Add a system test with one good and one bad algorithm
authorOndřej Surý <ondrej@isc.org>
Sat, 1 Nov 2025 11:00:59 +0000 (12:00 +0100)
committerOndřej Surý <ondrej@isc.org>
Tue, 4 Nov 2025 18:53:25 +0000 (19:53 +0100)
The case with one supported algorithm and one already-unsupported
algorithm (like RSAMD5 or RSASHA1) was missing.

bin/tests/system/dnssec/ns2/example.db.in
bin/tests/system/dnssec/ns2/sign.sh
bin/tests/system/dnssec/ns3/named.conf.j2
bin/tests/system/dnssec/ns3/sign.sh
bin/tests/system/dnssec/tests_validation.py

index 47c2eb7f0eb6b6183f58f286bd336c449cfb5741..07429366eeb27addff5b06be49902a9fbb02cef2 100644 (file)
@@ -202,3 +202,7 @@ ns3.extradsunknownoid       A       10.53.0.3
 
 extended-ds-unknown-oid        NS      ns3.extended-ds-unknown-oid
 ns3.extended-ds-unknown-oid A  10.53.0.3
+
+; A secure subdomain with extra bad key
+extrabadkey            NS      ns3.extrabadkey
+ns3.extrabadkey                A       10.53.0.3
index e3f18af15e013e6f4b7e8a18c20b9e5de5a4c6a4..da9f5f07fc064ade7853ce3c1e0af0c38cefea90 100644 (file)
@@ -92,7 +92,7 @@ for subdomain in digest-alg-unsupported ds-unsupported secure badds \
   dnskey-nsec3-unknown managed-future future revkey \
   dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024 \
   rsasha256oid rsasha512oid unknownoid extradsoid extradsunknownoid \
-  extended-ds-unknown-oid; do
+  extended-ds-unknown-oid extrabadkey; do
   cp "../ns3/dsset-$subdomain.example." .
 done
 
index 1a0edc14bb8286c2d22ffe984e673aa50d8adbd1..9cbc58892c844c4c9b0bc4673b5d67088c78848d 100644 (file)
@@ -141,6 +141,12 @@ zone "extrakey.example" {
        allow-update { any; };
 };
 
+zone "extrabadkey.example" {
+       type primary;
+       file "extrabadkey.example.db.signed";
+       allow-update { any; };
+};
+
 zone "insecure.nsec3.example" {
        type primary;
        file "insecure.nsec3.example.db";
index 5512888b2f43085881cd304903f7767d60f9e4a0..ea81381eb233844d51fe5fe7478117cfa05eed3a 100644 (file)
@@ -905,3 +905,34 @@ ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
 zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
 "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
+
+#
+#
+#
+zone=extrabadkey.example.
+infile=template.db.in
+zonefile=extrabadkey.example.db
+
+# Add KSK and ZSK that we will mangle to RSAMD5
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
+"$SIGNER" -g -O full -o "$zone" "$zonefile" >/dev/null 2>&1
+
+# Mangle the signatures to RSAMD5 and save them for future use
+sed -ne "s/\(IN[[:space:]]*RRSIG[[:space:]]*[A-Z]*\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /p" <"$zonefile.signed" >"$zonefile.signed.rsamd5"
+
+# Now add normal KSK and ZSK to the zone file
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
+
+# Mangle the DNSKEY algorithm numbers and add them to the signed zone file
+cat "$ksk.key" "$zsk.key" | sed -e "s/\(IN[[:space:]]*DNSKEY[[:space:]]*[0-9]* 3\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /" >>"$zonefile"
+
+# Sign normally
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
+
+# Add the mangled signatures to signed zone file
+cat "$zonefile.signed.rsamd5" >>"$zonefile.signed"
+rm "$zonefile.signed.rsamd5"
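Review bot: The new section opens with three bare `#` lines instead of a description, and the comment above the second `sed` says the mangled DNSKEYs are added "to the signed zone file" while the redirect actually targets `$zonefile`, the unsigned input that is signed on the next step; suggested header `# extrabadkey.example: signed with the default algorithm, plus a second KSK/ZSK pair and their RRSIGs rewritten to algorithm 1 (RSAMD5) so a validator must ignore the unsupported algorithm and validate via the good one`, and `# Mangle the DNSKEY algorithm numbers and add them to the unsigned zone file before signing`. The copied RRSIGs keep the key tag of the unmangled keys (the tag is computed over the RDATA, which now carries a different algorithm byte) and the `[A-Z]*` in the first `sed` will not match RRSIGs covering types with digits in their name; both are presumably harmless because nothing ever verifies an unsupported algorithm, but a one-line comment saying so would save the next reader the key-tag arithmetic. Both `$SIGNER` runs discard stderr and ignore the exit status, as the rest of this file does, yet this section is more fragile than the others since it asks dnssec-signzone to accept a DNSKEY RRset containing an algorithm it has no signatures for; if that were ever rejected, `$zonefile.signed` would be left stale or missing without any error, so an explicit status check (or `-P` if post-sign verification is the concern) is worth considering here.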
index e6d8ccc7343362dbd1aa5a9133d1917f23a39268..a27a8999873b7016d2c9b5b27d9e6de4f4a7a6ac 100644 (file)
@@ -1385,3 +1385,11 @@ def test_rrsigs_for_glue():
         record.rdtype == rdatatype.RRSIG and record.covers == rdatatype.A
         for record in res.answer
     )
+
+
+def test_extra_bad_algorithm():
+    msg = isctest.query.create("a.extrabadkey.example", "A")
+    res1 = isctest.query.tcp(msg, "10.53.0.3")
+    res2 = isctest.query.tcp(msg, "10.53.0.4")
+    isctest.check.same_answer(res1, res2)
+    isctest.check.adflag(res2)
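Review bot: `test_extra_bad_algorithm` has no docstring, and its name alone does not say what outcome is expected or how the zone is set up; a one-liner such as `"""A zone whose DNSKEY RRset mixes a supported algorithm with RSAMD5 keys and RRSIGs must still validate: the validator's answer matches the authoritative one and carries AD."""` would tie it to the ns3/sign.sh setup. The two addresses are bare literals; `# 10.53.0.3: authoritative ns3, 10.53.0.4: validating resolver` would make the roles explicit rather than inferred from the neighbouring tests (I cannot confirm the ns4 role from this hunk). The AD check on `res2` is the assertion that actually proves the unsupported algorithm was ignored rather than treated as a validation failure, which is worth stating in the docstring so a later edit does not drop it as redundant with `same_answer`.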