#!/bin/sh # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # # SPDX-License-Identifier: MPL-2.0 # # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. set -e # shellcheck source=conf.sh . ../conf.sh # shellcheck source=kasp.sh . ../kasp.sh # Log errors and increment $ret. log_error() { echo_i "error: $1" ret=$((ret + 1)) } # Call dig with default options. dig_with_opts() { $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" } # Call rndc. rndccmd() { "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" } # Set zone name ($1) and policy ($2) for testing nsec3. # Also set the expected number of keys ($3) and DNSKEY TTL ($4). set_zone_policy() { ZONE=$1 POLICY=$2 NUM_KEYS=$3 DNSKEY_TTL=$4 KEYFILE_TTL=$4 # The CDS digest type in these tests are all the default, # which is SHA-256 (2). CDS_SHA256="yes" CDS_SHA384="no" } # Set expected NSEC3 parameters: flags ($1) and salt length ($2). set_nsec3param() { FLAGS=$1 SALTLEN=$2 # Reset salt. SALT="" } # Set expected default dnssec-policy keys values. set_key_default_values() { key_clear $1 set_keyrole $1 "csk" set_keylifetime $1 "0" set_keyalgorithm $1 "13" "ECDSAP256SHA256" "256" set_keysigning $1 "yes" set_zonesigning $1 "yes" set_keystate $1 "GOAL" "omnipresent" set_keystate $1 "STATE_DNSKEY" "rumoured" set_keystate $1 "STATE_KRRSIG" "rumoured" set_keystate $1 "STATE_ZRRSIG" "rumoured" set_keystate $1 "STATE_DS" "hidden" } # Set expected rsasha1 dnssec-policy keys values. set_key_rsasha1_values() { key_clear $1 set_keyrole $1 "csk" set_keylifetime $1 "0" set_keyalgorithm $1 "5" "RSASHA1" "2048" set_keysigning $1 "yes" set_zonesigning $1 "yes" set_keystate $1 "GOAL" "omnipresent" set_keystate $1 "STATE_DNSKEY" "rumoured" set_keystate $1 "STATE_KRRSIG" "rumoured" set_keystate $1 "STATE_ZRRSIG" "rumoured" set_keystate $1 "STATE_DS" "hidden" } # Update the key states. set_key_states() { set_keystate $1 "GOAL" "$2" set_keystate $1 "STATE_DNSKEY" "$3" set_keystate $1 "STATE_KRRSIG" "$4" set_keystate $1 "STATE_ZRRSIG" "$5" set_keystate $1 "STATE_DS" "$6" } # The apex NSEC3PARAM record indicates that it is signed. _wait_for_nsec3param() { dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM >"dig.out.test$n.wait" || return 1 grep "${ZONE}\..*IN.*NSEC3PARAM 1 0 0.*${SALT}" "dig.out.test$n.wait" >/dev/null || return 1 grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" >/dev/null || return 1 return 0 } # The apex NSEC record indicates that it is signed. _wait_for_nsec() { dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC >"dig.out.test$n.wait" || return 1 grep "NS SOA" "dig.out.test$n.wait" >/dev/null || return 1 grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" >/dev/null || return 1 grep "${ZONE}\..*IN.*NSEC3PARAM" "dig.out.test$n.wait" >/dev/null && return 1 return 0 } # Wait for the zone to be signed. wait_for_zone_is_signed() { n=$((n + 1)) ret=0 echo_i "wait for ${ZONE} to be signed with $1 ($n)" if [ "$1" = "nsec3" ]; then retry_quiet 10 _wait_for_nsec3param || log_error "wait for ${ZONE} to be signed failed" else retry_quiet 10 _wait_for_nsec || log_error "wait for ${ZONE} to be signed failed" fi test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) } # Test: check DNSSEC verify _check_dnssec_verify() { dig_with_opts @$SERVER "${ZONE}" AXFR >"dig.out.test$n.axfr.$ZONE" || return 1 $VERIFY -z -o "$ZONE" "dig.out.test$n.axfr.$ZONE" >"verify.out.test$n.$ZONE" 2>&1 || return 1 return 0 } # Test: check NSEC in answers _check_nsec_nsec3param() { dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM >"dig.out.test$n.nsec3param.$ZONE" || return 1 grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" >/dev/null && return 1 return 0 } _check_nsec_nxdomain() { dig_with_opts @$SERVER "nosuchname.${ZONE}" >"dig.out.test$n.nxdomain.$ZONE" || return 1 grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1 grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" >/dev/null && return 1 return 0 } check_nsec() { wait_for_zone_is_signed "nsec" n=$((n + 1)) echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)" ret=0 check_keys retry_quiet 10 _check_apex_dnskey || log_error "bad DNSKEY RRset for zone ${ZONE}" test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "verify DNSSEC for zone ${ZONE} ($n)" ret=0 retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}" test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)" ret=0 retry_quiet 10 _check_nsec_nsec3param || log_error "unexpected NSEC3PARAM in response for zone ${ZONE}" test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check NXDOMAIN response for zone ${ZONE} ($n)" ret=0 retry_quiet 10 _check_nsec_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}" test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) } # Test: check NSEC3 parameters in answers _check_nsec3_nsec3param() { dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM >"dig.out.test$n.nsec3param.$ZONE" || return 1 grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*0.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" >/dev/null || return 1 if [ -z "$SALT" ]; then SALT=$(awk '$4 == "NSEC3PARAM" { print $8 }' dig.out.test$n.nsec3param.$ZONE) fi return 0 } _check_nsec3_nxdomain() { dig_with_opts @$SERVER "nosuchname.${ZONE}" >"dig.out.test$n.nxdomain.$ZONE" || return 1 grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*0.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1 return 0 } check_nsec3() { wait_for_zone_is_signed "nsec3" n=$((n + 1)) echo_i "check that NSEC3PARAM 1 0 0 ${SALT} is published zone ${ZONE} ($n)" ret=0 retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}" test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} 0 ${SALT} for zone ${ZONE} ($n)" ret=0 retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}" test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "verify DNSSEC for zone ${ZONE} ($n)" ret=0 retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}" test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) } start_time="$(TZ=UTC date +%s)" status=0 n=0 key_clear "KEY1" key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" # Zone: nsec-to-nsec3.kasp. set_zone_policy "nsec-to-nsec3.kasp" "nsec" 1 3600 set_server "ns3" "10.53.0.3" set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec if [ $RSASHA1_SUPPORTED = 1 ]; then # Zone: rsasha1-to-nsec3.kasp. set_zone_policy "rsasha1-to-nsec3.kasp" "rsasha1" 1 3600 set_server "ns3" "10.53.0.3" set_key_rsasha1_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec # Zone: rsasha1-to-nsec3-wait.kasp. set_zone_policy "rsasha1-to-nsec3-wait.kasp" "rsasha1" 1 3600 set_server "ns3" "10.53.0.3" set_key_rsasha1_values "KEY1" set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" echo_i "initial check zone ${ZONE}" check_nsec # Zone: nsec3-to-rsasha1.kasp. set_zone_policy "nsec3-to-rsasha1.kasp" "nsec3" 1 3600 set_server "ns3" "10.53.0.3" set_key_rsasha1_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 # Zone: nsec3-to-rsasha1-ds.kasp. set_zone_policy "nsec3-to-rsasha1-ds.kasp" "nsec3" 1 3600 set_server "ns3" "10.53.0.3" set_key_rsasha1_values "KEY1" set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" echo_i "initial check zone ${ZONE}" check_nsec3 fi # Zone: nsec3.kasp. set_zone_policy "nsec3.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 # Zone: nsec3-dynamic.kasp. set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 # Zone: nsec3-change.kasp. set_zone_policy "nsec3-change.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 # Test that NSEC3PARAM TTL is equal to SOA MINIMUM. n=$((n + 1)) echo_i "check TTL of NSEC3PARAM in zone $ZONE is equal to SOA MINIMUM ($n)" ret=0 dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM >"dig.out.test$n" || ret=1 grep "${ZONE}\..*3600.*IN.*NSEC3PARAM" "dig.out.test$n" >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) # Update SOA MINIMUM. cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db" rndccmd $SERVER reload $ZONE >rndc.reload.test$n.$ZONE || log_error "failed to call rndc reload $ZONE" _wait_for_new_soa() { dig_with_opts +noquestion "@${SERVER}" "$ZONE" SOA >"dig.out.soa.test$n" || return 1 grep "${ZONE}\..*IN.*SOA.*mname1..*..*20.*20.*.1814400.*900" "dig.out.soa.test$n" >/dev/null || return 1 } retry_quiet 10 _wait_for_new_soa || log_error "failed to update SOA record in zone $ZONE" # Zone: nsec3-dynamic-change.kasp. set_zone_policy "nsec3-dynamic-change.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 # Zone: nsec3-dynamic-to-inline.kasp. set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 # Zone: nsec3-inline-to-dynamic.kasp. set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 # Zone: nsec3-to-nsec.kasp. set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 # Zone: nsec3-to-optout.kasp. set_zone_policy "nsec3-to-optout.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 # Zone: nsec3-from-optout.kasp. set_zone_policy "nsec3-from-optout.kasp" "optout" 1 3600 set_nsec3param "1" "0" set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 # Zone: nsec3-other.kasp. set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600 set_nsec3param "1" "8" set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 # Zone: nsec3-xfr-inline.kasp. # This is a secondary zone, where the primary is signed with NSEC3 but # the dnssec-policy dictates NSEC. set_zone_policy "nsec3-xfr-inline.kasp" "nsec" 1 3600 set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec # Zone: nsec3-dynamic-update-inline.kasp. set_zone_policy "nsec3-dynamic-update-inline.kasp" "nsec" 1 3600 set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec n=$((n + 1)) echo_i "dynamic update dnssec-policy zone ${ZONE} with NSEC3 ($n)" ret=0 $NSUPDATE >update.out.