Added gen-autotrust_addpend_2exceed (and gen-common)

2024-09-21 06:37:08 +00:00 · 2023-01-31 17:25:37 +01:00 · 2023-01-31 17:25:37 +01:00 · e5fd7dbcd1
commit e5fd7dbcd1
parent ceef1639d4
4 changed files with 495 additions and 22 deletions
--- a/testdata/gen/autotrust_addpend_2exceed.rpl.in
+++ b/testdata/gen/autotrust_addpend_2exceed.rpl.in
@ -0,0 +1,306 @@
+; config options
+server:
+	target-fetch-policy: "0 0 0 0 0"
+	log-time-ascii: yes
+	fake-sha1: yes
+	trust-anchor-signaling: no
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
+; initial content (say from dig example.com DNSKEY > example.com.key) 
+AUTOTRUST_FILE example.com
+PUBKEY1
+PUBKEY2
+AUTOTRUST_END
+CONFIG_END
+
+SCENARIO_BEGIN Test autotrust with ADDPEND twice and exceeded time
+; should work even though not signed with old key at latest time.
+
+; K-ROOT
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id copy_query
+REPLY QR AA
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS k.root-servers.net.
+SECTION ADDITIONAL
+k.root-servers.net IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.  KSK PUBKEY1_ID
+RANGE_BEGIN 0 10
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com.	3600	IN	A	10.20.30.40
+SIG1a_PUBKEY2
+SECTION AUTHORITY
+example.com.	3600	IN	NS	ns.example.com.
+SIG1b_PUBKEY2
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+SIG1c_PUBKEY2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+; KSK 1
+PUBKEY1
+; ZSK 1
+PUBKEY2
+; signatures
+SIG2_PUBKEY2
+SIG2_PUBKEY1
+ENTRY_END
+RANGE_END
+
+; ns.example.com.  KSK PUBKEY1_ID and PUBKEY3_ID
+RANGE_BEGIN 11 40
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+; KSK 1
+PUBKEY1
+; KSK 2
+PUBKEY3
+; ZSK 1
+PUBKEY2
+; signatures
+SIG3_PUBKEY2
+SIG3_PUBKEY1
+SIG3_PUBKEY3
+ENTRY_END
+RANGE_END
+
+; ns.example.com.  KSK PUBKEY3_ID
+RANGE_BEGIN 41 50
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+; KSK 2
+PUBKEY3
+; ZSK 1
+PUBKEY2
+; signatures
+SIG4_PUBKEY2
+SIG4_PUBKEY3
+ENTRY_END
+RANGE_END
+
+; ns.example.com.  KSK PUBKEY1_ID-REVOKED and PUBKEY3_ID
+RANGE_BEGIN 51 60
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+; KSK 1
+PUBKEY4
+; KSK 2
+PUBKEY3
+; ZSK 1
+PUBKEY2
+; signatures
+SIG5_PUBKEY2
+SIG5_PUBKEY4
+; wrong keytag:
+SIG5_PUBKEY1
+SIG5_PUBKEY3
+ENTRY_END
+RANGE_END
+
+; ns.example.com.  KSK PUBKEY3_ID
+RANGE_BEGIN 61 70
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+; KSK 2
+PUBKEY3
+; ZSK 1
+PUBKEY2
+; signatures
+SIG6_PUBKEY2
+SIG6_PUBKEY3
+ENTRY_END
+RANGE_END
+
+; set date/time to Aug 24 07:46:40  (2009).
+STEP 5 TIME_PASSES ELAPSE 1251100000
+STEP 6 TRAFFIC   ; the initial probe
+STEP 7 ASSIGN t0 = ${time}
+STEP 8 ASSIGN probe0 = ${range 4800 ${timeout} 5400}
+
+; the auto probing should have been done now.
+STEP 10 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: ${$t0} ;;${ctime $t0}
+;;last_success: ${$t0} ;;${ctime $t0}
+;;next_probe_time: ${$t0 + $probe0} ;;${ctime $t0 + $probe0}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+PUBKEY1 ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0}
+FILE_END
+
+; key prepublished.  First poll. 30 days later
+STEP 11 TIME_PASSES EVAL ${30*24*3600}
+STEP 12 TRAFFIC
+STEP 13 ASSIGN t1 = ${time}
+STEP 14 ASSIGN probe1 = ${range 4800 ${timeout} 5400}
+STEP 15 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: ${$t1} ;;${ctime $t1}
+;;last_success: ${$t1} ;;${ctime $t1}
+;;next_probe_time: ${$t1 + $probe1} ;;${ctime $t1 + $probe1}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+PUBKEY3 ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=${$t1} ;;${ctime $t1}
+PUBKEY1 ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0}
+FILE_END
+
+; Second poll. 10 days later
+STEP 21 TIME_PASSES EVAL ${10*24*3600}
+STEP 22 TRAFFIC
+STEP 23 ASSIGN t2 = ${time}
+STEP 24 ASSIGN probe2 = ${range 4800 ${timeout} 5400}
+STEP 25 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: ${$t2} ;;${ctime $t2}
+;;last_success: ${$t2} ;;${ctime $t2}
+;;next_probe_time: ${$t2 + $probe2} ;;${ctime $t2 + $probe2}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+PUBKEY3 ;;state=1 [ ADDPEND ] ;;count=2 ;;lastchange=${$t1} ;;${ctime $t1}
+PUBKEY1 ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0}
+FILE_END
+
+; t3 is removed third poll time.
