echo $CSK
echo ". IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" | \
- cat $CSK.ds - > trust-anchors
+ cat $CSK.ds - > bogus/trust-anchors
ONEMONTHAGO=`date -d 'now - 1 month' +%Y%m%d`
YESTERDAY=`date -d 'now - 2 days' +%Y%m%d`
TOMORROW=`date -d 'now + 2 days' +%Y%m%d`
-ldns-signzone -i $YESTERDAY dnssec-failures.test $CSK -f - | \
+ldns-signzone -i $YESTERDAY bogus/dnssec-failures.test $CSK -f - | \
grep -v '^missingrrsigs\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
sed 's/Signatures invalid/Signatures INVALID/g' | \
grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' | \
grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
grep -v '^expired\.dnssec-failures\.test\..*IN.*TXT' | \
grep -v '^expired\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' > base
-ldns-signzone -i $ONEMONTHAGO -e $YESTERDAY dnssec-failures.test $CSK -f - | \
+ldns-signzone -i $ONEMONTHAGO -e $YESTERDAY bogus/dnssec-failures.test $CSK -f - | \
grep -v '[ ]NSEC[ ]' | \
grep '^expired\.dnssec-failures\.test\..*IN.*TXT' > expired
-ldns-signzone -i $TOMORROW dnssec-failures.test $CSK -f - | \
+ldns-signzone -i $TOMORROW bogus/dnssec-failures.test $CSK -f - | \
grep -v '[ ]NSEC[ ]' | \
grep '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' > notyetincepted
-cat base expired notyetincepted > dnssec-failures.test.signed && rm -f base expired notyetincepted $CSK.*
+cat base expired notyetincepted > bogus/dnssec-failures.test.signed && rm -f base expired notyetincepted $CSK.*
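Review bot: The cleanup at the end of the last line, `rm -f base expired notyetincepted $CSK.*`, becomes `rm -f ... .*` if `CSK` is empty or unset (its assignment is above this hunk), which removes every dotfile in the caller's working directory — including `.tpkg.var.test`, which ede.pre appends to in that same directory right before invoking this script. Guard and quote it: `rm -f -- base expired notyetincepted "${CSK:?CSK not set}".*`. The three scratch files are still created in the caller's cwd while the outputs now go to `bogus/`, so a failed or interrupted run leaves `base`, `expired` and `notyetincepted` behind in the test directory; writing them under `bogus/` too, or via `mktemp`, keeps it clean. The exit status of each `ldns-signzone ... | grep ...` pipeline is that of the final grep and is never checked, so a missing or failing ldns-signzone silently yields an empty signed zone that only surfaces later as SERVFAIL — `set -o pipefail` near the top of the script (outside this hunk) or a non-empty check on the signed file before the `rm` would catch that.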
username: ""
directory: ""
local-zone: test nodefault
- port: 53535
+ port: @PORT2@
auth-zone:
name: "dnssec-failures.test"
- zonefile: "testdata/ede.tdir/bogus/dnssec-failures.test.signed"
\ No newline at end of file
+ zonefile: "bogus/dnssec-failures.test.signed"
\ No newline at end of file
# @TODO change this to local file
#auto-trust-anchor-file: "/var/lib/unbound/root.key"
- trust-anchor-file: "testdata/ede.tdir/bogus/trust-anchors"
+ trust-anchor-file: "bogus/trust-anchors"
module-config: "respip validator iterator"
local-zone: hopsa.kidee. always_refuse
local-data: "hopsa.kidee. TXT hela hola"
- localzone: nlnetlabs.nl transparant
+ local-zone: nlnetlabs.nl transparent
local-data: "hopsa.nlnetlabs.nl. TXT hela hola"
- local-zone: uva.nl. always_null
+ local-zone: uva.nl. always_null
local-zone: example.com redirect
local-data: "example.com CNAME *.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaa."
do-not-query-localhost: no
forward-zone:
- name: "dnssec-failures.test"
- forward-addr: 127.0.0.1@@PORT2@
\ No newline at end of file
+ name: "dnssec-failures.test"
+ forward-addr: 127.0.0.1@@PORT2@
\ No newline at end of file
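Review bot: The `# @TODO change this to local file` comment at the top of the hunk is now stale, since `trust-anchor-file: "bogus/trust-anchors"` is exactly that local file; drop it, or say what is still open (presumably whether `auto-trust-anchor-file` should replace it). The relative `bogus/` paths only resolve if unbound does not change directory at startup: unbound chdirs to its `directory:` setting before reading these files, ede-auth.conf sets `directory: ""` explicitly, and the equivalent line for this config is not visible in the hunk — confirm it is present. Note also that `bogus/trust-anchors` is generated by make-broken-zone.sh to hold the real root DS record alongside the test key's DS, so with `module-config: "respip validator iterator"` every name not covered by the `forward-zone` (e.g. `servfail.nl` in ede.test) is validated against the live root; a one-line comment above `trust-anchor-file` recording that network dependency would spare the next reader a surprise.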
echo "UNBOUND_PORT2=$UNBOUND_PORT2" >> .tpkg.var.test
# rewrite config file with created ports
-sed -e 's/@PORT\@/'$UNBOUND_PORT'/g; s/@PORT2\@/'$UNBOUND_PORT2'/g' < ede.conf > ub.conf
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' < ede.conf > temp.conf
+sed -e 's/@PORT2\@/'$UNBOUND_PORT2'/' < temp.conf > ub.conf
sed -e 's/@PORT2\@/'$UNBOUND_PORT2'/' < ede-auth.conf > ub2.conf
+# create broken dnssec zone
+bogus/make-broken-zone.sh
+
# start unbound in the background
PRE="../.."
$PRE/unbound -d -c ub.conf > unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+# start authoritative unbound in the background
+$PRE/unbound -d -c ub2.conf > unbound.log 2>&1 &
+UNBOUND_PID2=$!
+echo "UNBOUND_PID2=$UNBOUND_PID2" >> .tpkg.var.test
+
+
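Review bot: The authoritative instance started at the end of the hunk redirects to `unbound.log`, the same file the first `$PRE/unbound` a few lines above already writes to; the second `>` truncates it and the two daemons then write at independent offsets, so each clobbers the other's output and neither instance's failure can be diagnosed from the log. Give it its own file: `$PRE/unbound -d -c ub2.conf > unbound2.log 2>&1 &`. `bogus/make-broken-zone.sh` is invoked without checking its exit status, so if ldns-signzone is unavailable the auth instance starts without `bogus/dnssec-failures.test.signed` and the problem only shows up later as unexplained SERVFAILs; `bogus/make-broken-zone.sh || exit 1` fails the pre-step where the cause is visible. The two-pass `sed` through `temp.conf` appears functionally the same as the original single command (the `@PORT\@` pattern cannot match inside `@PORT2@`), so if the split fixes a real problem a comment should say which, and either way `temp.conf` is left in the test directory afterwards.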
# query with bad edns keepalive
dig @127.0.0.1 -p $UNBOUND_PORT +tcp +ednsopt=11:010203 > keepalive.txt
# RPZ always_refuse
dig @127.0.0.1 -p $UNBOUND_PORT hopsa.kidee. A > always_refuse.txt
-if ! grep -q "OPT=15: 00 04" always_refuse.txt
+if ! grep -q "OPT=15: 00 0f" always_refuse.txt
then
- echo "local-zone always_null must have EDE blocked code"
+ echo "local-zone always_refuse must have EDE blocked code"
exit 1
fi
-# @TODO what does this trigger?
-dig @localhost hopsa.kidee. A
+# @TODO what does this trigger? -> ede blocked
+dig @127.0.0.1 -p $UNBOUND_PORT hopsa.kidee. A
# @TODO trigger mesh DNSSEC bogus
dig @127.0.0.1 -p $UNBOUND_PORT servfail.nl > servfail.txt
fi
# local data forged answer
-dig @127.0.0.1 -p $UNBOUND_PORT hopsa.nlnetlabs.nl TXT
+#dig @127.0.0.1 -p $UNBOUND_PORT hopsa.nlnetlabs.nl TXT
#@TODO write actual test
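Review bot: The `fi` on the last context line of the first visible hunk closes an `if` that does not open anywhere in the visible lines (the `if ! grep -q ...` block is already closed by its own `fi`); if no enclosing `if` precedes `# query with bad edns keepalive`, bash rejects the whole script with a syntax error before any check runs, so confirm the opening `if` exists above this hunk. The re-added `dig @127.0.0.1 -p $UNBOUND_PORT hopsa.kidee. A` repeats the exact query already asserted against `always_refuse.txt` a few lines earlier, but its output is neither captured nor checked — either drop it or fold the `-> ede blocked` answer into the existing assertion. In the second hunk the forged-answer query is commented out rather than asserted; mirroring the pattern above, `dig @127.0.0.1 -p $UNBOUND_PORT hopsa.nlnetlabs.nl TXT > forged.txt` followed by `grep -q "OPT=15: 00 04" forged.txt || exit 1` would pin the Forged Answer info-code (4) that the old always_refuse check seems to have been looking for — verify the expected code against RFC 8914 and unbound's local-data behaviour before wiring it in.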