From: Mark Andrews Date: Thu, 18 Nov 2021 03:22:04 +0000 (+1100) Subject: Generate test zone with multiple NSEC and NSEC3 chains X-Git-Tag: v9.17.21~25^2~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=77ca7783775597618cf5e9b459c7c8a281b1cec1;p=thirdparty%2Fbind9.git Generate test zone with multiple NSEC and NSEC3 chains The method used to generate a test zone with multiple NSEC and NSEC3 chains was incorrect. Multiple calls to dnssec-signzone with multiple parameters is not additive. Extract the chain on each run then add them to the final signed zone instance. --- diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index adcb52f7d2d..b4ff9f39414 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -94,6 +94,7 @@ rm -f ./ns3/ttlpatch.example.db ./ns3/ttlpatch.example.db.signed rm -f ./ns3/ttlpatch.example.db.patched rm -f ./ns3/unsecure.example.db ./ns3/bogus.example.db ./ns3/keyless.example.db rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp +rm -f ./ns3/NSEC ./ns3/NSEC3 rm -f ./ns4/managed-keys.bind* rm -f ./ns4/named_dump.db* rm -f ./ns6/optout-tld.db diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index c32e462a115..59fd58d77cb 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -340,17 +340,18 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null -mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 - -o "$zone" "$zonefile" > /dev/null -mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" > /dev/null -mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" > /dev/null -mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" > /dev/null -mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -O full -o "$zone" "$zonefile" > /dev/null +awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed > NSEC +"$SIGNER" -P -O full -u3 - -o "$zone" "$zonefile" > /dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed > NSEC3 +"$SIGNER" -P -O full -u3 AAAA -o "$zone" "$zonefile" > /dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 +"$SIGNER" -P -O full -u3 BBBB -o "$zone" "$zonefile" > /dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 +"$SIGNER" -P -O full -u3 CCCC -o "$zone" "$zonefile" > /dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 +"$SIGNER" -P -O full -u3 DDDD -o "$zone" "$zonefile" > /dev/null +cat NSEC NSEC3 >> "$zonefile".signed # # A RSASHA256 zone.