Commit d5833623 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡
Browse files

Merge branch '757-unsupported-algorithms-v9_14' into 'v9_14'

Resolve "Investigate and fix what happens when managed-key algorithm is not supported"

See merge request !1816
parents ab125db9 30ec6613
Pipeline #13536 passed with stages
in 1 minute and 27 seconds
......@@ -52,6 +52,9 @@
5193. [bug] EID and NIMLOC failed to do multi-line output
correctly. [GL #899]
 
5190. [bug] Ignore trust anchors using disabled algorithms.
[GL #806]
5189. [cleanup] Remove revoked root DNSKEY from bind.keys. [GL #945]
 
5187. [test] Set time zone before running any tests in dnstap_test.
......
......@@ -165,23 +165,23 @@
* using it has a 'result' variable and a 'cleanup' label.
*/
#define CHECK(op) \
do { result = (op); \
if (result != ISC_R_SUCCESS) goto cleanup; \
do { result = (op); \
if (result != ISC_R_SUCCESS) goto cleanup; \
} while (0)
#define TCHECK(op) \
do { tresult = (op); \
if (tresult != ISC_R_SUCCESS) { \
isc_buffer_clear(*text); \
goto cleanup; \
} \
do { tresult = (op); \
if (tresult != ISC_R_SUCCESS) { \
isc_buffer_clear(*text); \
goto cleanup; \
} \
} while (0)
#define CHECKM(op, msg) \
do { result = (op); \
if (result != ISC_R_SUCCESS) { \
isc_log_write(named_g_lctx, \
NAMED_LOGCATEGORY_GENERAL, \
NAMED_LOGCATEGORY_GENERAL, \
NAMED_LOGMODULE_SERVER, \
ISC_LOG_ERROR, \
"%s: %s", msg, \
......@@ -194,7 +194,7 @@
do { result = (op); \
if (result != ISC_R_SUCCESS) { \
isc_log_write(named_g_lctx, \
NAMED_LOGCATEGORY_GENERAL, \
NAMED_LOGCATEGORY_GENERAL, \
NAMED_LOGMODULE_SERVER, \
ISC_LOG_ERROR, \
"%s '%s': %s", msg, file, \
......@@ -703,7 +703,8 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
static isc_result_t
dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
bool managed, dst_key_t **target, isc_mem_t *mctx)
bool managed, dst_key_t **target, const char **keynamestrp,
isc_mem_t *mctx)
{
dns_rdataclass_t viewclass;
dns_rdata_dnskey_t keystruct;
......@@ -721,12 +722,14 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
dst_key_t *dstkey = NULL;
INSIST(target != NULL && *target == NULL);
INSIST(keynamestrp != NULL && *keynamestrp == NULL);
flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
keyname = dns_fixedname_name(&fkeyname);
keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
*keynamestrp = keynamestr;
if (managed) {
const char *initmethod;
......@@ -760,6 +763,8 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
if (flags > 0xffff)
CHECKM(ISC_R_RANGE, "key flags");
if (flags & DNS_KEYFLAG_REVOKE)
CHECKM(DST_R_BADKEYTYPE, "key flags revoke bit set");
if (proto > 0xff)
CHECKM(ISC_R_RANGE, "key protocol");
if (alg > 0xff)
......@@ -799,26 +804,118 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
return (ISC_R_SUCCESS);
cleanup:
if (result == DST_R_NOCRYPTO) {
if (dstkey != NULL) {
dst_key_free(&dstkey);
}
return (result);
}
/*%
* Parse 'key' in the context of view configuration 'vconfig'. If successful,
* add the key to 'secroots' if both of the following conditions are true:
*
* - 'keyname_match' is NULL or it matches the owner name of 'key',
* - support for the algorithm used by 'key' is not disabled by 'resolver'
* for the owner name of 'key'.
*
* 'managed' is true for managed keys and false for trusted keys. 'mctx' is
* the memory context to use for allocating memory.
*/
static isc_result_t
process_key(const cfg_obj_t *key, const cfg_obj_t *vconfig,
dns_keytable_t *secroots, const dns_name_t *keyname_match,
dns_resolver_t *resolver, bool managed, isc_mem_t *mctx)
{
const dns_name_t *keyname = NULL;
const char *keynamestr = NULL;
dst_key_t *dstkey = NULL;
unsigned int keyalg;
isc_result_t result;
result = dstkey_fromconfig(vconfig, key, managed, &dstkey, &keynamestr,
mctx);
switch (result) {
case ISC_R_SUCCESS:
/*
* Key was parsed correctly, its algorithm is supported by the
* crypto library, and it is not revoked.
