--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 30 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+
+www A 10.0.0.1
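Review bot: The SOA minimum field on the `30 ; minimum (1 hour)` line carries a comment that does not match its value; 30 is 30 seconds, consistent with the `$TTL 30 ; 5 minutes` line above (which has the same mismatch) and with the other SOA fields whose comments do agree with their numbers. This looks like a leftover from a copied zone file and will mislead anyone tuning negative-caching behaviour for this test zone. Suggested wording: `$TTL 30 ; 30 seconds` and `30 ; minimum (30 seconds)`.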
allow-update { any; };
};
+zone "corp" {
+ type master;
+ file "corp.db";
+};
+
include "trusted.conf";
nta-lifetime 12s;
nta-recheck 9s;
+ validate-except { corp; };
+
# Note: We only reference the bind.keys file here to confirm that it
# is *not* being used. It contains the real root key, and we're
# using a local toy root zone for the tests, so it wouldn't work.
file "../../common/root.hint";
};
+zone "corp" {
+ type static-stub;
+ server-addresses { 10.53.0.2; };
+};
+
include "trusted.conf";
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+echo_i "checking validate-except in an insecure local domain ($n)"
+ret=0
+$DIG $DIGOPTS ns www.corp @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
echo_i "checking positive and negative validation with negative trust anchors ($n)"
ret=0
echo_i "sleeping for an additional 4 seconds for ns4 to fully startup"
sleep 4
-# dump the NTA to a file
+# dump the NTA to a file (omit validate-except entries)
+echo_i "testing 'rndc nta'"
$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
+# "corp" is configured as a validate-except domain and thus should be
+# omitted. only "secure.example" should be in the dump at this point.
lines=`wc -l < rndc.out.ns4.test$n.1`
[ "$lines" -eq 1 ] || ret=1
+grep 'secure.example' rndc.out.ns4.test$n.1 > /dev/null || ret=1
ts=`awk '{print $3" "$4}' < rndc.out.ns4.test$n.1`
# rndc nta outputs localtime, so append the timezone
ts_with_zone="$ts `date +%z`"
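Review bot: The new validate-except check queries `ns www.corp`, but the corp zone added in this commit defines only `www A 10.0.0.1`, so the response is a NOERROR/NODATA answer with an empty answer section; the NOERROR and no-AD assertions still hold, but nothing confirms that unvalidated data for the excepted domain is actually returned to the client, which is presumably what the test is meant to show. If that is the intent, querying the record that exists and checking for it would make the test stronger: `$DIG $DIGOPTS a www.corp @10.53.0.4 > dig.out.ns4.test$n || ret=1` followed by `grep "10.0.0.1" dig.out.ns4.test$n > /dev/null || ret=1`. If the `ns` query type is deliberate (exercising validation of a negative response), a one-line comment saying so would stop the next reader from "fixing" it.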
./bin/tests/system/dnssec/ns2/cds.secure.db.in ZONE 2015,2016,2018
./bin/tests/system/dnssec/ns2/child.nsec3.example.db ZONE 2006,2008,2016,2018
./bin/tests/system/dnssec/ns2/child.optout.example.db ZONE 2006,2008,2016,2018
+./bin/tests/system/dnssec/ns2/corp.db ZONE 2018
./bin/tests/system/dnssec/ns2/dlv.db.in ZONE 2004,2007,2016,2018
./bin/tests/system/dnssec/ns2/dst.example.db.in ZONE 2004,2007,2016,2018
./bin/tests/system/dnssec/ns2/example.db.in ZONE 2000,2001,2002,2004,2007,2008,2009,2010,2011,2012,2013,2014,2016,2018