Commit ccac107d authored by Mark Andrews's avatar Mark Andrews

verify that auto-dnssec maintain generates and signs NSEC3 records with DNAME at the apex

(cherry picked from commit 6b470bbf)
parent 4731ee6a
......@@ -12,6 +12,7 @@
rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
rm -f */core
rm -f */example.bk
rm -f */named.conf
rm -f */named.memstats
rm -f */named.run
rm -f */named.conf
......@@ -23,6 +24,7 @@ rm -f digcomp.out.test*
rm -f digcomp.out.test*
rm -f missingzsk.key inactivezsk.key
rm -f nopriv.key vanishing.key del1.key del2.key
rm -f ns*/managed-keys.bind*
rm -f ns*/named.lock
rm -f ns*/named.lock
rm -f ns1/root.db
......@@ -31,11 +33,12 @@ rm -f ns2/private.secure.example.db ns2/bar.db
rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
rm -f ns3/*.nzf
rm -f ns3/autonsec3.example.db
rm -f ns3/delzsk.example.db
rm -f ns3/dname-at-apex-nsec3.example.db
rm -f ns3/inacksk2.example.db
rm -f ns3/inacksk3.example.db
rm -f ns3/inaczsk2.example.db
rm -f ns3/inaczsk3.example.db
rm -f ns3/delzsk.example.db
rm -f ns3/kg.out ns3/s.out ns3/st.out
rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
rm -f ns3/nsec.example.db
......
......@@ -82,3 +82,5 @@ ns.nsec3-to-nsec A 10.53.0.3
oldsigs NS ns.oldsigs
ns.oldsigs A 10.53.0.3
dname-at-apex-nsec3 NS ns3
......@@ -15,7 +15,8 @@ SYSTEMTESTTOP=../..
# Have the child generate subdomain keys and pass DS sets to us.
( cd ../ns3 && $SHELL keygen.sh )
for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync
for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync \
dname-at-apex-nsec3
do
cp ../ns3/dsset-$subdomain.example$TP .
done
......
$TTL 600
@ SOA ns3.example. . 1 1200 1200 1814400 3600
@ NS ns3.example.
@ DNAME example.
@ NSEC3PARAM 1 0 0 -
......@@ -316,3 +316,12 @@ ksk=`$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
zsk=`$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -I now-1w $zone 2>kg.out` || dumpit kg.out
echo $zsk > ../delzsk.key
#
# Check that NSEC3 are correctly signed and returned from below a DNAME
#
setup dname-at-apex-nsec3.example
cp $infile $zonefile
ksk=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -3 -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
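Review bot: The header comment `# Check that NSEC3 are correctly signed and returned from below a DNAME` does not match the setup it introduces — the zone file puts the DNAME at the apex (`@ DNAME example.`) and the tests.sh check is titled "DNAME at apex with NSEC3" — so a reader will look for a DNAME owner above the queried names; suggest `# Check that NSEC3 records are correctly signed and returned when a DNAME is at the zone apex`. The two new `$KEYGEN` lines also pass `-r $RANDFILE` while the delzsk lines directly above them do not; whichever form the rest of the file uses, the new block should follow it. The setup/cleanup conventions (`setup`, `$zone`, `$infile`, `$zonefile`) are defined outside this hunk, so I could not confirm them here.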
......@@ -281,4 +281,11 @@ zone "delzsk.example." {
auto-dnssec maintain;
};
zone "dname-at-apex-nsec3.example" {
type master;
file "dname-at-apex-nsec3.example.db";
allow-update { any; };
auto-dnssec maintain;
};
include "trusted.conf";
......@@ -1424,5 +1424,13 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)"
ret=0
$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "RRSIG NSEC3 7 3 3600" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
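Review bot: The new check only asserts that some `RRSIG NSEC3` line appears in the dig output; dig exits 0 on any DNS rcode, so a wrong-but-signed response (e.g. NXDOMAIN for the apex name, which exists) would still pass. Since a query for the apex itself is not redirected by the DNAME, the expected answer is NOERROR/NODATA with an NSEC3 denial, so add `grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1` next to the existing grep. The literal `"RRSIG NSEC3 7 3 3600"` pins algorithm 7 (NSEC3RSASHA1 from ns3/keygen.sh), a 3-label owner and TTL 3600 (which looks like the SOA minimum in the new zone file), so a short comment naming those sources would save the next person from guessing why the number changes if the zone or key algorithm does. The `$DIG` output is assumed to include DNSSEC records via `$DIGOPTS`, which is set outside this hunk.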
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 600
@ SOA ns3.example. . 1 1200 1200 1814400 3600
@ NS ns3.example.
......
......@@ -609,6 +609,7 @@
./bin/tests/system/autosign/ns3/autonsec3.example.db.in ZONE 2011,2016,2018
./bin/tests/system/autosign/ns3/delay.example.db ZONE 2011,2016,2018
./bin/tests/system/autosign/ns3/delzsk.example.db.in ZONE 2018
./bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in ZONE 2018
./bin/tests/system/autosign/ns3/inacksk2.example.db.in ZONE 2017,2018
./bin/tests/system/autosign/ns3/inacksk3.example.db.in ZONE 2017,2018
./bin/tests/system/autosign/ns3/inaczsk.example.db.in ZONE 2011,2016,2018
......