From: Kees Monshouwer
Date: Wed, 12 Apr 2023 22:50:08 +0000 (+0200)
Subject: auth: add nsec at delegation point test
X-Git-Tag: auth-4.8.0-beta1~8^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0f074be5c1b0b283d33de603d1ca92d914a15b33;p=thirdparty%2Fpdns.git
auth: add nsec at delegation point test
---
diff --git a/modules/tinydnsbackend/data b/modules/tinydnsbackend/data
index a668509735..7a262b3eda 100644
--- a/modules/tinydnsbackend/data
+++ b/modules/tinydnsbackend/data
@@ -20271,6 +20271,7 @@ Znztest.com:ns1.nztest.com.:ahu.example.com.:2005092501:28800:7200:604800:86400:
 +ns2.secure-delegated.dnssec-parent.com:5.6.7.8:3600
 +something1.auth-ent.dnssec-parent.com:1.1.2.3:3600
 :secure-delegated.dnssec-parent.com:43:\324\057\010\002\240\271\303\214\323\044\030\052\360\357f\203\015\012\016\205\241\325\211y\311\203N\030\310qw\236\004\010W\267:3600
+C\052.dnssec-parent.com:secure-delegated.dnssec-parent.com.:3600
 Cwww.dnssec-parent.com:www.insecure.dnssec-parent.com.:3600
 Zdnssec-parent.com:ns1.dnssec-parent.com.:ahu.example.com.:2005092501:28800:7200:604800:86400:3600
 #2000081501 auto axfr-get
diff --git a/modules/tinydnsbackend/data.cdb b/modules/tinydnsbackend/data.cdb
index e70be8d883..b71ae2d51e 100644
Binary files a/modules/tinydnsbackend/data.cdb and b/modules/tinydnsbackend/data.cdb differ
diff --git a/regression-tests.nobackend/tinydns-data-check/command b/regression-tests.nobackend/tinydns-data-check/command
index 81e2dcd516..0139d4987d 100755
--- a/regression-tests.nobackend/tinydns-data-check/command
+++ b/regression-tests.nobackend/tinydns-data-check/command
@@ -8,4 +8,5 @@ for zone in `cat ../regression-tests/named.conf | grep 'zone ' | cut -f 2 -d \"`
 do
 ${MD5SUM} ../regression-tests/zones/$zone
 done
+${MD5SUM} ../modules/tinydnsbackend/data
 ${MD5SUM} ../modules/tinydnsbackend/data.cdb
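Review bot: The added `${MD5SUM} ../modules/tinydnsbackend/data` line in tinydns-data-check/command pins the text source, but nothing ties the committed `data.cdb` to it: the two files are hashed independently, and the cdb change in this commit appears only as "Binary files ... differ", so it cannot be reviewed from the diff. The check catches a fixture edited without updating expected_result; it would not catch a cdb built from different input when both hashes are updated together, and MD5 serves here as a change detector, not as tamper protection. Where tinydns-data is available to the test run, consider rebuilding the cdb from `data` in a scratch directory and comparing it with the committed file (for example with `cmp`), assuming the build is byte-reproducible. The `for` loop above the added line begins outside the hunk.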
diff --git a/regression-tests.nobackend/tinydns-data-check/expected_result b/regression-tests.nobackend/tinydns-data-check/expected_result
index bba64c82c8..71c0ebda7a 100644
--- a/regression-tests.nobackend/tinydns-data-check/expected_result
+++ b/regression-tests.nobackend/tinydns-data-check/expected_result
@@ -4,7 +4,7 @@ e5e3ee998d151fe194b98997eaa36c53 ../regression-tests/zones/test.dyndns
 dee3e8b568549d9450134b555ca73990 ../regression-tests/zones/sub.test.dyndns
 e7c0fd528e8aaedb1ea3b6daaead4de2 ../regression-tests/zones/wtest.com
 42b442de632686e94bde75acf66cf524 ../regression-tests/zones/nztest.com
-b06133eb32c5bdf346223563501ba8f8 ../regression-tests/zones/dnssec-parent.com
+7f79c98efdb1d3d2318ac666d2fb5642 ../regression-tests/zones/dnssec-parent.com
 e9be89b6e5e0da8910c69e46f35d20ab ../regression-tests/zones/insecure.dnssec-parent.com
 6510bf48aa3ca3501b73a1f510852a34 ../regression-tests/zones/delegated.dnssec-parent.com
 a63dc120391d9df0003f2ec4f461a6af ../regression-tests/zones/secure-delegated.dnssec-parent.com
@@ -15,4 +15,5 @@ a98864b315f16bcf49ce577426063c42 ../regression-tests/zones/cdnskey-cds-test.com
 9aeed2c26d0c3ba3baf22dfa9568c451 ../regression-tests/zones/2.0.192.in-addr.arpa
 99c73e8b5db5781fec1ac3fa6a2662a9 ../regression-tests/zones/cryptokeys.org
 1f9e19be0cff67330f3a0a5347654f91 ../regression-tests/zones/hiddencryptokeys.org
-ab699fca1a52598202a1494cddd192ff ../modules/tinydnsbackend/data.cdb
+964425367cec0d828222b144c4e1c540 ../modules/tinydnsbackend/data
+f3932b1df41d683f47516455b571c358 ../modules/tinydnsbackend/data.cdb
diff --git a/regression-tests/tests/axfr/expected_result b/regression-tests/tests/axfr/expected_result
index d831426e48..09e9dfaeb3 100644
--- a/regression-tests/tests/axfr/expected_result
+++ b/regression-tests/tests/axfr/expected_result
@@ -1,3 +1,4 @@
+*.dnssec-parent.com. 3600 IN CNAME secure-delegated.dnssec-parent.com.
 delegated.dnssec-parent.com. 3600 IN NS ns1.delegated.dnssec-parent.com.
 delegated.dnssec-parent.com. 3600 IN NS ns2.delegated.dnssec-parent.com.
 dnssec-parent.com. 3600 IN A 9.9.9.9
diff --git a/regression-tests/tests/axfr/expected_result.dnssec b/regression-tests/tests/axfr/expected_result.dnssec
index 4aac677664..6930c4ce25 100644
--- a/regression-tests/tests/axfr/expected_result.dnssec
+++ b/regression-tests/tests/axfr/expected_result.dnssec
@@ -1,3 +1,7 @@
+*.dnssec-parent.com. 3600 IN CNAME secure-delegated.dnssec-parent.com.
+*.dnssec-parent.com. 3600 IN NSEC insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. CNAME RRSIG NSEC
+*.dnssec-parent.com. 3600 IN RRSIG CNAME 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+*.dnssec-parent.com. 3600 IN RRSIG NSEC 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 delegated.dnssec-parent.com. 3600 IN NS ns1.delegated.dnssec-parent.com.
 delegated.dnssec-parent.com. 3600 IN NS ns2.delegated.dnssec-parent.com.
 delegated.dnssec-parent.com. 3600 IN NSEC insecure.dnssec-parent.com. NS RRSIG NSEC
@@ -5,7 +9,7 @@ delegated.dnssec-parent.com. 3600 IN RRSIG NSEC 13 3 3600 [expiry] [inception] [
 dnssec-parent.com. 3600 IN A 9.9.9.9
 dnssec-parent.com. 3600 IN NS ns1.dnssec-parent.com.
 dnssec-parent.com. 3600 IN NS ns2.dnssec-parent.com.
-dnssec-parent.com. 3600 IN NSEC insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. A NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY
+dnssec-parent.com. 3600 IN NSEC *.dnssec-parent.com. A NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY
 dnssec-parent.com. 3600 IN RRSIG A 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 dnssec-parent.com. 3600 IN RRSIG NS 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 dnssec-parent.com. 3600 IN RRSIG NSEC 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
diff --git a/regression-tests/tests/axfr/expected_result.nsec3 b/regression-tests/tests/axfr/expected_result.nsec3
index 8b9d290b3b..15b8162179 100644
--- a/regression-tests/tests/axfr/expected_result.nsec3
+++ b/regression-tests/tests/axfr/expected_result.nsec3
@@ -1,3 +1,7 @@
+*.dnssec-parent.com. 3600 IN CNAME secure-delegated.dnssec-parent.com.
+*.dnssec-parent.com. 3600 IN NSEC3 1 0 1 abcd [next owner] CNAME RRSIG
+*.dnssec-parent.com. 3600 IN RRSIG CNAME 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+*.dnssec-parent.com. 3600 IN RRSIG NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 auth-ent.dnssec-parent.com. 3600 IN NSEC3 1 0 1 abcd [next owner]
 auth-ent.dnssec-parent.com. 3600 IN RRSIG NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 delegated.dnssec-parent.com. 3600 IN NS ns1.delegated.dnssec-parent.com.
diff --git a/regression-tests/tests/axfr/expected_result.nsec3-optout b/regression-tests/tests/axfr/expected_result.nsec3-optout
index c4da9a3352..ad6ce2201f 100644
--- a/regression-tests/tests/axfr/expected_result.nsec3-optout
+++ b/regression-tests/tests/axfr/expected_result.nsec3-optout
@@ -1,3 +1,7 @@
+*.dnssec-parent.com. 3600 IN CNAME secure-delegated.dnssec-parent.com.
+*.dnssec-parent.com. 3600 IN NSEC3 1 1 1 abcd [next owner] CNAME RRSIG
+*.dnssec-parent.com. 3600 IN RRSIG CNAME 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+*.dnssec-parent.com. 3600 IN RRSIG NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 auth-ent.dnssec-parent.com. 3600 IN NSEC3 1 1 1 abcd [next owner]
 auth-ent.dnssec-parent.com. 3600 IN RRSIG NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 delegated.dnssec-parent.com. 3600 IN NS ns1.delegated.dnssec-parent.com.
diff --git a/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.nsec3-optout b/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.nsec3-optout
index 96aff471d8..680fef8692 100644
--- a/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.nsec3-optout
+++ b/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.nsec3-optout
@@ -2,7 +2,7 @@
 1 7on3vems0f8k9999ikei0ig4lfijekdr.dnssec-parent.com. 3600 IN RRSIG NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 1 dnssec-parent.com. 3600 IN RRSIG SOA 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 1 dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
-1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. 3600 IN NSEC3 1 1 1 abcd NIH4L3ODLUG7EN20PENJ8DGNU4OHC98F A NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
+1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. 3600 IN NSEC3 1 1 1 abcd K25OPIULTRKGKRMR3UC09CSK20QHT1LJ A NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
 1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. 3600 IN RRSIG NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 2 . 32768 IN OPT
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
diff --git a/regression-tests/tests/ent-unsigned-delegation/expected_result.dnssec b/regression-tests/tests/ent-unsigned-delegation/expected_result.dnssec
index 6a7cb56858..c9444d0f6c 100644
--- a/regression-tests/tests/ent-unsigned-delegation/expected_result.dnssec
+++ b/regression-tests/tests/ent-unsigned-delegation/expected_result.dnssec
@@ -1,5 +1,5 @@
-1 dnssec-parent.com. 3600 IN NSEC insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. A NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY
-1 dnssec-parent.com. 3600 IN RRSIG NSEC 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1 *.dnssec-parent.com. 3600 IN NSEC insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. CNAME RRSIG NSEC
+1 *.dnssec-parent.com. 3600 IN RRSIG NSEC 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 1 dnssec-parent.com. 3600 IN RRSIG SOA 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 1 dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
 2 . 32768 IN OPT
diff --git a/regression-tests/tests/nsec-at-delegation/command b/regression-tests/tests/nsec-at-delegation/command
new file mode 100755
index 0000000000..58ee8e88e1
--- /dev/null
+++ b/regression-tests/tests/nsec-at-delegation/command
@@ -0,0 +1,2 @@
+#!/bin/sh
+cleandig secure-delegated1.dnssec-parent.com A dnssec
diff --git a/regression-tests/tests/nsec-at-delegation/description b/regression-tests/tests/nsec-at-delegation/description
new file mode 100644
index 0000000000..d59bcc5845
--- /dev/null
+++ b/regression-tests/tests/nsec-at-delegation/description
@@ -0,0 +1 @@
+Check that we generate the right NSECs when the NSEC name is a delegation point.
diff --git a/regression-tests/tests/nsec-at-delegation/expected_result b/regression-tests/tests/nsec-at-delegation/expected_result
new file mode 100644
index 0000000000..19f980e090
--- /dev/null
+++ b/regression-tests/tests/nsec-at-delegation/expected_result
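Review bot: The new nsec-at-delegation/command gives no hint why `secure-delegated1` is the query name, and the one-line description does not say it either. Judging from expected_result, the name has no node of its own, is answered through the `*.dnssec-parent.com` wildcard, and is covered by the NSEC owned by the `secure-delegated` zone cut, whose bitmap is the parent-side `NS DS RRSIG NSEC`. I would record that next to the query or in the description, e.g. `# secure-delegated1 sorts right after the secure-delegated cut: the wildcard proof must be the parent-side NSEC (NS DS RRSIG NSEC, signed by dnssec-parent.com)`. With that written down, a later fixture change that moves the covering NSEC away from the delegation reads as a weakened test instead of being regenerated silently.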
@@ -0,0 +1,9 @@
+0 secure-delegated.dnssec-parent.com. 3600 IN A 9.9.9.9
+0 secure-delegated.dnssec-parent.com. 3600 IN RRSIG A 8 3 3600 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
+0 secure-delegated1.dnssec-parent.com. 3600 IN CNAME secure-delegated.dnssec-parent.com.
+0 secure-delegated1.dnssec-parent.com. 3600 IN RRSIG CNAME 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1 secure-delegated.dnssec-parent.com. 3600 IN NSEC www.dnssec-parent.com. NS DS RRSIG NSEC
+1 secure-delegated.dnssec-parent.com. 3600 IN RRSIG NSEC 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+2 . 32768 IN OPT
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='secure-delegated1.dnssec-parent.com.', qtype=A
diff --git a/regression-tests/tests/nsec-at-delegation/expected_result.narrow b/regression-tests/tests/nsec-at-delegation/expected_result.narrow
new file mode 100644
index 0000000000..dafbed6491
--- /dev/null
+++ b/regression-tests/tests/nsec-at-delegation/expected_result.narrow
@@ -0,0 +1,9 @@
+0 secure-delegated.dnssec-parent.com. 3600 IN A 9.9.9.9
+0 secure-delegated.dnssec-parent.com. 3600 IN RRSIG A 8 3 3600 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
+0 secure-delegated1.dnssec-parent.com. 3600 IN CNAME secure-delegated.dnssec-parent.com.
+0 secure-delegated1.dnssec-parent.com. 3600 IN RRSIG CNAME 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1 1an9kidorpirlabrh3be2n8k5taoe1v0.dnssec-parent.com. 3600 IN NSEC3 1 [flags] 1 abcd 1AN9KIDORPIRLABRH3BE2N8K5TAOE1V2
+1 1an9kidorpirlabrh3be2n8k5taoe1v0.dnssec-parent.com. 3600 IN RRSIG NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+2 . 32768 IN OPT
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='secure-delegated1.dnssec-parent.com.', qtype=A
diff --git a/regression-tests/tests/nsec-at-delegation/expected_result.nsec3 b/regression-tests/tests/nsec-at-delegation/expected_result.nsec3
new file mode 100644
index 0000000000..e65ad7a677
--- /dev/null
+++ b/regression-tests/tests/nsec-at-delegation/expected_result.nsec3
@@ -0,0 +1,9 @@
+0 secure-delegated.dnssec-parent.com. 3600 IN A 9.9.9.9
+0 secure-delegated.dnssec-parent.com. 3600 IN RRSIG A 8 3 3600 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
+0 secure-delegated1.dnssec-parent.com. 3600 IN CNAME secure-delegated.dnssec-parent.com.
+0 secure-delegated1.dnssec-parent.com. 3600 IN RRSIG CNAME 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1 u97st412oa8b4bgjc1dgtb4qi5di8dmv.dnssec-parent.com. 3600 IN NSEC3 1 [flags] 1 abcd 1SCAQA30LQ0DO5EIRNE4KPJFBEBFGR54
+1 u97st412oa8b4bgjc1dgtb4qi5di8dmv.dnssec-parent.com. 3600 IN RRSIG NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+2 . 32768 IN OPT
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='secure-delegated1.dnssec-parent.com.', qtype=A
diff --git a/regression-tests/tests/nsec-at-delegation/expected_result.nsec3-optout b/regression-tests/tests/nsec-at-delegation/expected_result.nsec3-optout
new file mode 100644
index 0000000000..aee66ded27
--- /dev/null
+++ b/regression-tests/tests/nsec-at-delegation/expected_result.nsec3-optout
@@ -0,0 +1,9 @@
+0 secure-delegated.dnssec-parent.com. 3600 IN A 9.9.9.9
+0 secure-delegated.dnssec-parent.com. 3600 IN RRSIG A 8 3 3600 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
+0 secure-delegated1.dnssec-parent.com. 3600 IN CNAME secure-delegated.dnssec-parent.com.
+0 secure-delegated1.dnssec-parent.com. 3600 IN RRSIG CNAME 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1 qoqsriqrvi1g1ql3tpph2248q9ldpepf.dnssec-parent.com. 3600 IN NSEC3 1 [flags] 1 abcd 1SCAQA30LQ0DO5EIRNE4KPJFBEBFGR54 A RRSIG
+1 qoqsriqrvi1g1ql3tpph2248q9ldpepf.dnssec-parent.com. 3600 IN RRSIG NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+2 . 32768 IN OPT
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='secure-delegated1.dnssec-parent.com.', qtype=A
diff --git a/regression-tests/tests/nsec-at-delegation/skip.nodnssec b/regression-tests/tests/nsec-at-delegation/skip.nodnssec
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/regression-tests/zones/dnssec-parent.com b/regression-tests/zones/dnssec-parent.com
index 0800ccf1eb..f32469bbf7 100644
--- a/regression-tests/zones/dnssec-parent.com
+++ b/regression-tests/zones/dnssec-parent.com
@@ -25,3 +25,4 @@ insecure-delegated.ent.ent.auth-ent IN NS ns.example.com.
 something1.auth-ent IN A 1.1.2.3
 insecure IN NS ns.example.com.
 www IN CNAME www.insecure
+* IN CNAME secure-delegated
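Review bot: `* IN CNAME secure-delegated` is added to the shared dnssec-parent.com fixture without a comment, and it changes more than the new test: any name whose closest encloser is the zone apex is now answered by wildcard expansion instead of a name error. The expected-result changes for ds-at-unsecure-zone-cut and ent-unsigned-delegation in this same commit show the NSEC/NSEC3 chain shifting under existing tests. A comment on the record would make that coupling visible, e.g. `; wildcard for tests/nsec-at-delegation: names directly under the apex no longer yield NXDOMAIN`. Whether any test still relies on an NXDOMAIN proof from this zone cannot be seen in this diff and is worth confirming.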