Add tests for NSEC3 on dynamic zones

GitLab issue #2498 is a bug report on NSEC3 with dynamic zones. Tests
for it in the nsec3 system test directory were missing.

diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in
index e40fa4e656f0b226d62e2db8a058c04abb50a957..791881225b5635c5754b60acdba8e326e3e70745 100644 (file)
--- a/bin/tests/system/nsec3/ns3/named.conf.in
+++ b/bin/tests/system/nsec3/ns3/named.conf.in
@@ -56,13 +56,20 @@ zone "nsec-to-nsec3.kasp" {
        dnssec-policy "nsec";
 };
 
-/* This zone uses the default NSEC3 settings. */
+/* These zones use the default NSEC3 settings. */
 zone "nsec3.kasp" {
        type primary;
        file "nsec3.kasp.db";
        dnssec-policy "nsec3";
 };
 
+zone "nsec3-dynamic.kasp" {
+       type primary;
+       file "nsec3-dynamic.kasp.db";
+       dnssec-policy "nsec3";
+       allow-update { any; };
+};
+
 /* This zone uses non-default NSEC3 settings. */
 zone "nsec3-other.kasp" {
        type primary;
@@ -70,13 +77,20 @@ zone "nsec3-other.kasp" {
        dnssec-policy "nsec3-other";
 };
 
-/* The zone will be reconfigured to use other NSEC3 settings. */
+/* These zones will be reconfigured to use other NSEC3 settings. */
 zone "nsec3-change.kasp" {
        type primary;
        file "nsec3-change.kasp.db";
        dnssec-policy "nsec3";
 };
 
+zone "nsec3-dynamic-change.kasp" {
+       type primary;
+       file "nsec3-dynamic-change.kasp.db";
+       dnssec-policy "nsec3";
+       allow-update { any; };
+};
+
 /* The zone will be reconfigured to use opt-out. */
 zone "nsec3-to-optout.kasp" {
        type primary;

diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in
index 327f5495591d797d78ef4351b307461c760fe19a..ece1549395175bec1f7adc6da01667f158f546dc 100644 (file)
--- a/bin/tests/system/nsec3/ns3/named2.conf.in
+++ b/bin/tests/system/nsec3/ns3/named2.conf.in
@@ -57,13 +57,20 @@ zone "nsec-to-nsec3.kasp" {
        dnssec-policy "nsec3";
 };
 
-/* This zone uses the default NSEC3 settings. */
+/* These zones use the default NSEC3 settings. */
 zone "nsec3.kasp" {
        type primary;
        file "nsec3.kasp.db";
        dnssec-policy "nsec3";
 };
 
+zone "nsec3-dynamic.kasp" {
+       type primary;
+       file "nsec3-dynamic.kasp.db";
+       dnssec-policy "nsec3";
+       allow-update { any; };
+};
+
 /* This zone uses non-default NSEC3 settings. */
 zone "nsec3-other.kasp" {
        type primary;
@@ -71,7 +78,7 @@ zone "nsec3-other.kasp" {
        dnssec-policy "nsec3-other";
 };
 
-/* The zone will be reconfigured to use other NSEC3 settings. */
+/* These zone will be reconfigured to use other NSEC3 settings. */
 zone "nsec3-change.kasp" {
        type primary;
        file "nsec3-change.kasp.db";
@@ -79,6 +86,14 @@ zone "nsec3-change.kasp" {
        dnssec-policy "nsec3-other";
 };
 
+zone "nsec3-dynamic-change.kasp" {
+       type primary;
+       file "nsec3-dynamic-change.kasp.db";
+       //dnssec-policy "nsec3";
+       dnssec-policy "nsec3-other";
+       allow-update { any; };
+};
+
 /* The zone will be reconfigured to use opt-out. */
 zone "nsec3-to-optout.kasp" {
        type primary;

diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh
index 950ca1ea1e652386ffae7a6f83c013209fc84169..4b529d33d99aee8ee5c4a88ce46327df4cf521b9 100644 (file)
--- a/bin/tests/system/nsec3/ns3/setup.sh
+++ b/bin/tests/system/nsec3/ns3/setup.sh
@@ -23,7 +23,7 @@ setup() {
 }
 
 for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
-         nsec3-to-optout nsec3-from-optout
+         nsec3-to-optout nsec3-from-optout nsec3-dynamic nsec3-dynamic-change
 do
        setup "${zn}.kasp"
 done

diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
index ee121156837d1f9c7e6a6e89b9c00ce5101eed9a..b9b8cff25cded9d1969f3f093251e74154a0f140 100644 (file)
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -175,12 +175,25 @@ echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
 
+# Zone: nsec3-dynamic.kasp.
+set_zone_policy "nsec3-dynamic.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
 # Zone: nsec3-change.kasp.
 set_zone_policy "nsec3-change.kasp" "nsec3"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
 
+# Zone: nsec3-dynamic-change.kasp.
+set_zone_policy "nsec3-dynamic-change.kasp" "nsec3"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
 # Zone: nsec3-to-nsec.kasp.
 set_zone_policy "nsec3-to-nsec.kasp" "nsec3"
 echo_i "initial check zone ${ZONE}"
@@ -227,6 +240,12 @@ echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 dnssec_verify
 
+# Zone: nsec3-dyamic.kasp. (same)
+set_zone_policy "nsec3-dynamic.kasp" "nsec3"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
 # Zone: nsec3-change.kasp. (reconfigured)
 set_zone_policy "nsec3-change.kasp" "nsec3-other"
 set_nsec3param "1" "11" "0"
@@ -234,6 +253,13 @@ echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 dnssec_verify
 
+# Zone: nsec3-dynamic-change.kasp. (reconfigured)
+set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other"
+set_nsec3param "1" "11" "0"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
 # Zone: nsec3-to-nsec.kasp. (reconfigured)
 set_zone_policy "nsec3-to-nsec.kasp" "nsec"
 echo_i "check zone ${ZONE} after reconfig"