From: Evan Hunt Date: Mon, 4 Dec 2023 03:35:08 +0000 (-0800) Subject: revise test for ENT NSEC3 cleanup X-Git-Tag: v9.19.22~10^2~10 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=815f54ec2796fe1ef7f16f0df4e9b351adc071b5;p=thirdparty%2Fbind9.git revise test for ENT NSEC3 cleanup as a side effect of the switch from RBT to QBDB, NSEC3 records are no longer created for empty non-terminal nodes when the node only contains insecure delegations in an opt-out range. such NSEC3 records are optional according to RFC 5155 (and, for example, they are not created by dnssec-signzone), but they were previously created by named, as a harmless side effect of the RBT structure, which contains empty internal nodes that can be reached by a DB iterator. these nodes are not present in the QPDB, so NSEC3 records are not created unless they're actually required. the autosign system test contained a test case (added in commit ad91a70d as part of GL #4027) that checked whether ENT NSEC3 records were deleted when the delegations under the ENT removed. this test no longer passes, because the NSEC3's are not created in the first place, and therefore cannot be removed. rather than "fix" the QPDB to add unnecessary NSEC3 records, this commit instead revises the test to check for removal of ENT NSEC3 records when *not* using opt-out.
---
diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh
index 8d31dfef0ae..a97d5f076ba 100644
--- a/bin/tests/system/autosign/clean.sh
+++ b/bin/tests/system/autosign/clean.sh
@@ -35,7 +35,7 @@ rm -f ns2/child.nsec3.example.db
 rm -f ns2/child.optout.example.db
 rm -f ns2/example.db
 rm -f ns2/insecure.secure.example.db
-rm -f ns2/optout-with-ent.db
+rm -f ns2/nsec3-with-ent.db
 rm -f ns2/private.secure.example.db
 rm -f ns2/signing.*
 rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh
index 35c83cc6672..7421968d6d8 100644
--- a/bin/tests/system/autosign/ns2/keygen.sh
+++ b/bin/tests/system/autosign/ns2/keygen.sh
@@ -55,9 +55,9 @@ $DSFROMKEY Kbar.+013+60101.key >dsset-bar.
 $SIGNER -S -o bar. -O full $zonefile >signing.bar.out 2>&1
 # a zone with empty non-terminals.
-zone=optout-with-ent
-zonefile=optout-with-ent.db
-infile=optout-with-ent.db.in
+zone=nsec3-with-ent
+zonefile=nsec3-with-ent.db
+infile=nsec3-with-ent.db.in
 cat $infile >$zonefile
 kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
 $KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null
diff --git a/bin/tests/system/autosign/ns2/named.conf.in b/bin/tests/system/autosign/ns2/named.conf.in
index fc5740c84f8..eb0b0803861 100644
--- a/bin/tests/system/autosign/ns2/named.conf.in
+++ b/bin/tests/system/autosign/ns2/named.conf.in
@@ -134,14 +134,14 @@ zone "child.optout.example" {
 dnssec-policy optout;
 };
-zone "optout-with-ent" {
+zone "nsec3-with-ent" {
 type primary;
- file "optout-with-ent.db";
+ file "nsec3-with-ent.db";
 allow-query { any; };
 allow-transfer { any; };
 allow-update { any; };
 inline-signing no;
- dnssec-policy optout;
+ dnssec-policy nsec3;
 };
 include "trusted.conf";
diff --git a/bin/tests/system/autosign/ns2/optout-with-ent.db.in b/bin/tests/system/autosign/ns2/nsec3-with-ent.db.in
similarity index 100%
rename from bin/tests/system/autosign/ns2/optout-with-ent.db.in
rename to bin/tests/system/autosign/ns2/nsec3-with-ent.db.in
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 3d131fa6265..1839738966b 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -1270,9 +1270,9 @@ n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-echo_i "check removal of ENT NSEC3 records when opt out delegations are removed ($n)"
-zone=optout-with-ent
-hash=JE76PJ65FUO86UIR594L8P0SNJJ6RMNI
+echo_i "check removal of ENT NSEC3 records when delegations are removed ($n)"
+zone=nsec3-with-ent
+hash=M9SFFA181BCTR8D18LQUPST4N6BL304D
 # check that NSEC3 for ENT is present
 echo_i "check ENT NSEC3 is initially present"
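Review bot: The new `hash=M9SFFA181BCTR8D18LQUPST4N6BL304D` is a bare magic constant with nothing recording what it is the hash of or why it had to change, so the next zone or policy rename will break this check the same way the RBT-to-QPDB switch did. The value moved together with the zone name because the NSEC3 input is the full owner name (which includes the zone apex), and it presumably also depends on the salt and iteration count of the `nsec3` dnssec-policy selected in the named.conf.in hunk — that policy is defined outside these hunks, so I cannot confirm it uses a fixed salt. I'd put `# NSEC3 hash of the ENT owner name in zone nsec3-with-ent; recompute if the zone name or the salt/iterations of the "nsec3" dnssec-policy change` on the line above the assignment. The test block this hunk belongs to continues past the hunk.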