From: Mark Andrews
Date: Wed, 1 Dec 2021 04:32:20 +0000 (+1100)
Subject: Check 'server { broken-nsec yes; };'
X-Git-Tag: v9.17.21~5^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dfe31e61d268720788d1d19f8fdf05212a89a081;p=thirdparty%2Fbind9.git

Check 'server { broken-nsec yes; };'
---
diff --git a/bin/tests/system/checkconf/good-broken-nsec.conf b/bin/tests/system/checkconf/good-broken-nsec.conf
new file mode 100644
index 00000000000..f1057d3c84e
--- /dev/null
+++ b/bin/tests/system/checkconf/good-broken-nsec.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+server 10.0.0/24 {
+ broken-nsec yes;
+};
diff --git a/bin/tests/system/synthfromdnssec/ns7/named.conf.in b/bin/tests/system/synthfromdnssec/ns7/named.conf.in
new file mode 100644
index 00000000000..bd44c0330bb
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns7/named.conf.in
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-validation yes;
+};
+
+server 10.53.0.1 {
+ broken-nsec yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+statistics-channels {
+ inet 10.53.0.7 port @EXTRAPORT1@ allow { any; };
+};
+
+zone "." {
+ type hint;
+ file "root.hints";
+};
+
+include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns7/root.hints b/bin/tests/system/synthfromdnssec/ns7/root.hints
new file mode 100644
index 00000000000..63fc22d0e1d
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns7/root.hints
@@ -0,0 +1,11 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS ns1
+ns1 A 10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/setup.sh b/bin/tests/system/synthfromdnssec/setup.sh
index 067aa0e753c..7768353e749 100644
--- a/bin/tests/system/synthfromdnssec/setup.sh
+++ b/bin/tests/system/synthfromdnssec/setup.sh
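Review bot: The header comment of the new file reads `// NS2`, but every address in it is 10.53.0.7 and the file lives under ns7/, so the comment looks copied from the ns2 configuration; change it to `// NS7`. The `server 10.53.0.1 { broken-nsec yes; };` block is the only thing that distinguishes this resolver from the other validating instances in the test, and a one-line comment above it would help a reader, e.g. `// NSEC records from ns1 are declared untrustworthy for synthesis; tests.sh expects synth=no here` — presumably that is the setting's effect, given the `synth=no` expectation added for ns7 in tests.sh. The `controls` and `statistics-channels` blocks use `allow { any; }` with a fixed shared secret, which appears to mirror the sibling nsN harness configurations and is bound to the test address only.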
@@ -20,6 +20,7 @@ copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
 
 (
 cd ns1
diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh
index 48e04f43e4c..7bceeaf6c20 100644
--- a/bin/tests/system/synthfromdnssec/tests.sh
+++ b/bin/tests/system/synthfromdnssec/tests.sh
@@ -98,13 +98,14 @@ check_auth_count() {
 return 0
 }
 
-for ns in 2 4 5 6
+for ns in 2 4 5 6 7
 do
 case $ns in
 2) ad=yes; description="";;
 4) ad=yes; description="no";;
 5) ad=yes; description="yes";;
 6) ad=no; description="yes; dnssec-validation no";;
+ 7) ad=yes; description="yes; server 10.53.0.1 { broken-nsec yes; };";;
 *) exit 1;;
 esac
 echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
@@ -318,13 +319,14 @@ status=$((status+ret)) # sleep 1
-for ns in 2 4 5 6
+for ns in 2 4 5 6 7
 do
 case $ns in
 2) ad=yes synth=${synth_default} description="";;
 4) ad=yes synth=no description="no";;
 5) ad=yes synth=yes description="yes";;
 6) ad=no synth=no description="yes; dnssec-validation no";;
+ 7) ad=yes synth=no description="yes; server 10.53.0.1 { broken-nsec yes; };";;
 *) exit 1;;
 esac
 echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
@@ -637,11 +639,11 @@ do
 count=$(grep "cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l)
 test $count = 2 || ret=1
 zero=$(grep "0 cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l)
- if [ ${ad} = yes ]
+ if [ ${ad} = no -o $ns = 7 ]
 then
- test $zero = 1 || ret=1
- else
 test $zero = 2 || ret=1
+ else
+ test $zero = 1 || ret=1
 fi
 n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
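Review bot: The new condition `if [ ${ad} = no -o $ns = 7 ]` in the hunk at line 637 relies on the binary `-o` operator of `test`, which POSIX marks obsolescent and which misparses when an operand is empty or begins with a dash; spell it as two tests with quoted operands, `if [ "${ad}" = no ] || [ "$ns" = 7 ]`, so an unset `ad` cannot collapse the expression into a different test. The same construct is added in the hunks at 698 and 761 of tests.sh. The literal `7` also hard-codes which server is expected to hold no NSEC auxiliary nodes in all three statistics checks; assigning a per-server flag in the `case $ns in` block where `ad` and `synth` are set, and testing that flag here, would make the checks self-describing and keep a future server number from needing three more edits. The `do` loop enclosing these lines starts and ends outside the hunk.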
@@ -698,11 +700,11 @@ do
 count=$(echo "$counter" | grep CacheNSECNodes | wc -l)
 test $count = 1 || ret=1
 zero=$(echo "$counter" | grep ">0<" | wc -l)
- if [ ${ad} = yes ]
+ if [ ${ad} = no -o $ns = 7 ]
 then
- test $zero = 0 || ret=1
- else
 test $zero = 1 || ret=1
+ else
+ test $zero = 0 || ret=1
 fi
 n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -761,11 +763,11 @@ do
 count=$(grep '"CacheNSECNodes":' $json | wc -l)
 test $count = 2 || ret=1
 zero=$(grep '"CacheNSECNodes":0' $json | wc -l)
- if [ ${ad} = yes ]
+ if [ ${ad} = no -o $ns = 7 ]
 then
- test $zero = 1 || ret=1
- else
 test $zero = 2 || ret=1
+ else
+ test $zero = 1 || ret=1
 fi
 n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi