Commit ef9b9035 authored by Michał Kępień's avatar Michał Kępień

Merge branch '873-do-not-check-sep-bit-for-mirror-zone-trust-anchors' into 'master'

Do not check SEP bit for mirror zone trust anchors

Closes #873

See merge request !1506
parents 724663c1 2b19b851
Pipeline #9960 passed with stages
in 58 seconds
5161. [bug] Do not require the SEP bit to be set for mirror zone
trust anchors. [GL #873]
5160. [contrib] Added DNAME support to the DLZ LDAP schema. Also
fixed a compilation bug affecting several DLZ
modules. [GL #872]
......
......@@ -55,6 +55,11 @@ zone "verify-axfr" {
file "verify-axfr.db.signed";
};
zone "verify-csk" {
type master;
file "verify-csk.db.signed";
};
zone "verify-ixfr" {
type master;
file "verify-ixfr.db.signed";
......
......@@ -32,6 +32,18 @@ done
# the "root" zone on ns1.
keys_to_trust="$keys_to_trust $keyname1"
# Prepare a zone signed using a Combined Signing Key (CSK) without the SEP bit
# set and add that key to the list of keys to trust.
zone=verify-csk
infile=verify.db.in
zonefile=verify-csk.db
keyname=`$KEYGEN -a RSASHA256 $zone 2> /dev/null`
cat $infile $keyname.key > $zonefile
$SIGNER -P -o $zone $zonefile > /dev/null
keys_to_trust="$keys_to_trust $keyname"
# Prepare remaining zones used in the test.
ORIGINAL_SERIAL=`awk '$2 == "SOA" {print $5}' verify.db.in`
UPDATED_SERIAL_BAD=`expr ${ORIGINAL_SERIAL} + 1`
UPDATED_SERIAL_GOOD=`expr ${ORIGINAL_SERIAL} + 2`
......
......@@ -56,6 +56,12 @@ zone "verify-axfr" {
file "verify-axfr.db.mirror";
};
zone "verify-csk" {
type mirror;
masters { 10.53.0.2; };
file "verify-csk.db.mirror";
};
zone "verify-ixfr" {
type mirror;
masters { 10.53.0.2; };
......
......@@ -92,11 +92,23 @@ wait_for_transfer verify-untrusted
$DIG $DIGOPTS @10.53.0.3 +norec verify-untrusted SOA > dig.out.ns3.test$n 2>&1 || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted KSK DNSKEY found" > /dev/null || ret=1
nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted DNSKEY found" > /dev/null || ret=1
nextpartpeek ns3/named.run | grep "verify-untrusted.*mirror zone is now in use" > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that a mirror zone signed using a CSK without the SEP bit set is accepted ($n)"
ret=0
nextpartreset ns3/named.run
wait_for_transfer verify-csk
$DIG $DIGOPTS @10.53.0.3 +norec verify-csk SOA > dig.out.ns3.test$n 2>&1 || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
nextpartpeek ns3/named.run | grep "verify-csk.*mirror zone is now in use" > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that an AXFR of an incorrectly signed mirror zone is rejected ($n)"
ret=0
......
......@@ -19816,7 +19816,7 @@ dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) {
origin = dns_db_origin(db);
result = dns_zoneverify_dnssec(zone, db, version, origin, secroots,
zone->mctx, false, false);
zone->mctx, true, false);
done:
if (secroots != NULL) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment