From: Matthijs Mekking Date: Wed, 10 Aug 2022 14:41:30 +0000 (+0200) Subject: Add test case for #3486 X-Git-Tag: v9.19.5~26^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6e534c1cd149422cf57bd7984f8ed0c455663598;p=thirdparty%2Fbind9.git Add test case for #3486 Add two scenarios where we change the dnssec-policy from using RSASHA1 to something with NSEC3. The first case should work, as the DS is still in hidden state and we can basically do anything with DNSSEC. The second case should fail, because the DS of the predecessor is published and we can't immediately remove the predecessor DNSKEY. So in this case we should keep the NSEC chain for a bit longer. Add two more scenarios where we change the dnssec-policy from using NSEC3 to something NSEC only. Both should work because there are no restrictions on using NSEC when it comes to algorithms, but in the cases where the DS is published we can't bluntly remove the predecessor. Extend the nsec3 system test by also checking the DNSKEY RRset for the expected DNSKEY records. This requires some "kasp system"-style setup for each test (setting key properties and key states). Also move the dnssec-verify check inside the check_nsec/check_nsec3 functions because we will have to do that every time. --- diff --git a/bin/tests/system/nsec3/clean.sh b/bin/tests/system/nsec3/clean.sh index 6383f29beae..d6b11e749b6 100644 --- a/bin/tests/system/nsec3/clean.sh +++ b/bin/tests/system/nsec3/clean.sh @@ -13,9 +13,10 @@ set -e -rm -f dig.out.* rndc.signing.* +rm -f dig.out.* rndc.signing.* verify.out.* rm -f ns*/named.conf ns*/named.memstats ns*/named.run* rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind rm -f ns*/K*.private ns*/K*.key ns*/K*.state rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed - +rm -f ns*/keygen.out.* ns*/settime.out.* +rm -f created.key-* *.created unused.key-* diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in index 36c217ad3ce..c94fa5d6791 100644 --- a/bin/tests/system/nsec3/ns3/named.conf.in +++ b/bin/tests/system/nsec3/ns3/named.conf.in @@ -18,6 +18,12 @@ dnssec-policy "nsec" { // NSEC will be used; }; +dnssec-policy "rsasha1" { + keys { + csk lifetime unlimited algorithm rsasha1; + }; +}; + dnssec-policy "nsec3" { nsec3param; }; @@ -59,6 +65,56 @@ zone "nsec-to-nsec3.kasp" { dnssec-policy "nsec"; }; +/* + * This zone starts with NSEC, but will be reconfigured to use NSEC3. + * This should work despite the incompatible RSAHSHA1 algorithm, + * because the DS is still in hidden state. + */ +zone "rsasha1-to-nsec3.kasp" { + type primary; + file "rsasha1-to-nsec3.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha1"; +}; + +/* + * This zone starts with NSEC, but will be reconfigured to use NSEC3. + * This should block because RSASHA1 is not compatible with NSEC3, + * and the DS is published. + */ +zone "rsasha1-to-nsec3-wait.kasp" { + type primary; + file "rsasha1-to-nsec3-wait.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha1"; +}; + +/* + * This zone starts with NSEC3, but will be reconfigured to use NSEC with an + * NSEC only algorithm. This should work despite the incompatible RSAHSHA1 + * algorithm, because the DS is still in hidden state. + */ +zone "nsec3-to-rsasha1.kasp" { + type primary; + file "nsec3-to-rsasha1.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + +/* + * This zone starts with NSEC3, but will be reconfigured to use NSEC with an + * NSEC only algorithm. This should also be fine because we are allowed + * to change to NSEC with any algorithm, then we can also publish the new + * DNSKEY and signatures of the RSASHA1 algorithm. + */ +zone "nsec3-to-rsasha1-ds.kasp" { + type primary; + file "nsec3-to-rsasha1-ds.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + + /* These zones use the default NSEC3 settings. */ zone "nsec3.kasp" { type primary; diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in index c81cd700491..d9764abcad6 100644 --- a/bin/tests/system/nsec3/ns3/named2.conf.in +++ b/bin/tests/system/nsec3/ns3/named2.conf.in @@ -18,6 +18,12 @@ dnssec-policy "nsec" { // NSEC will be used; }; +dnssec-policy "rsasha1" { + keys { + csk lifetime unlimited algorithm rsasha1; + }; +}; + dnssec-policy "nsec3" { nsec3param; }; @@ -60,6 +66,59 @@ zone "nsec-to-nsec3.kasp" { dnssec-policy "nsec3"; }; +/* + * This zone starts with NSEC, but will be reconfigured to use NSEC3. + * This should work despite the incompatible RSAHSHA1 algorithm, + * because the DS is still in hidden state. + */ +zone "rsasha1-to-nsec3.kasp" { + type primary; + file "rsasha1-to-nsec3.kasp.db"; + inline-signing yes; + //dnssec-policy "rsasha1"; + dnssec-policy "nsec3"; +}; + +/* + * This zone starts with NSEC, but will be reconfigured to use NSEC3. + * This should block because RSASHA1 is not compatible with NSEC3, + * and the DS is published. + */ +zone "rsasha1-to-nsec3-wait.kasp" { + type primary; + file "rsasha1-to-nsec3-wait.kasp.db"; + inline-signing yes; + //dnssec-policy "rsasha1"; + dnssec-policy "nsec3"; +}; + +/* + * This zone starts with NSEC3, but will be reconfigured to use NSEC with an + * NSEC only algorithm. This should work despite the incompatible RSAHSHA1 + * algorithm, because the DS is still in hidden state. + */ +zone "nsec3-to-rsasha1.kasp" { + type primary; + file "nsec3-to-rsasha1.kasp.db"; + inline-signing yes; + //dnssec-policy "nsec3"; + dnssec-policy "rsasha1"; +}; + +/* + * This zone starts with NSEC3, but will be reconfigured to use NSEC with an + * NSEC only algorithm. This should also be fine because we are allowed + * to change to NSEC with any algorithm, then we can also publish the new + * DNSKEY and signatures of the RSASHA1 algorithm. + */ +zone "nsec3-to-rsasha1-ds.kasp" { + type primary; + file "nsec3-to-rsasha1-ds.kasp.db"; + inline-signing yes; + //dnssec-policy "nsec3"; + dnssec-policy "rsasha1"; +}; + /* These zones use the default NSEC3 settings. */ zone "nsec3.kasp" { type primary; diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh index cbaf84ce8d4..e2478ac3df1 100644 --- a/bin/tests/system/nsec3/ns3/setup.sh +++ b/bin/tests/system/nsec3/ns3/setup.sh @@ -30,4 +30,29 @@ do setup "${zn}.kasp" done +if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1) +then + for zn in rsasha1-to-nsec3 rsasha1-to-nsec3-wait nsec3-to-rsasha1 \ + nsec3-to-rsasha1-ds + do + setup "${zn}.kasp" + done + + longago="now-1y" + keytimes="-P ${longago} -A ${longago}" + O="omnipresent" + + zone="rsasha1-to-nsec3-wait.kasp" + CSK=$($KEYGEN -k "rsasha1" -l named.conf $keytimes $zone 2> keygen.out.$zone) + echo_i "Created key file $CSK" + $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" > settime.out.$zone 2>&1 + + zone="nsec3-to-rsasha1-ds.kasp" + CSK=$($KEYGEN -k "default" -l named.conf $keytimes $zone 2> keygen.out.$zone) + echo_i "Created key file $CSK" + $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" > settime.out.$zone 2>&1 +else + echo_i "skip: skip rsasha1 zones - signing with RSASHA1 not supported" +fi + cp nsec3-fails-to-load.kasp.db.in nsec3-fails-to-load.kasp.db diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh index d9c2b83d174..f5865d5ab17 100644 --- a/bin/tests/system/nsec3/tests.sh +++ b/bin/tests/system/nsec3/tests.sh @@ -36,6 +36,8 @@ rndccmd() { set_zone_policy() { ZONE=$1 POLICY=$2 + NUM_KEYS=$3 + DNSKEY_TTL=$4 } # Set expected NSEC3 parameters: flags ($1), iterations ($2), and # salt length ($3). @@ -47,6 +49,49 @@ set_nsec3param() { SALT="" } +# Set expected default dnssec-policy keys values. +set_key_default_values() { + key_clear $1 + + set_keyrole $1 "csk" + set_keylifetime $1 "0" + set_keyalgorithm $1 "13" "ECDSAP256SHA256" "256" + set_keysigning $1 "yes" + set_zonesigning $1 "yes" + + set_keystate $1 "GOAL" "omnipresent" + set_keystate $1 "STATE_DNSKEY" "rumoured" + set_keystate $1 "STATE_KRRSIG" "rumoured" + set_keystate $1 "STATE_ZRRSIG" "rumoured" + set_keystate $1 "STATE_DS" "hidden" +} + +# Set expected rsasha1 dnssec-policy keys values. +set_key_rsasha1_values() { + key_clear $1 + + set_keyrole $1 "csk" + set_keylifetime $1 "0" + set_keyalgorithm $1 "5" "RSASHA1" "2048" + set_keysigning $1 "yes" + set_zonesigning $1 "yes" + + set_keystate $1 "GOAL" "omnipresent" + set_keystate $1 "STATE_DNSKEY" "rumoured" + set_keystate $1 "STATE_KRRSIG" "rumoured" + set_keystate $1 "STATE_ZRRSIG" "rumoured" + set_keystate $1 "STATE_DS" "hidden" +} + +# Update the key states. +set_key_states() { + set_keystate $1 "GOAL" "$2" + set_keystate $1 "STATE_DNSKEY" "$3" + set_keystate $1 "STATE_KRRSIG" "$4" + set_keystate $1 "STATE_ZRRSIG" "$5" + set_keystate $1 "STATE_DS" "$6" +} + # The apex NSEC3PARAM record indicates that it is signed. _wait_for_nsec3param() { dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.test$n.wait" || return 1 @@ -79,24 +124,43 @@ wait_for_zone_is_signed() { status=$((status+ret)) } +# Test: check DNSSEC verify +_check_dnssec_verify() { + dig_with_opts @$SERVER "${ZONE}" AXFR > "dig.out.test$n.axfr.$ZONE" || return 1 + $VERIFY -z -o "$ZONE" "dig.out.test$n.axfr.$ZONE" > "verify.out.test$n.$ZONE" 2>&1 || return 1 + return 0 +} + # Test: check NSEC in answers -_check_nsec_nsec3param() -{ +_check_nsec_nsec3param() { dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1 grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" > /dev/null && return 1 return 0 } -_check_nsec_nxdomain() -{ +_check_nsec_nxdomain() { dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1 grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1 grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" > /dev/null && return 1 return 0 } -check_nsec() -{ +check_nsec() { + n=$((n+1)) + echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)" + ret=0 + check_keys + retry_quiet 10 _check_apex_dnskey || log_error "bad DNSKEY RRset for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) + + n=$((n+1)) + echo_i "verify DNSSEC for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) + n=$((n+1)) echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)" ret=0 @@ -113,8 +177,7 @@ check_nsec() } # Test: check NSEC3 parameters in answers -_check_nsec3_nsec3param() -{ +_check_nsec3_nsec3param() { dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1 grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" > /dev/null || return 1 @@ -124,15 +187,13 @@ _check_nsec3_nsec3param() return 0 } -_check_nsec3_nxdomain() -{ +_check_nsec3_nxdomain() { dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1 grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1 return 0 } -check_nsec3() -{ +check_nsec3() { n=$((n+1)) echo_i "check that NSEC3PARAM 1 0 ${ITERATIONS} is published zone ${ZONE} ($n)" ret=0 @@ -146,74 +207,119 @@ check_nsec3() retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) + + n=$((n+1)) + echo_i "verify DNSSEC for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) } start_time="$(TZ=UTC date +%s)" status=0 n=0 +key_clear "KEY1" +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + # Zone: nsec-to-nsec3.kasp. -set_zone_policy "nsec-to-nsec3.kasp" "nsec" +set_zone_policy "nsec-to-nsec3.kasp" "nsec" 1 3600 set_server "ns3" "10.53.0.3" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec -dnssec_verify + +if ($SHELL ../testcrypto.sh -q RSASHA1) +then + # Zone: rsasha1-to-nsec3.kasp. + set_zone_policy "rsasha1-to-nsec3.kasp" "rsasha1" 1 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + echo_i "initial check zone ${ZONE}" + check_nsec + + # Zone: rsasha1-to-nsec3-wait.kasp. + set_zone_policy "rsasha1-to-nsec3-wait.kasp" "rsasha1" 1 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + echo_i "initial check zone ${ZONE}" + check_nsec + + # Zone: nsec3-to-rsasha1.kasp. + set_zone_policy "nsec3-to-rsasha1.kasp" "nsec3" 1 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + echo_i "initial check zone ${ZONE}" + check_nsec3 + + # Zone: nsec3-to-rsasha1-ds.kasp. + set_zone_policy "nsec3-to-rsasha1-ds.kasp" "nsec3" 1 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + echo_i "initial check zone ${ZONE}" + check_nsec3 +fi # Zone: nsec3.kasp. -set_zone_policy "nsec3.kasp" "nsec3" +set_zone_policy "nsec3.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 -dnssec_verify # Zone: nsec3-dynamic.kasp. -set_zone_policy "nsec3-dynamic.kasp" "nsec3" +set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 -dnssec_verify # Zone: nsec3-change.kasp. -set_zone_policy "nsec3-change.kasp" "nsec3" +set_zone_policy "nsec3-change.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 -dnssec_verify # Zone: nsec3-dynamic-change.kasp. -set_zone_policy "nsec3-dynamic-change.kasp" "nsec3" +set_zone_policy "nsec3-dynamic-change.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 -dnssec_verify # Zone: nsec3-to-nsec.kasp. -set_zone_policy "nsec3-to-nsec.kasp" "nsec3" +set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 -dnssec_verify # Zone: nsec3-to-optout.kasp. -set_zone_policy "nsec3-to-optout.kasp" "nsec3" +set_zone_policy "nsec3-to-optout.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 -dnssec_verify # Zone: nsec3-from-optout.kasp. -set_zone_policy "nsec3-from-optout.kasp" "optout" +set_zone_policy "nsec3-from-optout.kasp" "optout" 1 3600 set_nsec3param "1" "0" "0" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 -dnssec_verify # Zone: nsec3-other.kasp. -set_zone_policy "nsec3-other.kasp" "nsec3-other" +set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600 set_nsec3param "1" "11" "8" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 -dnssec_verify # Reconfig named. echo_i "reconfig dnssec-policy to trigger nsec3 rollovers" @@ -221,88 +327,139 @@ copy_setports ns3/named2.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 # Zone: nsec-to-nsec3.kasp. (reconfigured) -set_zone_policy "nsec-to-nsec3.kasp" "nsec3" +set_zone_policy "nsec-to-nsec3.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 -dnssec_verify + +if ($SHELL ../testcrypto.sh -q RSASHA1) +then + # Zone: rsasha1-to-nsec3.kasp. + set_zone_policy "rsasha1-to-nsec3.kasp" "nsec3" 2 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + set_key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden" + set_keysigning "KEY1" "no" + set_zonesigning "KEY1" "no" + set_key_default_values "KEY2" + echo_i "check zone ${ZONE} after reconfig" + check_nsec3 + + # Zone: rsasha1-to-nsec3-wait.kasp. + set_zone_policy "rsasha1-to-nsec3-wait.kasp" "nsec3" 2 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + set_key_default_values "KEY2" + echo_i "check zone ${ZONE} after reconfig" + + ret=0 + wait_for_log 10 "zone $ZONE/IN (signed): wait building NSEC3 chain until NSEC only DNSKEYs are removed" ns3/named.run || ret=1 + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) + + check_nsec + + # Zone: nsec3-to-rsasha1.kasp. + set_zone_policy "nsec3-to-rsasha1.kasp" "rsasha1" 2 3600 + set_server "ns3" "10.53.0.3" + set_key_default_values "KEY1" + set_key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden" + set_keysigning "KEY1" "no" + set_zonesigning "KEY1" "no" + set_key_rsasha1_values "KEY2" + echo_i "check zone ${ZONE} after reconfig" + check_nsec + + # Zone: nsec3-to-rsasha1-ds.kasp. + set_zone_policy "nsec3-to-rsasha1-ds.kasp" "rsasha1" 2 3600 + set_server "ns3" "10.53.0.3" + set_key_default_values "KEY1" + set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + set_key_rsasha1_values "KEY2" + echo_i "check zone ${ZONE} after reconfig" + check_nsec + + key_clear "KEY1" + key_clear "KEY2" +fi # Zone: nsec3.kasp. (same) -set_zone_policy "nsec3.kasp" "nsec3" +set_zone_policy "nsec3.