*/
keyname = dst_key_name(dstkey);
keyalg = dst_key_alg(dstkey);
break;
case DST_R_UNSUPPORTEDALG:
case DST_R_BADKEYTYPE:
/*
* Key was parsed correctly, but it cannot be used; this is not
* a fatal error - log a warning about this key being ignored,
* but do not prevent any further ones from being processed.
*/
cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
"ignoring %s key for '%s': %s",
managed ? "managed" : "trusted",
keynamestr, isc_result_totext(result));
return (ISC_R_SUCCESS);
case DST_R_NOCRYPTO:
/*
* Crypto support is not available.
*/
cfg_obj_log(key, named_g_lctx, ISC_LOG_ERROR,
"ignoring %s key for '%s': no crypto support",
managed ? "managed" : "trusted",
keynamestr);
} else if (result == DST_R_UNSUPPORTEDALG) {
cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
"skipping %s key for '%s': %s",
managed ? "managed" : "trusted",
keynamestr, isc_result_totext(result));
} else {
return (result);
default:
/*
* Something unexpected happened; we have no choice but to
* indicate an error so that the configuration loading process
* is interrupted.
*/
cfg_obj_log(key, named_g_lctx, ISC_LOG_ERROR,
"configuring %s key for '%s': %s",
managed ? "managed" : "trusted",
keynamestr, isc_result_totext(result));
result = ISC_R_FAILURE;
return (ISC_R_FAILURE);
}
/*
* If the caller requested to only load keys for a specific name and
* the owner name of this key does not match the requested name, do not
* load it.
*/
if (keyname_match != NULL && !dns_name_equal(keyname_match, keyname)) {
goto done;
}
/*
* Ensure that 'resolver' allows using the algorithm of this key for
* its owner name. If it does not, do not load the key and log a
* warning, but do not prevent further keys from being processed.
*/
if (!dns_resolver_algorithm_supported(resolver, keyname, keyalg)) {
cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
"ignoring %s key for '%s': algorithm is disabled",
managed ? "managed" : "trusted", keynamestr);
goto done;
}
if (dstkey != NULL)
/*
* Add the key to 'secroots'. This key is taken from the
* configuration, so if it's a managed key then it's an initializing
* key; that's why 'managed' is duplicated below.
*/
result = dns_keytable_add(secroots, managed, managed, &dstkey);
done:
/*
* Ensure 'dstkey' does not leak. Note that if dns_keytable_add()
* succeeds, ownership of the key structure is transferred to the key
* table, i.e. 'dstkey' is set to NULL.
*/
if (dstkey != NULL) {
dst_key_free(&dstkey);
}
return (result);
}
......@@ -834,8 +931,7 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
const dns_name_t *keyname, isc_mem_t *mctx)
{
const cfg_listelt_t *elt, *elt2;
const cfg_obj_t *key, *keylist;
dst_key_t *dstkey = NULL;
const cfg_obj_t *keylist;
isc_result_t result;
dns_keytable_t *secroots = NULL;
......@@ -851,42 +947,13 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
elt2 != NULL;
elt2 = cfg_list_next(elt2))
{
key = cfg_listelt_value(elt2);
result = dstkey_fromconfig(vconfig, key, managed,
&dstkey, mctx);
if (result == DST_R_UNSUPPORTEDALG) {
result = ISC_R_SUCCESS;
continue;
}
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
/*
* If keyname was specified, we only add that key.
*/
if (keyname != NULL &&
!dns_name_equal(keyname, dst_key_name(dstkey)))
{
dst_key_free(&dstkey);
continue;
}
/*
* This key is taken from the configuration, so
* if it's a managed key then it's an
* initializing key; that's why 'managed'
* is duplicated below.
*/
CHECK(dns_keytable_add(secroots, managed,
managed, &dstkey));
CHECK(process_key(cfg_listelt_value(elt2), vconfig,
secroots, keyname, view->resolver,
managed, mctx));
}
}
cleanup:
if (dstkey != NULL) {
dst_key_free(&dstkey);
}
if (secroots != NULL) {
dns_keytable_detach(&secroots);
}
......@@ -10599,7 +10666,7 @@ add_zone_tolist(dns_zone_t *zone, void *uap) {
struct zonelistentry *zle;
zle = isc_mem_get(dctx->mctx, sizeof *zle);
if (zle == NULL)
if (zle == NULL)
return (ISC_R_NOMEMORY);
zle->zone = NULL;
dns_zone_attach(zone, &zle->zone);
......
......@@ -127,6 +127,29 @@ digcomp() {
return $result
}
#
# Useful variables in test scripts
#
# Default algorithm for testing.
DEFAULT_ALGORITHM=ECDSAP256SHA256
DEFAULT_ALGORITHM_NUMBER=13
DEFAULT_BITS=256
# This is an alternative algorithm for test cases that require more than
# one algorithm (for example algorithm rollover). Must be different from
# DEFAULT_ALGORITHM.
ALTERNATIVE_ALGORITHM=RSASHA256
ALTERNATIVE_ALGORITHM_NUMBER=8
ALTERNATIVE_BITS=1280
# This is an algorithm that is used for tests against the
# "disable-algorithms" configuration option. Must be different from above
# algorithms.
DISABLED_ALGORITHM=ECDSAP384SHA384
DISABLED_ALGORITHM_NUMBER=14
DISABLED_BITS=384
#
# Useful functions in test scripts
#
......@@ -281,6 +304,45 @@ get_named_xfer_stats() {
echo "bytes=`grep "${PEER}" "${LOGFILE}" | sed -n "s/.*${ZONE}.* \([0-9][0-9]*\) bytes.*/\1/p" | tail -1`"
}
# copy_setports - Copy Configuration File and Replace Ports
#
# Convenience function to copy a configuration file, replacing the tokens
# QUERYPORT, CONTROLPORT and EXTRAPORT[1-8] with the values of the equivalent
# environment variables. (These values are set by "run.sh", which calls the
# scripts invoking this function.)
#
# Usage:
# copy_setports infile outfile
#
copy_setports() {
# The indirect method of handling the substitution of the PORT variables
# (defining "atsign" then substituting for it in the "sed" statement) is
# required to prevent the "Configure" script (in the win32utils/ directory)
# from replacing the <at>PORT<at> substitution tokens when it processes
# this file and produces conf.sh.
atsign="@"
sed -e "s/${atsign}PORT${atsign}/${PORT}/g" \
-e "s/${atsign}EXTRAPORT1${atsign}/${EXTRAPORT1}/g" \
-e "s/${atsign}EXTRAPORT2${atsign}/${EXTRAPORT2}/g" \
-e "s/${atsign}EXTRAPORT3${atsign}/${EXTRAPORT3}/g" \
-e "s/${atsign}EXTRAPORT4${atsign}/${EXTRAPORT4}/g" \
-e "s/${atsign}EXTRAPORT5${atsign}/${EXTRAPORT5}/g" \
-e "s/${atsign}EXTRAPORT6${atsign}/${EXTRAPORT6}/g" \
-e "s/${atsign}EXTRAPORT7${atsign}/${EXTRAPORT7}/g" \
-e "s/${atsign}EXTRAPORT8${atsign}/${EXTRAPORT8}/g" \
-e "s/${atsign}CONTROLPORT${atsign}/${CONTROLPORT}/g" \
-e "s/${atsign}DEFAULT_ALGORITHM${atsign}/${DEFAULT_ALGORITHM}/g" \
-e "s/${atsign}DEFAULT_ALGORITHM_NUMBER${atsign}/${DEFAULT_ALGORITHM_NUMBER}/g" \
-e "s/${atsign}DEFAULT_BITS${atsign}/${DEFAULT_BITS}/g" \
-e "s/${atsign}ALTERNATIVE_ALGORITHM${atsign}/${ALTERNATIVE_ALGORITHM}/g" \
-e "s/${atsign}ALTERNATIVE_ALGORITHM_NUMBER${atsign}/${ALTERNATIVE_ALGORITHM_NUMBER}/g" \
-e "s/${atsign}ALTERNATIVE_BITS${atsign}/${ALTERNATIVE_BITS}/g" \
-e "s/${atsign}DISABLED_ALGORITHM${atsign}/${DISABLED_ALGORITHM}/g" \
-e "s/${atsign}DISABLED_ALGORITHM_NUMBER${atsign}/${DISABLED_ALGORITHM_NUMBER}/g" \
-e "s/${atsign}DISABLED_BITS${atsign}/${DISABLED_BITS}/g" \
$1 > $2
}
#
# Export command paths
#
......
