Extend synthfromdnssec to check insecure responses

add matching tests against a insecure zone to those which
which are synthesised.

diff --git a/bin/tests/system/synthfromdnssec/clean.sh b/bin/tests/system/synthfromdnssec/clean.sh
index 2fc1361baf416e4b5c191243a3f5aa4cffe982be..e4b79138877b680190beea2573bc817c53ef4647 100644 (file)
--- a/bin/tests/system/synthfromdnssec/clean.sh
+++ b/bin/tests/system/synthfromdnssec/clean.sh
@@ -21,6 +21,8 @@ rm -f ./ns1/K*+*+*.private
 rm -f ./ns1/dsset-*
 rm -f ./ns1/example.db
 rm -f ./ns1/example.db.signed
+rm -f ./ns1/insecure.example.db
+rm -f ./ns1/insecure.example.db.signed
 rm -f ./ns1/dnamed.db
 rm -f ./ns1/dnamed.db.signed
 rm -f ./ns1/root.db
@@ -28,7 +30,7 @@ rm -f ./ns1/root.db.signed
 rm -f ./ns1/trusted.conf
 rm -f ./ns2/named_dump.db
 rm -f ./ns*/managed-keys.bind*
-rm -f ./nodata.out
-rm -f ./nxdomain.out
-rm -f ./wild.out
-rm -f ./wildcname.out
+rm -f ./nodata.out ./insecure.nodata.out
+rm -f ./nxdomain.out ./insecure.nxdomain.out
+rm -f ./wild.out ./insecure.wild.out
+rm -f ./wildcname.out ./insecure.wildcname.out

diff --git a/bin/tests/system/synthfromdnssec/ns1/named.conf.in b/bin/tests/system/synthfromdnssec/ns1/named.conf.in
index 3f75553d934cb55e430d6aae05104c991c1e5ee6..bb1d0738309829e2438d3ea4a8dbbcd8511b1a52 100644 (file)
--- a/bin/tests/system/synthfromdnssec/ns1/named.conf.in
+++ b/bin/tests/system/synthfromdnssec/ns1/named.conf.in
@@ -34,6 +34,11 @@ zone "example" {
        file "example.db.signed";
 };
 
+zone "insecure.example" {
+       type primary;
+       file "insecure.example.db.signed";
+};
+
 zone "dnamed" {
        type primary;
        file "dnamed.db.signed";

diff --git a/bin/tests/system/synthfromdnssec/ns1/sign.sh b/bin/tests/system/synthfromdnssec/ns1/sign.sh
index 72e242119cb483e3a4c7ce98f41328dbb03dad57..9a5819e6183af9f5bd52baa91ac3fce95975203d 100644 (file)
--- a/bin/tests/system/synthfromdnssec/ns1/sign.sh
+++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh
@@ -16,6 +16,17 @@ zone=example
 infile=example.db.in
 zonefile=example.db
 
+keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+echo insecure NS ns1.insecure >> "$zonefile"
+echo ns1.insecure A 10.53.0.1 >> "$zonefile"
+
+$SIGNER -P -o $zone $zonefile > /dev/null
+
+zone=insecure.example
+infile=example.db.in
+zonefile=insecure.example.db
+
 keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
 cat "$infile" "$keyname.key" > "$zonefile"
 

diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh
index 0c88583f1590ce6923b49052ed59bcb0b8a967b3..f3553b45a3d91eec9f4bb2c6132fcf113a217ea0 100644 (file)
--- a/bin/tests/system/synthfromdnssec/tests.sh
+++ b/bin/tests/system/synthfromdnssec/tests.sh
@@ -128,6 +128,50 @@ do
     n=$((n+1))
     if [ $ret != 0 ]; then echo_i "failed"; fi
     status=$((status+ret))
+
+    echo_i "prime insecure negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+    check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+    [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nxdomain.out
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "prime insecure negative NODATA response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts nodata.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+    [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nodata.out
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "prime insecure wildcard response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts a.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_a a.wild-a.insecure.example. dig.out.ns${ns}.test$n || ret=1
+    [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wild.out
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts a.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_cname a.wild-cname.insecure.example. dig.out.ns${ns}.test$n || ret=1
+    [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wildcname.out
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
 done
 
 echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
@@ -229,6 +273,59 @@ do
     n=$((n+1))
     if [ $ret != 0 ]; then echo_i "failed"; fi
     status=$((status+ret))
+
+    echo_i "check insecure NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    nextpart ns1/named.run > /dev/null
+    dig_with_opts b.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+    check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+    nextpart ns1/named.run | grep b.insecure.example/A > /dev/null || ret=1
+    digcomp insecure.nxdomain.out dig.out.ns${ns}.test$n || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "check insecure NODATA response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    nextpart ns1/named.run > /dev/null
+    dig_with_opts nodata.insecure.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+    nextpart ns1/named.run | grep nodata.insecure.example/AAAA > /dev/null || ret=1
+    digcomp insecure.nodata.out dig.out.ns${ns}.test$n || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "check insecure wildcard response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    nextpart ns1/named.run > /dev/null
+    dig_with_opts b.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    grep "b\.wild-a\.insecure\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    nextpart ns1/named.run | grep b.wild-a.insecure.example/A > /dev/null || ret=1
+    digcomp insecure.wild.out dig.out.ns${ns}.test$n || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "check insecure wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    nextpart ns1/named.run > /dev/null
+    dig_with_opts b.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_cname b.wild-cname.insecure.example dig.out.ns${ns}.test$n || ret=1
+    nextpart ns1/named.run | grep b.wild-cname.insecure.example/A > /dev/null || ret=1
+    grep "ns1.insecure.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    digcomp insecure.wildcname.out dig.out.ns${ns}.test$n || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
 done
 
 echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)"