From: Peter van Dijk
Date: Mon, 29 Oct 2012 15:23:08 +0000 (+0000)
Subject: Stop setting auth=1 on NS records of secure delegations. Spotted by George Notaras...
X-Git-Tag: auth-3.2-rc1~51
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c2df797edccd2e8e7494d8ab658f345bd97ae89a;p=thirdparty%2Fpdns.git
Stop setting auth=1 on NS records of secure delegations. Spotted by George Notaras, patch by Kees Monshouwer. Fixes #605
git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2831 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---
diff --git a/modules/gmysqlbackend/gmysqlbackend.cc b/modules/gmysqlbackend/gmysqlbackend.cc
index 0ab9237a29..dfc9586961 100644
--- a/modules/gmysqlbackend/gmysqlbackend.cc
+++ b/modules/gmysqlbackend/gmysqlbackend.cc
@@ -100,8 +100,9 @@ public:
 declare(suffix,"get-order-after-query","DNSSEC Ordering Query, after", "select min(ordername) from records where ordername > '%s' and domain_id=%d and ordername is not null");
 declare(suffix,"get-order-last-query","DNSSEC Ordering Query, last", "select ordername, name from records where ordername != '' and domain_id=%d and ordername is not null order by 1 desc limit 1");
 declare(suffix,"set-order-and-auth-query", "DNSSEC set ordering query", "update records set ordername='%s',auth=%d where name='%s' and domain_id='%d'");
- declare(suffix,"nullify-ordername-query", "DNSSEC nullify ordername query", "update records set ordername=NULL where domain_id='%d' and name='%s' and type is null");
+ declare(suffix,"nullify-ordername-and-update-auth-query", "DNSSEC nullify ordername and update auth query", "update records set ordername=NULL,auth=%d where domain_id='%d' and name='%s'");
 declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername and auth query", "update records set ordername=NULL,auth=0 where name='%s' and type='%s' and domain_id='%d'");
+ declare(suffix,"set-auth-on-ds-record-query", "DNSSEC set auth on a DS record", "update records set auth=1 where domain_id='%d' and name='%s' and type='DS'");
 declare(suffix,"update-serial-query","", "update domains set notified_serial=%d where id=%d");
 declare(suffix,"update-lastcheck-query","", "update domains set last_check=%d where id=%d");
diff --git a/modules/gpgsqlbackend/gpgsqlbackend.cc b/modules/gpgsqlbackend/gpgsqlbackend.cc
index f54ae353ee..50373bd19e 100644
--- a/modules/gpgsqlbackend/gpgsqlbackend.cc
+++ b/modules/gpgsqlbackend/gpgsqlbackend.cc
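Review bot: The placeholder order in the new `nullify-ordername-and-update-auth-query` (`auth=%d`, then `domain_id='%d'`, then `name='%s'`) is a contract with the single snprintf call in gsqlbackend.cc that passes `auth, domain_id, sqlEscape(qname)`, and nothing at the declaration site records it; the same applies to the gpgsql and gsqlite3 declarations in the next two hunks. The query also drops the old `and type is null` qualifier, so it now updates every record at the name regardless of type, which is the intended fix but deserves saying. A short comment above each of the three declarations, `// placeholder order must match GSQLBackend::nullifyDNSSECOrderNameAndUpdateAuth: auth, domain_id, escaped name`, would keep the backends from drifting apart. The gpgsql hunk also places `set-auth-on-ds-record-query` before the nullify pair while gmysql and gsqlite3 place it after; one order across the three files makes the diff easier to audit.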
@@ -95,8 +95,9 @@ public:
 declare(suffix,"get-order-after-query","DNSSEC Ordering Query, after", "select ordername from records where ordername ~>~ E'%s' and domain_id=%d and ordername is not null order by 1 using ~<~ limit 1");
 declare(suffix,"get-order-last-query","DNSSEC Ordering Query, last", "select ordername, name from records where ordername != '' and domain_id=%d and ordername is not null order by 1 using ~>~ limit 1");
 declare(suffix,"set-order-and-auth-query", "DNSSEC set ordering query", "update records set ordername=E'%s',auth=(%d = 1) where name=E'%s' and domain_id='%d'");
+ declare(suffix,"set-auth-on-ds-record-query", "DNSSEC set auth on a DS record", "update records set auth=true where domain_id='%d' and name='%s' and type='DS'");
- declare(suffix,"nullify-ordername-query", "DNSSEC nullify ordername query", "update records set ordername=NULL where domain_id='%d' and name='%s' and type is null");
+ declare(suffix,"nullify-ordername-and-update-auth-query", "DNSSEC nullify ordername and update auth query", "update records set ordername=NULL,auth=(%d = 1) where domain_id='%d' and name='%s'");
 declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername and auth query", "update records set ordername=NULL,auth=false where name=E'%s' and type=E'%s' and domain_id='%d'");
 declare(suffix,"update-serial-query","", "update domains set notified_serial=%d where id=%d");
diff --git a/modules/gsqlite3backend/gsqlite3backend.cc b/modules/gsqlite3backend/gsqlite3backend.cc
index 1b0d10e30a..d29c283cb8 100644
--- a/modules/gsqlite3backend/gsqlite3backend.cc
+++ b/modules/gsqlite3backend/gsqlite3backend.cc
@@ -95,8 +95,9 @@ public:
 declare(suffix,"get-order-last-query","DNSSEC Ordering Query, last", "select ordername, name from records where ordername != '' and domain_id=%d and ordername is not null order by 1 desc limit 1");
 declare(suffix,"set-order-and-auth-query", "DNSSEC set ordering query", "update records set ordername='%s',auth=%d where name='%s' and domain_id='%d'");
- declare(suffix,"nullify-ordername-query", "DNSSEC nullify ordername query", "update records set ordername=NULL where domain_id='%d' and name='%s' and type is null");
+ declare(suffix,"nullify-ordername-and-update-auth-query", "DNSSEC nullify ordername and update auth query", "update records set ordername=NULL,auth=%d where domain_id='%d' and name='%s'");
 declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername and auth query", "update records set ordername=NULL,auth=0 where name='%s' and type='%s' and domain_id='%d'");
+ declare(suffix,"set-auth-on-ds-record-query", "DNSSEC set auth on a DS record", "update records set auth=1 where domain_id='%d' and name='%s' and type='DS'");
 declare( suffix, "master-zone-query", "Data", "select master from domains where name='%s' and type='SLAVE'");
diff --git a/pdns/backends/gsql/gsqlbackend.cc b/pdns/backends/gsql/gsqlbackend.cc
index bf826f464b..561cc4074d 100644
--- a/pdns/backends/gsql/gsqlbackend.cc
+++ b/pdns/backends/gsql/gsqlbackend.cc
@@ -291,8 +291,9 @@ GSQLBackend::GSQLBackend(const string &mode, const string &suffix)
 d_afterOrderQuery = getArg("get-order-after-query");
 d_lastOrderQuery = getArg("get-order-last-query");
 d_setOrderAuthQuery = getArg("set-order-and-auth-query");
- d_nullifyOrderNameQuery = getArg("nullify-ordername-query");
+ d_nullifyOrderNameAndUpdateAuthQuery = getArg("nullify-ordername-and-update-auth-query");
 d_nullifyOrderNameAndAuthQuery = getArg("nullify-ordername-and-auth-query");
+ d_setAuthOnDsRecordQuery = getArg("set-auth-on-ds-record-query");
 d_AddDomainKeyQuery = getArg("add-domain-key-query");
 d_ListDomainKeysQuery = getArg("list-domain-keys-query");
@@ -322,11 +323,8 @@ bool GSQLBackend::updateDNSSECOrderAndAuthAbsolute(uint32_t domain_id, const std
 if(!d_dnssecQueries)
 return false;
 char output[1024];
- // ordername='%s',auth=%d where name='%s' and domain_id='%d' - + snprintf(output, sizeof(output)-1, d_setOrderAuthQuery.c_str(), sqlEscape(ordername).c_str(), auth, sqlEscape(qname).c_str(), domain_id);
-// cerr<<"sql: '"<doCommand(output); }
@@ -336,18 +334,18 @@ bool GSQLBackend::updateDNSSECOrderAndAuthAbsolute(uint32_t domain_id, const std
 return true;
 }
-bool GSQLBackend::nullifyDNSSECOrderName(uint32_t domain_id, const std::string& qname)
+bool GSQLBackend::nullifyDNSSECOrderNameAndUpdateAuth(uint32_t domain_id, const std::string& qname, bool auth)
 {
 if(!d_dnssecQueries)
 return false;
 char output[1024];
- snprintf(output, sizeof(output)-1, d_nullifyOrderNameQuery.c_str(), domain_id, sqlEscape(qname).c_str());
+ snprintf(output, sizeof(output)-1, d_nullifyOrderNameAndUpdateAuthQuery.c_str(), auth, domain_id, sqlEscape(qname).c_str());
 try {
 d_db->doCommand(output);
 }
 catch(SSqlException &e) {
- throw AhuException("GSQLBackend unable to nullify ordername for domain_id "+itoa(domain_id)+": "+e.txtReason());
+ throw AhuException("GSQLBackend unable to nullify ordername and update auth for domain_id "+itoa(domain_id)+": "+e.txtReason());
 }
 return true;
 }
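Review bot: The new `snprintf(output, sizeof(output)-1, d_nullifyOrderNameAndUpdateAuthQuery.c_str(), auth, domain_id, sqlEscape(qname).c_str())` in the last hunk still discards the return value, so a query template plus escaped name that does not fit the 1024-byte buffer is silently truncated and the truncated statement is handed to `doCommand`; `setDNSSECAuthOnDsRecord` in the next hunk inherits the same pattern. The `-1` in `sizeof(output)-1` is also unnecessary, since snprintf already reserves room for the terminator. Capture the result and fail loudly: `int len = snprintf(output, sizeof(output), d_nullifyOrderNameAndUpdateAuthQuery.c_str(), auth, domain_id, sqlEscape(qname).c_str());` followed by `if(len < 0 || (size_t)len >= sizeof(output)) throw AhuException("GSQLBackend query too long for domain_id "+itoa(domain_id));`. Passing the `bool auth` through a `%d` placeholder relies on default argument promotion to int, which is well-defined but worth a one-line comment where the parameter is introduced.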
@@ -368,6 +366,22 @@ bool GSQLBackend::nullifyDNSSECOrderNameAndAuth(uint32_t domain_id, const std::s
 return true;
 }
+bool GSQLBackend::setDNSSECAuthOnDsRecord(uint32_t domain_id, const std::string& qname)
+{
+ if(!d_dnssecQueries)
+ return false;
+ char output[1024];
+
+ snprintf(output, sizeof(output)-1, d_setAuthOnDsRecordQuery.c_str(), domain_id, sqlEscape(qname).c_str());
+ try {
+ d_db->doCommand(output);
+ }
+ catch(SSqlException &e) {
+ throw AhuException("GSQLBackend unable to set auth on DS record "+qname+" for domain_id "+itoa(domain_id)+": "+e.txtReason());
+ }
+ return true;
+}
+
 bool GSQLBackend::updateEmptyNonTerminals(uint32_t domain_id, const std::string& zonename, set& insert, set& erase, bool remove)
 {
 char output[1024];
diff --git a/pdns/backends/gsql/gsqlbackend.hh b/pdns/backends/gsql/gsqlbackend.hh
index 026e92e516..53f7f7f635 100644
--- a/pdns/backends/gsql/gsqlbackend.hh
+++ b/pdns/backends/gsql/gsqlbackend.hh
@@ -43,8 +43,9 @@ public:
 virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after);
 bool updateDNSSECOrderAndAuth(uint32_t domain_id, const std::string& zonename, const std::string& qname, bool auth);
 virtual bool updateDNSSECOrderAndAuthAbsolute(uint32_t domain_id, const std::string& qname, const std::string& ordername, bool auth);
- virtual bool nullifyDNSSECOrderName(uint32_t domain_id, const std::string& qname);
+ virtual bool nullifyDNSSECOrderNameAndUpdateAuth(uint32_t domain_id, const std::string& qname, bool auth);
 virtual bool nullifyDNSSECOrderNameAndAuth(uint32_t domain_id, const std::string& qname, const std::string& type);
+ virtual bool setDNSSECAuthOnDsRecord(uint32_t domain_id, const std::string& qname);
 virtual bool updateEmptyNonTerminals(uint32_t domain_id, const std::string& zonename, set& insert ,set& erase, bool remove);
 virtual bool doesDNSSEC();
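Review bot: `setDNSSECAuthOnDsRecord` repeats the format/doCommand/catch-and-rethrow body of `nullifyDNSSECOrderNameAndUpdateAuth` and `nullifyDNSSECOrderNameAndAuth` line for line, differing only in the query member, the argument list and the error text; a private helper that takes the formatted statement and the error prefix would leave one place to get the buffer handling and exception translation right. The new declaration in gsqlbackend.hh is also undocumented, and its name alone does not say that it only flips `auth` for the DS RRset at `qname` (the query is pinned to `type='DS'`) and leaves the NS and glue records at that name untouched. A comment on the header line such as `// mark the DS RRset at a delegation point as authoritative; NS/glue at the same name are not affected` would record that intent.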
@@ -95,8 +96,9 @@ private:
 string d_afterOrderQuery;
 string d_lastOrderQuery;
 string d_setOrderAuthQuery;
- string d_nullifyOrderNameQuery;
+ string d_nullifyOrderNameAndUpdateAuthQuery;
 string d_nullifyOrderNameAndAuthQuery;
+ string d_setAuthOnDsRecordQuery;
 string d_removeEmptyNonTerminalsFromZoneQuery;
 string d_insertEmptyNonTerminalQuery;
 string d_deleteEmptyNonTerminalQuery;
diff --git a/pdns/dnsbackend.hh b/pdns/dnsbackend.hh
index ccc246b02e..5436ec299f 100644
--- a/pdns/dnsbackend.hh
+++ b/pdns/dnsbackend.hh
@@ -141,7 +141,7 @@ public:
 return false;
 }
- virtual bool nullifyDNSSECOrderName(uint32_t domain_id, const std::string& qname)
+ virtual bool nullifyDNSSECOrderNameAndUpdateAuth(uint32_t domain_id, const std::string& qname, bool auth)
 {
 return false;
 }
@@ -151,6 +151,11 @@ public:
 return false;
 }
+ virtual bool setDNSSECAuthOnDsRecord(uint32_t domain_id, const std::string& qname)
+ {
+ return false;
+ }
+
 virtual bool doesDNSSEC()
 {
 return false;
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index cc62b2b3dd..b844839492 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -164,9 +164,6 @@ void rectifyZone(DNSSECKeeper& dk, const std::string& zone)
 break;
 }
 } while(chopOff(shorter));
-
- if(dsnames.count(qname))
- auth=true;
 }
 if(haveNSEC3)
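Review bot: The base-class `setDNSSECAuthOnDsRecord` added to dnsbackend.hh silently returns `false`, so a backend that does not override it leaves the DS RRset at a secure delegation with whatever `auth` value it already had, and nothing in the rectify or AXFR paths reports that; the renamed `nullifyDNSSECOrderNameAndUpdateAuth` default behaves the same way. That matches the neighbouring DNSSEC defaults in this header, so it is a documentation point rather than a defect introduced here. A comment on the new default, `// returns false when the backend has no DNSSEC metadata support; callers currently discard the result`, makes the contract explicit for backend authors.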
@@ -175,13 +172,19 @@ void rectifyZone(DNSSECKeeper& dk, const std::string& zone)
 hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname)));
 if(g_verbose) cerr<<"'"< '"<< hashed <<"'"<updateDNSSECOrderAndAuthAbsolute(sd.domain_id, qname, hashed, auth); }
- sd.db->updateDNSSECOrderAndAuthAbsolute(sd.domain_id, qname, hashed, auth);
- if((!auth || dsnames.count(qname)) && realrr)
+ else
+ sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, qname, auth);
+ if(realrr)
 {
- sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "NS");
- sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A");
- sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA");
+ if (dsnames.count(qname))
+ sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname);
+ if (!auth || nsset.count(qname)) {
+ sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "NS");
+ sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A");
+ sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA");
+ }
 }
 }
 else // NSEC
@@ -189,15 +192,16 @@ void rectifyZone(DNSSECKeeper& dk, const std::string& zone)
 if(realrr)
 {
 sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, auth);
- if(!auth || dsnames.count(qname))
- {
+ if (dsnames.count(qname))
+ sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname);
+ if (!auth || nsset.count(qname)) {
 sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A");
 sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA");
 }
 }
 else
 {
- sd.db->nullifyDNSSECOrderName(sd.domain_id, qname);
+ sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, qname, auth);
 }
 }
diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc
index 869d8102f6..8dcce8daca 100644
--- a/pdns/slavecommunicator.cc
+++ b/pdns/slavecommunicator.cc
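Review bot: The new calls `sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname)` and `sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, qname, auth)` discard their bool result in both hunks, so when the backend declines (the dnsbackend.hh default, or `d_dnssecQueries` off in GSQLBackend) the DS RRset at a secure delegation may be left non-authoritative while rectify reports success; the two hunks in slavecommunicator.cc have the same gap. At minimum the DS case should be checked, e.g. `if(dsnames.count(qname) && !sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname)) cerr<<"Backend could not set auth on DS record for '"<<qname<<"'"<<endl;`, since a DS that stays non-authoritative is exactly the condition the new regression tests were written to catch. The new condition `!auth || nsset.count(qname)` depends on `nsset` being filled earlier in rectifyZone, outside this hunk; the DS record is marked authoritative before the nullify calls, and those are pinned to NS, A and AAAA, so they do not undo it. rectifyZone begins and ends outside both hunks.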
@@ -258,22 +258,25 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
 break;
 }
 }while(chopOff(shorter));
-
- if(dsnames.count(qname))
- auth=true;
 }
 if(dnssecZone && haveNSEC3)
 {
 if(!narrow) {
 hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname)));
+ di.backend->updateDNSSECOrderAndAuthAbsolute(domain_id, qname, hashed, auth);
 }
- di.backend->updateDNSSECOrderAndAuthAbsolute(domain_id, qname, hashed, auth); // this should always be done
- if((!auth || dsnames.count(qname)) && realrr)
+ else
+ di.backend->nullifyDNSSECOrderNameAndUpdateAuth(domain_id, qname, auth);
+ if(realrr)
 {
- di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "NS");
- di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A");
- di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA");
+ if (dsnames.count(qname))
+ di.backend->setDNSSECAuthOnDsRecord(domain_id, qname);
+ if (!auth || nsset.count(qname)) {
+ di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "NS");
+ di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A");
+ di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA");
+ }
 }
 }
 else // NSEC
@@ -281,8 +284,9 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
 if(realrr)
 {
 di.backend->updateDNSSECOrderAndAuth(domain_id, domain, qname, auth);
- if(!auth || dsnames.count(qname))
- {
+ if (dsnames.count(qname))
+ di.backend->setDNSSECAuthOnDsRecord(domain_id, qname);
+ if (!auth || nsset.count(qname)) {
 di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A");
 di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA");
 }
diff --git a/regression-tests/any-nxdomain/expected_result.dnssec b/regression-tests/any-nxdomain/expected_result.dnssec
index dba5a1d0c3..4d714e5dbb 100644
--- a/regression-tests/any-nxdomain/expected_result.dnssec
+++ b/regression-tests/any-nxdomain/expected_result.dnssec
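Review bot: The comment `// this should always be done` disappears with the line it annotated, and the replacement structure is left unexplained: `updateDNSSECOrderAndAuthAbsolute` now runs only inside `if(!narrow)`, while the narrow case goes through `nullifyDNSSECOrderNameAndUpdateAuth`, which clears the ordername but still stores `auth`. If the intent is that narrow NSEC3 zones keep no ordername but must still carry correct auth flags, say so above the new `else`: `// narrow NSEC3: no ordername is stored, but auth still has to be recorded`. The same restructuring appears in pdnssec.cc and would take the same comment. suck() begins and ends outside both hunks.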
@@ -1,4 +1,4 @@
-1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
 1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
diff --git a/regression-tests/cname-to-nxdomain/expected_result.dnssec b/regression-tests/cname-to-nxdomain/expected_result.dnssec
index 257438e215..1978b08e77 100644
--- a/regression-tests/cname-to-nxdomain/expected_result.dnssec
+++ b/regression-tests/cname-to-nxdomain/expected_result.dnssec
@@ -1,6 +1,6 @@
 0 nxd.example.com. IN CNAME 120 nxdomain.example.com.
 0 nxd.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
-1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
 1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
diff --git a/regression-tests/ds-at-secure-delegation/command b/regression-tests/ds-at-secure-delegation/command
new file mode 100755
index 0000000000..741afcbe2c
--- /dev/null
+++ b/regression-tests/ds-at-secure-delegation/command
@@ -0,0 +1,2 @@
+#!/bin/sh
+cleandig dsdelegation.example.com DS dnssec
diff --git a/regression-tests/ds-at-secure-delegation/description b/regression-tests/ds-at-secure-delegation/description
new file mode 100644
index 0000000000..0b14d35839
--- /dev/null
+++ b/regression-tests/ds-at-secure-delegation/description
@@ -0,0 +1,4 @@
+This test tries to resolve a DS question at a secure delegation.
+It was written specifically to verify that we do not sign NS records
+at secure delegations.
+
diff --git a/regression-tests/ds-at-secure-delegation/expected_result b/regression-tests/ds-at-secure-delegation/expected_result
new file mode 100644
index 0000000000..415c463c66
--- /dev/null
+++ b/regression-tests/ds-at-secure-delegation/expected_result
@@ -0,0 +1,4 @@
+0 dsdelegation.example.com. IN DS 120 28129 8 1 caf1eaaecdabe7616670788f9022454bf5fd9fda
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='dsdelegation.example.com.', qtype=DS
diff --git a/regression-tests/ds-at-secure-delegation/expected_result.dnssec b/regression-tests/ds-at-secure-delegation/expected_result.dnssec
new file mode 100644
index 0000000000..b3e6ac8278
--- /dev/null
+++ b/regression-tests/ds-at-secure-delegation/expected_result.dnssec
@@ -0,0 +1,5 @@
+0 dsdelegation.example.com. IN DS 120 28129 8 1 caf1eaaecdabe7616670788f9022454bf5fd9fda
+0 dsdelegation.example.com. IN RRSIG 120 DS 8 3 120 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='dsdelegation.example.com.', qtype=DS
diff --git a/regression-tests/example.com b/regression-tests/example.com
index 3a216b2598..f45edd2f21 100644
--- a/regression-tests/example.com
+++ b/regression-tests/example.com
@@ -30,6 +30,9 @@ location IN LOC 51 56 0.123 N 5 54 0.000 E 4.00m 1.00m 10000.00m 10.00m ;
 unauth IN CNAME no-idea.example.org.
 ;
+dsdelegation IN NS ns.example.com.
+ IN DS 28129 8 1 caf1eaaecdabe7616670788f9022454bf5fd9fda
+;
 nxd IN CNAME nxdomain.example.com.
 ;
 hwinfo IN HINFO "abc" "def"
diff --git a/regression-tests/nsec-glue/expected_result b/regression-tests/nsec-glue/expected_result
index 79c314f121..002855b56f 100644
--- a/regression-tests/nsec-glue/expected_result
+++ b/regression-tests/nsec-glue/expected_result
@@ -1,4 +1,4 @@
-1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
 1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
diff --git a/regression-tests/nsec-middle/expected_result b/regression-tests/nsec-middle/expected_result
index 9045b0c274..06a61d8a86 100644
--- a/regression-tests/nsec-middle/expected_result
+++ b/regression-tests/nsec-middle/expected_result
@@ -1,4 +1,4 @@
-1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
 1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
diff --git a/regression-tests/nsec-wraparound/expected_result b/regression-tests/nsec-wraparound/expected_result
index 3f6ac8b9f7..0ff7e42e85 100644
--- a/regression-tests/nsec-wraparound/expected_result
+++ b/regression-tests/nsec-wraparound/expected_result
@@ -1,4 +1,4 @@
-1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
 1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
diff --git a/regression-tests/nsec-wrong-type-at-apex/expected_result b/regression-tests/nsec-wrong-type-at-apex/expected_result
index a4818c38c0..38f236e6b8 100644
--- a/regression-tests/nsec-wrong-type-at-apex/expected_result
+++ b/regression-tests/nsec-wrong-type-at-apex/expected_result
@@ -1,4 +1,4 @@
-1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
 1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
diff --git a/regression-tests/nxdomain-below-nonempty-terminal/expected_result b/regression-tests/nxdomain-below-nonempty-terminal/expected_result
index f25ff2abb6..2cd6b8ecaa 100644
--- a/regression-tests/nxdomain-below-nonempty-terminal/expected_result
+++ b/regression-tests/nxdomain-below-nonempty-terminal/expected_result
@@ -1,4 +1,4 @@
-1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
 1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
diff --git a/regression-tests/second-level-nxdomain/expected_result b/regression-tests/second-level-nxdomain/expected_result
index 711fd146bd..cebdb0c6da 100644
--- a/regression-tests/second-level-nxdomain/expected_result
+++ b/regression-tests/second-level-nxdomain/expected_result
@@ -1,4 +1,4 @@
-1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
 1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
diff --git a/regression-tests/secure-delegation/command b/regression-tests/secure-delegation/command
new file mode 100755
index 0000000000..aab6774812
--- /dev/null
+++ b/regression-tests/secure-delegation/command
@@ -0,0 +1,2 @@
+#!/bin/sh
+cleandig www.dsdelegation.example.com A dnssec
diff --git a/regression-tests/secure-delegation/description b/regression-tests/secure-delegation/description
new file mode 100644
index 0000000000..3ce51e86e8
--- /dev/null
+++ b/regression-tests/secure-delegation/description
@@ -0,0 +1,4 @@
+This test checks the DS/NS response for a secure referral.
+It was written specifically to verify that we do not sign NS records
+at secure delegations.
+
diff --git a/regression-tests/secure-delegation/expected_result b/regression-tests/secure-delegation/expected_result
new file mode 100644
index 0000000000..4461cabf62
--- /dev/null
+++ b/regression-tests/secure-delegation/expected_result
@@ -0,0 +1,4 @@
+1 dsdelegation.example.com. IN NS 120 ns.example.com.
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='www.dsdelegation.example.com.', qtype=A
diff --git a/regression-tests/secure-delegation/expected_result.dnssec b/regression-tests/secure-delegation/expected_result.dnssec
new file mode 100644
index 0000000000..a6a5e61ca2
--- /dev/null
+++ b/regression-tests/secure-delegation/expected_result.dnssec
@@ -0,0 +1,6 @@
+1 dsdelegation.example.com. IN DS 120 28129 8 1 caf1eaaecdabe7616670788f9022454bf5fd9fda
+1 dsdelegation.example.com. IN NS 120 ns.example.com.
+1 dsdelegation.example.com. IN RRSIG 120 DS 8 3 120 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='www.dsdelegation.example.com.', qtype=A
diff --git a/regression-tests/two-level-nxdomain/expected_result b/regression-tests/two-level-nxdomain/expected_result
index 19b83daee3..dd82e70dd1 100644
--- a/regression-tests/two-level-nxdomain/expected_result
+++ b/regression-tests/two-level-nxdomain/expected_result
@@ -1,4 +1,4 @@
-1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
 1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400