From: Matthijs Mekking Date: Tue, 19 Dec 2023 12:23:44 +0000 (+0100) Subject: Regression check for NSEC3 to NSEC3 conversion X-Git-Tag: v9.19.21~21^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1d6b892e04e7d8841c778c40bce61c7ff2c1dccb;p=thirdparty%2Fbind9.git Regression check for NSEC3 to NSEC3 conversion When changing the NSEC3 chain, the new NSEC3 chain must be built before the old NSEC3PARAM is removed. Check each delta in the conversion to ensure this ordering is met.
---
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh
index 47a47e7f546..bc4dd5d8c2c 100644
--- a/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -195,6 +195,14 @@ $KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
 $KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
 $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out
 
+#
+# NSEC3->NSEC3 transition test zone.
+#
+setup nsec3-to-nsec3.example
+$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
+$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out
+
 #
 # Introducing a pre-published key test.
 #
diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
index bfcccaf001c..9bc5d655e16 100644
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -265,6 +265,15 @@ zone "nsec3-to-nsec.example" {
 dnssec-policy autosign;
 };
 
+zone "nsec3-to-nsec3.example" {
+ type primary;
+ file "nsec3-to-nsec3.example.db";
+ allow-update { any; };
+ inline-signing no;
+ max-journal-size 10M;
+ dnssec-policy nsec3;
+};
+
 zone "oldsigs.example" {
 type primary;
 file "oldsigs.example.db";
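Review bot: Nothing in the added nsec3-to-nsec3.example block in keygen.sh records that the chain signed here with `-3 beef` is the old chain the test expects named to replace; the block is otherwise a verbatim copy of the nsec3-to-nsec.example setup above it, so a reader cannot tell from this file what triggers the conversion. A one-line comment in the added header would save the next reader a trip to named.conf.in: `# Pre-signed with salt "beef"; the "nsec3" dnssec-policy in named.conf.in must use different NSEC3 parameters so that named performs an NSEC3->NSEC3 chain change.` Whether that policy's parameters actually differ from the pre-signed chain is not visible in this diff, so it should be confirmed rather than assumed when the comment is written.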
diff --git a/bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in b/bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in
new file mode 100644
index 00000000000..0b11a00b004
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. $TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 19e95901398..4c2ea9d9b87 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -890,7 +890,8 @@ checkprivate private.secure.example 10.53.0.3 2 || ret=1 # pre-signed
 checkprivate nsec3.example 10.53.0.3 || ret=1
 checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1
 checkprivate nsec3.optout.example 10.53.0.3 || ret=1
-checkprivate nsec3-to-nsec.example 10.53.0.3 2 || ret=1 # automatically removed
+checkprivate nsec3-to-nsec.example 10.53.0.3 2 || ret=1 # automatically removed
+checkprivate nsec3-to-nsec3.example 10.53.0.3 2 || ret=1 # automatically removed
 if $SHELL ../testcrypto.sh -q RSASHA1; then
 checkprivate nsec-only.example 10.53.0.3 || ret=1
 fi
@@ -1350,5 +1351,19 @@ n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+echo_i "check that NSEC3 to NSEC3 builds the new NSEC3 chain first ($n)"
+ret=0
+$JOURNALPRINT ns3/nsec3-to-nsec3.example.db.jnl \
+ | awk 'BEGIN { addnsec3param=0; delnsec3param=0; nsec3=0 }
+$1 == "del" && $5 == "SOA" { if (delnsec3param || nsec3 || addnsec3param) { if (delnsec3param && (!nsec3 || !addnsec3param)) { exit(1); } else { exit(0); } } }
+$1 == "del" && $5 == "NSEC3PARAM" { delnsec3param=1 }
+$1 == "add" && $5 == "NSEC3PARAM" { addnsec3param=1 }
+$1 == "add" && $5 == "NSEC3" { nsec3=1 }
+END { if (delnsec3param || nsec3 || addnsec3param) { if (delnsec3param && (!nsec3 || !addnsec3param)) { exit(1); } else { exit(0); } } else { exit(1); } }
+' || ret=1
+n=$((n + 1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
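Review bot: The `$1 == "del" && $5 == "SOA"` rule in the added awk script exits 0 at the first transaction boundary after any NSEC3 or NSEC3PARAM activity, so only the first delta that touches those records is ever examined and every later delta is skipped, which is narrower than the "check each delta" the commit message promises. If, for instance, the first delta only adds the new NSEC3PARAM, the script already returns success before a later delta that deletes the old NSEC3PARAM ahead of the chain being built, which is precisely the ordering bug this regression check is meant to catch. Dropping the `exit(0)` branch keeps the accumulated flags and evaluates the same invariant at every boundary and again in END, which already fails the no-activity case: `$1 == "del" && $5 == "SOA" { if (delnsec3param && (!nsec3 || !addnsec3param)) { exit(1); } }`; this assumes the journal starts from the freshly pre-signed zone, which the fixture setup suggests but this hunk does not show. A short comment above the awk call noting that `$1`/`$5` rely on named-journalprint's add/del, owner, TTL, class, type column layout would also help, since the three flags are otherwise unlabeled.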