Replace DSA with Reserved algorithm
authorMatthijs Mekking <github@pletterpet.nl>
Wed, 19 Dec 2018 09:16:10 +0000 (10:16 +0100)
committerOndřej Surý <ondrej@isc.org>
Thu, 20 Dec 2018 09:50:08 +0000 (04:50 -0500)
(cherry picked from commit 17cdde1e56abae5c3bf5256ecbdacbd8cbef05b6)

bin/tests/system/dnssec/ns3/dsa.key [deleted file]
bin/tests/system/dnssec/ns3/sign.sh
bin/tests/system/dnssec/ns3/unsupported-algorithm.key [new file with mode: 0644]
bin/tests/system/dnssec/tests.sh
util/copyrights

diff --git a/bin/tests/system/dnssec/ns3/dsa.key b/bin/tests/system/dnssec/ns3/dsa.key
deleted file mode 100644 (file)
index 1dfb289..0000000
+++ /dev/null
@@ -1 +0,0 @@
-dnskey-unsupported-2.example.  IN      DNSKEY  257 3 3 BJ0eV4dQC0pihdFXiVdlXjPDkzbv4fC+opEvK0RaDU7LLwFXPAi6DOc6tm7vcSr5Tgdnpoal3S4WqHuVw6I1pzy5mPPIZ3OpLSY/QeOyGc2QRAZtOXxiGxERHRjyAk7emlgGscM0Vty2oJVYRgTPX0lTwKX/V2H+mjEgp7u3tyG3cj5XBUQ8J0KUoqkrn1ZKrizH27aWiDaBUvqxJUcotaDhnydkNtcHoQIedm2b4qbyTQsdRkddJiSWxpveEcj3AMdt2PjU6Q4rgSWOc5ylPnW/O+GqqCEAkalGSF7ud0Nl3FVVR9iGwV/73FHzpBLawfkcHaODFmKRjzGqok8giKCih2vdNsxlx7gdJWJIPYYx/ZqNGc2ewzuAnnleJpZdXFo8uL3HYk6Pl51sSkfVUmcn/SM+ ;{id = 38688 (ksk), size = 768b}
index e59b78e09f08ea549f5d8d03ac3c9d8e2877b58a..b98a8b42dac6f2fe17363999edc14ec5d71c993b 100644 (file)
@@ -213,7 +213,7 @@ $DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE
 
 #
 # A zone that is signed with an unsupported DNSKEY algorithm (3).
-# Algorithm 7 is replaced by 3 in the zone and dsset.
+# Algorithm 7 is replaced by 255 in the zone and dsset.
 #
 zone=dnskey-unsupported.example.
 infile=dnskey-unsupported.example.db.in
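Review bot: The header comment one line above the changed line still reads `unsupported DNSKEY algorithm (3)`, so after this change the block names two different algorithm numbers. It should read `# A zone that is signed with an unsupported DNSKEY algorithm (255).` to agree with the rewritten second line. The zone setup this comment describes continues past the end of the hunk.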
@@ -225,13 +225,13 @@ cat "$infile" "$keyname.key" > "$zonefile"
 
 "$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1
 
-awk '$4 == "DNSKEY" { $7 = 3; print } $4 == "RRSIG" { $6 = 3; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
+awk '$4 == "DNSKEY" { $7 = 255; print } $4 == "RRSIG" { $6 = 255; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
 
 DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP"
 $DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
 
 #
-# A zone with a published unsupported DNSKEY algorithm (DSA).
+# A zone with a published unsupported DNSKEY algorithm (Reserved).
 # Different from above because this key is not intended for signing.
 #
 zone=dnskey-unsupported-2.example.
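Review bot: The awk program on the changed line emits every rewritten DNSKEY and RRSIG record twice, because the explicit `print` inside each rule is followed by the catch-all `{ print }`. Duplicate records are presumably collapsed when the zone is loaded, but the fixture no longer shows plainly what the test feeds to the server. Dropping the inner prints rewrites each record once: `awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' "${zonefile}.tmp" > "${zonefile}.signed"`. The signer call just above discards both its output and its status, so a failed signing run would only surface later as a confusing test result unless the script runs under `set -e`, which is not visible in this hunk.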
@@ -241,7 +241,7 @@ zonefile=dnskey-unsupported-2.example.db
 ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 
-cat "$infile" "$ksk.key" "$zsk.key" dsa.key > "$zonefile"
+cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
 
 # "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
 "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile"
diff --git a/bin/tests/system/dnssec/ns3/unsupported-algorithm.key b/bin/tests/system/dnssec/ns3/unsupported-algorithm.key
new file mode 100644 (file)
index 0000000..cc8bb9a
--- /dev/null
@@ -0,0 +1 @@
+dnskey-unsupported-2.example.  IN      DNSKEY  257 3 255 BJ0eV4dQC0pihdFXiVdlXjPDkzbv4fC+opEvK0RaDU7LLwFXPAi6DOc6tm7vcSr5Tgdnpoal3S4WqHuVw6I1pzy5mPPIZ3OpLSY/QeOyGc2QRAZtOXxiGxERHRjyAk7emlgGscM0Vty2oJVYRgTPX0lTwKX/V2H+mjEgp7u3tyG3cj5XBUQ8J0KUoqkrn1ZKrizH27aWiDaBUvqxJUcotaDhnydkNtcHoQIedm2b4qbyTQsdRkddJiSWxpveEcj3AMdt2PjU6Q4rgSWOc5ylPnW/O+GqqCEAkalGSF7ud0Nl3FVVR9iGwV/73FHzpBLawfkcHaODFmKRjzGqok8giKCih2vdNsxlx7gdJWJIPYYx/ZqNGc2ewzuAnnleJpZdXFo8uL3HYk6Pl51sSkfVUmcn/SM+ ;{id = 38688 (ksk), size = 768b}
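Review bot: The trailing comment `;{id = 38688 (ksk), size = 768b}` is carried over unchanged from the deleted DSA key. The key tag is computed over the DNSKEY RDATA including the algorithm octet, so 38688 presumably no longer matches a record with algorithm 255. The size annotation likewise described the DSA key and has no defined meaning for a reserved algorithm. Either drop the comment or replace it with one that states the purpose, for example `; test fixture: former DSA key material relabelled as algorithm 255 (Reserved), not a usable key`.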
index 82df7c93a4366589e3de851cf84ca8e9625f72a2..bc48f6aa9ac8a6dc2db8cc7706e7e6f7624e48f2 100644 (file)
@@ -3361,7 +3361,7 @@ echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)"
 ret=0
 dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY > dig.out.test$n
 grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
-grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 3" dig.out.test$n > /dev/null || ret=1
+grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n > /dev/null || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
index 68a6ba7f4460736c9e50fae6f2f1a35a2e8d568c..cd13cc1fc4b8f92cdc1e3e0af0c5405afc6b1af5 100644 (file)
 ./bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in     ZONE    2014,2016,2018
 ./bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in       ZONE    2018
 ./bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in ZONE    2018
-./bin/tests/system/dnssec/ns3/dsa.key          X       2018
 ./bin/tests/system/dnssec/ns3/dynamic.example.db.in    ZONE    2002,2004,2007,2016,2018
 ./bin/tests/system/dnssec/ns3/expired.example.db.in    ZONE    2011,2012,2016,2018
 ./bin/tests/system/dnssec/ns3/expiring.example.db.in   ZONE    2011,2012,2016,2018
 ./bin/tests/system/dnssec/ns3/split-dnssec.example.db.in       ZONE    2011,2016,2018
 ./bin/tests/system/dnssec/ns3/split-smart.example.db.in        ZONE    2011,2016,2018
 ./bin/tests/system/dnssec/ns3/ttlpatch.example.db.in   ZONE    2011,2016,2018
+./bin/tests/system/dnssec/ns3/unsupported-algorithm.key        X       2018
 ./bin/tests/system/dnssec/ns3/update-nsec3.example.db.in       ZONE    2011,2016,2018
 ./bin/tests/system/dnssec/ns3/upper.example.db.in      ZONE    2012,2016,2018
 ./bin/tests/system/dnssec/ns4/named1.conf.in   CONF-C  2018