ns2.managed. A 10.53.0.2
trusted. NS ns2.trusted.
ns2.trusted. A 10.53.0.2
+lazy-ksk. NS ns2.lazy-ksk.
+ns2.lazy-ksk. A 10.53.0.2
optout-tld NS ns6.optout-tld.
ns6.optout-tld. A 10.53.0.6
in-addr.arpa. NS ns2.example.
cp "../ns2/dsset-example." .
cp "../ns2/dsset-in-addr.arpa." .
cp "../ns2/dsset-too-many-iterations." .
+cp "../ns2/dsset-lazy-ksk." .
grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll."
cp "../ns6/dsset-optout-tld." .
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 30 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+*.a A 10.0.0.3
+b A 10.0.0.2
+d A 10.0.0.4
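Review bot: The TTL comments in the new zone file are stale: `$TTL 30 ; 5 minutes` and `30 ; minimum (1 hour)` both annotate a value of 30 seconds, so they should read `$TTL 30 ; 30 seconds` and `30 ; minimum (30 seconds)` (the refresh/retry lines already match their values). The `ns3 A 10.53.0.3` glue is published although only `NS ns2` is delegated; if it is a leftover from the template this fixture was copied from, dropping it keeps the zone minimal, otherwise a one-line comment saying why it is there would help the next reader.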
file "too-many-iterations.db.signed";
};
+zone "lazy-ksk" {
+ type primary;
+ file "lazy-ksk.db";
+ dnssec-policy "dnssec";
+ allow-update { any; };
+};
+
include "trusted.conf";
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1
+
+#
+# A zone with a secure chain of trust of two KSKs, only one KSK is not signing.
+#
+zone=lazy-ksk
+infile=lazy-ksk.db.in
+zonefile=lazy-ksk.db
+ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+ksk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$ksk1.key" "$ksk2.key" "$ksk3.key" "$zsk.key" >"$zonefile"
+$DSFROMKEY "$ksk1.key" >"dsset-$zone."
+$DSFROMKEY "$ksk2.key" >>"dsset-$zone."
+$DSFROMKEY "$ksk3.key" >>"dsset-$zone."
+# Keep the KSK with the highest key tag
+id1=$(keyfile_to_key_id "$ksk1")
+id2=$(keyfile_to_key_id "$ksk2")
+id3=$(keyfile_to_key_id "$ksk3")
+if [ $id1 -gt $id2 ]; then
+ if [ $id1 -gt $id3 ]; then
+ rm1="$ksk2"
+ rm2="$ksk3"
+ else # id3 -gt $id1
+ rm1="$ksk2"
+ rm2="$ksk1"
+ fi
+else # $id2 -gt $id1
+ if [ $id2 -gt $id3 ]; then
+ rm1="$ksk1"
+ rm2="$ksk3"
+ else #id3 -gt $id2
+ rm1="$ksk2"
+ rm2="$ksk1"
+ fi
+fi
+
+rm "$rm1.key"
+rm "$rm1.private"
+rm "$rm2.key"
+rm "$rm2.private"
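Review bot: The header comment for this section does not describe what the code does: three KSKs are generated, DS records for all three are written to `dsset-lazy-ksk.`, all four DNSKEYs are concatenated into `$zonefile`, and the key files of the two KSKs with the lower key tags are then deleted, so one signing KSK remains alongside two KSKs that are in the DS set and the DNSKEY RRset but cannot sign. Suggest replacing the two-KSK sentence with `# A zone whose DS set lists three KSKs; only the one with the highest key tag keeps its private key and signs the DNSKEY RRset.` and extending `# Keep the KSK with the highest key tag` with the reason the tag order matters to the validator (presumably so the DS records for non-signing keys are tried first — confirm against the validator code). `$DSFROMKEY` is the only tool invocation in this script left unquoted, unlike `"$KEYGEN"` and `"$SIGNER"` above; `"$DSFROMKEY" "$ksk1.key" >"dsset-$zone."` keeps the quoting consistent. The `[ $id1 -gt $id2 ]` comparisons will produce a cryptic `unary operator expected` error if any `keyfile_to_key_id` call returns empty; quoting them as `[ "$id1" -gt "$id2" ]` gives a clearer failure.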
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
+# Check that a query for a domain that has a KSK that is not actively signing
+# the DNSKEY RRset. This should not result in a broken trust chain if there is
+# another KSK that is signing the DNSKEY RRset.
+echo_i "checking that a secure chain with one active and one inactive KSK validates as secure ($n)"
+ret=0
+dig_with_opts @10.53.0.4 a.lazy-ksk A >dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
# TODO: test case for GL #1689.
# If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5)
# we could write a test that signs a zone with supported and unsupported
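Review bot: The comment above the new check is a sentence fragment (`Check that a query for a domain that has a KSK that is not actively signing the DNSKEY RRset.`), and both it and the `echo_i` text speak of a single inactive KSK although the signing script in this change generates three KSKs and removes two; suggest `# Check that a zone whose DS set includes a KSK that does not sign the DNSKEY RRset still validates as secure, as long as another KSK in the DS set does sign it.` The check only asserts `status: NOERROR` and the `ad` flag; adding `grep "a.lazy-ksk.*10.0.0.1" dig.out.ns4.test$n >/dev/null || ret=1` pins that the validated answer is the expected A record rather than any NOERROR response. Nothing in the check demonstrates that the validator actually had to pass over a non-signing DS before reaching the signing one, so if the log on ns4 records which DS/DNSKEY pair was used, grepping for that would make the regression guard much stronger.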