$ZONE.test$n 2>&1 <"dig.out.nsec3param.test$n" || ret=1 grep "${ZONE}\..*900.*IN.*NSEC3PARAM" "dig.out.nsec3param.test$n" >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) # Using rndc signing -nsec3param (should fail) echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings" rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE >rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE" grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE >/dev/null || log_error "rndc signing -nsec3param should fail" check_nsec3 # Zone: nsec3-dynamic-change.kasp. (reconfigured) set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other" 1 3600 set_nsec3param "1" "8" set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 # Zone: nsec3-dynamic-to-inline.kasp. (same) set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 # Zone: nsec3-inline-to-dynamic.kasp. (same) set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 # Zone: nsec3-to-nsec.kasp. (reconfigured) set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600 set_nsec3param "1" "8" set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec # Zone: nsec3-to-optout.kasp. (reconfigured) # DISABLED: # There is a bug in the nsec3param building code that thinks when the # optout bit is changed, the chain already exists. [GL #2216] #set_zone_policy "nsec3-to-optout.kasp" "optout" 1 3600 #set_nsec3param "1" "0" #set_key_default_values "KEY1" #echo_i "check zone ${ZONE} after reconfig" #check_nsec3 # Zone: nsec3-from-optout.kasp. (reconfigured) # DISABLED: # There is a bug in the nsec3param building code that thinks when the # optout bit is changed, the chain already exists. [GL #2216] #set_zone_policy "nsec3-from-optout.kasp" "nsec3" 1 3600 #set_nsec3param "0" "0" #set_key_default_values "KEY1" #echo_i "check zone ${ZONE} after reconfig" #check_nsec3 # Zone: nsec3-other.kasp. (same) set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600 set_nsec3param "1" "8" set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 # Test NSEC3 and NSEC3PARAM is the same after restart set_zone_policy "nsec3.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" set_key_default_values "KEY1" echo_i "check zone ${ZONE} before restart" check_nsec3 # Restart named, NSEC3 should stay the same. ret=0 echo "stop ns3" stop_server --use-rndc --port ${CONTROLPORT} ${DIR} || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) ret=0 echo "start ns3" start_server --noclean --restart --port ${PORT} ${DIR} test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) prevsalt="${SALT}" set_zone_policy "nsec3.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" set_key_default_values "KEY1" SALT="${prevsalt}" echo_i "check zone ${ZONE} after restart has salt ${SALT}" check_nsec3 # Zone: nsec3-fails-to-load.kasp. (should be fixed after reload) cp ns3/template.db.in ns3/nsec3-fails-to-load.kasp.db rndc_reload ns3 10.53.0.3 set_zone_policy "nsec3-fails-to-load.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reload" check_nsec3 # Zone: nsec3-ent.kasp (regression test for #5108) n=$((n + 1)) echo_i "check query for newly empty name does not crash ($n)" set_zone_policy "nsec3-ent.kasp" set_server "ns3" "10.53.0.3" # confirm the pre-existing name still exists dig_with_opts +noquestion "@${SERVER}" c.$ZONE >"dig.out.$ZONE.test$n.1" || ret=1 grep "c\.nsec3-ent\.kasp\..*IN.*A.*10\.0\.0\.3" "dig.out.$ZONE.test$n.1" >/dev/null || ret=1 # remove a name, bump the SOA, and reload sed -e 's/1 *; serial/2/' -e '/^c/d' ns3/template.db.in >ns3/nsec3-ent.kasp.db rndc_reload ns3 10.53.0.3 # try the query again dig_with_opts +noquestion "@${SERVER}" c.$ZONE >"dig.out.$ZONE.test$n.2" || ret=1 grep "status: NXDOMAIN" "dig.out.$ZONE.test$n.2" >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check queries for new names below ENT do not crash ($n)" set_zone_policy "nsec3-ent.kasp" set_server "ns3" "10.53.0.3" # confirm the ENT name does not exist yet dig_with_opts +noquestion "@${SERVER}" x.y.z.$ZONE >"dig.out.$ZONE.test$n.1" || ret=1 grep "status: NXDOMAIN" "dig.out.$ZONE.test$n.1" >/dev/null || ret=1 # add a name with an ENT, bump the SOA, and reload sed -e 's/1 *; serial/3/' ns3/template.db.in >ns3/nsec3-ent.kasp.db echo "x.y.z A 10.0.0.4" >>ns3/nsec3-ent.kasp.db rndc_reload ns3 10.53.0.3 # try the query again dig_with_opts +noquestion "@${SERVER}" x.y.z.$ZONE >"dig.out.$ZONE.test$n.2" || ret=1 grep "x\.y\.z\.nsec3-ent\.kasp\..*IN.*A.*10\.0\.0\.4" "dig.out.$ZONE.test$n.2" >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1