conf
keyfile_to_static_ds $keyname2 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
@@ -31,4 +31,4 @@ cat $ksk.key $zsk.key dsset-ds.example.net$TP >> $zonefile
$SIGNER -P -o $zone $zonefile > /dev/null
# Configure a static key to be used by delv
keyfile_to_static_keys $ksk > ../ns5/trusted.conf
keyfile_to_static_ds $ksk > ../ns5/trusted.conf
@@ -28,7 +28,7 @@ cat $infile $keyname.key > $zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a static key.
keyfile_to_static_keys $keyname > trusted.conf
keyfile_to_static_ds $keyname > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
@@ -25,7 +25,7 @@ cat $infile $keyname.key > $zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a static key.
keyfile_to_static_keys $keyname > trusted.conf
keyfile_to_static_ds $keyname > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
@@ -29,8 +29,8 @@ cat "$infile" "$keyname.key" > "$zonefile"
$SIGNER -P -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a static key.
keyfile_to_static_keys "$keyname" > trusted.conf
keyfile_to_static_ds "$keyname" > trusted.conf
cp trusted.conf ../ns2/trusted.conf
# ...or with an initializing key.
keyfile_to_initial_keys "$keyname" > managed.conf
keyfile_to_initial_ds "$keyname" > managed.conf
@@ -16,4 +16,4 @@ set -e
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".")
keyfile_to_static_keys "$keyname" > trusted.conf
keyfile_to_static_ds "$keyname" > trusted.conf
@@ -27,7 +27,7 @@ cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a trusted key.
keyfile_to_static_keys $keyname2 > trusted.conf
keyfile_to_static_ds $keyname2 > trusted.conf
zone=undelegated
infile=undelegated.db.in
@@ -38,5 +38,5 @@ cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -g -o $zone $zonefile > /dev/null
keyfile_to_static_keys $keyname2 >> trusted.conf
keyfile_to_static_ds $keyname2 >> trusted.conf
cp trusted.conf ../ns2/trusted.conf
@@ -40,4 +40,4 @@ cat "$infile" "$keyname.key" > "$zonefile"
$SIGNER -P -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a static key.
keyfile_to_static_keys "$keyname" > trusted.conf
keyfile_to_static_ds "$keyname" > trusted.conf
@@ -43,7 +43,7 @@ cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
keyfile_to_static_keys $keyname2 > private.nsec.conf
keyfile_to_static_ds $keyname2 > private.nsec.conf
zone=nsec3
infile=nsec3.db.in
@@ -72,7 +72,7 @@ cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
keyfile_to_static_keys $keyname2 > private.nsec3.conf
keyfile_to_static_ds $keyname2 > private.nsec3.conf
zone=.
infile=root.db.in
@@ -87,4 +87,4 @@ cat $infile $keyname1.key $keyname2.key $dssets >$zonefile
$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
keyfile_to_static_keys $keyname2 > trusted.conf
keyfile_to_static_ds $keyname2 > trusted.conf