Commit 06e218c4 authored by Mark Andrews's avatar Mark Andrews

verify that dnssec-signzone generates NSEC3 records with DNAME at the apex

parent 4ccff3bb
......@@ -11,9 +11,9 @@
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
rm -f */example.bk
rm -f */named.conf
rm -f */named.memstats
rm -f */
rm -f */named.conf
rm -f */named.secroots
rm -f */tmp* */*.jnl */*.bk */*.jbk
rm -f */trusted.conf */managed.conf */revoked.conf
......@@ -27,6 +27,7 @@ rm -f keygen.err
rm -f named.secroots.test*
rm -f nosign.before
rm -f ns*/*.nta
rm -f ns*/managed-keys.bind* ns*/*.mkeys*
rm -f ns*/named.lock
rm -f ns1/
rm -f ns1/root.db ns2/example.db ns3/secure.example.db
......@@ -47,6 +48,7 @@ rm -f ns2/
rm -f ns2/single-nsec3.db
rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db
rm -f ns3/badds.example.db
rm -f ns3/dname-at-apex-nsec3.example.db
rm -f ns3/dnskey-nsec3-unknown.example.db
rm -f ns3/dnskey-nsec3-unknown.example.db.tmp
rm -f ns3/dnskey-unknown.example.db
......@@ -84,17 +86,16 @@ rm -f ns6/optout-tld.db
rm -f ns7/multiple.example.bk ns7/nsec3.example.bk ns7/optout.example.bk
rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit
rm -f nsupdate.out*
rm -f python.out.*
rm -f rndc.out.*
rm -f signer/*.db
rm -f signer/**
rm -f signer/*.signed.pre*
rm -f signer/example.db.after signer/example.db.before
rm -f signer/example.db.changed
rm -f signer/nsec3param.out
rm -f signer/signer.out.*
rm -f signer/general/dsset*
rm -f signer/general/
rm -f signer/general/signer.out.*
rm -f signer/general/dsset*
rm -f signer/nsec3param.out
rm -f signer/signer.out.*
rm -f signing.out*
rm -f python.out.*
rm -f ns*/managed-keys.bind* ns*/*.mkeys*
......@@ -158,3 +158,5 @@ ns.managed-future A
revkey NS ns.revkey
ns.revkey A
dname-at-apex-nsec3 NS ns3
......@@ -24,7 +24,8 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \
nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
ttlpatch split-dnssec split-smart expired expiring upper lower \
dnskey-unknown dnskey-nsec3-unknown managed-future revkey
dnskey-unknown dnskey-nsec3-unknown managed-future revkey \
cp ../ns3/dsset-$subdomain.example$TP .
$TTL 600
@ SOA ns3.example. . 1 1200 1200 1814400 3600
@ NS ns3.example.
@ DNAME example.
......@@ -294,6 +294,11 @@ zone "revkey.example" {
file "revkey.example.db.signed";
zone "dname-at-apex-nsec3.example" {
type master;
file "dname-at-apex-nsec3.example.db.signed";
include "siginterval.conf";
include "trusted.conf";
......@@ -543,3 +543,14 @@ zsk1=`$KEYGEN -q -a RSASHA1 -3 $zone`
cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile
$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
# Check that NSEC3 are correctly signed and returned from below a DNAME
kskname=`$KEYGEN -q -a RSASHA256 -3fk $zone`
zskname=`$KEYGEN -q -a RSASHA256 -3 $zone`
cat $infile $kskname.key $zskname.key >$zonefile
$SIGNER -P -3 - -o $zone $zonefile > /dev/null 2>&1
......@@ -3569,6 +3569,14 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)"
$DIG $DIGOPTS txt dname-at-apex-nsec3.example @ > dig.out.ns3.test$n || ret=1
grep "RRSIG.NSEC3 8 3 3600" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
# Note: after this check, ns4 will not be validating any more; do not add any
# further validation tests employing ns4 below this check.
echo_i "check that validation defaults to off when dnssec-enable is off ($n)"
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment