inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
+{% if "nsec3-xfr-inline.kasp" in zones %}
zone "nsec3-xfr-inline.kasp" {
type primary;
file "nsec3-xfr-inline.kasp.db";
dnssec-policy "nsec3";
};
+{% endif %}{# nsec3-xfr-inline.kasp #}
{% set nsec3_from_optout = "optout" if not reconfiged else "nsec3" %}
{% set nsec3_to_optout = "nsec3" if not reconfiged else "optout" %}
+{% if "nsec-to-nsec3.kasp" in zones %}
/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
zone "nsec-to-nsec3.kasp" {
type primary;
file "nsec-to-nsec3.kasp.db";
dnssec-policy "@nsec_to_nsec3@";
};
+{% endif %}{# nsec-to-nsec3.kasp #}
+{% if "nsec3.kasp" in zones %}
/* These zones use the default NSEC3 settings. */
zone "nsec3.kasp" {
type primary;
file "nsec3.kasp.db";
dnssec-policy "nsec3";
};
+{% endif %}{# nsec3.kasp #}
+{% if "nsec3-dynamic.kasp" in zones %}
zone "nsec3-dynamic.kasp" {
type primary;
file "nsec3-dynamic.kasp.db";
dnssec-policy "nsec3";
allow-update { any; };
};
+{% endif %}{# nsec3-dynamic.kasp #}
+{% if "nsec3-other.kasp" in zones %}
/* This zone uses non-default NSEC3 settings. */
zone "nsec3-other.kasp" {
type primary;
file "nsec3-other.kasp.db";
dnssec-policy "nsec3-other";
};
+{% endif %}{# nsec3-other.kasp #}
+{% if "nsec3-change.kasp" in zones %}
/* These zones will be reconfigured to use other NSEC3 settings. */
zone "nsec3-change.kasp" {
type primary;
file "nsec3-change.kasp.db";
dnssec-policy "@nsec3_change@";
};
+{% endif %}{# nsec3-change.kasp #}
+{% if "nsec3-dynamic-change.kasp" in zones %}
zone "nsec3-dynamic-change.kasp" {
type primary;
file "nsec3-dynamic-change.kasp.db";
dnssec-policy "@nsec3_change@";
allow-update { any; };
};
+{% endif %}{# nsec3-dynamic-change.kasp #}
+{% if "nsec3-to-optout.kasp" in zones %}
/* The zone will be reconfigured to use opt-out. */
zone "nsec3-to-optout.kasp" {
type primary;
file "nsec3-to-optout.kasp.db";
dnssec-policy "@nsec3_to_optout@";
};
+{% endif %}{# nsec3-to-optout.kasp #}
+{% if "nsec3-from-optout.kasp" in zones %}
/* The zone will be reconfigured to disable opt-out. */
zone "nsec3-from-optout.kasp" {
type primary;
file "nsec3-from-optout.kasp.db";
dnssec-policy "@nsec3_from_optout@";
};
+{% endif %}{# nsec3-from-optout.kasp #}
+{% if "nsec3-to-nsec.kasp" in zones %}
/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
zone "nsec3-to-nsec.kasp" {
type primary;
file "nsec3-to-nsec.kasp.db";
dnssec-policy "@nsec3_to_nsec@";
};
+{% endif %}{# nsec3-to-nsec.kasp #}
+{% if "nsec3-fails-to-load.kasp" in zones %}
/*
* The zone fails to load, this should not prevent shutdown.
* The zone is fixed after a reconfig.
dnssec-policy "nsec3";
allow-update { any; };
};
+{% endif %}{# nsec3-fails-to-load.kasp #}
+{% if "nsec3-dynamic-to-inline.kasp" in zones %}
/* These zones switch from dynamic to inline-signing or vice versa. */
zone "nsec3-dynamic-to-inline.kasp" {
type primary;
{% if not reconfiged %}
allow-update { any; };
inline-signing no;
-{% endif %}
+{% endif %}{# not reconfiged #}
};
+{% endif %}{# nsec3-dynamic-to-inline.kasp #}
+{% if "nsec3-inline-to-dynamic.kasp" in zones %}
zone "nsec3-inline-to-dynamic.kasp" {
type primary;
file "nsec3-inline-to-dynamic.kasp.db";
{% if reconfiged %}
allow-update { any; };
inline-signing no;
-{% endif %}
+{% endif %}{# reconfiged #}
+};
+{% endif %}{# nsec3-inline-to-dynamic.kasp #}
+{% if "nsec3-ent.kasp" in zones %}
+/*
+ * This zone will have an empty nonterminal node added and a node deleted.
+ */
+zone "nsec3-ent.kasp" {
+ type primary;
+ file "nsec3-ent.kasp.db";
+ dnssec-policy "nsec3";
+ inline-signing yes;
};
+{% endif %}{# nsec3-ent.kasp #}
{% if not reconfiged %}
+{% if "nsec3-dynamic-update-inline.kasp" in zones %}
/*
* Test adding a NSEC3 record to an inline-signing dnssec-policy zone.
*/
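Review bot: The block at `+zone "nsec3-ent.kasp" {` now emits the zone whenever its name is in `zones`, while the `{% else %}` branch being removed further down (the `-zone "nsec3-ent.kasp" {` lines in the next hunk) only emitted it once `reconfiged` was true; with `"nsec3-ent.kasp"` listed unconditionally in a test module's `ZONES`, the zone is present from the first render instead of appearing on reconfig. If that is intended, record it next to the guard, e.g. `{# nsec3-ent.kasp: present from startup, no longer added on reconfig #}`; if not, the block needs `{% if reconfiged %}` restored around it. The enclosing `{% if not reconfiged %}` opened at `{% if not reconfiged %}` is closed outside this hunk.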
allow-update { any; };
dnssec-policy "nsec";
};
+{% endif %}{# nsec3-dynamic-update-inline.kasp #}
+{% if "nsec3-xfr-inline.kasp" in zones %}
/*
* This zone will have an empty nonterminal node added and a node deleted.
*/
dnssec-policy "nsec";
primaries { 10.53.0.2; };
};
+{% endif %}{# nsec3-xfr-inline.kasp #}
-{% else %}
-
-/*
- * This zone will have an empty nonterminal node added and a node deleted.
- */
-zone "nsec3-ent.kasp" {
- type primary;
- file "nsec3-ent.kasp.db";
- dnssec-policy "nsec3";
- inline-signing yes;
-};
-
-{% endif %}
+{% endif %}{# not reconfiged #}
};
};
+
+{% if "rsasha1-to-nsec3.kasp" in zones %}
/*
* This zone starts with NSEC, but will be reconfigured to use NSEC3.
* This should work despite the incompatible RSAHSHA1 algorithm,
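Review bot: Every new `{% if "…" in zones %}` guard (here `+{% if "rsasha1-to-nsec3.kasp" in zones %}`, and the same form throughout the file) evaluates false without raising when a render call omits `zones`, because Jinja's default `Undefined` iterates as empty; a caller that passes only `{"reconfiged": True}`, as the old test code did, would then produce a named.conf with no zones at all and fail much later in an unrelated check. Unless the `templates` fixture already renders with `StrictUndefined`, a guard at the top of the template (outside this hunk) that fails the render when `zones` is undefined would make that misuse loud, e.g. `{% if zones is not defined %}{{ undefined_zones_context }}{% endif %}` with strict undefined, or an explicit check in the fixture. The rsasha1-to-nsec3.kasp zone body continues past the hunk.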
file "rsasha1-to-nsec3.kasp.db";
dnssec-policy "@rsasha1_to_nsec3@";
};
+{% endif %}{# rsasha1-to-nsec3.kasp #}
+{% if "rsasha1-to-nsec3-wait.kasp" in zones %}
/*
* This zone starts with NSEC, but will be reconfigured to use NSEC3.
* This should block because RSASHA1 is not compatible with NSEC3,
file "rsasha1-to-nsec3-wait.kasp.db";
dnssec-policy "@rsasha1_to_nsec3@";
};
+{% endif %}{# rsasha1-to-nsec3-wait.kasp #}
+{% if "nsec3-to-rsasha1.kasp" in zones %}
/*
* This zone starts with NSEC3, but will be reconfigured to use NSEC with an
* NSEC only algorithm. This should work despite the incompatible RSAHSHA1
file "nsec3-to-rsasha1.kasp.db";
dnssec-policy "@nsec3_to_rsasha1@";
};
+{% endif %}{# nsec3-to-rsasha1.kasp #}
+{% if "nsec3-to-rsasha1-ds.kasp" in zones %}
/*
* This zone starts with NSEC3, but will be reconfigured to use NSEC with an
* NSEC only algorithm. This should also be fine because we are allowed
file "nsec3-to-rsasha1-ds.kasp.db";
dnssec-policy "@nsec3_to_rsasha1@";
};
+{% endif %}{# nsec3-to-rsasha1-ds.kasp #}
)
+# include the following zones when rendering named configs
+ZONES = {
+ "nsec3-change.kasp",
+}
+
+
+def bootstrap():
+ return {
+ "zones": ZONES,
+ }
+
+
@pytest.fixture(scope="module", autouse=True)
def after_servers_start(ns3, templates):
# After reconfig, the NSEC3PARAM TTL should match the new SOA MINIMUM.
# Reconfigure.
- templates.render(f"{nsdir}/named-fips.conf", {"reconfiged": True})
- templates.render(f"{nsdir}/named-rsasha1.conf", {"reconfiged": True})
+ data = {
+ "reconfiged": True,
+ "zones": ZONES,
+ }
+ templates.render(f"{nsdir}/named-fips.conf", data)
+ templates.render(f"{nsdir}/named-rsasha1.conf", data)
# Wait for the NSEC3 chain is finished rebuilding.
messages = [
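Review bot: `data` at `+ data = {` rebuilds the render context by hand with `"zones": ZONES`, duplicating what `bootstrap()` returns a few lines above (presumably the context the `templates` fixture uses for the initial render); if a key is ever added to `bootstrap()`, the reconfig render silently diverges from the startup one. `data = {**bootstrap(), "reconfiged": True}` keeps the two in step with one less place to edit. The same pattern is repeated in the other module's `after_servers_start` (`templates.render(f"{ns3.identifier}/named-fips.conf", data)`). `after_servers_start` continues past the hunk.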
# pylint: disable=redefined-outer-name,unused-import
+import os
+
import dns.update
import pytest
)
+# include the following zones when rendering named configs
+ZONES = {
+ "nsec-to-nsec3.kasp",
+ "nsec3-xfr-inline.kasp",
+ "nsec3-dynamic-update-inline.kasp",
+ "nsec3.kasp",
+ "nsec3-dynamic.kasp",
+ "nsec3-change.kasp",
+ "nsec3-dynamic-change.kasp",
+ "nsec3-dynamic-to-inline.kasp",
+ "nsec3-inline-to-dynamic.kasp",
+ "nsec3-to-nsec.kasp",
+ "nsec3-to-optout.kasp",
+ "nsec3-from-optout.kasp",
+ "nsec3-other.kasp",
+}
+
+if os.environ["RSASHA1_SUPPORTED"] == "1":
+ ZONES.update(
+ {
+ "rsasha1-to-nsec3.kasp",
+ "rsasha1-to-nsec3-wait.kasp",
+ "nsec3-to-rsasha1.kasp",
+ "nsec3-to-rsasha1-ds.kasp",
+ }
+ )
+
+
+def bootstrap():
+ return {
+ "zones": ZONES,
+ }
+
+
@pytest.mark.parametrize(
"params",
[
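Review bot: `+if os.environ["RSASHA1_SUPPORTED"] == "1":` runs at import time, so a missing variable aborts collection of the whole module with a bare `KeyError: 'RSASHA1_SUPPORTED'` rather than skipping or failing only the RSASHA1 cases, and `bootstrap()` is never reached either. If the harness guarantees the variable, say so above the check (`# RSASHA1_SUPPORTED is always exported by the test harness`); if it does not, `os.environ.get("RSASHA1_SUPPORTED") == "1"` with the default documented avoids the opaque failure. The identical check appears in the next module's `ZONES` hunk. Also, `ZONES` is a mutable module-level set returned by reference from `bootstrap()`; building it as one `frozenset` expression (`base | extra`) would remove the import-time `update()` and rule out accidental mutation by a consumer.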
)
+# include the following zones when rendering named configs
+ZONES = {
+ "nsec3-to-nsec.kasp",
+ "nsec-to-nsec3.kasp",
+ "nsec3.kasp",
+ "nsec3-dynamic.kasp",
+ "nsec3-dynamic-change.kasp",
+ "nsec3-dynamic-to-inline.kasp",
+ "nsec3-inline-to-dynamic.kasp",
+ # "nsec3-to-optout.kasp",
+ # "nsec3-from-optout.kasp",
+ "nsec3-other.kasp",
+ "nsec3-ent.kasp",
+}
+
+if os.environ["RSASHA1_SUPPORTED"] == "1":
+ ZONES.update(
+ {
+ "rsasha1-to-nsec3-wait.kasp",
+ "nsec3-to-rsasha1.kasp",
+ "nsec3-to-rsasha1-ds.kasp",
+ "rsasha1-to-nsec3.kasp",
+ }
+ )
+
+
+def bootstrap():
+ return {
+ "zones": ZONES,
+ }
+
+
@pytest.fixture(scope="module", autouse=True)
def after_servers_start(ns3, templates):
# Ensure rsasha1-to-nsec3-wait.kasp is fully signed prior to reconfig.
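Review bot: The commented-out entries `# "nsec3-to-optout.kasp",` and `# "nsec3-from-optout.kasp",` in `ZONES` give no reason, so a later reader cannot tell whether they are disabled deliberately or were left behind; a one-line comment above them naming the cause (`# excluded: <reason>, tracked in <issue or test name>`) would settle it. This module also reads `os.environ` at `+if os.environ["RSASHA1_SUPPORTED"] == "1":` but, unlike the sibling module that adds `+import os`, no import of `os` is visible in this hunk — if it is not already imported elsewhere in the file, the module fails at import. `after_servers_start` continues past the hunk.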
isctest.kasp.check_dnssec_verify(ns3, zone)
# Reconfigure.
- templates.render(f"{ns3.identifier}/named-fips.conf", {"reconfiged": True})
- templates.render(f"{ns3.identifier}/named-rsasha1.conf", {"reconfiged": True})
+ data = {
+ "reconfiged": True,
+ "zones": ZONES,
+ }
+ templates.render(f"{ns3.identifier}/named-fips.conf", data)
+ templates.render(f"{ns3.identifier}/named-rsasha1.conf", data)
ns3.reconfigure()
)
+# include the following zones when rendering named configs
+ZONES = {
+ "nsec3-fails-to-load.kasp",
+}
+
+
+def bootstrap():
+ return {
+ "zones": ZONES,
+ }
+
+
def test_nsec3_case(ns3):
# Get test parameters.
params = {
)
+# include the following zones when rendering named configs
+ZONES = {
+ "nsec3.kasp",
+ "nsec3-other.kasp",
+}
+
+
+def bootstrap():
+ return {
+ "zones": ZONES,
+ }
+
+
def perform_nsec3_tests(server, params):
# Get test parameters.
zone = params["zone"]