acl additional addzone allow-query auth autosign \
builtin cacheclean case catz cds chain \
checkconf checknames checkzone \
- cookie database digdelv dlv dlz dlzexternal \
+ cookie database digdelv dlz dlzexternal \
dns64 dscp dsdigest dyndb \
ednscompliance emptyzones \
fetchlimit filter-aaaa formerr forward \
# using delv insecure mode as not testing dnssec here
delv_with_opts() {
- "$DELV" +noroot +nodlv -p "$PORT" "$@"
+ "$DELV" +noroot -p "$PORT" "$@"
}
KEYID="$(cat ns2/keyid)"
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-rm -f ns*/named.run
-rm -f ns*/named.conf
-rm -f ns1/K*
-rm -f ns1/dsset-*
-rm -f ns1/*.signed
-rm -f ns1/signer.err
-rm -f ns1/root.db
-rm -f ns1/trusted.conf
-rm -f ns2/K*
-rm -f ns2/dlvset-*
-rm -f ns2/dsset-*
-rm -f ns2/*.signed
-rm -f ns2/*.pre
-rm -f ns2/signer.err
-rm -f ns2/druz.db
-rm -f ns3/K*
-rm -f ns3/*.db
-rm -f ns3/*.signed ns3/*.signed.tmp
-rm -f ns3/dlvset-*
-rm -f ns3/dsset-*
-rm -f ns3/keyset-*
-rm -f ns3/trusted*.conf
-rm -f ns3/signer.err
-rm -f ns5/trusted*.conf
-rm -f ns6/K*
-rm -f ns6/*.db
-rm -f ns6/*.signed
-rm -f ns6/dsset-*
-rm -f ns6/signer.err
-rm -f ns7/trusted*.conf ns8/trusted*.conf
-rm -f */named.memstats
-rm -f dig.out.ns*.test*
-rm -f ns*/named.lock
-rm -f ns*/managed-keys.bind*
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-zone "." { type master; file "root.signed"; };
-zone "rootservers.utld" { type master; file "rootservers.utld.db"; };
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 120
-@ SOA ns.rootservers.utld hostmaster.ns.rootservers.utld (
- 1 3600 1200 604800 60 )
-@ NS ns.rootservers.utld
-ns A 10.53.0.1
-;
-; A zone that is unsigned (utld=unsigned tld) that will include a second level
-; zone that acts as a DLV.
-;
-utld NS ns.utld
-ns.utld A 10.53.0.2
-;
-; A zone that has a bad DNSKEY RRset but has good DLV records for its child
-; zones.
-;
-druz NS ns.druz
-ns.druz A 10.53.0.2
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 120
-@ SOA ns hostmaster.ns 1 3600 1200 604800 60
-@ NS ns
-ns A 10.53.0.1
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=../..
-. $SYSTEMTESTTOP/conf.sh
-
-SYSTESTDIR=dlv
-
-(cd ../ns2 && $SHELL -e ./sign.sh || exit 1)
-
-echo_i "dlv/ns1/sign.sh"
-
-zone=.
-infile=root.db.in
-zonefile=root.db
-outfile=root.signed
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-
-echo_i "signed $zone"
-
-keyfile_to_static_keys $keyname2 > trusted.conf
-cp trusted.conf ../ns5
-cp trusted.conf ../ns7
-cp trusted.conf ../ns8
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 120
-@ SOA ns hostmaster.ns 1 3600 1200 604800 60
-@ NS ns
-ns A 10.53.0.2
-;
-rootservers NS ns.rootservers
-ns.rootservers A 10.53.0.1
-;
-;
-child1 NS ns.child1
-ns.child1 A 10.53.0.3
-;
-child2 NS ns.child2
-ns.child2 A 10.53.0.4
-;
-child3 NS ns.child3
-ns.child3 A 10.53.0.3
-;
-child4 NS ns.child4
-ns.child4 A 10.53.0.3
-;
-child5 NS ns.child5
-ns.child5 A 10.53.0.3
-;
-child6 NS ns.child6
-ns.child6 A 10.53.0.4
-;
-child7 NS ns.child7
-ns.child7 A 10.53.0.3
-;
-child8 NS ns.child8
-ns.child8 A 10.53.0.3
-;
-child9 NS ns.child9
-ns.child9 A 10.53.0.3
-;
-child10 NS ns.child10
-ns.child10 A 10.53.0.3
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-. 0 NS ns.rootservers.utld.
-ns.rootservers.utld. 0 A 10.53.0.1
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.2;
- notify-source 10.53.0.2;
- transfer-source 10.53.0.2;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.2; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-/* Root hints. */
-zone "." { type hint; file "hints"; };
-
-/*
- * A zone that is unsigned (utld=unsigned tld) that will include a second level
- * zone that acts as a DLV.
- */
-zone "utld" { type master; file "utld.db"; };
-
-/*
- * A zone that has a bad DNSKEY RRset but has good DLV records for its child
- * zones.
- */
-zone "druz" { type master; file "druz.signed"; };
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=../..
-. $SYSTEMTESTTOP/conf.sh
-
-SYSTESTDIR=dlv
-
-(cd ../ns3 && $SHELL -e ./sign.sh || exit 1)
-
-echo_i "dlv/ns2/sign.sh"
-
-zone=druz.
-infile=druz.db.in
-zonefile=druz.db
-outfile=druz.pre
-dlvzone=utld.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -l $dlvzone -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-
-$CHECKZONE -q -D -i none druz druz.pre |
-sed '/IN DNSKEY/s/\([a-z0-9A-Z+/]\{10\}\)[a-z0-9A-Z+/]\{16\}/\1XXXXXXXXXXXXXXXX/'> druz.signed
-
-echo_i "signed $zone"
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 120
-@ SOA ns hostmaster.ns 1 3600 1200 604800 60
-@ NS ns
-ns A 10.53.0.2
-;
-rootservers NS ns.rootservers
-ns.rootservers A 10.53.0.1
-;
-dlv NS ns.dlv
-ns.dlv A 10.53.0.3
-;
-disabled-algorithm-dlv NS ns.disabled-algorithm-dlv
-ns.disabled-algorithm-dlv A 10.53.0.3
-;
-unsupported-algorithm-dlv NS ns.unsupported-algorithm-dlv
-ns.unsupported-algorithm-dlv A 10.53.0.3
-;
-child1 NS ns.child1
-ns.child1 A 10.53.0.3
-;
-child2 NS ns.child2
-ns.child2 A 10.53.0.4
-;
-child3 NS ns.child3
-ns.child3 A 10.53.0.3
-;
-child4 NS ns.child4
-ns.child4 A 10.53.0.3
-;
-child5 NS ns.child5
-ns.child5 A 10.53.0.3
-;
-child6 NS ns.child6
-ns.child6 A 10.53.0.4
-;
-child7 NS ns.child7
-ns.child7 A 10.53.0.3
-;
-child8 NS ns.child8
-ns.child8 A 10.53.0.3
-;
-child9 NS ns.child9
-ns.child9 A 10.53.0.3
-;
-child10 NS ns.child10
-ns.child10 A 10.53.0.3
-;
-disabled-algorithm NS ns.disabled-algorithm
-ns.disabled-algorithm A 10.53.0.3
-;
-unsupported-algorithm NS ns.unsupported-algorithm
-ns.unsupported-algorithm A 10.53.0.3
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 120
-@ SOA ns hostmaster.ns 1 3600 1200 604800 60
-@ NS ns
-ns A 10.53.0.3
-foo TXT foo
-bar TXT bar
-grand NS ns.grand
-ns.grand A 10.53.0.6
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 120
-@ SOA ns hostmaster.ns 1 3600 1200 604800 60
-@ NS ns
-ns A 10.53.0.3
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-. 0 NS ns.rootservers.utld.
-ns.rootservers.utld. 0 A 10.53.0.1
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.3;
- notify-source 10.53.0.3;
- transfer-source 10.53.0.3;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.3; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-/* Root hints. */
-zone "." { type hint; file "hints"; };
-
-/* DLV zone below unsigned TLD. */
-zone "dlv.utld" { type master; file "dlv.utld.signed"; };
-
-/* DLV zone signed with a disabled algorithm below unsigned TLD. */
-zone "disabled-algorithm-dlv.utld." {
- type master;
- file "disabled-algorithm-dlv.utld.signed";
-};
-
-/* DLV zone signed with an unsupported algorithm below unsigned TLD. */
-zone "unsupported-algorithm-dlv.utld." {
- type master;
- file "unsupported-algorithm-dlv.utld.signed";
-};
-
-/* Signed zone below unsigned TLD with DLV entry. */
-zone "child1.utld" { type master; file "child1.signed"; };
-
-/*
- * Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
- * with a disabled algorithm.
- */
-zone "child3.utld" { type master; file "child3.signed"; };
-
-/*
- * Signed zone below unsigned TLD with DLV entry. This one is slightly
- * different because its children (the grandchildren) don't have a DS record in
- * this zone. The grandchild zones are served by ns6.
- *
- */
-zone "child4.utld" { type master; file "child4.signed"; };
-
-/*
- * Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
- * with an unsupported algorithm.
- */
-zone "child5.utld" { type master; file "child5.signed"; };
-
-/* Signed zone below unsigned TLD without DLV entry. */
-zone "child7.utld" { type master; file "child7.signed"; };
-
-/*
- * Signed zone below unsigned TLD without DLV entry and no DS records for the
- * grandchildren.
- */
-zone "child8.utld" { type master; file "child8.signed"; };
-
-/* Signed zone below unsigned TLD with DLV entry. */
-zone "child9.utld" { type master; file "child9.signed"; };
-
-/* Unsigned zone below an unsigned TLD with DLV entry. */
-zone "child10.utld" { type master; file "child.db.in"; };
-
-/*
- * Zone signed with a disabled algorithm (an algorithm that is disabled in
- * one of the test resolvers) with DLV entry.
- */
-zone "disabled-algorithm.utld" {
- type master;
- file "disabled-algorithm.utld.signed";
-};
-
-/* Zone signed with an unsupported algorithm with DLV entry. */
-zone "unsupported-algorithm.utld" {
- type master;
- file "unsupported-algorithm.utld.signed";
-};
-
-/*
- * Signed zone below signed TLD with good DLV entry but no chain of
- * trust.
- */
-zone "child1.druz" { type master; file "child1.druz.signed"; };
-
-/*
- * Signed zone below signed TLD with good DLV entry but no chain of
- * trust. The DLV zone is signed with a disabled algorithm.
- */
-zone "child3.druz" { type master; file "child3.druz.signed"; };
-
-/*
- * Signed zone below signed TLD with good DLV entry but no chain of
- * trust. Also there are no DS records for the grandchildren.
- */
-zone "child4.druz" { type master; file "child4.druz.signed"; };
-
-/*
- * Signed zone below signed TLD with good DLV entry but no chain of
- * trust. The DLV zone is signed with an unsupported algorithm.
- */
-zone "child5.druz" { type master; file "child5.druz.signed"; };
-
-/*
- * Signed zone below signed TLD without DLV entry, and no chain of
- * trust.
- */
-zone "child7.druz" { type master; file "child7.druz.signed"; };
-
-/*
- * Signed zone below signed TLD without DLV entry and no DS set. Also DS
- * records for the grandchildren are not included in the zone.
- */
-zone "child8.druz" { type master; file "child8.druz.signed"; };
-
-/*
- * Signed zone below signed TLD with good DLV entry but no DS set. Also DS
- * records for the grandchildren are not included in the zone.
- */
-zone "child9.druz" { type master; file "child9.druz.signed"; };
-
-/*
- * Unsigned zone below signed TLD with good DLV entry but no chain of
- * trust.
- */
-zone "child10.druz" { type master; file "child.db.in"; };
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=../..
-. $SYSTEMTESTTOP/conf.sh
-
-(cd ../ns6 && $SHELL -e ./sign.sh)
-
-echo_i "dlv/ns3/sign.sh"
-
-dlvzone="dlv.utld"
-dlvsets=
-dssets=
-
-disableddlvzone="disabled-algorithm-dlv.utld"
-disableddlvsets=
-disableddssets=
-
-unsupporteddlvzone="unsupported-algorithm-dlv.utld"
-unsupporteddlvsets=
-unsupporteddssets=
-
-# Signed zone below unsigned TLD with DLV entry.
-zone=child1.utld
-infile=child.db.in
-zonefile=child1.utld.db
-outfile=child1.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-dsfilename=../ns6/dsset-grand.${zone}${TP}
-cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
-# with a disabled algorithm.
-zone=child3.utld
-infile=child.db.in
-zonefile=child3.utld.db
-outfile=child3.signed
-disableddlvsets="$disableddlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-dsfilename=../ns6/dsset-grand.${zone}${TP}
-cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-
-$SIGNER -O full -l $disableddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below unsigned TLD with DLV entry. This one is slightly
-# different because its children (the grandchildren) don't have a DS record in
-# this zone. The grandchild zones are served by ns6.
-zone=child4.utld
-infile=child.db.in
-zonefile=child4.utld.db
-outfile=child4.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
-# with an unsupported algorithm.
-zone=child5.utld
-infile=child.db.in
-zonefile=child5.utld.db
-outfile=child5.signed
-unsupporteddlvsets="$unsupporteddlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-dsfilename=../ns6/dsset-grand.${zone}${TP}
-cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-
-$SIGNER -O full -l $unsupporteddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-# Signed zone below unsigned TLD without DLV entry.
-zone=child7.utld
-infile=child.db.in
-zonefile=child7.utld.db
-outfile=child7.signed
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-dsfilename=../ns6/dsset-grand.${zone}${TP}
-cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-
-$SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below unsigned TLD without DLV entry and no DS records for the
-# grandchildren.
-zone=child8.utld
-infile=child.db.in
-zonefile=child8.utld.db
-outfile=child8.signed
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-# Signed zone below unsigned TLD with DLV entry.
-zone=child9.utld
-infile=child.db.in
-zonefile=child9.utld.db
-outfile=child9.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-# Unsigned zone below an unsigned TLD with DLV entry. We still need to sign
-# the zone to generate the DLV set.
-zone=child10.utld
-infile=child.db.in
-zonefile=child10.utld.db
-outfile=child10.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Zone signed with a disabled algorithm (an algorithm that is disabled in
-# one of the test resolvers) with DLV entry.
-zone=disabled-algorithm.utld
-infile=child.db.in
-zonefile=disabled-algorithm.utld.db
-outfile=disabled-algorithm.utld.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DISABLED_ALGORITHM -b $DISABLED_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DISABLED_ALGORITHM -b $DISABLED_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f ${outfile} $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Zone signed with an unsupported algorithm with DLV entry.
-zone=unsupported-algorithm.utld
-infile=child.db.in
-zonefile=unsupported-algorithm.utld.db
-outfile=unsupported-algorithm.utld.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f ${outfile}.tmp $zonefile > /dev/null 2> signer.err || cat signer.err
-awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${outfile}.tmp > $outfile
-
-cp ${keyname2}.key ${keyname2}.tmp
-awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key
-cp dlvset-${zone}${TP} dlvset-${zone}tmp
-awk '$3 == "DLV" { $5 = 255 } { print }' dlvset-${zone}tmp > dlvset-${zone}${TP}
-
-echo_i "signed $zone"
-
-# Signed zone below signed TLD with DLV entry and DS set.
-zone=child1.druz
-infile=child.db.in
-zonefile=child1.druz.db
-outfile=child1.druz.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-dssets="$dssets dsset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-dsfilename=../ns6/dsset-grand.${zone}${TP}
-cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below signed TLD with DLV entry and DS set. The DLV zone is
-# signed with a disabled algorithm.
-zone=child3.druz
-infile=child.db.in
-zonefile=child3.druz.db
-outfile=child3.druz.signed
-disableddlvsets="$disableddlvsets dlvset-${zone}${TP}"
-disableddssets="$disableddssets dsset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-dsfilename=../ns6/dsset-grand.${zone}${TP}
-cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-
-$SIGNER -O full -l $disableddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below signed TLD with DLV entry and DS set, but missing
-# DS records for the grandchildren.
-zone=child4.druz
-infile=child.db.in
-zonefile=child4.druz.db
-outfile=child4.druz.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-dssets="$dssets dsset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below signed TLD with DLV entry and DS set. The DLV zone is
-# signed with an unsupported algorithm algorithm.
-zone=child5.druz
-infile=child.db.in
-zonefile=child5.druz.db
-outfile=child5.druz.signed
-unsupporteddlvsets="$unsupporteddlvsets dlvset-${zone}${TP}"
-unsupporteddssets="$unsupportedssets dsset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-dsfilename=../ns6/dsset-grand.${zone}${TP}
-cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-
-$SIGNER -O full -l $unsupporteddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below signed TLD without DLV entry, but with normal DS set.
-zone=child7.druz
-infile=child.db.in
-zonefile=child7.druz.db
-outfile=child7.druz.signed
-dssets="$dssets dsset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-dsfilename=../ns6/dsset-grand.${zone}${TP}
-cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-
-$SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below signed TLD without DLV entry and no DS set. Also DS
-# records for the grandchildren are not included in the zone.
-zone=child8.druz
-infile=child.db.in
-zonefile=child8.druz.db
-outfile=child8.druz.signed
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below signed TLD with DLV entry but no DS set. Also DS
-# records for the grandchildren are not included in the zone.
-zone=child9.druz
-infile=child.db.in
-zonefile=child9.druz.db
-outfile=child9.druz.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Unsigned zone below signed TLD with DLV entry and DS set. We still need to
-# sign the zone to generate the DS sets.
-zone=child10.druz
-infile=child.db.in
-zonefile=child10.druz.db
-outfile=child10.druz.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-dssets="$dssets dsset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-cp $dssets ../ns2
-cp $disableddssets ../ns2
-cp $unsupporteddssets ../ns2
-
-# DLV zones
-infile=dlv.db.in
-for zone in dlv.utld disabled-algorithm-dlv.utld unsupported-algorithm-dlv.utld
-do
- zonefile="${zone}.db"
- outfile="${zone}.signed"
-
- case $zone in
- "dlv.utld")
- algorithm=$DEFAULT_ALGORITHM
- bits=$DEFAULT_BITS
- dlvfiles=$dlvsets
- ;;
- "disabled-algorithm-dlv.utld")
- algorithm=$DISABLED_ALGORITHM
- bits=$DISABLED_BITS
- dlvfiles=$disableddlvsets
- ;;
- "unsupported-algorithm-dlv.utld")
- algorithm=$DEFAULT_ALGORITHM
- bits=$DEFAULT_BITS
- dlvfiles=$unsupporteddlvsets
- ;;
- esac
-
- keyname1=`$KEYGEN -a $algorithm -b $bits -n zone $zone 2> /dev/null`
- keyname2=`$KEYGEN -f KSK -a $algorithm -b $bits -n zone $zone 2> /dev/null`
-
- cat $infile $dlvfiles $keyname1.key $keyname2.key >$zonefile
-
- case $zone in
- "dlv.utld")
- $SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
- keyfile_to_static_keys $keyname2 > ../ns5/trusted-dlv.conf
- ;;
- "disabled-algorithm-dlv.utld")
- $SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
- keyfile_to_static_keys $keyname2 > ../ns8/trusted-dlv-disabled.conf
- ;;
- "unsupported-algorithm-dlv.utld")
- cp ${keyname2}.key ${keyname2}.tmp
- $SIGNER -O full -o $zone -f ${outfile}.tmp $zonefile > /dev/null 2> signer.err || cat signer.err
- awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${outfile}.tmp > $outfile
- awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key
- keyfile_to_static_keys $keyname2 > ../ns7/trusted-dlv-unsupported.conf
- ;;
- esac
-
- echo_i "signed $zone"
-done
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 120
-@ SOA ns hostmaster.ns 1 3600 1200 604800 60
-@ NS ns
-ns A 10.53.0.3
-;
-rootservers NS ns.rootservers
-ns.rootservers A 10.53.0.1
-;
-child1 NS ns.child1
-ns.child1 A 10.53.0.3
-;
-child2 NS ns.child2
-ns.child2 A 10.53.0.4
-;
-child3 NS ns.child3
-ns.child3 A 10.53.0.3
-;
-child4 NS ns.child4
-ns.child4 A 10.53.0.3
-;
-child5 NS ns.child5
-ns.child5 A 10.53.0.3
-;
-child6 NS ns.child5
-ns.child6 A 10.53.0.4
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-. 0 NS ns.rootservers.utld.
-ns.rootservers.utld. 0 A 10.53.0.1
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.4;
- notify-source 10.53.0.4;
- transfer-source 10.53.0.4;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.4; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-zone "." { type hint; file "hints"; };
-zone "child2.utld" { type master; file "child.db"; };
-zone "child6.utld" { type master; file "child.db"; };
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-. 0 NS ns.rootservers.utld.
-ns.rootservers.utld. 0 A 10.53.0.1
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-include "trusted.conf";
-include "trusted-dlv.conf";
-
-options {
- query-source address 10.53.0.5;
- notify-source 10.53.0.5;
- transfer-source 10.53.0.5;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.5; };
- listen-on-v6 { none; };
- recursion yes;
- notify yes;
- dnssec-validation yes;
- dnssec-lookaside "." trust-anchor "dlv.utld";
- disable-algorithms "utld." { @DISABLED_ALGORITHM@; };
-};
-
-zone "." { type hint; file "hints"; };
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
- algorithm hmac-sha256;
- secret "34f88008d07deabbe65bd01f1d233d47";
-};
-
-options {
- default-server 10.53.0.5;
- default-port 5353;
-};
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 120
-@ SOA ns hostmaster.ns6 1 3600 1200 604800 60
-@ NS ns
-ns A 10.53.0.6
-foo TXT foo
-bar TXT bar
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-. 0 NS ns.rootservers.utld.
-ns.rootservers.utld. 0 A 10.53.0.1
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.6;
- notify-source 10.53.0.6;
- transfer-source 10.53.0.6;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.6; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-zone "." { type hint; file "hints"; };
-zone "grand.child1.utld" { type master; file "grand.child1.signed"; };
-zone "grand.child3.utld" { type master; file "grand.child3.signed"; };
-zone "grand.child4.utld" { type master; file "grand.child4.signed"; };
-zone "grand.child5.utld" { type master; file "grand.child5.signed"; };
-zone "grand.child7.utld" { type master; file "grand.child7.signed"; };
-zone "grand.child8.utld" { type master; file "grand.child8.signed"; };
-zone "grand.child9.utld" { type master; file "grand.child9.signed"; };
-zone "grand.child10.utld" { type master; file "grand.child10.signed"; };
-zone "grand.child1.druz" { type master; file "grand.child1.druz.signed"; };
-zone "grand.child3.druz" { type master; file "grand.child3.druz.signed"; };
-zone "grand.child4.druz" { type master; file "grand.child4.druz.signed"; };
-zone "grand.child5.druz" { type master; file "grand.child5.druz.signed"; };
-zone "grand.child7.druz" { type master; file "grand.child7.druz.signed"; };
-zone "grand.child8.druz" { type master; file "grand.child8.druz.signed"; };
-zone "grand.child9.druz" { type master; file "grand.child9.druz.signed"; };
-zone "grand.child10.druz" { type master; file "grand.child10.druz.signed"; };
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=../..
-. $SYSTEMTESTTOP/conf.sh
-
-SYSTESTDIR=dlv
-
-echo_i "dlv/ns6/sign.sh"
-
-zone=grand.child1.utld.
-infile=child.db.in
-zonefile=grand.child1.utld.db
-outfile=grand.child1.signed
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child3.utld.
-infile=child.db.in
-zonefile=grand.child3.utld.db
-outfile=grand.child3.signed
-dlvzone=dlv.utld.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child4.utld.
-infile=child.db.in
-zonefile=grand.child4.utld.db
-outfile=grand.child4.signed
-dlvzone=dlv.utld.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child5.utld.
-infile=child.db.in
-zonefile=grand.child5.utld.db
-outfile=grand.child5.signed
-dlvzone=dlv.utld.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child7.utld.
-infile=child.db.in
-zonefile=grand.child7.utld.db
-outfile=grand.child7.signed
-dlvzone=dlv.utld.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child8.utld.
-infile=child.db.in
-zonefile=grand.child8.utld.db
-outfile=grand.child8.signed
-dlvzone=dlv.utld.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child9.utld.
-infile=child.db.in
-zonefile=grand.child9.utld.db
-outfile=grand.child9.signed
-dlvzone=dlv.utld.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-zone=grand.child10.utld.
-infile=child.db.in
-zonefile=grand.child10.utld.db
-outfile=grand.child10.signed
-dlvzone=dlv.utld.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-zone=grand.child1.druz.
-infile=child.db.in
-zonefile=grand.child1.druz.db
-outfile=grand.child1.druz.signed
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child3.druz.
-infile=child.db.in
-zonefile=grand.child3.druz.db
-outfile=grand.child3.druz.signed
-dlvzone=dlv.druz.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child4.druz.
-infile=child.db.in
-zonefile=grand.child4.druz.db
-outfile=grand.child4.druz.signed
-dlvzone=dlv.druz.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child5.druz.
-infile=child.db.in
-zonefile=grand.child5.druz.db
-outfile=grand.child5.druz.signed
-dlvzone=dlv.druz.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child7.druz.
-infile=child.db.in
-zonefile=grand.child7.druz.db
-outfile=grand.child7.druz.signed
-dlvzone=dlv.druz.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child8.druz.
-infile=child.db.in
-zonefile=grand.child8.druz.db
-outfile=grand.child8.druz.signed
-dlvzone=dlv.druz.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child9.druz.
-infile=child.db.in
-zonefile=grand.child9.druz.db
-outfile=grand.child9.druz.signed
-dlvzone=dlv.druz.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-zone=grand.child10.druz.
-infile=child.db.in
-zonefile=grand.child10.druz.db
-outfile=grand.child10.druz.signed
-dlvzone=dlv.druz.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-. 0 NS ns.rootservers.utld.
-ns.rootservers.utld. 0 A 10.53.0.1
-
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-include "trusted.conf";
-include "trusted-dlv-unsupported.conf";
-
-options {
- query-source address 10.53.0.7;
- notify-source 10.53.0.7;
- transfer-source 10.53.0.7;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.7; };
- listen-on-v6 { none; };
- recursion yes;
- notify yes;
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside "." trust-anchor "unsupported-algorithm-dlv.utld";
-};
-
-zone "." { type hint; file "hints"; };
-
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-. 0 NS ns.rootservers.utld.
-ns.rootservers.utld. 0 A 10.53.0.1
-
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-include "trusted.conf";
-include "trusted-dlv-disabled.conf";
-
-options {
- query-source address 10.53.0.8;
- notify-source 10.53.0.8;
- transfer-source 10.53.0.8;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.8; };
- listen-on-v6 { none; };
- recursion yes;
- notify yes;
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside "." trust-anchor "disabled-algorithm-dlv.utld";
- disable-algorithms "disabled-algorithm-dlv.utld." { @DISABLED_ALGORITHM@; };
-};
-
-zone "." { type hint; file "hints"; };
-
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-$SHELL clean.sh
-
-copy_setports ns1/named.conf.in ns1/named.conf
-copy_setports ns2/named.conf.in ns2/named.conf
-copy_setports ns3/named.conf.in ns3/named.conf
-copy_setports ns4/named.conf.in ns4/named.conf
-copy_setports ns5/named.conf.in ns5/named.conf
-copy_setports ns6/named.conf.in ns6/named.conf
-copy_setports ns7/named.conf.in ns7/named.conf
-copy_setports ns8/named.conf.in ns8/named.conf
-
-(cd ns1 && $SHELL -e sign.sh)
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-status=0
-n=0
-
-rm -f dig.out.*
-
-DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
-
-echo_i "checking that unsigned TLD zone DNSKEY referenced by DLV validates as secure ($n)"
-ret=0
-$DIG $DIGOPTS child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking that unsigned TLD child zone DNSKEY referenced by DLV validates as secure ($n)"
-ret=0
-$DIG $DIGOPTS grand.child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking that no chain of trust SOA referenced by DLV validates as secure ($n)"
-ret=0
-$DIG $DIGOPTS child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking that no chain of trust child SOA referenced by DLV validates as secure ($n)"
-ret=0
-$DIG $DIGOPTS grand.child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-# Test that a child zone that is signed with an unsupported algorithm,
-# referenced by a good DLV zone, yields an insecure response.
-echo_i "checking that unsupported algorithm TXT referenced by DLV validates as insecure ($n)"
-ret=0
-$DIG $DIGOPTS foo.unsupported-algorithm.utld txt @10.53.0.3 > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS foo.unsupported-algorithm.utld txt @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
-grep -q "foo\.unsupported-algorithm\.utld\..*TXT.*\"foo\"" dig.out.ns5.test$n || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-# Test that a child zone that is signed with a disabled algorithm,
-# referenced by a good DLV zone, yields an insecure response.
-echo_i "checking that disabled algorithm TXT referenced by DLV validates as insecure ($n)"
-ret=0
-$DIG $DIGOPTS foo.disabled-algorithm.utld txt @10.53.0.3 > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS foo.disabled-algorithm.utld txt @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
-grep -q "foo\.disabled-algorithm\.utld\..*TXT.*\"foo\"" dig.out.ns5.test$n || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-# Test that a child zone that is signed with a known algorithm, referenced by
-# a DLV zone that is signed with a disabled algorithm, yields a bogus
-# response.
-echo_i "checking that good signed TXT referenced by disabled algorithm DLV validates as bogus ($n)"
-ret=0
-$DIG $DIGOPTS foo.child3.utld txt @10.53.0.8 > dig.out.ns8.test$n || ret=1
-grep "status: SERVFAIL" dig.out.ns8.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
-grep -q "foo\.child3\.utld\..*TXT.*\"foo\"" dig.out.ns8.test$n && ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-# Test that a child zone that is signed with a known algorithm, referenced by
-# a DLV zone that is signed with an unsupported algorithm, yields a bogus
-# response.
-echo_i "checking that good signed TXT referenced by unsupported algorithm DLV validates as bogus ($n)"
-ret=0
-$DIG $DIGOPTS foo.child5.utld txt @10.53.0.7 > dig.out.ns7.test$n || ret=1
-grep "status: SERVFAIL" dig.out.ns7.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns7.test$n > /dev/null && ret=1
-grep -q "foo\.child5\.utld\..*TXT.*\"foo\"" dig.out.ns7.test$n && ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "exit status: $status"
-[ $status -eq 0 ] || exit 1
ns5 is a caching-only server, configured with the an incorrect trusted
key for the root. It is used for testing failure cases.
-ns6 is a caching-only server configured to use DLV.
+ns6 is an caching and authoritative server used for testing unusual
+server behaviors such as disabled DNSSEC algorithms.
ns7 is used for checking non-cacheable answers.
ns8 is a caching-only server, configured with unsupported and disabled
algorithms. It is used for testing failure cases.
+
+ns9 is a forwarding-only server.
set -e
-rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/dlvset-* ./*/signedkey-* ./*/*.signed
+rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/signedkey-* ./*/*.signed
rm -f ./*/example.bk
rm -f ./*/named.conf
rm -f ./*/named.memstats
rm -f ./ns2/cds-kskonly.secure.db
rm -f ./ns2/cds-update.secure.db ./ns2/cds-update.secure.db.jnl
rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db
-rm -f ./ns2/dlv.db
rm -f ./ns2/in-addr.arpa.db
rm -f ./ns2/nsec3chain-test.db
-rm -f ./ns2/private.secure.example.db
rm -f ./ns2/single-nsec3.db
rm -f ./ns2/updatecheck-kskonly.secure.*
rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db
example. NS ns2.example.
ns2.example. A 10.53.0.2
-dlv. NS ns2.dlv.
-ns2.dlv. A 10.53.0.2
algroll. NS ns2.algroll.
ns2.algroll. A 10.53.0.2
managed. NS ns2.managed.
echo_i "ns1/sign.sh"
cp "../ns2/dsset-example$TP" .
-cp "../ns2/dsset-dlv$TP" .
cp "../ns2/dsset-in-addr.arpa$TP" .
grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll$TP" > "dsset-algroll$TP"
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns2
-ns2 A 10.53.0.2
file "../../common/root.hint";
};
-zone "dlv" {
- type master;
- file "dlv.db.signed";
-};
-
zone "trusted" {
type master;
file "trusted.db.signed";
allow-update { any; };
};
-zone "private.secure.example" {
- type master;
- file "private.secure.example.db.signed";
- allow-update { any; };
-};
-
zone "insecure.secure.example" {
type master;
file "insecure.secure.example.db";
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
-# Sign the privately secure file
-
-privzone=private.secure.example
-privinfile=private.secure.example.db.in
-privzonefile=private.secure.example.db
-
-privkeyname=$("$KEYGEN" -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone "$privzone")
-
-cat "$privinfile" "$privkeyname.key" > "$privzonefile"
-
-"$SIGNER" -P -g -o "$privzone" -l dlv "$privzonefile" > /dev/null 2>&1
-
-# Sign the DLV secure zone.
-
-dlvzone=dlv.
-dlvinfile=dlv.db.in
-dlvzonefile=dlv.db
-dlvsetfile="dlvset-${privzone}${TP}"
-
-dlvkeyname=$("$KEYGEN" -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone "$dlvzone")
-
-cat "$dlvinfile" "$dlvkeyname.key" "$dlvsetfile" > "$dlvzonefile"
-
-"$SIGNER" -P -g -o "$dlvzone" "$dlvzonefile" > /dev/null 2>&1
-
# Sign the badparam secure file
zone=badparam.
notify yes;
disable-algorithms . { @ALTERNATIVE_ALGORITHM@; };
dnssec-validation yes;
- dnssec-lookaside . trust-anchor dlv;
};
zone "." {
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
-echo_i "checking that positive validation in a privately secure zone works ($n)"
-ret=0
-dig_with_opts +noauth a.private.secure.example. a @10.53.0.2 \
- > dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth a.private.secure.example. a @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-echo_i "checking that negative validation in a privately secure zone works ($n)"
-ret=0
-dig_with_opts +noauth q.private.secure.example. a @10.53.0.2 \
- > dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth q.private.secure.example. a @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
echo_i "checking that lookups succeed after disabling an algorithm ($n)"
ret=0
dig_with_opts +noauth example. SOA @10.53.0.2 \
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
-echo_i "checking privately secure to nxdomain works ($n)"
-ret=0
-dig_with_opts +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
-grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-echo_i "checking privately secure wildcard to nxdomain works ($n)"
-ret=0
-dig_with_opts +noauth a.wild.private.secure.example. SOA @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
-grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
echo_i "checking a non-cachable NODATA works ($n)"
ret=0
dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.7 \
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
-#
-# private.secure.example is served by the same server as its
-# grand parent and there is not a secure delegation from secure.example
-# to private.secure.example. In addition secure.example is using a
-# algorithm which the validation does not support.
-#
-echo_i "checking dnssec-lookaside-validation works ($n)"
-ret=0
-dig_with_opts private.secure.example. SOA @10.53.0.6 \
- > dig.out.ns6.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
echo_i "checking that we can load a rfc2535 signed zone ($n)"
ret=0
dig_with_opts rfc2535.example. SOA @10.53.0.2 \
echo_i "checking that DS at a RFC 1918 empty zone lookup succeeds ($n)"
ret=0
dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.6 >dig.out.ns6.test$n || ret=1
+dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.4 >dig.out.ns6.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
n=$((n+1))
SYSTESTDIR=filter-aaaa
-dlvsets=
-
zone=signed.
infile=signed.db.in
zonefile=signed.db.signed
SYSTESTDIR=filter-aaaa
-dlvsets=
-
zone=signed.
infile=signed.db.in
zonefile=signed.db.signed
zone "." { type master; file "root.db.signed"; };
-zone "dlv" { type master; file "dlv.db.signed"; };
-
zone "nsec" { type master; file "nsec.db.signed"; };
zone "private.nsec" { type master; file "private.nsec.db.signed"; };
@ SOA a.root-servers.nil hostmaster.root-servers.nil 1 1800 900 604800 86400
@ NS a.root-servers.nil
a.root-servers.nil A 10.53.0.1
-dlv NS a.root-servers.nil
nsec NS a.root-servers.nil
nsec3 NS a.root-servers.nil
dssets=
-zone=dlv
-infile=dlv.db.in
-zonefile=dlv.db
-outfile=dlv.db.signed
-dssets="$dssets dsset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key > $zonefile
-
-$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
zone=nsec
infile=nsec.db.in
zonefile=nsec.db
recursion yes;
dnssec-validation yes;
notify yes;
- dnssec-lookaside . trust-anchor dlv;
};
include "../ns1/trusted.conf";
./bin/tests/system/digdelv/setup.sh SH 2018,2019
./bin/tests/system/digdelv/tests.sh SH 2015,2016,2017,2018,2019
./bin/tests/system/ditch.pl PERL 2015,2016,2018,2019
-./bin/tests/system/dlv/clean.sh SH 2004,2007,2010,2011,2012,2014,2016,2018,2019
-./bin/tests/system/dlv/ns1/sign.sh SH 2011,2012,2014,2016,2018,2019
-./bin/tests/system/dlv/ns2/sign.sh SH 2011,2012,2014,2016,2018,2019
-./bin/tests/system/dlv/ns3/sign.sh SH 2004,2007,2009,2010,2011,2012,2014,2016,2018,2019
-./bin/tests/system/dlv/ns6/sign.sh SH 2010,2011,2012,2014,2016,2018,2019
-./bin/tests/system/dlv/setup.sh SH 2004,2007,2009,2011,2012,2014,2016,2017,2018,2019
-./bin/tests/system/dlv/tests.sh SH 2004,2007,2010,2011,2012,2016,2018,2019
./bin/tests/system/dlz/clean.sh SH 2010,2012,2014,2016,2018,2019
./bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.= TXT.BRIEF 2015,2016,2018,2019
./bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.= TXT.BRIEF 2015,2016,2018,2019
projects / thirdparty / bind9.git / commitdiff
