+3173. [port] Correctly validate root DS responses. [RT #25726]
+
3172. [port] darwin 10.* and freebsd [89] are now built threaded by
default.
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.34 2011/07/26 04:42:20 marka Exp $
+# $Id: tests.sh,v 1.35 2011/10/15 05:00:15 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
echo "I:checking that revoked key is present ($n)"
ret=0
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < rev.key`
-id=`expr $id + 128 % 65536`
+id=`expr $id + 128`
+[ $id -gt 65535 ] && id=`expr $id % 65536 + 1`
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
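Review bot: The `% 65536 + 1` adjustment on the new `[ $id -gt 65535 ]` line has no comment, so the reader has to reconstruct why an extra 1 is added. It appears to mirror the carry fold in the RFC 4034 Appendix B key tag calculation once the REVOKE flag (128) pushes the sum past 16 bits. A one-line comment such as `# REVOKE adds 128 to the key tag sum; on 16-bit overflow the carry is folded back in, hence + 1` would record that. The same two lines are repeated in the "revoked key self-signs" check below, so the comment applies there too. Computing the revoked id once would keep the two checks from drifting apart.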
echo "I:checking that revoked key self-signs ($n)"
ret=0
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < rev.key`
-id=`expr $id + 128 % 65536`
+id=`expr $id + 128`
+[ $id -gt 65535 ] && id=`expr $id % 65536 + 1`
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.97 2011/10/11 19:26:06 each Exp $
+# $Id: tests.sh,v 1.98 2011/10/15 05:00:15 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:checking that root DS queries validate ($n)"
+ret=0
+$DIG $DIGOPTS +noauth . @10.53.0.1 ds > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS +noauth . @10.53.0.4 ds > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)"
ret=0
$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns2.test$n || ret=1
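Review bot: The AD-bit assertion `grep "flags:.*ad.*QUERY"` is the only line in the new check that shows ns4 actually validated the answer, and its pattern accepts the letters `ad` anywhere between `flags:` and `QUERY` rather than the flag as a separate token. Anchoring it, for example `grep "flags:.* ad[ ;].*QUERY"`, keeps the check tied to the flag itself. A short comment saying that the root has no parent zone, which is presumably why this case needs its own test, would help the next reader. `DIGOPTS` is defined outside the hunk, so whether the query requests DNSSEC records cannot be confirmed from here.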
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.204 2011/06/08 22:13:51 each Exp $ */
+/* $Id: validator.c,v 1.205 2011/10/15 05:00:15 marka Exp $ */
#include <config.h>
* Return ISC_R_IGNORE when the NSEC is not the appropriate one.
*/
static isc_result_t
-nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
+nsecnoexistnodata(dns_validator_t *val, dns_name_t *name, dns_name_t *nsecname,
dns_rdataset_t *nsecset, isc_boolean_t *exists,
isc_boolean_t *data, dns_name_t *wild)
{
if (order == 0) {
/*
- * The names are the same.
+ * The names are the same. If we are validating "."
+ * then atparent should not be set as there is no parent.
*/
- atparent = dns_rdatatype_atparent(val->event->type);
+ atparent = (olabels != 1) &&
+ dns_rdatatype_atparent(val->event->type);
ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
if (ns && !soa) {
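Review bot: The new guard `(olabels != 1)` identifies the root only indirectly. It relies on `olabels`, which is set outside this hunk, holding the label count of `name` when `order == 0`. The comment should state that assumption, e.g. `olabels == 1 means name is the root, which has a single label`, or the test could be written against the name itself as `!dns_name_equal(name, dns_rootname)`. The body of nsecnoexistnodata starts and ends outside the hunk, so the assignment of `olabels` should be checked before relying on either form.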