Commit 6b470bbf authored by Mark Andrews's avatar Mark Andrews

verify that auto-dnssec maintain generates and signs NSEC3 records with DNAME at the apex

parent 06e218c4
......@@ -12,9 +12,9 @@
rm -f */K* */dsset-* */*.signed */tmp* */*.jnl */*.bk
rm -f */core
rm -f */example.bk
rm -f */named.conf
rm -f */named.memstats
rm -f */named.run
rm -f */named.conf
rm -f */trusted.conf */private.conf
rm -f activate-now-publish-1day.key
rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key
......@@ -24,6 +24,7 @@ rm -f digcomp.out.test*
rm -f digcomp.out.test*
rm -f missingzsk.key inactivezsk.key
rm -f nopriv.key vanishing.key del1.key del2.key
rm -f ns*/managed-keys.bind*
rm -f ns*/named.lock
rm -f ns*/named.lock
rm -f ns1/root.db
......@@ -32,11 +33,12 @@ rm -f ns2/private.secure.example.db ns2/bar.db
rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
rm -f ns3/*.nzf
rm -f ns3/autonsec3.example.db
rm -f ns3/delzsk.example.db
rm -f ns3/dname-at-apex-nsec3.example.db
rm -f ns3/inacksk2.example.db
rm -f ns3/inacksk3.example.db
rm -f ns3/inaczsk2.example.db
rm -f ns3/inaczsk3.example.db
rm -f ns3/delzsk.example.db
rm -f ns3/kg.out ns3/s.out ns3/st.out
rm -f ns3/kskonly.example.db
rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
......@@ -64,4 +66,3 @@ rm -f nsupdate.out
rm -f settime.out.*
rm -f signing.out.*
rm -f sync.key
rm -f ns*/managed-keys.bind*
......@@ -82,3 +82,5 @@ ns.nsec3-to-nsec A 10.53.0.3
oldsigs NS ns.oldsigs
ns.oldsigs A 10.53.0.3
dname-at-apex-nsec3 NS ns3
......@@ -15,7 +15,8 @@ SYSTEMTESTTOP=../..
# Have the child generate subdomain keys and pass DS sets to us.
( cd ../ns3 && $SHELL keygen.sh )
for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync
for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync \
dname-at-apex-nsec3
do
cp ../ns3/dsset-$subdomain.example$TP .
done
......
$TTL 600
@ SOA ns3.example. . 1 1200 1200 1814400 3600
@ NS ns3.example.
@ DNAME example.
@ NSEC3PARAM 1 0 0 -
......@@ -325,3 +325,12 @@ ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
zsk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -I now-1w $zone 2>kg.out` || dumpit kg.out
echo $zsk > ../delzsk.key
#
# Check that NSEC3 are correctly signed and returned from below a DNAME
#
setup dname-at-apex-nsec3.example
cp $infile $zonefile
ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
......@@ -289,4 +289,11 @@ zone "delzsk.example." {
auto-dnssec maintain;
};
zone "dname-at-apex-nsec3.example" {
type master;
file "dname-at-apex-nsec3.example.db";
allow-update { any; };
auto-dnssec maintain;
};
include "trusted.conf";
......@@ -1449,5 +1449,13 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)"
ret=0
$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "RRSIG NSEC3 7 3 3600" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment