From: Evan Hunt Date: Tue, 1 May 2018 00:43:52 +0000 (-0700) Subject: add a system test X-Git-Tag: v9.13.3~58^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7ecd699e815adcd0d5efdf778c3d0142ff980887;p=thirdparty%2Fbind9.git add a system test --- diff --git a/bin/tests/system/dnssec/ns2/corp.db b/bin/tests/system/dnssec/ns2/corp.db new file mode 100644 index 00000000000..70c96299c2e --- /dev/null +++ b/bin/tests/system/dnssec/ns2/corp.db @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 30 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 30 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 + +www A 10.0.0.1 diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in index 329424dccf6..4f056328181 100644 --- a/bin/tests/system/dnssec/ns2/named.conf.in +++ b/bin/tests/system/dnssec/ns2/named.conf.in @@ -158,4 +158,9 @@ zone "cdnskey-auto.secure" { allow-update { any; }; }; +zone "corp" { + type master; + file "corp.db"; +}; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns4/named1.conf.in b/bin/tests/system/dnssec/ns4/named1.conf.in index 9f851b09c92..f74a4058ce0 100644 --- a/bin/tests/system/dnssec/ns4/named1.conf.in +++ b/bin/tests/system/dnssec/ns4/named1.conf.in 
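Review bot: The inline comments in the new corp.db do not match the values beside them: `$TTL 30` is annotated `; 5 minutes` and the SOA minimum `30` is annotated `; minimum (1 hour)`, while both values are 30 seconds. They look carried over from another zone file. I would change them to `$TTL 30 ; 30 seconds` and `30 ; minimum (30 seconds)` so that anyone reading the fixture does not misjudge how long the test's answers and negative responses stay cached.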
@@ -28,6 +28,8 @@ options { nta-lifetime 12s; nta-recheck 9s; + validate-except { corp; }; + # Note: We only reference the bind.keys file here to confirm that it # is *not* being used. It contains the real root key, and we're # using a local toy root zone for the tests, so it wouldn't work. @@ -50,4 +52,9 @@ zone "." { file "../../common/root.hint"; }; +zone "corp" { + type static-stub; + server-addresses { 10.53.0.2; }; +}; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index c87700e120a..41d4643a11a 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -1764,6 +1764,15 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` +echo_i "checking validate-except in an insecure local domain ($n)" +ret=0 +$DIG $DIGOPTS ns www.corp @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + echo_i "checking positive and negative validation with negative trust anchors ($n)" ret=0 @@ -2165,10 +2174,14 @@ fi echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" sleep 4 -# dump the NTA to a file +# dump the NTA to a file (omit validate-except entries) +echo_i "testing 'rndc nta'" $RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null +# "corp" is configured as a validate-except domain and thus should be +# omitted. only "secure.example" should be in the dump at this point. lines=`wc -l < rndc.out.ns4.test$n.1` [ "$lines" -eq 1 ] || ret=1 +grep 'secure.example' rndc.out.ns4.test$n.1 > /dev/null || ret=1 ts=`awk '{print $3" "$4}' < rndc.out.ns4.test$n.1` # rndc nta outputs localtime, so append the timezone ts_with_zone="$ts `date +%z`" diff --git a/util/copyrights b/util/copyrights index 42f83b1a3a8..149114649ec 100644 
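Review bot: The added `validate-except { corp; };` line in the ns4 options block carries no comment saying why validation is switched off for that name, unlike the bind.keys reference directly below it, which explains itself. The option exempts the listed domain, and names beneath it, from DNSSEC validation, so the reason belongs next to it. I would add something like `# corp is served unsigned by ns2 via the static-stub zone below; exempt it so the validate-except test can resolve it`. The options block starts and ends outside the hunk.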
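Review bot: The new validate-except check queries `ns www.corp`, but corp.db defines only an A record for `www`, so the passing case is an empty NOERROR answer. The test therefore never shows that data from the exempted zone reaches the client. Unless the NODATA response is intended, querying `a www.corp` and adding `grep "10.0.0.1" dig.out.ns4.test$n > /dev/null || ret=1` would pin that down. The status check would also be tighter as `grep "status: NOERROR"`, since a bare `NOERROR` can match anywhere in the dig output.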
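Review bot: In the `rndc nta -d` dump check, the omission of `corp` is established only through the line count, so a failure does not say whether an exempted name leaked into the dump or an expected entry went missing. An explicit `grep 'corp' rndc.out.ns4.test$n.1 > /dev/null && ret=1` would state the intent directly. The added `grep 'secure.example'` is unanchored with an unescaped dot, so it would also accept a line for `insecure.example`. Assuming the name starts the line, `grep '^secure\.example'` is stricter. The surrounding test block, including where `ret` is initialised and evaluated, lies outside the hunk.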
--- a/util/copyrights
+++ b/util/copyrights
@@ -990,6 +990,7 @@
 ./bin/tests/system/dnssec/ns2/cds.secure.db.in ZONE 2015,2016,2018
 ./bin/tests/system/dnssec/ns2/child.nsec3.example.db ZONE 2006,2008,2016,2018
 ./bin/tests/system/dnssec/ns2/child.optout.example.db ZONE 2006,2008,2016,2018
+./bin/tests/system/dnssec/ns2/corp.db ZONE 2018
 ./bin/tests/system/dnssec/ns2/dlv.db.in ZONE 2004,2007,2016,2018
 ./bin/tests/system/dnssec/ns2/dst.example.db.in ZONE 2004,2007,2016,2018
 ./bin/tests/system/dnssec/ns2/example.db.in ZONE 2000,2001,2002,2004,2007,2008,2009,2010,2011,2012,2013,2014,2016,2018