Commit 9e67676c authored by Michał Kępień's avatar Michał Kępień

Improve and extend "auto-dnssec" tests

Just testing whether an NSEC3 record exists with the DNSKEY bit set in
its type bitmap is arguably not a solid enough test for how named
processes a signed zone with "auto-dnssec maintain;" set and extra keys
available.  Rather than querying a resolver for a record at the apex of
such a zone, get the whole zone from an authoritative server and run it
through dnssec-verify to improve the comprehensiveness of the test.

Add similar tests for signed zones which have extra keys using a
different algorithm available.

Prevent zone file duplication by making all relevant tests use the same
source file, "auto-nsec.example.db.in".
parent 37cf8f71
Pipeline #14613 passed with stages
in 17 minutes and 28 seconds
......@@ -52,7 +52,8 @@ rm -f ./ns2/single-nsec3.db
rm -f ./ns2/updatecheck-kskonly.secure.*
rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db
rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp
rm -f ./ns3/auto-nsec.example.db ./ns3/auto-nsec3.example.db
rm -f ./ns3/auto-nsec.example.db ./ns3/auto-nsec-two-algos.example.db
rm -f ./ns3/auto-nsec3.example.db ./ns3/auto-nsec3-two-algos.example.db
rm -f ./ns3/badds.example.db
rm -f ./ns3/dname-at-apex-nsec3.example.db
rm -f ./ns3/dnskey-nsec3-unknown.example.db
......@@ -110,3 +111,4 @@ rm -f ./signer/general/signer.out.*
rm -f ./signer/nsec3param.out
rm -f ./signer/signer.out.*
rm -f ./signing.out*
rm -f ./verify.out*
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a
private NS ns.private
ns.private A 10.53.0.2
insecure NS ns.insecure
ns.insecure A 10.53.0.2
nosoa NS ns.nosoa
ns.nosoa A 10.53.0.7
normalthenrrsig A 10.0.0.28
rrsigonly A 10.0.0.29
......@@ -212,6 +212,13 @@ zone "auto-nsec.example" {
file "auto-nsec.example.db.signed";
};
zone "auto-nsec-two-algos.example" {
type master;
auto-dnssec maintain;
allow-update { !0.0.0.0; };
file "auto-nsec-two-algos.example.db.signed";
};
zone "auto-nsec3.example" {
type master;
auto-dnssec maintain;
......@@ -219,6 +226,13 @@ zone "auto-nsec3.example" {
file "auto-nsec3.example.db.signed";
};
zone "auto-nsec3-two-algos.example" {
type master;
auto-dnssec maintain;
allow-update { !0.0.0.0; };
file "auto-nsec3-two-algos.example.db.signed";
};
zone "insecure.below-cname.example" {
type master;
file "insecure.below-cname.example.db";
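Review bot: The two new zone blocks copy `allow-update { !0.0.0.0; };` without saying what it is for; as far as I can tell this address match list has no positive element, so every update is refused, and its only effect is to make the zone dynamic, which `auto-dnssec maintain;` requires. A one-line comment above each block, e.g. `// refuse all updates; the zone only needs to be dynamic for auto-dnssec maintain`, would stop a later edit from mistaking it for a real ACL. The same form presumably appears in the existing auto-nsec.example and auto-nsec3.example blocks, whose headers are outside the hunks.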
......
......@@ -416,8 +416,9 @@ cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1
#
# A NSEC signed zone that will have auto-dnssec enabled and
# extra keys not in the initial signed zone.
# An NSEC-signed zone with "auto-dnssec maintain;" set which has two additional
# keys generated that are not present in the initial signed zone and are using
# the same algorithm as the two keys present in the initial signed zone.
#
zone=auto-nsec.example.
infile=auto-nsec.example.db.in
......@@ -431,11 +432,28 @@ cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
#
# A NSEC3 signed zone that will have auto-dnssec enabled and
# extra keys not in the initial signed zone.
# An NSEC-signed zone with "auto-dnssec maintain;" set which has two additional
# keys generated that are not present in the initial signed zone and are using
# a different algorithm than the two keys present in the initial signed zone.
#
zone=auto-nsec-two-algos.example.
infile=auto-nsec.example.db.in
zonefile=auto-nsec-two-algos.example.db
kskname=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone")
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
#
# An NSEC3-signed zone with "auto-dnssec maintain;" set which has two additional
# keys generated that are not present in the initial signed zone and are using
# the same algorithm as the two keys present in the initial signed zone.
#
zone=auto-nsec3.example.
infile=auto-nsec3.example.db.in
infile=auto-nsec.example.db.in
zonefile=auto-nsec3.example.db
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
......@@ -445,6 +463,22 @@ zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1
#
# An NSEC3-signed zone with "auto-dnssec maintain;" set which has two additional
# keys generated that are not present in the initial signed zone and are using a
# different algorithm than the two keys present in the initial signed zone.
#
zone=auto-nsec3-two-algos.example.
infile=auto-nsec.example.db.in
zonefile=auto-nsec3-two-algos.example.db
kskname=$("$KEYGEN" -q -3 -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone")
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1
#
# Secure below cname test zone.
#
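Review bot: In both new two-algos blocks the first `kskname`/`zskname` pair (the `$ALTERNATIVE_ALGORITHM` keys) is overwritten two lines later, so those names are never used and a reader may take it for a copy-paste slip; it appears to be deliberate, since the new comment says the extra keys must exist but stay out of the initial signed zone. A comment on the first pair, e.g. `# Generate the extra keys first; their names are intentionally discarded so only the default-algorithm keys go into the initial signed zone.`, would make that explicit in both the NSEC and the NSEC3 hunk. A failed `$KEYGEN` also leaves the variable empty, after which `cat` and the `$SIGNER` call (output discarded) silently produce a zone without those keys; that matches the existing blocks, but an `|| exit 1` after each `$(...)` assignment would surface the failure here rather than as a confusing verify failure in tests.sh.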
......
......@@ -2447,22 +2447,34 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)"
echo_i "checking new keys processing for a signed zone with auto-dnssec (NSEC, 1 algorithm) ($n)"
ret=0
dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1
dig_with_opts axfr auto-nsec.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
$VERIFY -o auto-nsec.example. dig.out.ns3.test$n > verify.out.$n 2>&1 || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)"
echo_i "checking new keys processing for a signed zone with auto-dnssec (NSEC, 2 algorithms) ($n)"
ret=0
dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1
dig_with_opts axfr auto-nsec-two-algos.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
$VERIFY -o auto-nsec-two-algos.example. dig.out.ns3.test$n > verify.out.$n 2>&1 || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking new keys processing for a signed zone with auto-dnssec (NSEC3, 1 algorithm) ($n)"
ret=0
dig_with_opts axfr auto-nsec3.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
$VERIFY -o auto-nsec3.example. dig.out.ns3.test$n > verify.out.$n 2>&1 || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking new keys processing for a signed zone with auto-dnssec (NSEC3, 2 algorithms) ($n)"
ret=0
dig_with_opts axfr auto-nsec3-two-algos.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
$VERIFY -o auto-nsec3-two-algos.example. dig.out.ns3.test$n > verify.out.$n 2>&1 || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
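Review bot: The four new checks transfer the zone and run `$VERIFY` immediately, so unless an earlier step already waits for named to finish signing with the extra keys, the AXFR can capture a zone that is only partly re-signed and dnssec-verify will fail intermittently; no such wait is visible in the hunk, so a short retry loop may be warranted. `$VERIFY` is also left unquoted on the verify lines while sign.sh quotes `"$SIGNER"` and `"$KEYGEN"`; `"$VERIFY" -o auto-nsec.example. dig.out.ns3.test$n > verify.out.$n 2>&1 || ret=1` would keep the two scripts consistent. The four bodies differ only in the zone name, so a small helper taking the zone as `$1` would remove the repetition. The enclosing test sequence continues outside the hunk.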
......