3341. [func] New "dnssec-verify" command checks a signed zone
to ensure correctness of signatures and of NSEC/NSEC3
chains. [RT #23673]
@@ -21,256 +21,228 @@ SYSTEMTESTTOP=../..
RANDFILE=../random.data
zone=secure.example
zonefile="${zone}.db"
infile="${zonefile}.in"
dumpit () {
echo "D:${debug}: dumping ${1}"
cat "${1}" | sed 's/^/D:/'
}
setup () {
echo "I:setting up zone: $1"
debug="$1"
zone="$1"
zonefile="${zone}.db"
infile="${zonefile}.in"
n=`expr ${n:-0} + 1`
}
setup secure.example
cp $infile $zonefile
ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone`
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# NSEC3/NSEC test zone
#
zone=secure.nsec3.example
zonefile="${zone}.db"
infile="${zonefile}.in"
setup secure.nsec3.example
cp $infile $zonefile
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# NSEC3/NSEC3 test zone
#
zone=nsec3.nsec3.example
zonefile="${zone}.db"
infile="${zonefile}.in"
setup nsec3.nsec3.example
cp $infile $zonefile
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# OPTOUT/NSEC3 test zone
#
zone=optout.nsec3.example
zonefile="${zone}.db"
infile="${zonefile}.in"
setup optout.nsec3.example
cp $infile $zonefile
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# A nsec3 zone (non-optout).
#
zone=nsec3.example
zonefile="${zone}.db"
infile="${zonefile}.in"
setup nsec3.example
cat $infile dsset-*.${zone}. > $zonefile
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# An NSEC3 zone, with NSEC3 parameters set prior to signing
#
zone=autonsec3.example
zonefile="${zone}.db"
infile="${zonefile}.in"
setup autonsec3.example
cat $infile > $zonefile
ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone`
ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
echo $ksk > ../autoksk.key
zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone`
zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
echo $zsk > ../autozsk.key
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# OPTOUT/NSEC test zone
#
zone=secure.optout.example
zonefile="${zone}.db"
infile="${zonefile}.in"
setup secure.optout.example
cp $infile $zonefile
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# OPTOUT/NSEC3 test zone
#
zone=nsec3.optout.example
zonefile="${zone}.db"
infile="${zonefile}.in"
setup nsec3.optout.example
cp $infile $zonefile
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# OPTOUT/OPTOUT test zone
#
zone=optout.optout.example
zonefile="${zone}.db"
infile="${zonefile}.in"
setup optout.optout.example
cp $infile $zonefile
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# A optout nsec3 zone.
#
zone=optout.example
zonefile="${zone}.db"
infile="${zonefile}.in"
setup optout.example
cat $infile dsset-*.${zone}. > $zonefile
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# A RSASHA256 zone.
#
zone=rsasha256.example
zonefile="${zone}.db"
infile="${zonefile}.in"
setup rsasha256.example
cp $infile $zonefile
ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -r $RANDFILE -fk $zone`
$KEYGEN -q -a RSASHA256 -b 1024 -r $RANDFILE $zone > /dev/null
ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -a RSASHA256 -b 1024 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# A RSASHA512 zone.
#
zone=rsasha512.example
zonefile="${zone}.db"
infile="${zonefile}.in"
setup rsasha512.example
cp $infile $zonefile
ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone`
$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > /dev/null
ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# NSEC-only zone.
#
zone=nsec.example
zonefile="${zone}.db"
infile="${zonefile}.in"
setup nsec.example
cp $infile $zonefile
ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
$KEYGEN -q -r $RANDFILE $zone > /dev/null
ksk=`$KEYGEN -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# Signature refresh test zone. Signatures are set to expire long
# in the past; they should be updated by autosign.
#
zone=oldsigs.example
zonefile="${zone}.db"
infile="${zonefile}.in"
setup oldsigs.example
cp $infile $zonefile
ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
$KEYGEN -q -r $RANDFILE $zone > /dev/null
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > /dev/null 2>&1
$KEYGEN -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
#
# NSEC3->NSEC transition test zone.
#
zone=nsec3-to-nsec.example
zonefile="${zone}.db"
infile="${zonefile}.in"
#cp $infile $zonefile
ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone`
$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > /dev/null
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null 2>&1
setup nsec3-to-nsec.example
$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
#
# secure-to-insecure transition test zone; used to test removal of
# keys via nsupdate
#
zone=secure-to-insecure.example
zonefile="${zone}.db"
infile="${zonefile}.in"
ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
$KEYGEN -q -r $RANDFILE $zone > /dev/null
$SIGNER -S -o $zone -f $zonefile $infile > /dev/null 2>&1
setup secure-to-insecure.example
$KEYGEN -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
#
# another secure-to-insecure transition test zone; used to test
# removal of keys on schedule.
#
zone=secure-to-insecure2.example
zonefile="${zone}.db"
infile="${zonefile}.in"
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
setup secure-to-insecure2.example
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
echo $ksk > ../del1.key
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
echo $zsk > ../del2.key
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > /dev/null 2>&1
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
#
# Introducing a pre-published key test.
#
zone=prepub.example
zonefile="${zone}.db"
$KEYGEN -3 -q -r $RANDFILE -fk $zone > /dev/null
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > /dev/null 2>&1
setup prepub.example
infile="secure-to-insecure2.example.db.in"
$KEYGEN -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
#
# Key TTL tests.
#
# no default key TTL; DNSKEY should get SOA TTL
zone=ttl1.example
zonefile="${zone}.db"
infile="${zonefile}.in"
$KEYGEN -3 -q -r $RANDFILE -fk $zone > /dev/null
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
setup ttl1.example
$KEYGEN -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
cp $infile $zonefile
# default key TTL should be used
zone=ttl2.example
zonefile="${zone}.db"
$KEYGEN -3 -q -r $RANDFILE -fk -L 60 $zone > /dev/null
$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > /dev/null
setup ttl2.example
$KEYGEN -3 -q -r $RANDFILE -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out
cp $infile $zonefile
# mismatched key TTLs, should use shortest
zone=ttl3.example
zonefile="${zone}.db"
$KEYGEN -3 -q -r $RANDFILE -fk -L 30 $zone > /dev/null
$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > /dev/null
setup ttl3.example
$KEYGEN -3 -q -r $RANDFILE -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out
cp $infile $zonefile
# existing DNSKEY RRset, should retain TTL
zone=ttl4.example
zonefile="${zone}.db"
$KEYGEN -3 -q -r $RANDFILE -L 30 -fk $zone > /dev/null
setup ttl4.example
$KEYGEN -3 -q -r $RANDFILE -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
cat ${infile} K${zone}.+*.key > $zonefile
$KEYGEN -3 -q -r $RANDFILE -L 180 $zone > /dev/null
$KEYGEN -3 -q -r $RANDFILE -L 180 $zone > kg.out 2>&1 || dumpit kg.out
#
# A zone with a DNSKEY RRset that is published before it's activated
#
zone=delay.example
zonefile="${zone}.db"
ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone`
setup delay.example
ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
echo $ksk > ../delayksk.key
zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone`
zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
echo $zsk > ../delayzsk.key
#
# A zone with signatures that are already expired, and the private ZSK
# is missing.
#
zone=nozsk.example
zonefile="${zone}.db"
$KEYGEN -q -3 -r $RANDFILE -fk $zone > /dev/null
setup nozsk.example
$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > /dev/null 2>&1
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out
echo $zsk > ../missingzsk.key
rm -f ${zsk}.private
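Review bot: Throughout this hunk a failed key generation is only logged, not acted on: `dumpit` prints `kg.out` and returns, so the script continues with an empty `$ksk` or `$zsk`, `$DSFROMKEY $ksk.key > dsset-${zone}.` then reads a file literally named `.key`, and lines such as `echo $ksk > ../autoksk.key` record an empty key name for the later test phases. If setup is meant to stop on the first failure, `dumpit` should end with `exit 1`; if it is meant to be best-effort, the consumers of the generated name should at least be guarded too, e.g. `$DSFROMKEY $ksk.key > dsset-${zone}. 2> ds.out || dumpit ds.out`. The `zsk=\`$KEYGEN -q -3 -r $RANDFILE $zone\`` line in the nozsk.example section is the one generation in this hunk still left in the old unchecked form. Note also that `setup` now resets `infile` to `${zone}.db.in` for every zone, so ttl2/ttl3/ttl4 now copy their own `.in` files instead of inheriting ttl1's as before; that is presumably intended, but it relies on those files existing alongside `ttl1.example.db.in`, which is worth confirming.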
@@ -278,19 +250,17 @@ rm -f ${zsk}.private
# A zone with signatures that are already expired, and the private ZSK
# is inactive.
#
zone=inaczsk.example
zonefile="${zone}.db"
$KEYGEN -q -3 -r $RANDFILE -fk $zone > /dev/null
setup inaczsk.example
$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > /dev/null 2>&1
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out
echo $zsk > ../inactivezsk.key
$SETTIME -I now $zsk > /dev/null
$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
#
# A zone that is set to 'auto-dnssec maintain' during a recofnig
#
zone=reconf.example
zonefile="${zone}.db"
setup reconf.example
cp secure.example.db.in $zonefile
$KEYGEN -q -3 -r $RANDFILE -fk $zone > /dev/null
$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
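Review bot: The ZSK generation `zsk=\`$KEYGEN -q -3 -r $RANDFILE $zone\`` in the inaczsk.example section is left in the old unchecked form while every other key generation in this hunk now captures stderr and calls `dumpit`; if it fails, `$zsk` is empty, `echo $zsk > ../inactivezsk.key` records nothing, and `$SETTIME -I now $zsk` runs with no key argument, so the only diagnostic would be settime's complaint in `st.out`. Make it consistent with the KSK line above it: `zsk=\`$KEYGEN -q -3 -r $RANDFILE $zone 2> kg.out\` || dumpit kg.out`. Separately, `cp secure.example.db.in $zonefile` for reconf.example is unchecked, so a missing or unreadable input file would presumably only show up later when the server fails to load the zone; a guard such as `cp secure.example.db.in $zonefile || echo "I:cp failed for $zone"` keeps the failure next to its cause. The context comment `during a recofnig` also has a typo for "reconfig".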