rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
rm -f */example.bk
+rm -f */named.conf
rm -f */named.memstats
rm -f */named.run
-rm -f */named.conf
rm -f */named.secroots
rm -f */tmp* */*.jnl */*.bk */*.jbk
rm -f */trusted.conf */managed.conf */revoked.conf
rm -f named.secroots.test*
rm -f nosign.before
rm -f ns*/*.nta
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
rm -f ns*/named.lock
rm -f ns1/managed.key.id
rm -f ns1/root.db ns2/example.db ns3/secure.example.db
rm -f ns2/single-nsec3.db
rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db
rm -f ns3/badds.example.db
+rm -f ns3/dname-at-apex-nsec3.example.db
rm -f ns3/dnskey-nsec3-unknown.example.db
rm -f ns3/dnskey-nsec3-unknown.example.db.tmp
rm -f ns3/dnskey-unknown.example.db
rm -f ns7/multiple.example.bk ns7/nsec3.example.bk ns7/optout.example.bk
rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit
rm -f nsupdate.out*
+rm -f python.out.*
rm -f rndc.out.*
rm -f signer/*.db
rm -f signer/*.signed.post*
rm -f signer/*.signed.pre*
rm -f signer/example.db.after signer/example.db.before
rm -f signer/example.db.changed
-rm -f signer/nsec3param.out
-rm -f signer/signer.out.*
+rm -f signer/general/dsset*
rm -f signer/general/signed.zone
rm -f signer/general/signer.out.*
-rm -f signer/general/dsset*
+rm -f signer/nsec3param.out
+rm -f signer/signer.out.*
rm -f signing.out*
-rm -f python.out.*
-rm -f ns*/managed-keys.bind* ns*/*.mkeys*
revkey NS ns.revkey
ns.revkey A 10.53.0.3
+
+dname-at-apex-nsec3 NS ns3
nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
ttlpatch split-dnssec split-smart expired expiring upper lower \
- dnskey-unknown dnskey-nsec3-unknown managed-future revkey
+ dnskey-unknown dnskey-nsec3-unknown managed-future revkey \
+ dname-at-apex-nsec3
do
cp ../ns3/dsset-$subdomain.example$TP .
done
--- /dev/null
+$TTL 600
+@ SOA ns3.example. . 1 1200 1200 1814400 3600
+@ NS ns3.example.
+@ DNAME example.
file "revkey.example.db.signed";
};
+zone "dname-at-apex-nsec3.example" {
+ type master;
+ file "dname-at-apex-nsec3.example.db.signed";
+};
+
include "siginterval.conf";
include "trusted.conf";
cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile
$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
+
+#
+# Check that NSEC3 are correctly signed and returned from below a DNAME
+#
+zone=dname-at-apex-nsec3.example
+infile=dname-at-apex-nsec3.example.db.in
+zonefile=dname-at-apex-nsec3.example.db
+kskname=`$KEYGEN -q -a RSASHA256 -3fk $zone`
+zskname=`$KEYGEN -q -a RSASHA256 -3 $zone`
+cat $infile $kskname.key $zskname.key >$zonefile
+$SIGNER -P -3 - -o $zone $zonefile > /dev/null 2>&1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)"
+ret=0
+$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "RRSIG.NSEC3 8 3 3600" dig.out.ns3.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
# Note: after this check, ns4 will not be validating any more; do not add any
# further validation tests employing ns4 below this check.
echo_i "check that validation defaults to off when dnssec-enable is off ($n)"
projects / thirdparty / bind9.git / commitdiff
