From: Matthijs Mekking
Date: Wed, 14 Oct 2020 08:03:13 +0000 (+0200)
Subject: Add some NSEC3 optout tests
X-Git-Tag: v9.17.8~27^2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a5b45bdd03a8df98c123537f7e586f55c957cf3f;p=thirdparty%2Fbind9.git

Add some NSEC3 optout tests

Make sure that just changing the optout value recreates the chain.
---

diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in
index 0c722511c60..a168b88e0cf 100644
--- a/bin/tests/system/nsec3/ns3/named.conf.in
+++ b/bin/tests/system/nsec3/ns3/named.conf.in
@@ -20,6 +20,10 @@ dnssec-policy "nsec3" {
 	nsec3param;
 };
 
+dnssec-policy "optout" {
+	nsec3param optout yes;
+};
+
 dnssec-policy "nsec3-other" {
 	nsec3param iterations 11 optout yes salt "deadbeef";
 };
@@ -73,6 +77,20 @@ zone "nsec3-change.kasp" {
 	dnssec-policy "nsec3";
 };
 
+/* The zone will be reconfigured to use opt-out. */
+zone "nsec3-to-optout.kasp" {
+	type primary;
+	file "nsec3-to-optout.kasp.db";
+	dnssec-policy "nsec3";
+};
+
+/* The zone will be reconfigured to disable opt-out. */
+zone "nsec3-from-optout.kasp" {
+	type primary;
+	file "nsec3-from-optout.kasp.db";
+	dnssec-policy "optout";
+};
+
 /* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
 zone "nsec3-to-nsec.kasp" {
 	type primary;
diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in
index ce9037889a7..91bc44e3145 100644
--- a/bin/tests/system/nsec3/ns3/named2.conf.in
+++ b/bin/tests/system/nsec3/ns3/named2.conf.in
@@ -20,6 +20,10 @@ dnssec-policy "nsec3" {
 	nsec3param;
 };
 
+dnssec-policy "optout" {
+	nsec3param optout yes;
+};
+
 dnssec-policy "nsec3-other" {
 	nsec3param iterations 11 optout yes salt "deadbeef";
 };
@@ -75,6 +79,22 @@ zone "nsec3-change.kasp" {
 	dnssec-policy "nsec3-other";
 };
 
+/* The zone will be reconfigured to use opt-out. */
+zone "nsec3-to-optout.kasp" {
+	type primary;
+	file "nsec3-to-optout.kasp.db";
+	//dnssec-policy "nsec3";
+	dnssec-policy "optout";
+};
+
+/* The zone will be reconfigured to disable opt-out. */
+zone "nsec3-from-optout.kasp" {
+	type primary;
+	file "nsec3-from-optout.kasp.db";
+	//dnssec-policy "optout";
+	dnssec-policy "nsec3";
+};
+
 /* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
 zone "nsec3-to-nsec.kasp" {
 	type primary;
diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh
index 957fe2a3b19..950ca1ea1e6 100644
--- a/bin/tests/system/nsec3/ns3/setup.sh
+++ b/bin/tests/system/nsec3/ns3/setup.sh
@@ -22,7 +22,8 @@ setup() {
 	cp template.db.in "$zonefile"
 }
 
-for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec
+for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
+	nsec3-to-optout nsec3-from-optout
 do
 	setup "${zn}.kasp"
 done
diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
index 18a9a87ce84..ef312f5b27a 100644
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -184,6 +184,19 @@ echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
 
+# Zone: nsec3-to-optout.kasp.
+set_zone_policy "nsec3-to-optout.kasp" "nsec3"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-from-optout.kasp.
+set_zone_policy "nsec3-from-optout.kasp" "optout"
+set_nsec3param "1" "5" "-"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
 # Zone: nsec3-other.kasp.
 set_zone_policy "nsec3-other.kasp" "nsec3-other"
 set_nsec3param "1" "11" "DEADBEEF"
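Review bot: The `//dnssec-policy "nsec3";` line in the nsec3-to-optout.kasp stanza and the `//dnssec-policy "optout";` line in nsec3-from-optout.kasp are commented-out configuration rather than a statement of intent, and a reader of named2.conf.in alone cannot tell whether they are deliberate. If the purpose is to record the policy the zone had before the reconfigure, a prose comment such as `/* Before reconfigure: dnssec-policy "nsec3"; */` makes that explicit; if the other reconfigured zones in this file already keep the old directive commented out, keeping the same form for consistency is fine. Both new zone stanzas are fully inside the hunk.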
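Review bot: The initial check for nsec3-to-optout.kasp sets the policy but no NSEC3 parameters, while the neighbouring nsec3-from-optout.kasp block and the nsec3-other.kasp block below both call set_nsec3param immediately after set_zone_policy. If set_zone_policy does not reset the expected flags/iterations/salt, check_nsec3 here inherits whatever the preceding zone left behind and only passes because that zone happens to use the same values; adding `set_nsec3param "0" "5" "-"` after `set_zone_policy "nsec3-to-optout.kasp" "nsec3"` makes the expectation explicit and order-independent, and matches what the reconfigured nsec3-from-optout.kasp block later in the file already does. set_zone_policy, set_nsec3param and check_nsec3 are defined outside the hunk.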
@@ -224,6 +237,20 @@ echo_i "check zone ${ZONE} after reconfig"
 check_nsec
 dnssec_verify
 
+# Zone: nsec3-to-optout.kasp. (reconfigured)
+set_zone_policy "nsec3-to-optout.kasp" "optout"
+set_nsec3param "1" "5" "-"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-from-optout.kasp. (reconfigured)
+set_zone_policy "nsec3-from-optout.kasp" "nsec3"
+set_nsec3param "0" "5" "-"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
 # Zone: nsec3-other.kasp. (same)
 set_zone_policy "nsec3-other.kasp" "nsec3-other"
 set_nsec3param "1" "11" "DEADBEEF"
@@ -231,7 +258,7 @@ echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 dnssec_verify
 
-# Using rndc signing -nsec3param
+# Using rndc signing -nsec3param (should fail)
 set_zone_policy "nsec3-change.kasp" "nsec3-other"
 echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
 rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE > rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE"
@@ -241,4 +268,3 @@ dnssec_verify
 
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
-
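Review bot: After the reconfigure, the nsec3-to-optout.kasp block only sets the expected flags to 1 via set_nsec3param and runs check_nsec3 and dnssec_verify, which shows the new NSEC3PARAM is in place but does not by itself show that the previous chain was replaced, which is what the commit message says these zones are for. If check_nsec3 (defined outside the hunk) does not already confirm that every NSEC3 RR carries the expected opt-out flag, an explicit assertion that no NSEC3 record with the old flag value remains would pin the "recreates the chain" claim; a short comment such as `# Only the opt-out flag changes; the whole chain must still be rebuilt.` above the block would also record why both directions are exercised. The same applies to the nsec3-from-optout.kasp block that follows it in this hunk.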