Make sure that changing only the opt-out value recreates the chain.
nsec3param;
};
+dnssec-policy "optout" {
+ nsec3param optout yes;
+};
+
dnssec-policy "nsec3-other" {
nsec3param iterations 11 optout yes salt "deadbeef";
};
dnssec-policy "nsec3";
};
+/* The zone will be reconfigured to use opt-out. */
+zone "nsec3-to-optout.kasp" {
+ type primary;
+ file "nsec3-to-optout.kasp.db";
+ dnssec-policy "nsec3";
+};
+
+/* The zone will be reconfigured to disable opt-out. */
+zone "nsec3-from-optout.kasp" {
+ type primary;
+ file "nsec3-from-optout.kasp.db";
+ dnssec-policy "optout";
+};
+
/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
zone "nsec3-to-nsec.kasp" {
type primary;
nsec3param;
};
+dnssec-policy "optout" {
+ nsec3param optout yes;
+};
+
dnssec-policy "nsec3-other" {
nsec3param iterations 11 optout yes salt "deadbeef";
};
dnssec-policy "nsec3-other";
};
+/* The zone will be reconfigured to use opt-out. */
+zone "nsec3-to-optout.kasp" {
+ type primary;
+ file "nsec3-to-optout.kasp.db";
+ //dnssec-policy "nsec3";
+ dnssec-policy "optout";
+};
+
+/* The zone will be reconfigured to disable opt-out. */
+zone "nsec3-from-optout.kasp" {
+ type primary;
+ file "nsec3-from-optout.kasp.db";
+ //dnssec-policy "optout";
+ dnssec-policy "nsec3";
+};
+
/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
zone "nsec3-to-nsec.kasp" {
type primary;
cp template.db.in "$zonefile"
}
-for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec
+for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
+ nsec3-to-optout nsec3-from-optout
do
setup "${zn}.kasp"
done
check_nsec3
dnssec_verify
+# Zone: nsec3-to-optout.kasp.
+set_zone_policy "nsec3-to-optout.kasp" "nsec3"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-from-optout.kasp.
+set_zone_policy "nsec3-from-optout.kasp" "optout"
+set_nsec3param "1" "5" "-"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
# Zone: nsec3-other.kasp.
set_zone_policy "nsec3-other.kasp" "nsec3-other"
set_nsec3param "1" "11" "DEADBEEF"
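Review bot: The initial check of nsec3-to-optout.kasp runs check_nsec3 straight after `set_zone_policy "nsec3-to-optout.kasp" "nsec3"` with no set_nsec3param call, whereas the nsec3-from-optout.kasp block directly below sets `set_nsec3param "1" "5" "-"` first, and the later reconfiguration of nsec3-from-optout.kasp to the same "nsec3" policy uses `set_nsec3param "0" "5" "-"`. If check_nsec3 compares against the values recorded by set_nsec3param (both helpers are defined outside this hunk), the first block is checking against whatever the preceding zone left set rather than the parameters expected for policy "nsec3". Adding `set_nsec3param "0" "5" "-"` after the set_zone_policy line makes the expectation explicit and consistent with the other blocks.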
check_nsec
dnssec_verify
+# Zone: nsec3-to-optout.kasp. (reconfigured)
+set_zone_policy "nsec3-to-optout.kasp" "optout"
+set_nsec3param "1" "5" "-"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-from-optout.kasp. (reconfigured)
+set_zone_policy "nsec3-from-optout.kasp" "nsec3"
+set_nsec3param "0" "5" "-"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
# Zone: nsec3-other.kasp. (same)
set_zone_policy "nsec3-other.kasp" "nsec3-other"
set_nsec3param "1" "11" "DEADBEEF"
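Review bot: After each reconfiguration the nsec3-to-optout.kasp and nsec3-from-optout.kasp blocks only run check_nsec3 and dnssec_verify, so the property the commit message names, that the chain is recreated, is verified only as far as check_nsec3 inspects the chain itself. check_nsec3 is defined outside this hunk, so I cannot tell whether it looks beyond the NSEC3PARAM record; if it does not, a record signed under the old opt-out flag could survive unnoticed. Consider adding, under a comment such as `# Verify the NSEC3 chain was rebuilt with the new opt-out flag`, a check that no NSEC3 record with the previous flag value remains after the reconfiguration.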
check_nsec3
dnssec_verify
-# Using rndc signing -nsec3param
+# Using rndc signing -nsec3param (should fail)
set_zone_policy "nsec3-change.kasp" "nsec3-other"
echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE > rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE"
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
-