From: Colin Vidal Date: Wed, 12 Mar 2025 09:53:33 +0000 (+0100) Subject: add system tests covering EDE 7 and 8 X-Git-Tag: v9.21.7~60^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e763d6637f54fcd079f4ab17120c0c53aa4adecc;p=thirdparty%2Fbind9.git add system tests covering EDE 7 and 8 Add DNSSEC system tests to cover extended DNS error 7 (Signature Expired) and 8 (Signature Not Yet Valid).
---
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 6d10c7f8a52..917da71e4be 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -64,7 +64,7 @@ for subdomain in digest-alg-unsupported ds-unsupported secure badds \
 kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
 ttlpatch split-dnssec split-smart expired expiring upper lower \
 dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
- dnskey-nsec3-unknown managed-future revkey \
+ dnskey-nsec3-unknown managed-future future revkey \
 dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024; do
 cp "../ns3/dsset-$subdomain.example." .
 done
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 953a310d468..d3ee1bc8b4e 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -2859,6 +2859,19 @@ dig_with_opts +noauth expired.example. +dnssec @10.53.0.4 soa >dig.out.ns4.test$
 grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 grep "expired.example/.*: RRSIG has expired" ns4/named.run >/dev/null || ret=1
+grep "; EDE: 7 (Signature Expired): (expired.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+status=$((status + ret))
+echo_i "checking signatures in the future do not validate ($n)"
+ret=0
+dig_with_opts +noauth future.example. +dnssec @10.53.0.4 soa >dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+grep "future.example/.*: RRSIG validity period has not begun" ns4/named.run >/dev/null || ret=1
+grep "; EDE: 8 (Signature Not Yet Valid): (future.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
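Review bot: The added block has a stray second `status=$((status + ret))` just before `echo_i "checking signatures in the future do not validate ($n)"`, so a failure of the preceding expired-signature check is added to `status` twice. That line should be dropped, leaving the blank line followed directly by the `echo_i`. Separately, the log check `grep "future.example/.*: RRSIG validity period has not begun" ns4/named.run` is unanchored and scans the whole run log, so it would also be satisfied by a `managed-future.example` line if ns4 ever logs one. Anchoring the name on whatever delimiter precedes it in the log would keep this check specific to the new zone. The EDE 8 grep on the dig output is not affected, since the literal `(` ahead of the name already anchors it.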