......@@ -17,16 +17,6 @@
# Find the top of the BIND9 tree.
TOP=@abs_top_builddir@
# Default algorithm for testing
DEFAULT_ALGORITHM=ECDSAP256SHA256
DEFAULT_ALGORITHM_NUMBER=13
DEFAULT_BITS=256
# must be different from DEFAULT_ALGORITHM
ALTERNATIVE_ALGORITHM=RSASHA256
ALTERNATIVE_ALGORITHM_NUMBER=8
ALTERNATIVE_BITS=1280
ARPANAME=$TOP/bin/tools/arpaname
CDS=$TOP/bin/dnssec/dnssec-cds
CHECKCONF=$TOP/bin/check/named-checkconf
......@@ -146,36 +136,5 @@ HAVEJSONSTATS=@JSONSTATS@
ZLIB=@ZLIB@
NZD=@NZD_TOOLS@
# copy_setports - Copy Configuration File and Replace Ports
# Unfortunately it has to be different on Windows.
#
# Convenience function to copy a configuration file, replacing the tokens
# QUERYPORT, CONTROLPORT and EXTRAPORT[1-8] with the values of the equivalent
# environment variables. (These values are set by "run.sh", which calls the
# scripts invoking this function.)
#
# Usage:
# copy_setports infile outfile
copy_setports() {
sed -e "s/@PORT@/${PORT}/g" \
-e "s/@EXTRAPORT1@/${EXTRAPORT1}/g" \
-e "s/@EXTRAPORT2@/${EXTRAPORT2}/g" \
-e "s/@EXTRAPORT3@/${EXTRAPORT3}/g" \
-e "s/@EXTRAPORT4@/${EXTRAPORT4}/g" \
-e "s/@EXTRAPORT5@/${EXTRAPORT5}/g" \
-e "s/@EXTRAPORT6@/${EXTRAPORT6}/g" \
-e "s/@EXTRAPORT7@/${EXTRAPORT7}/g" \
-e "s/@EXTRAPORT8@/${EXTRAPORT8}/g" \
-e "s/@CONTROLPORT@/${CONTROLPORT}/g" \
-e "s/@DEFAULT_ALGORITHM@/${DEFAULT_ALGORITHM}/g" \
-e "s/@DEFAULT_ALGORITHM_NUMBER@/${DEFAULT_ALGORITHM_NUMBER}/g" \
-e "s/@DEFAULT_BITS@/${DEFAULT_BITS}/g" \
-e "s/@ALTERNATIVE_ALGORITHM@/${ALTERNATIVE_ALGORITHM}/g" \
-e "s/@ALTERNATIVE_ALGORITHM_NUMBER@/${ALTERNATIVE_ALGORITHM_NUMBER}/g" \
-e "s/@ALTERNATIVE_BITS@/${ALTERNATIVE_BITS}/g" \
$1 > $2
}
# The rest is shared between Windows and Unices
. $TOP/bin/tests/system/conf.sh.common
......@@ -158,42 +158,5 @@ HAVEJSONSTATS=@JSONSTATS@
ZLIB=@ZLIB@
NZD=@NZD_TOOLS@
# copy_setports - Copy Configuration File and Replace Ports
# Unfortunately it has to be different on Windows.
#
# Convenience function to copy a configuration file, replacing the tokens
# QUERYPORT, CONTROLPORT and EXTRAPORT[1-8] with the values of the equivalent
# environment variables. (These values are set by "run.sh", which calls the
# scripts invoking this function.)
#
# Usage:
# copy_setports infile outfile
copy_setports() {
# The indirect method of handling the substitution of the PORT variables
# (defining "atsign" then substituting for it in the "sed" statement) is
# required because to prevent the "Configure" script (in the the
# bin9/win32utils directory) replacing the the <at>PORT<at> substitution
# tokens when it processes this file and produces conf.sh.
atsign="@"
sed -e "s/${atsign}PORT${atsign}/${PORT}/g" \
-e "s/${atsign}EXTRAPORT1${atsign}/${EXTRAPORT1}/g" \
-e "s/${atsign}EXTRAPORT2${atsign}/${EXTRAPORT2}/g" \
-e "s/${atsign}EXTRAPORT3${atsign}/${EXTRAPORT3}/g" \
-e "s/${atsign}EXTRAPORT4${atsign}/${EXTRAPORT4}/g" \
-e "s/${atsign}EXTRAPORT5${atsign}/${EXTRAPORT5}/g" \
-e "s/${atsign}EXTRAPORT6${atsign}/${EXTRAPORT6}/g" \
-e "s/${atsign}EXTRAPORT7${atsign}/${EXTRAPORT7}/g" \
-e "s/${atsign}EXTRAPORT8${atsign}/${EXTRAPORT8}/g" \
-e "s/${atsign}CONTROLPORT${atsign}/${CONTROLPORT}/g" \
-e "s/${atsign}DEFAULT_ALGORITHM${atsign}/${DEFAULT_ALGORITHM}/g" \
-e "s/${atsign}DEFAULT_ALGORITHM_NUMBER${atsign}/${DEFAULT_ALGORITHM_NUMBER}/g" \
-e "s/${atsign}DEFAULT_BITS${atsign}/${DEFAULT_BITS}/g" \
-e "s/${atsign}ALTERNATIVE_ALGORITHM${atsign}/${ALTERNATIVE_ALGORITHM}/g" \
-e "s/${atsign}ALTERNATIVE_ALGORITHM_NUMBER${atsign}/${ALTERNATIVE_ALGORITHM_NUMBER}/g" \
-e "s/${atsign}ALTERNATIVE_BITS${atsign}/${ALTERNATIVE_BITS}/g" \
$1 > $2
}
# The rest is shared between Windows and Unices
. $TOP/bin/tests/system/conf.sh.common
......@@ -16,6 +16,7 @@ rm -f ns1/dsset-*
rm -f ns1/*.signed
rm -f ns1/signer.err
rm -f ns1/root.db
rm -f ns1/trusted.conf
rm -f ns2/K*
rm -f ns2/dlvset-*
rm -f ns2/dsset-*
......@@ -25,18 +26,19 @@ rm -f ns2/signer.err
rm -f ns2/druz.db
rm -f ns3/K*
rm -f ns3/*.db
rm -f ns3/*.signed
rm -f ns3/*.signed ns3/*.signed.tmp
rm -f ns3/dlvset-*
rm -f ns3/dsset-*
rm -f ns3/keyset-*
rm -f ns1/trusted.conf ns5/trusted.conf
rm -f ns3/trusted-dlv.conf ns5/trusted-dlv.conf
rm -f ns3/trusted*.conf
rm -f ns3/signer.err
rm -f ns5/trusted*.conf
rm -f ns6/K*
rm -f ns6/*.db
rm -f ns6/*.signed
rm -f ns6/dsset-*
rm -f ns6/signer.err
rm -f ns7/trusted*.conf ns8/trusted*.conf
rm -f */named.memstats
rm -f dig.out.ns*.test*
rm -f ns*/named.lock
......
......@@ -13,7 +13,14 @@ $TTL 120
@ NS ns.rootservers.utld
ns A 10.53.0.1
;
; A zone that is unsigned (utld=unsigned tld) that will include a second level
; zone that acts as a DLV.
;
utld NS ns.utld
ns.utld A 10.53.0.2
;
; A zone that has a bad DNSKEY RRset but has good DLV records for its child
; zones.
;
druz NS ns.druz
ns.druz A 10.53.0.2
......@@ -34,3 +34,5 @@ echo_i "signed $zone"
keyfile_to_trusted_keys $keyname2 > trusted.conf
cp trusted.conf ../ns5
cp trusted.conf ../ns7
cp trusted.conf ../ns8
......@@ -22,6 +22,17 @@ options {
dnssec-enable yes;
};
/* Root hints. */
zone "." { type hint; file "hints"; };
/*
* A zone that is unsigned (utld=unsigned tld) that will include a second level
* zone that acts as a DLV.
*/
zone "utld" { type master; file "utld.db"; };
/*
* A zone that has a bad DNSKEY RRset but has good DLV records for its child
* zones.
*/
zone "druz" { type master; file "druz.signed"; };
......@@ -18,6 +18,12 @@ ns.rootservers A 10.53.0.1
dlv NS ns.dlv
ns.dlv A 10.53.0.3
;
disabled-algorithm-dlv NS ns.disabled-algorithm-dlv
ns.disabled-algorithm-dlv A 10.53.0.3
;
unsupported-algorithm-dlv NS ns.unsupported-algorithm-dlv
ns.unsupported-algorithm-dlv A 10.53.0.3
;
child1 NS ns.child1
ns.child1 A 10.53.0.3
;
......@@ -47,3 +53,9 @@ ns.child9 A 10.53.0.3
;
child10 NS ns.child10
ns.child10 A 10.53.0.3
;
disabled-algorithm NS ns.disabled-algorithm
ns.disabled-algorithm A 10.53.0.3
;
unsupported-algorithm NS ns.unsupported-algorithm
ns.unsupported-algorithm A 10.53.0.3
......@@ -22,21 +22,121 @@ options {
dnssec-enable yes;
};
/* Root hints. */
zone "." { type hint; file "hints"; };
zone "dlv.utld" { type master; file "dlv.signed"; };
zone "child1.utld" { type master; file "child1.signed"; }; // dlv
zone "child3.utld" { type master; file "child3.signed"; }; // dlv
zone "child4.utld" { type master; file "child4.signed"; }; // dlv
zone "child5.utld" { type master; file "child5.signed"; }; // dlv
zone "child7.utld" { type master; file "child7.signed"; }; // no dlv
zone "child8.utld" { type master; file "child8.signed"; }; // no dlv
zone "child9.utld" { type master; file "child9.signed"; }; // dlv
zone "child10.utld" { type master; file "child.db.in"; }; // dlv unsigned
zone "child1.druz" { type master; file "child1.druz.signed"; }; // dlv
zone "child3.druz" { type master; file "child3.druz.signed"; }; // dlv
zone "child4.druz" { type master; file "child4.druz.signed"; }; // dlv
zone "child5.druz" { type master; file "child5.druz.signed"; }; // dlv
zone "child7.druz" { type master; file "child7.druz.signed"; }; // no dlv
zone "child8.druz" { type master; file "child8.druz.signed"; }; // no dlv
zone "child9.druz" { type master; file "child9.druz.signed"; }; // dlv
zone "child10.druz" { type master; file "child.db.in"; }; // dlv unsigned
/* DLV zone below unsigned TLD. */
zone "dlv.utld" { type master; file "dlv.utld.signed"; };
/* DLV zone signed with a disabled algorithm below unsigned TLD. */
zone "disabled-algorithm-dlv.utld." {
type master;
file "disabled-algorithm-dlv.utld.signed";
};
/* DLV zone signed with an unsupported algorithm below unsigned TLD. */
zone "unsupported-algorithm-dlv.utld." {
type master;
file "unsupported-algorithm-dlv.utld.signed";
};
/* Signed zone below unsigned TLD with DLV entry. */
zone "child1.utld" { type master; file "child1.signed"; };
/*
* Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
* with a disabled algorithm.
*/
zone "child3.utld" { type master; file "child3.signed"; };
/*
* Signed zone below unsigned TLD with DLV entry. This one is slightly
* different because its children (the grandchildren) don't have a DS record in
* this zone. The grandchild zones are served by ns6.
*
*/
zone "child4.utld" { type master; file "child4.signed"; };
/*
* Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
* with an unsupported algorithm.
*/
zone "child5.utld" { type master; file "child5.signed"; };
/* Signed zone below unsigned TLD without DLV entry. */
zone "child7.utld" { type master; file "child7.signed"; };
/*
* Signed zone below unsigned TLD without DLV entry and no DS records for the
* grandchildren.
*/
zone "child8.utld" { type master; file "child8.signed"; };
/* Signed zone below unsigned TLD with DLV entry. */
zone "child9.utld" { type master; file "child9.signed"; };
/* Unsigned zone below an unsigned TLD with DLV entry. */
zone "child10.utld" { type master; file "child.db.in"; };
/*
* Zone signed with a disabled algorithm (an algorithm that is disabled in
* one of the test resolvers) with DLV entry.
*/
zone "disabled-algorithm.utld" {
type master;
file "disabled-algorithm.utld.signed";
};
/* Zone signed with an unsupported algorithm with DLV entry. */
zone "unsupported-algorithm.utld" {
type master;