Commit 24519a23 authored by Mark Andrews's avatar Mark Andrews

Merge branch 'michal-extend-dname-dnssec-tests-v9_12' into 'v9_12'

Extend DNAME DNSSEC tests

See merge request !1211
parents 923c0b92 4c23d842
......@@ -12,9 +12,9 @@
rm -f */K* */dsset-* */*.signed */tmp* */*.jnl */*.bk
rm -f */core
rm -f */example.bk
rm -f */named.conf
rm -f */named.memstats
rm -f */named.run
rm -f */named.conf
rm -f */trusted.conf */private.conf
rm -f activate-now-publish-1day.key
rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key
......@@ -24,6 +24,7 @@ rm -f digcomp.out.test*
rm -f digcomp.out.test*
rm -f missingzsk.key inactivezsk.key
rm -f nopriv.key vanishing.key del1.key del2.key
rm -f ns*/managed-keys.bind*
rm -f ns*/named.lock
rm -f ns*/named.lock
rm -f ns1/root.db
......@@ -32,11 +33,12 @@ rm -f ns2/private.secure.example.db ns2/bar.db
rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
rm -f ns3/*.nzf
rm -f ns3/autonsec3.example.db
rm -f ns3/delzsk.example.db
rm -f ns3/dname-at-apex-nsec3.example.db
rm -f ns3/inacksk2.example.db
rm -f ns3/inacksk3.example.db
rm -f ns3/inaczsk2.example.db
rm -f ns3/inaczsk3.example.db
rm -f ns3/delzsk.example.db
rm -f ns3/kg.out ns3/s.out ns3/st.out
rm -f ns3/kskonly.example.db
rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
......
......@@ -82,3 +82,5 @@ ns.nsec3-to-nsec A 10.53.0.3
oldsigs NS ns.oldsigs
ns.oldsigs A 10.53.0.3
dname-at-apex-nsec3 NS ns3
......@@ -15,7 +15,8 @@ SYSTEMTESTTOP=../..
# Have the child generate subdomain keys and pass DS sets to us.
( cd ../ns3 && $SHELL keygen.sh )
for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync
for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync \
dname-at-apex-nsec3
do
cp ../ns3/dsset-$subdomain.example$TP .
done
......
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 600
@ SOA ns3.example. . 1 1200 1200 1814400 3600
@ NS ns3.example.
@ DNAME example.
@ NSEC3PARAM 1 0 0 -
......@@ -325,3 +325,12 @@ ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
zsk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -I now-1w $zone 2>kg.out` || dumpit kg.out
echo $zsk > ../delzsk.key
#
# Check that NSEC3 are correctly signed and returned from below a DNAME
#
setup dname-at-apex-nsec3.example
cp $infile $zonefile
ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
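Review bot: The algorithm chosen on the two `$KEYGEN` lines (`-a RSASHA1 -3`, i.e. NSEC3RSASHA1, algorithm 7) is silently coupled to the `grep "RRSIG NSEC3 7 3 3600"` check added in autosign/tests.sh, and the dnssec counterpart in ns3/sign.sh (`-a RSASHA256`, algorithm 8) is coupled the same way to its `RRSIG.NSEC3 8 3 3600` grep; nothing in either file records that dependency. A one-line comment above the keygen calls would spare the next person who changes the algorithm a confusing test failure, e.g. `# algorithm 7 (NSEC3RSASHA1): tests.sh greps for "NSEC3 7" in the RRSIG`. `setup` and `dumpit` are defined outside the hunk, so whether a failed keygen aborts the script cannot be confirmed from here.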
......@@ -289,4 +289,11 @@ zone "delzsk.example." {
auto-dnssec maintain;
};
zone "dname-at-apex-nsec3.example" {
type master;
file "dname-at-apex-nsec3.example.db";
allow-update { any; };
auto-dnssec maintain;
};
include "trusted.conf";
......@@ -31,3 +31,5 @@ ns.private A 10.53.0.2
insecure NS ns.insecure
ns.insecure A 10.53.0.2
dname-and-txt DNAME @
TXT "DNAME and TXT"
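Review bot: The `TXT "DNAME and TXT"` record carries no owner field and takes its owner from the preceding `dname-and-txt DNAME @` line, so any record inserted between the two later would silently re-own the TXT and break the "not treated as a delegation" check in tests.sh. Writing the owner explicitly, `dname-and-txt TXT "DNAME and TXT"`, costs nothing and makes the intent (a second type at the same name as the DNAME) visible at a glance.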
......@@ -1449,5 +1449,23 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)"
ret=0
$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "RRSIG NSEC3 7 3 3600" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking that DNAME is not treated as a delegation when signing ($n)"
ret=0
$DIG $DIGOPTS dname-and-txt.secure.example. DNAME @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
grep "dname-and-txt.secure.example.*RRSIG.*DNAME" dig.out.ns3.1.test$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS dname-and-txt.secure.example. TXT @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
grep "dname-and-txt.secure.example.*RRSIG.*TXT" dig.out.ns3.2.test$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
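Review bot: `grep "RRSIG NSEC3 7 3 3600"` on the first new dig output separates the RRSIG type from its rdata with a space as rendered here, whereas the matching check in dnssec/tests.sh uses `RRSIG.NSEC3 8 3 3600`; dig normally emits a tab between the type and rdata columns, so unless the character in the source is actually a tab this pattern never matches and the test always reports "failed". Using the same form as the sibling, `grep "RRSIG.NSEC3 7 3 3600" dig.out.ns3.test$n > /dev/null || ret=1`, makes the check independent of which whitespace dig prints and of how the file is rendered. The two greps in the second new check (`RRSIG.*DNAME`, `RRSIG.*TXT`) already use the tolerant form, so only the NSEC3 line needs aligning.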
......@@ -11,9 +11,9 @@
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
rm -f */example.bk
rm -f */named.conf
rm -f */named.memstats
rm -f */named.run
rm -f */named.conf
rm -f */named.secroots
rm -f */tmp* */*.jnl */*.bk */*.jbk
rm -f */trusted.conf */managed.conf */revoked.conf
......@@ -27,6 +27,7 @@ rm -f keygen.err
rm -f named.secroots.test*
rm -f nosign.before
rm -f ns*/*.nta
rm -f ns*/managed-keys.bind* ns*/*.mkeys*
rm -f ns*/named.lock
rm -f ns1/managed.key.id
rm -f ns1/root.db ns2/example.db ns3/secure.example.db
......@@ -47,6 +48,7 @@ rm -f ns2/private.secure.example.db
rm -f ns2/single-nsec3.db
rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db
rm -f ns3/badds.example.db
rm -f ns3/dname-at-apex-nsec3.example.db
rm -f ns3/dnskey-nsec3-unknown.example.db
rm -f ns3/dnskey-nsec3-unknown.example.db.tmp
rm -f ns3/dnskey-unknown.example.db
......@@ -84,15 +86,16 @@ rm -f ns6/optout-tld.db
rm -f ns7/multiple.example.bk ns7/nsec3.example.bk ns7/optout.example.bk
rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit
rm -f nsupdate.out*
rm -f python.out.*
rm -f rndc.out.*
rm -f signer/*.db
rm -f signer/*.signed.post*
rm -f signer/*.signed.pre*
rm -f signer/example.db.after signer/example.db.before
rm -f signer/example.db.changed
rm -f signer/nsec3param.out
rm -f signer/signer.out.*
rm -f signer/general/dsset*
rm -f signer/general/signed.zone
rm -f signer/general/signer.out.*
rm -f signer/general/dsset*
rm -f signer/nsec3param.out
rm -f signer/signer.out.*
rm -f signing.out*
......@@ -158,3 +158,5 @@ ns.managed-future A 10.53.0.3
revkey NS ns.revkey
ns.revkey A 10.53.0.3
dname-at-apex-nsec3 NS ns3
......@@ -24,7 +24,8 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \
nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
ttlpatch split-dnssec split-smart expired expiring upper lower \
dnskey-unknown dnskey-nsec3-unknown managed-future revkey
dnskey-unknown dnskey-nsec3-unknown managed-future revkey \
dname-at-apex-nsec3
do
cp ../ns3/dsset-$subdomain.example$TP .
done
......
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 600
@ SOA ns3.example. . 1 1200 1200 1814400 3600
@ NS ns3.example.
@ DNAME example.
......@@ -294,6 +294,11 @@ zone "revkey.example" {
file "revkey.example.db.signed";
};
zone "dname-at-apex-nsec3.example" {
type master;
file "dname-at-apex-nsec3.example.db.signed";
};
include "siginterval.conf";
include "trusted.conf";
......@@ -543,3 +543,14 @@ zsk1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 $zone`
cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# Check that NSEC3 are correctly signed and returned from below a DNAME
#
zone=dname-at-apex-nsec3.example
infile=dname-at-apex-nsec3.example.db.in
zonefile=dname-at-apex-nsec3.example.db
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -3fk $zone`
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -3 $zone`
cat $infile $kskname.key $zskname.key >$zonefile
$SIGNER -P -r $RANDFILE -3 - -o $zone $zonefile > /dev/null 2>&1
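Review bot: The new `$SIGNER` invocation discards both stdout and stderr and its exit status is not checked, so a signing failure (unreadable key file, rejected option) leaves no `dname-at-apex-nsec3.example.db.signed` and only surfaces later as a zone-load error in ns3 and a failed dig in tests.sh; the line above for the previous zone does the same, so this is the file's convention rather than something the commit introduced. Keeping stderr for the new call, `$SIGNER -P -r $RANDFILE -3 - -o $zone $zonefile > /dev/null`, would make a signing problem diagnosable at the point it occurs without changing the signed output. The `zone=`/`infile=`/`zonefile=` assignments follow the usage visible on the preceding lines (`$infile`, `$zonefile`), so no issue there.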
......@@ -3532,5 +3532,13 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)"
ret=0
$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "RRSIG.NSEC3 8 3 3600" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
......@@ -511,6 +511,7 @@
./bin/tests/system/autosign/ns3/autonsec3.example.db.in ZONE 2011,2016,2018
./bin/tests/system/autosign/ns3/delay.example.db ZONE 2011,2016,2018
./bin/tests/system/autosign/ns3/delzsk.example.db.in ZONE 2018
./bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in ZONE 2018
./bin/tests/system/autosign/ns3/inacksk2.example.db.in ZONE 2017,2018
./bin/tests/system/autosign/ns3/inacksk3.example.db.in ZONE 2017,2018
./bin/tests/system/autosign/ns3/inaczsk.example.db.in ZONE 2011,2016,2018
......@@ -1010,6 +1011,7 @@
./bin/tests/system/dnssec/ns3/auto-nsec.example.db.in ZONE 2011,2016,2018
./bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in ZONE 2011,2016,2018
./bin/tests/system/dnssec/ns3/bogus.example.db.in ZONE 2000,2001,2004,2007,2014,2016,2018
./bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in ZONE 2018
./bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in ZONE 2014,2016,2018
./bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in ZONE 2014,2016,2018
./bin/tests/system/dnssec/ns3/dynamic.example.db.in ZONE 2002,2004,2007,2016,2018
......