# test dnskey query
dnskeys, rrsigs = _query_rrset(server, fqdn, dns.rdatatype.DNSKEY, tsig=tsig)
- assert len(dnskeys) > 0
check_dnskeys(dnskeys, ksks, zsks)
- assert len(rrsigs) > 0
check_signatures(rrsigs, dns.rdatatype.DNSKEY, fqdn, ksks, zsks)
# test soa query
soa, rrsigs = _query_rrset(server, fqdn, dns.rdatatype.SOA, tsig=tsig)
assert len(soa) == 1
assert f"{zone}. {DEFAULT_TTL} IN SOA" in soa[0].to_text()
- assert len(rrsigs) > 0
check_signatures(rrsigs, dns.rdatatype.SOA, fqdn, ksks, zsks)
# test cdnskey query
else:
assert match in rrset.to_text()
- assert len(rrsigs) > 0
check_signatures(rrsigs, qtype, fqdn, ksks, zsks)
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
-# Test max-zone-ttl rejects zones with too high TTL.
-n=$((n + 1))
-echo_i "check that max-zone-ttl rejects zones with too high TTL ($n)"
-ret=0
-set_zone "max-zone-ttl.kasp"
-grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" >/dev/null || ret=1
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
set_keytimes_csk_policy() {
# The first key is immediately published and activated.
created=$(key_get KEY1 CREATED)
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"
-#
-# A zone with special characters.
-#
-set_zone "i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp."
-set_policy "default" "1" "3600"
-set_server "ns3" "10.53.0.3"
-# It is non-trivial to adapt the tests to deal with all possible different
-# escaping characters, so we will just try to verify the zone.
-dnssec_verify
-
#
# Zone: checkds-ksk.kasp.
#
fi
#
-# Zone: unsigned.kasp.
-#
-set_zone "unsigned.kasp"
-set_policy "none" "0" "0"
-set_server "ns3" "10.53.0.3"
-
-key_clear "KEY1"
-key_clear "KEY2"
-key_clear "KEY3"
-key_clear "KEY4"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-# Make sure the zone file is untouched.
-n=$((n + 1))
-echo_i "Make sure the zonefile for zone ${ZONE} is not edited ($n)"
-ret=0
-diff "${DIR}/${ZONE}.db.infile" "${DIR}/${ZONE}.db" || ret=1
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-#
-# Zone: insecure.kasp.
+# Zone: unlimited.kasp.
#
-set_zone "insecure.kasp"
-set_policy "insecure" "0" "0"
+set_zone "unlimited.kasp"
+set_policy "unlimited" "1" "1234"
set_server "ns3" "10.53.0.3"
-
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-
-#
-# Zone: unlimited.kasp.
-#
-set_zone "unlimited.kasp"
-set_policy "unlimited" "1" "1234"
-set_server "ns3" "10.53.0.3"
# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
assert f"zone_resigninc: zone {zone}/IN (unsigned): enter" not in "ns3/named.run"
+def test_kasp_special_characters(servers):
+ server = servers["ns3"]
+
+ # A zone with special characters.
+ isctest.log.info("check special characters")
+
+ zone = r'i-am.":\;?&[]\@!\$*+,|=\.\(\)special.kasp'
+ # It is non-trivial to adapt the tests to deal with all possible different
+ # escaping characters, so we will just try to verify the zone.
+ isctest.kasp.check_dnssec_verify(server, zone)
+
+
+def test_kasp_insecure(servers):
+ server = servers["ns3"]
+
+ # Insecure zones.
+ isctest.log.info("check insecure zones")
+
+ zone = "insecure.kasp"
+ expected = []
+ keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
+ isctest.kasp.check_keys(zone, keys, expected)
+ isctest.kasp.check_dnssecstatus(server, zone, keys, policy="insecure")
+ isctest.kasp.check_apex(server, zone, keys, [])
+ isctest.kasp.check_subdomain(server, zone, keys, [])
+
+ zone = "unsigned.kasp"
+ expected = []
+ keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
+ isctest.kasp.check_keys(zone, keys, expected)
+ isctest.kasp.check_dnssecstatus(server, zone, keys, policy=None)
+ isctest.kasp.check_apex(server, zone, keys, [])
+ isctest.kasp.check_subdomain(server, zone, keys, [])
+ # Make sure the zone file is untouched.
+ isctest.check.file_contents_equal(f"ns3/{zone}.db.infile", f"ns3/{zone}.db")
+
+
+def test_kasp_bad_maxzonettl(servers):
+ server = servers["ns3"]
+
+ # check that max-zone-ttl rejects zones with too high TTL.
+ isctest.log.info("check max-zone-ttl rejects zones with too high TTL")
+ zone = "max-zone-ttl.kasp"
+ assert f"loading from master file {zone}.db failed: out of range" in server.log
+
+
def test_kasp_dnssec_keygen():
def keygen(zone, policy, keydir=None):
if keydir is None:
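Review bot: The context line directly above the added functions, `assert f"zone_resigninc: zone {zone}/IN (unsigned): enter" not in "ns3/named.run"`, tests substring membership in the literal file name rather than in the log contents, so it can never fail and the unsigned-zone check it belongs to is silently vacuous; its enclosing function starts outside the hunk. The added `test_kasp_bad_maxzonettl` reads the log through `server.log`, and that line should do the same, `assert f"zone_resigninc: zone {zone}/IN (unsigned): enter" not in server.log`, assuming `server.log` exposes the named.run contents as the new test presumes. The three new test functions also lack docstrings; for `test_kasp_insecure` a one-liner such as `"""Zones with policy 'insecure' or no policy have no keys and no apex/subdomain signatures, and unsigned.kasp's zone file stays untouched."""` would state the expected end state that the empty `expected` and `[]` arguments encode. `test_kasp_dnssec_keygen` continues outside the hunk.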