+
+; 21 days later, hold down has lapsed.
+STEP 41 TIME_PASSES EVAL ${21*24*3600}
+STEP 42 TRAFFIC
+STEP 43 ASSIGN t4 = ${time}
+STEP 44 ASSIGN probe4 = ${range 4800 ${timeout} 5400}
+STEP 45 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: ${$t4} ;;${ctime $t4}
+;;last_success: ${$t4} ;;${ctime $t4}
+;;next_probe_time: ${$t4 + $probe4} ;;${ctime $t4 + $probe4}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+PUBKEY3 ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4}
+PUBKEY1 ;;state=3 [ MISSING ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4}
+FILE_END
+
+; 30 days later, the old key is revoked
+STEP 51 TIME_PASSES EVAL ${30*24*3600}
+STEP 52 TRAFFIC
+STEP 53 ASSIGN t5 = ${time}
+STEP 54 ASSIGN probe5 = ${range 4800 ${timeout} 5400}
+STEP 55 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: ${$t5} ;;${ctime $t5}
+;;last_success: ${$t5} ;;${ctime $t5}
+;;next_probe_time: ${$t5 + $probe5} ;;${ctime $t5 + $probe5}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+PUBKEY3 ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4}
+PUBKEY4 ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=${$t5} ;;${ctime $t5}
+FILE_END
+
+; 370 days later, the old key is removed from storage
+STEP 61 TIME_PASSES EVAL ${370*24*3600}
+STEP 62 TRAFFIC
+STEP 63 ASSIGN t6 = ${time}
+STEP 64 ASSIGN probe6 = ${range 4800 ${timeout} 5400}
+STEP 65 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: ${$t6} ;;${ctime $t6}
+;;last_success: ${$t6} ;;${ctime $t6}
+;;next_probe_time: ${$t6 + $probe6} ;;${ctime $t6 + $probe6}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+PUBKEY3 ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4}
+FILE_END
+
+
+SCENARIO_END
--- a/testdata/gen/gen-autotrust_10key
+++ b/testdata/gen/gen-autotrust_10key
@ -1,14 +1,9 @@
 #!/bin/sh

-KEYDIR=keys
+. ./gen-common
+
 KEYNAME=autotrust_10key

-LDNS_KEYGEN=ldns-keygen
-LDNS_SIGNZONE=ldns-signzone
-SECALG=8	# RSA/SHA-256
-
-TMPZONE=tmpzone
-
 replace_keys()
 {
 	pubkey1=$(cat "$KEYDIR/$KEYNAME-1.key")
@ -42,23 +37,10 @@ replace_keys()

 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13
 do
-	if [ -f "$KEYDIR/$KEYNAME-$i.key" ]
-	then
-		continue	# Key already exists, remove to regenerate
-	fi
-	mkdir -p "$KEYDIR"
-	keyname=$($LDNS_KEYGEN -a $SECALG -b 2048 -k example.com.)
-	< "$keyname".key sed 's/IN/3600	IN/' > "$KEYDIR/$KEYNAME-$i.key"
-	rm -f "$keyname".key
-	mv "$keyname".private "$KEYDIR/$KEYNAME-$i.private"
-	mv "$keyname".ds "$KEYDIR/$KEYNAME-$i.ds"
+	gen_key_ksk "$KEYDIR/$KEYNAME-$i"
 done

-echo 'example.com. IN SOA host.example.com. user.example.com. (1 7200 3600 2419200 3600)' > $TMPZONE
-cat "$KEYDIR/$KEYNAME"-*.key >> $TMPZONE
-$LDNS_SIGNZONE -e 20091124111500 -i 20091018111500 $TMPZONE "$KEYDIR/$KEYNAME-2"
-sig1=$(grep 'RRSIG[ 	]*DNSKEY' < $TMPZONE.signed )
-rm -f "$TMPZONE" "$TMPZONE.signed"
+sig1=$(sig_keys 2 20091124111500 20091018111500 1 2 3 4 5 6 7 8 9 10 11 12 13)

 < autotrust_10key.rpl.in \
 	replace_keys |
--- a/testdata/gen/gen-autotrust_addpend_2exceed
+++ b/testdata/gen/gen-autotrust_addpend_2exceed
@ -0,0 +1,78 @@
+#!/bin/sh
+
+. ./gen-common
+
+KEYNAME=autotrust_addpend_2exceed
+
+replace_keys()
+{
+	pubkey1=$(cat "$KEYDIR/$KEYNAME-1.key")
+	pubkey2=$(cat "$KEYDIR/$KEYNAME-2.key")
+	pubkey3=$(cat "$KEYDIR/$KEYNAME-3.key")
+	pubkey4=$(cat "$KEYDIR/$KEYNAME-4.key")
+
+	pubkey1_id=$(key_id "$pubkey1")
+	pubkey3_id=$(key_id "$pubkey3")
+	
+	sed "s@PUBKEY1_ID@$pubkey1_id@ ; \
+		s@PUBKEY3_ID@$pubkey3_id@ ; \
+		s@PUBKEY1@$pubkey1@ ; \
+		s@PUBKEY2@$pubkey2@ ; \
+		s@PUBKEY3@$pubkey3@ ; \
+		s@PUBKEY4@$pubkey4@"
+}
+
+gen_key_ksk "$KEYDIR/$KEYNAME-1"
+gen_key_zsk "$KEYDIR/$KEYNAME-2"
+gen_key_ksk "$KEYDIR/$KEYNAME-3"
+gen_key_ksk_revoked "$KEYDIR/$KEYNAME-1" "$KEYDIR/$KEYNAME-4"
+
+
+echo 'example.com. IN SOA host.example.com. user.example.com. (1 7200 3600 2419200 3600)' > $TMPZONE
+echo 'www.example.com. 3600 IN A 10.20.30.40' >>$TMPZONE
+echo 'example.com. 3600 IN NS ns.example.com.' >>$TMPZONE
+echo 'ns.example.com. 3600 IN A 1.2.3.4' >>$TMPZONE
+$LDNS_SIGNZONE -e 20090924111500 -i 20090821111500 $TMPZONE "$KEYDIR/$KEYNAME-2"
+sig1a_pubkey2=$(grep 'www.example.com.*RRSIG[ 	]*A' < $TMPZONE.signed )
+sig1b_pubkey2=$(grep 'IN[ 	]*RRSIG[ 	]*NS[ 	]' < $TMPZONE.signed )
+sig1c_pubkey2=$(grep 'ns.example.com.*RRSIG[ 	]*A' < $TMPZONE.signed )
+rm -f "$TMPZONE" "$TMPZONE.signed"
+
+sig2_pubkey2=$(sig_keys 2 20090924111500 20090821111500 1 2)
+sig2_pubkey1=$(sig_keys 1 20090924111500 20090821111500 1 2)
+
+sig3_pubkey2=$(sig_keys 2 20091024111500 20090921111500 1 3 2)
+sig3_pubkey1=$(sig_keys 1 20091024111500 20090921111500 1 3 2)
+sig3_pubkey3=$(sig_keys 3 20091024111500 20090921111500 1 3 2)
+
+sig4_pubkey2=$(sig_keys 2 20091124111500 20091018111500 3 2)
+sig4_pubkey3=$(sig_keys 3 20091124111500 20091018111500 3 2)
+
+sig5_pubkey2=$(sig_keys 2 20091224111500 20091118111500 4 3 2)
+sig5_pubkey4=$(sig_keys 4 20091224111500 20091118111500 4 3 2)
+sig5_pubkey1=$(sig_keys 1 20091224111500 20091118111500 4 3 2)
+sig5_pubkey3=$(sig_keys 3 20091224111500 20091118111500 4 3 2)
+
+sig6_pubkey2=$(sig_keys 2 20101224111500 20101118111500 3 2)
+sig6_pubkey3=$(sig_keys 3 20101224111500 20101118111500 3 2)
+
+< $KEYNAME.rpl.in \
+	sed "s@SIG1a_PUBKEY2@$sig1a_pubkey2@ ; \
