diff --git a/doc/Changelog b/doc/Changelog
index c59da3ff1..5ec1ff2b2 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,9 @@
+2 September 2009: Wouter
+ - TRAFFIC keyword for testbound. Simplifies test generation.
+ ${range lower val upper} to check probe timeout values.
+ - test with 5011-prepublish rollover and revocation.
+ - fix revocation of RR for autotrust, stray exclamation mark.
+
 1 September 2009: Wouter
 - testbound variable arithmetic.
 - autotrust probe time is randomised.
diff --git a/testcode/fake_event.c b/testcode/fake_event.c
index aa4093fa0..d5e31cabf 100644
--- a/testcode/fake_event.c
+++ b/testcode/fake_event.c
@@ -133,6 +133,7 @@ repevt_string(enum replay_event_type t)
 case repevt_autotrust_check: return "CHECK_AUTOTRUST";
 case repevt_error: return "ERROR";
 case repevt_assign: return "ASSIGN";
+ case repevt_traffic: return "TRAFFIC";
 default: return "UNKNOWN";
 }
 }
@@ -512,7 +513,7 @@ autotrust_check(struct replay_runtime* runtime, struct replay_moment* mom)
 expanded = macro_process(runtime->vars, runtime, p->str);
 if(!expanded)
 fatal_exit("could not expand macro line %d", lineno);
- if(verbosity >= VERB_ALGO && strcmp(p->str, expanded) != 0)
+ if(verbosity >= 7 && strcmp(p->str, expanded) != 0)
 log_info("expanded '%s' to '%s'", p->str, expanded);
 if(strcmp(expanded, line) != 0) {
 log_err("mismatch in file %s, line %d", name, lineno);
@@ -614,6 +615,9 @@ do_moment_and_advance(struct replay_runtime* runtime)
 moment_assign(runtime, runtime->now);
 advance_moment(runtime);
 break;
+ case repevt_traffic:
+ advance_moment(runtime);
+ break;
 default:
 fatal_exit("testbound: unknown event type %d",
 runtime->now->evt_type);
@@ -626,7 +630,7 @@ run_scenario(struct replay_runtime* runtime)
 {
 struct entry* entry = NULL;
 struct fake_pending* pending = NULL;
- int max_rounds = 50;
+ int max_rounds = 5000;
 int rounds = 0;
 runtime->now = runtime->scenario->mom_first;
 log_info("testbound: entering fake runloop");
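Review bot: The verbosity threshold on the changed line in autotrust_check is now the bare literal `7`, where the old line used the named level `VERB_ALGO`; nothing in the hunk says what level 7 is, and a reader of enum verbosity_value will not find an enumerator for it. If the intent is to push the per-line expansion log above every named level, say so on the line, e.g. `if(verbosity >= 7 /* above VERB_ALGO: per-line expansion log is very chatty */ && strcmp(p->str, expanded) != 0)`, or give the number a name next to the other levels. The same applies to `int max_rounds = 5000;` in the run_scenario hunk, which went from 50 to 5000 with no comment on why the cap exists or why it has to be that large (presumably TRAFFIC steps consume many rounds); a one-line comment such as `/* upper bound on runloop iterations, guards against a scenario that never completes */` would document it.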
diff --git a/testcode/replay.c b/testcode/replay.c
index 322ce5c23..78dcbe5c5 100644
--- a/testcode/replay.c
+++ b/testcode/replay.c
@@ -322,6 +322,8 @@ replay_moment_read(char* remain, FILE* in, const char* name, int* lineno,
 read_file_content(in, lineno, mom);
 } else if(parse_keyword(&remain, "ERROR")) {
 mom->evt_type = repevt_error;
+ } else if(parse_keyword(&remain, "TRAFFIC")) {
+ mom->evt_type = repevt_traffic;
 } else if(parse_keyword(&remain, "ASSIGN")) {
 mom->evt_type = repevt_assign;
 read_assign_step(remain, mom);
@@ -681,28 +683,34 @@ perform_arith(double x, char op, double y, double* res)
 
 /** do macro arithmetic on two numbers and operand */
 static char*
-do_macro_arith(char* at, size_t remain, char** arithstart)
+do_macro_arith(char* orig, size_t remain, char** arithstart)
 {
 double x, y, result;
 char operator;
 int skip;
 char buf[32];
+ char* at;
 
 /* not yet done? we want number operand number expanded first. */
 if(!*arithstart) {
 /* remember start pos of expr, skip the first number */
+ at = orig;
 *arithstart = at;
 while(*at && (isdigit((int)*at) || *at == '.'))
 at++;
 return at;
 }
 /* move back to start */
- remain += (size_t)(at - *arithstart);
+ remain += (size_t)(orig - *arithstart);
 at = *arithstart;
 /* parse operands */
 if(sscanf(at, " %lf %c %lf%n", &x, &operator, &y, &skip) != 3) {
- log_err("cannot parse arithmetic: %s", at);
- return NULL;
+ *arithstart = NULL;
+ return do_macro_arith(orig, remain, arithstart);
+ }
+ if(isdigit((int)operator)) {
+ *arithstart = orig;
+ return at+skip; /* do nothing, but setup for later number */
 }
 
 /* calculate result */
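Review bot: `isdigit((int)operator)` on the new line in do_macro_arith feeds a plain `char` to a ctype function; when the byte that sscanf stored through `%c` has its high bit set and `char` is signed, the value passed is negative and the call is undefined behaviour (the pre-existing `isdigit((int)*at)` in the same function has the same problem). Cast through unsigned char instead: `if(isdigit((unsigned char)operator)) {`. The new recursion after a failed sscanf clears *arithstart and re-enters with the same orig; it terminates only because the `!*arithstart` branch returns unconditionally, so a comment on the recursive call such as `/* not "num op num": restart at orig as a plain number; the !*arithstart branch above returns, so this recurses once */` would spare the next reader working that out. The function's tail (result formatting) continues in the next hunk.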
@@ -721,6 +729,24 @@ do_macro_arith(char* at, size_t remain, char** arithstart)
 return at;
 }
 
+/** Do range macro on expanded buffer */
+static char*
+do_macro_range(char* buf)
+{
+ double x, y, z;
+ if(sscanf(buf, " %lf %lf %lf", &x, &y, &z) != 3) {
+ log_err("range func requires 3 args: %s", buf);
+ return NULL;
+ }
+ if(x <= y && y <= z) {
+ char res[1024];
+ snprintf(res, sizeof(res), "%.24g", y);
+ return strdup(res);
+ }
+ fatal_exit("value %.24g not in range [%.24g, %.24g]", y, x, z);
+ return NULL;
+}
+
 static char*
 macro_expand(rbtree_t* store, struct replay_runtime* runtime, char** text)
 {
@@ -752,6 +778,10 @@ macro_expand(rbtree_t* store, struct replay_runtime* runtime, char** text)
 strncmp(buf, "ctime\t", 6) == 0) {
 at += 6;
 dofunc = 1;
+ } else if(strncmp(buf, "range ", 6) == 0 ||
+ strncmp(buf, "range\t", 6) == 0) {
+ at += 6;
+ dofunc = 1;
 }
 
 /* actual macro text expansion */
@@ -778,6 +808,8 @@ macro_expand(rbtree_t* store, struct replay_runtime* runtime, char** text)
 /* post process functions, buf has the argument(s) */
 if(strncmp(buf, "ctime", 5) == 0) {
 return do_macro_ctime(buf+6);
+ } else if(strncmp(buf, "range", 5) == 0) {
+ return do_macro_range(buf+6);
 }
 }
 return strdup(buf);
@@ -949,5 +981,17 @@ void testbound_selftest(void)
 log_assert( v && strcmp(v, "108") == 0);
 free(v);
 
+ v = macro_process(store, NULL, "${1 2 33 2 1}");
+ log_assert( v && strcmp(v, "1 2 33 2 1") == 0);
+ free(v);
+
+ v = macro_process(store, NULL, "${123 3 + 5}");
+ log_assert( v && strcmp(v, "123 8") == 0);
+ free(v);
+
+ v = macro_process(store, NULL, "${123 glug 3 + 5}");
+ log_assert( v && strcmp(v, "123 glug 8") == 0);
+ free(v);
+
 macro_store_delete(store);
 }
diff --git a/testcode/replay.h b/testcode/replay.h
index c1236d9d2..b065a624f 100644
--- a/testcode/replay.h
+++ b/testcode/replay.h
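Review bot: The doc comment on the new do_macro_range says only "Do range macro on expanded buffer" and leaves its contract unstated, although the two failure modes in the body differ sharply: a malformed argument list logs and returns NULL, while a value outside [lower, upper] takes the process down through fatal_exit, and on success the result is a strdup'd string that the caller is presumably expected to free (the selftest frees what macro_process hands back). Suggest replacing the comment with `/** ${range lower value upper}: parse three numbers from buf; returns strdup of value (caller frees) when lower<=value<=upper, NULL when the arguments do not parse; calls fatal_exit when value is out of range. */`. The `return NULL;` after fatal_exit is unreachable; if it is there to keep the compiler quiet, a `/* not reached */` on that line would say so.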
@@ -70,6 +70,9 @@
 * o TIME_PASSES ELAPSE [seconds] - increase 'now' time counter, can be
 * a floating point number.
 * TIME_PASSES EVAL [macro] - expanded for seconds to move time.
+ * o TRAFFIC - like CHECK_ANSWER, causes traffic to flow.
+ * actually the traffic flows before this step is taken.
+ * the step waits for traffic to stop.
 * o CHECK_AUTOTRUST [id] - followed by FILE_BEGIN [to match] FILE_END.
 * The file contents is macro expanded before match.
 * o ERROR
@@ -83,11 +86,16 @@
 * ${..} is macro expanded from its expression. Text substitution.
 * o $var replaced with its value. var is identifier [azAZ09_]*
 * o number is that number.
+ * o ${variables and arithmetic }
 * o +, -, / and *. Note, evaluated left-to-right. Use ${} for brackets.
- * o ${time} is the current time.
- * o ${ctime value} is the text ctime(value), i.e. Fri 3 Aug 2009, ...
- * must have one space after 'ctime'.
- * o ${timeout} is the time until next timeout in the comm_timer list.
+ * So again, no precedence rules, so 2+3*4 === ${2+3}*4 === 20.
+ * Do 2+${3*4} to get 24.
+ * o ${function params}
+ * o ${time} is the current time for the simulated unbound.
+ * o ${ctime value} is the text ctime(value), Fri 3 Aug 2009, ...
+ * o ${timeout} is the time until next timeout in comm_timer list.
+ * o ${range lower value upper} checks if lower<=value<=upper
+ * returns value if check succeeds.
 *
 * ; Example file
 * SCENARIO_BEGIN Example scenario
@@ -187,7 +195,9 @@ struct replay_moment {
 /** an error happens to outbound query */
 repevt_error,
 /** assignment to a variable */
- repevt_assign
+ repevt_assign,
+ /** cause traffic to flow */
+ repevt_traffic
 }
 /** variable with what is to happen this moment */
 evt_type;
diff --git a/testdata/Kexample.com.+005+16486.ds b/testdata/Kexample.com.+005+16486.ds
new file mode 100644
index 000000000..a4eb57d04
--- /dev/null
+++ b/testdata/Kexample.com.+005+16486.ds
@@ -0,0 +1 @@ +example.com. 3600 IN DS 16486 5 1 9adff86d0a468b5989a686df8076269b3a31ba54 ; xokit-zevek-tydyg-kydoh-nydap-kicet-zybil-konon-ruvef-covuh-gyxex diff --git a/testdata/Kexample.com.+005+16486.key b/testdata/Kexample.com.+005+16486.key new file mode 100644 index 000000000..b5b2395e9 --- /dev/null +++ b/testdata/Kexample.com.+005+16486.key @@ -0,0 +1 @@ +example.com. 3600 IN DNSKEY 257 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/3EUgWmsmbYUpI1qD0xhwKD/oYGEwAm291fyWJ9c0oVxXDEK8= ;{id = 16486 (ksk), size = 512b} diff --git a/testdata/Kexample.com.+005+16486.private b/testdata/Kexample.com.+005+16486.private new file mode 100644 index 000000000..c7ea159d2 --- /dev/null +++ b/testdata/Kexample.com.+005+16486.private @@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: qz9wCEIVe8FSBNI1kK9CnSkvHV1j7utdHSEfj/cRSBaayZthSkjWoPTGHAoP+hgYTACbb3V/JYn1zShXFcMQrw== +PublicExponent: AQAB +PrivateExponent: lT++xpPB4ZAFicojgSweZJbmRzODy1E6YA7kUTbFywrrClEi6vjb88AshqZsPuDnI4iOZ2Cy56qN9SZTD2WokQ== +Prime1: 29ChQQp9Dd7jH8L+QxEowJGOxwo2WD8rLOjvdz7FBos= +Prime2: x3AbQo22FBaEbB1Z6rM31WsLNhNNgHvD2G1gpXD2Ru0= +Exponent1: Sj0eGQ9nyOV8I+ABa7lB4DfI1uRWElvTQymwpr9mX50= +Exponent2: ZnWUu6NcKIPM8lI98JK0G4OL1fMivOBYpCbFIRmgnJ0= +Coefficient: N2jmFfQh8jhGIlrUvOlJFdDnAFNxEy/C5gXRJpNHHBM= diff --git a/testdata/Kexample.com.+005+60946.ds b/testdata/Kexample.com.+005+60946.ds new file mode 100644 index 000000000..154703f8b --- /dev/null +++ b/testdata/Kexample.com.+005+60946.ds @@ -0,0 +1 @@ +example.com. 3600 IN DS 60946 5 1 f48a5c8c1eceb7df2d68d1ad29151a77d5650505 ; xutam-pulim-seles-votit-zorek-mygep-tipyc-hakol-luhik-hecib-hoxax diff --git a/testdata/Kexample.com.+005+60946.key b/testdata/Kexample.com.+005+60946.key new file mode 100644 index 000000000..3fe8ae674 --- /dev/null +++ b/testdata/Kexample.com.+005+60946.key 
@@ -0,0 +1 @@ +example.com. 3600 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} diff --git a/testdata/Kexample.com.+005+60946.private b/testdata/Kexample.com.+005+60946.private new file mode 100644 index 000000000..79e0aff8c --- /dev/null +++ b/testdata/Kexample.com.+005+60946.private @@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: 6JpSJQilYx9jPkvSx8lNlae430jIFfh6b1WOyipBOw4PUcNCk1vhu68mjuk3ZoELE1Lt7Q4vx7aZUHoItn7x6Q== +PublicExponent: AQAB +PrivateExponent: Y21D28y8VYifNYvXx8rGvUf6gIdt7+ZM/7ZE2SoCxCjHkHQqWh9k1l5xEjCDZ7YOyFyQAbowMhEsr6C+11UvOQ== +Prime1: /4r1mlWLh3x1afMpWPxIfeNFsRHeyujk7GBuCZ0MlkM= +Prime2: 6QTa08YMv3JQrdEe8n+zZvMDkOhS/1wltFBn+mt9cmM= +Exponent1: 4AWFDBiEanEsSYaXL+By+JF+Lh3Zb4696Y8byCe6uhs= +Exponent2: p7bo0bgggMMEsrZrcdrcA2Mx0+CDrGxkbu3YiPNI7UU= +Coefficient: ahJU2OH7E2Q1yhzja925x7g4r289nD/GGIHz47e0ysk= diff --git a/testdata/autotrust_init.rpl b/testdata/autotrust_init.rpl index 1c6eeb2e2..7b9bd78f6 100644 --- a/testdata/autotrust_init.rpl +++ b/testdata/autotrust_init.rpl @@ -99,7 +99,9 @@ RANGE_END ; set date/time to Aug 24 09:46:40 (2009). STEP 5 TIME_PASSES ELAPSE 1251100000 STEP 6 ASSIGN t0 = ${time} -STEP 7 ASSIGN probe = ${timeout} +; get probe time and check it. 4800 is about 10% less than 5400. And more than +; the 3600 that a failure timeout would have. +STEP 7 ASSIGN probe = ${range 4800 ${timeout} 5400} ; the auto probing should have been done now. 
@@ -159,27 +161,9 @@ FILE_END ; wait and see if autotrust probes (the unchanged) domain again. STEP 40 TIME_PASSES EVAL ${$probe} -; do something to make time pass so that processing is performed. -STEP 50 QUERY -ENTRY_BEGIN -REPLY RD DO -SECTION QUESTION -. IN NS -ENTRY_END +STEP 50 TRAFFIC -STEP 60 CHECK_ANSWER -ENTRY_BEGIN -MATCH all -REPLY QR RD RA NOERROR -SECTION QUESTION -. IN NS -SECTION ANSWER -. 3600 IN NS k.root-servers.net. -SECTION ADDITIONAL -k.root-servers.net. 3600 IN A 193.0.14.129 -ENTRY_END - -STEP 65 ASSIGN probe2 = ${timeout} +STEP 65 ASSIGN probe2 = ${range 4800 ${timeout} 5400} STEP 70 CHECK_AUTOTRUST example.com FILE_BEGIN diff --git a/testdata/autotrust_rollover.rpl b/testdata/autotrust_rollover.rpl new file mode 100644 index 000000000..9ff66841a --- /dev/null +++ b/testdata/autotrust_rollover.rpl 
@@ -0,0 +1,323 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + log-time-ascii: yes +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +; initial content (say from dig example.com DNSKEY > example.com.key) +AUTOTRUST_FILE example.com +example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} +example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} +AUTOTRUST_END +CONFIG_END + +SCENARIO_BEGIN Test autotrust with prepublish rollover + +; K-ROOT +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id copy_query +REPLY QR AA +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS k.root-servers.net. +SECTION ADDITIONAL +k.root-servers.net IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; ns.example.com. KSK 55582 +RANGE_BEGIN 0 10 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 3600 IN A 10.20.30.40 +www.example.com. 3600 IN RRSIG A 5 3 3600 20090924111500 20090821111500 30899 example.com. pYGxVLsWUvOp1wSf0iwPap+JnECfC5GAm1lRqy3YEqecNGld7U7x/5Imo3CerbdZrVptUQs2oH0lcjwYJXMnsw== ;{id = 30899} +SECTION AUTHORITY +example.com. 3600 IN NS ns.example.com. +example.com. 
3600 IN RRSIG NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899} +SECTION ADDITIONAL +ns.example.com. 3600 IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 5 3 3600 20090924111500 20090821111500 30899 example.com. JsXbS18oyc0zkVaOWGSFdIQuOsZKflT0GraT9afDPoWLCgH4ApF7jNgfJV7Pqy1sTBRajME5IUAhpANwGBuW4A== ;{id = 30899} +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +; KSK 1 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} +; ZSK 1 +example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} +; signatures +example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20090924111500 20090821111500 30899 example.com. b/HK231jIQLX8IhlZfup3r0yhpXaasbPE6LzxoEVVvWaTZWcLmeV8jDIcn0qO7Yvs7bIJN20lwVAV0GcHH3hWQ== ;{id = 30899} +example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20090924111500 20090821111500 55582 example.com. PCHme1QLoULxqjhg5tMlpR0qJlBfstEUVq18TtNoKQe9le1YhJ9caheXcTWoK+boLhXxg9u6Yyvq8FboQh0OjA== ;{id = 55582} +ENTRY_END +RANGE_END + +; ns.example.com. KSK 55582 and 60946 +RANGE_BEGIN 11 40 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +; KSK 1 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} +; KSK 2 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} +; ZSK 1 +example.com. 
10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} +; signatures +example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091024111500 20090921111500 30899 example.com. rkaCUpTFPWVu4Om5oMTR+39Mct6ZMs56xrE0rbxMMOokfvIQheIxsAEc5BFJeA/2y5WTewl6diCD6yQXCybrDg== ;{id = 30899} +example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091024111500 20090921111500 55582 example.com. CoMon+lWPAsUvgfpCTDPx8Zn8dQpky3lu2O6T+oJ2Mat9a/u1YwGhSQHGPn7ZNG/4vKM97tx84sSlUGz3geD1w== ;{id = 55582} +example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091024111500 20090921111500 60946 example.com. o+Cbs7DcYPYlSLd4hi3vkSVQpXGnKgKSi9MpHGfu1Uahv5190U2DUOxP1du/HOYbf+IHYL8zLbMZjVEG5wgnTg== ;{id = 60946} +ENTRY_END +RANGE_END + +; ns.example.com. KSK 55582 and 60946 (signatures updated) +RANGE_BEGIN 41 50 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +; KSK 1 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} +; KSK 2 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} +; ZSK 1 +example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} +; signatures +example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091124111500 20091018111500 30899 example.com. rkaCUpTFPWVu4Om5oMTR+39Mct6ZMs56xrE0rbxMMOokfvIQheIxsAEc5BFJeA/2y5WTewl6diCD6yQXCybrDg== ;{id = 30899} +example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091124111500 20091018111500 55582 example.com. v/HJbdpeVMpbhwYXrT1EDGpAFMvEgdKQII1cAbP6o8KHYNKDh8TIJ25/pXe3daEXfej6/Z5kpqJ79okPKUoi1Q== ;{id = 55582} +example.com. 
10800 IN RRSIG DNSKEY 5 2 10800 20091124111500 20091018111500 60946 example.com. HgXol1hdvbomOM1CFRW8qsHd3D0qOnN72EeMHTcpxIBBiuNLKZn4n1M14Voxj3vo0eAMNuG/y7EjQkxKvSsaDA== ;{id = 60946} +ENTRY_END +RANGE_END + +; ns.example.com. KSK 55582-REVOKED and 60946 +RANGE_BEGIN 51 60 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +; KSK 1 +example.com. 10800 IN DNSKEY 385 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55710 (ksk), size = 512b} +; KSK 2 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} +; ZSK 1 +example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} +; signatures +example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091224111500 20091118111500 30899 example.com. qLKZUJEi3ajSJ4/b7xl0BwhzW6JtjsojpZ+2nUx1PvaeQVoTmyWxjxc2tAmJGcBPqMqzeY470xvyMDvGTOiQCQ== ;{id = 30899} +example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091224111500 20091118111500 55710 example.com. EW2YB+2yNX9LTNDPVwkcGnRTTx38pOiwBaixdwxmDgqWKXLDLM6Kd2Xv9tveS39RnSZ5H1inRXE55q+rL6Re3g== ;{id = 55710} +; wrong keytag: +;example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091224111500 20091118111500 55582 example.com. nH/6HauVJI4GGz78UoK/38cOOrEqsYZP0jFzfCC3OyIlclVTjAFvjVPlVMGK7sA5Nw1v20YtFTQkXZgbrRuInQ== ;{id = 55582} +example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091224111500 20091118111500 60946 example.com. xKSBZr4vOsEUKlVoNb6SOV69DM7xFOJI4gPFKq5Tv4APIMJ/9G3odoDmNcLCVyYGzhoDik5hciJnZio6UHgzAA== ;{id = 60946} +ENTRY_END +RANGE_END + +; ns.example.com. KSK 60946 +RANGE_BEGIN 61 70 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +; KSK 2 +example.com. 
10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} +; ZSK 1 +example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} +; signatures +example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20101224111500 20101118111500 30899 example.com. TfFGz1kDtkn3ixbKMJvQDZ0uGw/eW+inIiPqQVPQtO2WiocKrnYnzwv/AqwnFvEar70dF15/zffNIF+ipOS5/g== ;{id = 30899} +example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20101224111500 20101118111500 60946 example.com. X0Ci//w0czN/J5RvypHGqp56n1tLdapi92ODAqjM7QpZXbSHaJ7wfPG1PZzvdxHUZUVyf8uy2stjg/XoLGHMWA== ;{id = 60946} +ENTRY_END +RANGE_END + +; set date/time to Aug 24 09:46:40 (2009). +STEP 5 TIME_PASSES ELAPSE 1251100000 +STEP 6 TRAFFIC ; the initial probe +STEP 7 ASSIGN t0 = ${time} +STEP 8 ASSIGN probe0 = ${range 4800 ${timeout} 5400} + +; the auto probing should have been done now. +STEP 10 CHECK_AUTOTRUST example.com +FILE_BEGIN +; autotrust trust anchor file +;;id: example.com. 1 +;;last_queried: ${$t0} ;;${ctime $t0} +;;last_success: ${$t0} ;;${ctime $t0} +;;next_probe_time: ${$t0 + $probe0} ;;${ctime $t0 + $probe0} +;;query_failed: 0 +;;query_interval: 5400 +;;retry_time: 3600 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0} +FILE_END + +; key prepublished. First poll. 30 days later +STEP 11 TIME_PASSES EVAL ${30*24*3600} +STEP 12 TRAFFIC +STEP 13 ASSIGN t1 = ${time} +STEP 14 ASSIGN probe1 = ${range 4800 ${timeout} 5400} +STEP 15 CHECK_AUTOTRUST example.com +FILE_BEGIN +; autotrust trust anchor file +;;id: example.com. 
1 +;;last_queried: ${$t1} ;;${ctime $t1} +;;last_success: ${$t1} ;;${ctime $t1} +;;next_probe_time: ${$t1 + $probe1} ;;${ctime $t1 + $probe1} +;;query_failed: 0 +;;query_interval: 5400 +;;retry_time: 3600 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=${$t1} ;;${ctime $t1} +example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0} +FILE_END + +; Second poll. 10 days later +STEP 21 TIME_PASSES EVAL ${10*24*3600} +STEP 22 TRAFFIC +STEP 23 ASSIGN t2 = ${time} +STEP 24 ASSIGN probe2 = ${range 4800 ${timeout} 5400} +STEP 25 CHECK_AUTOTRUST example.com +FILE_BEGIN +; autotrust trust anchor file +;;id: example.com. 1 +;;last_queried: ${$t2} ;;${ctime $t2} +;;last_success: ${$t2} ;;${ctime $t2} +;;next_probe_time: ${$t2 + $probe2} ;;${ctime $t2 + $probe2} +;;query_failed: 0 +;;query_interval: 5400 +;;retry_time: 3600 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=1 [ ADDPEND ] ;;count=2 ;;lastchange=${$t1} ;;${ctime $t1} +example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0} +FILE_END + +; Third poll. 10 days later +STEP 31 TIME_PASSES EVAL ${10*24*3600} +STEP 32 TRAFFIC +STEP 33 ASSIGN t3 = ${time} +STEP 34 ASSIGN probe3 = ${range 4800 ${timeout} 5400} +STEP 35 CHECK_AUTOTRUST example.com +FILE_BEGIN +; autotrust trust anchor file +;;id: example.com. 
1 +;;last_queried: ${$t3} ;;${ctime $t3} +;;last_success: ${$t3} ;;${ctime $t3} +;;next_probe_time: ${$t3 + $probe3} ;;${ctime $t3 + $probe3} +;;query_failed: 0 +;;query_interval: 5400 +;;retry_time: 3600 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=1 [ ADDPEND ] ;;count=3 ;;lastchange=${$t1} ;;${ctime $t1} +example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0} +FILE_END + +; 11 days later, hold down has lapsed. +STEP 41 TIME_PASSES EVAL ${11*24*3600} +STEP 42 TRAFFIC +STEP 43 ASSIGN t4 = ${time} +STEP 44 ASSIGN probe4 = ${range 4800 ${timeout} 5400} +STEP 45 CHECK_AUTOTRUST example.com +FILE_BEGIN +; autotrust trust anchor file +;;id: example.com. 1 +;;last_queried: ${$t4} ;;${ctime $t4} +;;last_success: ${$t4} ;;${ctime $t4} +;;next_probe_time: ${$t4 + $probe4} ;;${ctime $t4 + $probe4} +;;query_failed: 0 +;;query_interval: 5400 +;;retry_time: 3600 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4} +example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0} +FILE_END + +; 30 days later, the old key is revoked +STEP 51 TIME_PASSES EVAL ${30*24*3600} +STEP 52 TRAFFIC +STEP 53 ASSIGN t5 = ${time} +STEP 54 ASSIGN probe5 = ${range 4800 ${timeout} 5400} +STEP 55 CHECK_AUTOTRUST example.com +FILE_BEGIN +; autotrust trust anchor file +;;id: example.com. 
1 +;;last_queried: ${$t5} ;;${ctime $t5} +;;last_success: ${$t5} ;;${ctime $t5} +;;next_probe_time: ${$t5 + $probe5} ;;${ctime $t5 + $probe5} +;;query_failed: 0 +;;query_interval: 5400 +;;retry_time: 3600 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4} +example.com. 10800 IN DNSKEY 385 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55710 (ksk), size = 512b} ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=${$t5} ;;${ctime $t5} +FILE_END + +; 370 days later, the old key is removed from storage +STEP 61 TIME_PASSES EVAL ${370*24*3600} +STEP 62 TRAFFIC +STEP 63 ASSIGN t6 = ${time} +STEP 64 ASSIGN probe6 = ${range 4800 ${timeout} 5400} +STEP 65 CHECK_AUTOTRUST example.com +FILE_BEGIN +; autotrust trust anchor file +;;id: example.com. 1 +;;last_queried: ${$t6} ;;${ctime $t6} +;;last_success: ${$t6} ;;${ctime $t6} +;;next_probe_time: ${$t6 + $probe6} ;;${ctime $t6 + $probe6} +;;query_failed: 0 +;;query_interval: 5400 +;;retry_time: 3600 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4} +FILE_END + + +SCENARIO_END diff --git a/validator/autotrust.c b/validator/autotrust.c index ba669f95b..6b2283ab9 100644 --- a/validator/autotrust.c +++ b/validator/autotrust.c @@ -157,8 +157,7 @@ verbose_key(struct autr_ta* ta, enum verbosity_value level, int keytag = (int)ldns_calc_keytag(ta->rr); char msg[MAXSYSLOGMSGLEN]; vsnprintf(msg, sizeof(msg), format, args); - verbose(level, "autotrust %s key %d %s", str?str:"??", - keytag, msg); + verbose(level, "%s key %d %s", str?str:"??", keytag, msg); free(str); } va_end(args); 
@@ -908,6 +907,7 @@ rr_is_selfsigned_revoked(struct module_env* env, struct val_env* ve,
 struct ub_packed_rrset_key* dnskey_rrset, size_t i)
 {
 enum sec_status sec;
+ verbose(VERB_ALGO, "seen REVOKE flag, check self-signed, rr %d", i);
 sec = dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, i);
 return (sec == sec_status_secure);
 }
@@ -934,7 +934,7 @@ revoke_dnskey(struct autr_ta* ta, int off)
 ldns_rdf* rdf;
 uint16_t flags;
 log_assert(ta && ta->rr);
- if(!ldns_rr_get_type(ta->rr) != LDNS_RR_TYPE_DNSKEY)
+ if(ldns_rr_get_type(ta->rr) != LDNS_RR_TYPE_DNSKEY)
 return;
 rdf = ldns_rr_dnskey_flags(ta->rr);
 flags = ldns_read_uint16(ldns_rdf_data(rdf));
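Review bot: The added verbose() call in rr_is_selfsigned_revoked prints the `size_t` parameter `i` with `%d`; the conversion and argument types do not match, which is undefined behaviour under C11 and, if verbose is printf-like, can print garbage or misalign later arguments on LP64 targets. The hunk just above (verbose_key) already casts its keytag to int before formatting, so follow that: `verbose(VERB_ALGO, "seen REVOKE flag, check self-signed, rr %d", (int)i);`, or use `%u` with an unsigned cast. The function body is complete within the hunk.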