git.ipfire.org Git - thirdparty/bind9.git/commit

author	Matthijs Mekking <matthijs@isc.org>
	Wed, 10 Aug 2022 14:41:30 +0000 (16:41 +0200)
committer	Matthijs Mekking <matthijs@isc.org>
	Mon, 22 Aug 2022 17:21:39 +0000 (19:21 +0200)
commit	73431eef8f102d324e5798cb22d62fe35b476183
tree	a6409ece9a6ed367e7b1214697446c5778077ea3	tree \| snapshot
parent	39c0c5022d144c160226d192fd37f14a21d727ed	commit \| diff

Add test case for #3486

Add two scenarios where we change the dnssec-policy from using RSASHA1
to something with NSEC3.

The first case should work, as the DS is still in hidden state and we
can basically do anything with DNSSEC.

The second case should fail, because the DS of the predecessor is
published and we can't immediately remove the predecessor DNSKEY. So
in this case we should keep the NSEC chain for a bit longer.

Add two more scenarios where we change the dnssec-policy from using
NSEC3 to something NSEC only. Both should work because there are no
restrictions on using NSEC when it comes to algorithms, but in the
cases where the DS is published we can't bluntly remove the predecessor.

Extend the nsec3 system test by also checking the DNSKEY RRset for the
expected DNSKEY records. This requires some "kasp system"-style setup
for each test (setting key properties and key states). Also move the
dnssec-verify check inside the check_nsec/check_nsec3 functions because
we will have to do that every time.

(cherry picked from commit 21729dd94efc9fc7b7317688dd9ff0ec45181bfd)

bin/tests/system/nsec3/clean.sh		diff \| blob \| blame \| history
bin/tests/system/nsec3/ns3/named.conf.in		diff \| blob \| blame \| history
bin/tests/system/nsec3/ns3/named2.conf.in		diff \| blob \| blame \| history
bin/tests/system/nsec3/ns3/setup.sh		diff \| blob \| blame \| history
bin/tests/system/nsec3/tests.sh		diff \| blob \| blame \| history