+		s@SIG1b_PUBKEY2@$sig1b_pubkey2@ ; \
+		s@SIG1c_PUBKEY2@$sig1c_pubkey2@ ; \
+		s@SIG2_PUBKEY2@$sig2_pubkey2@ ; \
+		s@SIG2_PUBKEY1@$sig2_pubkey1@ ; \
+		s@SIG3_PUBKEY2@$sig3_pubkey2@ ; \
+		s@SIG3_PUBKEY1@$sig3_pubkey1@ ; \
+		s@SIG3_PUBKEY3@$sig3_pubkey3@ ; \
+		s@SIG4_PUBKEY2@$sig4_pubkey2@ ; \
+		s@SIG4_PUBKEY3@$sig4_pubkey3@ ; \
+		s@SIG5_PUBKEY2@$sig5_pubkey2@ ; \
+		s@SIG5_PUBKEY4@$sig5_pubkey4@ ; \
+		s@SIG5_PUBKEY1@$sig5_pubkey1@ ; \
+		s@SIG5_PUBKEY3@$sig5_pubkey3@ ; \
+		s@SIG6_PUBKEY2@$sig6_pubkey2@ ; \
+		s@SIG6_PUBKEY3@$sig6_pubkey3@ ; \
+	" |
+	replace_keys \
+	> ../$KEYNAME.rpl
--- a/testdata/gen/gen-common
+++ b/testdata/gen/gen-common
@ -0,0 +1,107 @@
+#!/bin/sh
+
+KEYDIR=keys
+
+LDNS_KEYGEN=ldns-keygen
+LDNS_SIGNZONE=ldns-signzone
+SECALG=8	# RSA/SHA-256
+SECBITS=2048
+
+TMPZONE=tmpzone
+
+key_id()
+{
+	expr "$1" : '.*{id = \([0-9]*\).*'
+}
+
+gen_key_ksk()
+{
+	if [ $# -ne 1 ]; then
+		echo >&2 "Usage: gen_key_ksk <file-name>"
+		exit 1
+	fi
+
+	key_file="$1"
+
+
+	if [ -f "$key_file.key" ]
+	then
+		return		# Key already exists, remove to regenerate
+	fi
+	mkdir -p "$KEYDIR"
+	tmp_keyname=$($LDNS_KEYGEN -a $SECALG -b $SECBITS -k example.com.)
+	sed 's/IN/10800	IN/' < "$tmp_keyname".key > "$key_file.key"
+	rm -f "$tmp_keyname".key
+	mv "$tmp_keyname".private "$key_file.private"
+	mv "$tmp_keyname".ds "$key_file.ds"
+}
+
+gen_key_ksk_revoked()
+{
+	if [ $# -ne 2 ]; then
+		echo >&2 "Usage: gen_key_ksk_revoked <orig-file-name> <file-name>"
+		exit 1
+	fi
+
+	orig_key_file="$1"
+	key_file="$2"
+
+
+	if [ -f "$key_file.key" ]
+	then
+		return		# Key already exists, remove to regenerate
+	fi
+	cp "$orig_key_file".key "$key_file".key
+	cp "$orig_key_file".private "$key_file.private"
+	mv "$orig_key_file".ds "$key_file.ds"
+	ldns-revoke "$key_file.key"
+}
+
+gen_key_zsk()
+{
+	if [ $# -ne 1 ]; then
+		echo >&2 "Usage: gen_key_zsk <file-name>"
+		exit 1
+	fi
+
+	key_file="$1"
+
+
+	if [ -f "$key_file.key" ]
+	then
+		return		# Key already exists, remove to regenerate
+	fi
+	mkdir -p "$KEYDIR"
+	tmp_keyname=$($LDNS_KEYGEN -a $SECALG -b $SECBITS example.com.)
+	sed 's/IN/10800	IN/' < "$tmp_keyname".key > "$key_file.key"
+	rm -f "$tmp_keyname".key
+	mv "$tmp_keyname".private "$key_file.private"
+}
+
+sig_keys()
+{
+	if [ $# -lt 4 ]; then
+		echo >&2 'Usage: sig_keys <sig-key-nr> <endtime> <starttime> <key-nr>...'
+		exit 1
+	fi
+	sig_key_nr="$1"
+	shift
+	endtime="$1"
+	shift
+	starttime="$1"
+	shift
+	echo 'example.com. IN SOA host.example.com. user.example.com. (1 7200 3600 2419200 3600)' > $TMPZONE
+	while [ "$1" != "" ]
+	do
+		cat "$KEYDIR/$KEYNAME"-$1.key >> $TMPZONE
+		shift
+	done
+	$LDNS_SIGNZONE -e $endtime -i $starttime $TMPZONE "$KEYDIR/$KEYNAME-$sig_key_nr"
+	#echo '--- signed zone ---' >&2
+	#cat $TMPZONE.signed >&2
+	#echo '--- end signed zone ---' >&2
+	sig=$(grep 'RRSIG[ 	]*DNSKEY' < $TMPZONE.signed )
+	rm -f "$TMPZONE" "$TMPZONE.signed"
+	echo "$sig"
+}
+