]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
projects / thirdparty / bind9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 334ea12)
add system tests covering EDE 7 and 8
authorColin Vidal <colin@isc.org>
Wed, 12 Mar 2025 09:53:33 +0000 (10:53 +0100)
committerColin Vidal <colin@isc.org>
Thu, 13 Mar 2025 08:57:09 +0000 (09:57 +0100)
Add DNSSEC system tests to cover extended DNS error 7 (Signature
Expired) and 8 (Signature Not Yet Valid).

bin/tests/system/dnssec/ns2/sign.sh patch | blob | blame | history
bin/tests/system/dnssec/tests.sh patch | blob | blame | history

diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 6d10c7f8a52b49ff3e06fab435089a39fb334590..917da71e4be54c30fe7c0baa69030e8fb2fa177e 100644 (file)
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -64,7 +64,7 @@ for subdomain in digest-alg-unsupported ds-unsupported secure badds \
   kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
   ttlpatch split-dnssec split-smart expired expiring upper lower \
   dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
-  dnskey-nsec3-unknown managed-future revkey \
+  dnskey-nsec3-unknown managed-future future revkey \
   dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024; do
   cp "../ns3/dsset-$subdomain.example." .
 done
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 953a310d46818c03edeb99942b6c42b4c39e3d9b..d3ee1bc8b4e8517135d02975fab7cf681c68305c 100644 (file)
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -2859,6 +2859,19 @@ dig_with_opts +noauth expired.example. +dnssec @10.53.0.4 soa >dig.out.ns4.test$
 grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 grep "expired.example/.*: RRSIG has expired" ns4/named.run >/dev/null || ret=1
+grep "; EDE: 7 (Signature Expired): (expired.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+status=$((status + ret))
+echo_i "checking signatures in the future do not validate ($n)"
+ret=0
+dig_with_opts +noauth future.example. +dnssec @10.53.0.4 soa >dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+grep "future.example/.*: RRSIG validity period has not begun" ns4/named.run >/dev/null || ret=1
+grep "; EDE: 8 (Signature Not Yet Valid): (future.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
Mirror of https://gitlab.isc.org/isc-projects/bind9.git