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 -dnssec_verify # Zone: nsec3-dyamic.kasp. (same) -set_zone_policy "nsec3-dynamic.kasp" "nsec3" +set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 -dnssec_verify # Zone: nsec3-change.kasp. (reconfigured) -set_zone_policy "nsec3-change.kasp" "nsec3-other" +set_zone_policy "nsec3-change.kasp" "nsec3-other" 1 3600 set_nsec3param "1" "11" "8" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 -dnssec_verify # Zone: nsec3-dynamic-change.kasp. (reconfigured) -set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other" +set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other" 1 3600 set_nsec3param "1" "11" "8" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 -dnssec_verify # Zone: nsec3-to-nsec.kasp. (reconfigured) -set_zone_policy "nsec3-to-nsec.kasp" "nsec" +set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600 set_nsec3param "1" "11" "8" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec -dnssec_verify # Zone: nsec3-to-optout.kasp. (reconfigured) # DISABLED: # There is a bug in the nsec3param building code that thinks when the # optout bit is changed, the chain already exists. [GL #2216] -#set_zone_policy "nsec3-to-optout.kasp" "optout" +#set_zone_policy "nsec3-to-optout.kasp" "optout" 1 3600 #set_nsec3param "1" "0" "0" +#set_key_default_values "KEY1" #echo_i "check zone ${ZONE} after reconfig" #check_nsec3 -#dnssec_verify # Zone: nsec3-from-optout.kasp. (reconfigured) # DISABLED: # There is a bug in the nsec3param building code that thinks when the # optout bit is changed, the chain already exists. [GL #2216] -#set_zone_policy "nsec3-from-optout.kasp" "nsec3" +#set_zone_policy "nsec3-from-optout.kasp" "nsec3" 1 3600 #set_nsec3param "0" "0" "0" +#set_key_default_values "KEY1" #echo_i "check zone ${ZONE} after reconfig" #check_nsec3 -#dnssec_verify # Zone: nsec3-other.kasp. (same) -set_zone_policy "nsec3-other.kasp" "nsec3-other" +set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600 set_nsec3param "1" "11" "8" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 -dnssec_verify # Using rndc signing -nsec3param (should fail) -set_zone_policy "nsec3-change.kasp" "nsec3-other" +set_zone_policy "nsec3-change.kasp" "nsec3-other" 1 3600 echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings" rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE > rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE" grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE > /dev/null || log_error "rndc signing -nsec3param should fail" check_nsec3 -dnssec_verify # Test NSEC3 and NSEC3PARAM is the same after restart -set_zone_policy "nsec3.kasp" "nsec3" +set_zone_policy "nsec3.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} before restart" check_nsec3 -dnssec_verify # Restart named, NSEC3 should stay the same. ret=0 @@ -318,22 +475,22 @@ test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) prevsalt="${SALT}" -set_zone_policy "nsec3.kasp" "nsec3" +set_zone_policy "nsec3.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" SALT="${prevsalt}" echo_i "check zone ${ZONE} after restart has salt ${SALT}" check_nsec3 -dnssec_verify # Zone: nsec3-fails-to-load.kasp. (should be fixed after reload) cp ns3/template.db.in ns3/nsec3-fails-to-load.kasp.db rndc_reload ns3 10.53.0.3 -set_zone_policy "nsec3-fails-to-load.kasp" "nsec3" +set_zone_policy "nsec3-fails-to-load.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reload" check_nsec3 -dnssec_verify echo_i "exit status: $status" [ $status -eq 0 ] || exit 1