Commit c9accfde authored by Michał Kępień's avatar Michał Kępień

Perform basic resolution checks with a mirror zone in use

Make ns3 mirror the "root" zone from ns1 and query the former for a
properly signed record below the root.  Ensure ns1 is not queried during
resolution and that the AD bit is set in the response.
parent edbb256c
......@@ -19,3 +19,8 @@ options {
listen-on-v6 { none; };
recursion no;
};
zone "." {
type master;
file "root.db.signed";
};
......@@ -11,3 +11,5 @@ $TTL 3600
@ SOA a.root-servers.nil. hostmaster 2000010100 3600 1200 604800 3600
@ NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
example NS ns2.example.
ns2.example. A 10.53.0.2
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
( cd ../ns2 && $SHELL -e sign.sh )
cp ../ns2/dsset-* .
zone=.
infile=root.db.in
zonefile=root.db
keyname1=`$KEYGEN -a RSASHA256 -f KSK $zone 2> /dev/null`
keyname2=`$KEYGEN -a RSASHA256 $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null
keyfile_to_trusted_keys $keyname1 > trusted.conf
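Review bot: The `$SIGNER -P -g -o $zone $zonefile` call turns off dnssec-signzone's post-sign verification for the zone whose KSK is then written to trusted.conf as a trust anchor, and nothing in the script says why. This root zone is meant to be properly signed, so `-P` looks unnecessary here. Dropping it would make a signing mistake fail at setup time instead of surfacing later as a missing AD bit; if it must stay, a comment such as `# -P: <reason verification is skipped>` should record the intent. The same applies to the `example` loop added to ns2/sign.sh. Separately, `2> /dev/null` on both `$KEYGEN` calls means a key-generation failure stops the script under `-e` without any diagnostic.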
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 3600
@ SOA ns2 hostmaster 1 3600 1200 604800 3600
@ NS ns2
ns2 A 10.53.0.2
foo A 127.0.0.1
......@@ -29,6 +29,11 @@ options {
recursion no;
};
zone "example" {
type master;
file "example.db.signed";
};
zone "verify-axfr" {
type master;
file "verify-axfr.db.signed";
......
......@@ -14,6 +14,19 @@ SYSTEMTESTTOP=../..
keys_to_trust=""
for zonename in example; do
zone=$zonename
infile=$zonename.db.in
zonefile=$zonename.db
keyname1=`$KEYGEN -a RSASHA256 -f KSK $zone 2> /dev/null`
keyname2=`$KEYGEN -a RSASHA256 $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -P -o $zone $zonefile > /dev/null
done
ORIGINAL_SERIAL=`awk '$2 == "SOA" {print $5}' verify.db.in`
UPDATED_SERIAL_BAD=`expr ${ORIGINAL_SERIAL} + 1`
UPDATED_SERIAL_GOOD=`expr ${ORIGINAL_SERIAL} + 2`
......
......@@ -34,6 +34,13 @@ zone "." {
file "../../common/root.hint";
};
zone "." {
type slave;
masters { 10.53.0.1; };
mirror yes;
file "root.db.mirror";
};
zone "verify-axfr" {
type slave;
masters { 10.53.0.2; };
......@@ -71,4 +78,5 @@ zone "verify-untrusted" {
file "verify-untrusted.db.mirror";
};
include "../ns1/trusted.conf";
include "../ns2/trusted-mirror.conf";
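Review bot: The new `zone "."` block sits directly below an existing `zone "."` that loads `../../common/root.hint`, and neither it nor the trust-anchor includes at the end of the file carry a comment, so it is not obvious which anchor validates the mirrored root. I would add `/* Mirror of the root zone served by ns1; verified against the anchor in ../ns1/trusted.conf. */` above the block and `/* Root trust anchor written by ns1/sign.sh. */` above the `../ns1/trusted.conf` include. Which of the two include lines is new cannot be told from this rendering.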
......@@ -18,7 +18,7 @@ copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
( cd ns2 && $SHELL -e sign.sh )
( cd ns1 && $SHELL -e sign.sh )
cat ns2/verify-axfr.db.bad.signed > ns2/verify-axfr.db.signed
cat ns2/verify-ixfr.db.original.signed > ns2/verify-ixfr.db.signed
......
......@@ -204,5 +204,17 @@ grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that resolution involving a mirror zone works as expected ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 foo.example A > dig.out.ns3.test$n 2>&1 || ret=1
# Check response code and flags in the answer.
grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
# Ensure ns1 was not queried.
grep "query 'foo.example/A/IN'" ns1/named.run > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
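Review bot: The "ns1 was not queried" assertion, `grep "query 'foo.example/A/IN'" ns1/named.run > /dev/null && ret=1`, passes vacuously when ns1/named.run is missing or ns1 does not log queries in that form, because grep's non-zero exit simply leaves ret at 0. A positive control would make it meaningful, e.g. `[ -s ns1/named.run ] || ret=1` before the grep, or sending ns1 a direct query first and checking that it does appear in the log. The response-code check is also loose: `grep "NOERROR"` matches the string anywhere in the dig output, so `grep "status: NOERROR"` would pin it to the header line.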
......@@ -1598,6 +1598,8 @@
./bin/tests/system/mirror/clean.sh SH 2018
./bin/tests/system/mirror/ns1/named.conf.in CONF-C 2018
./bin/tests/system/mirror/ns1/root.db.in ZONE 2018
./bin/tests/system/mirror/ns1/sign.sh SH 2018
./bin/tests/system/mirror/ns2/example.db.in ZONE 2018
./bin/tests/system/mirror/ns2/named.conf.in CONF-C 2018
./bin/tests/system/mirror/ns2/sign.sh SH 2018
./bin/tests/system/mirror/ns2/verify.db.in ZONE 2018
......