+2904. [bug] When using DLV, sub-zones of the zones in the DLV,
+ could be incorrectly marked as insecure instead of
+ secure leading to negative proofs failing. This was
+ a unintended outcome from change 2890. [RT# 21392]
+
2900. [bug] The placeholder negative caching element was not
properly constructed triggering a INSIST in
dns_ncache_towire(). [RT #21346]
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: conf.sh.in,v 1.27.18.12 2009/11/25 23:46:51 tbox Exp $
+# $Id: conf.sh.in,v 1.27.18.13 2010/06/03 00:36:02 marka Exp $
#
# Common configuration data for system tests, to be sourced into
# The "stress" test is not run by default since it creates enough
# load on the machine to make it unusable to other users.
# v6synth
-SUBDIRS="acl cacheclean checkconf checknames dnssec forward glue ixfr limits
- lwresd masterfile masterformat notify nsupdate pending resolver rrsetorder
- sortlist stub tkey unknown upforwd views xfer xferquota zonechecks"
+SUBDIRS="acl cacheclean checkconf checknames dlv dnssec forward glue ixfr
+ limits lwresd masterfile masterformat notify nsupdate pending
+ resolver rrsetorder sortlist stub tkey unknown upforwd views
+ xfer xferquota zonechecks"
# PERL will be an empty string if no perl interpreter was found.
PERL=@PERL@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.2 2004/05/14 04:58:18 marka Exp $
+# $Id: clean.sh,v 1.2.2.2 2010/06/03 00:36:02 marka Exp $
rm -f random.data
rm -f ns*/named.run
rm -f ns3/dsset-*
rm -f ns3/keyset-*
rm -f ns3/trusted.conf ns5/trusted.conf
+rm -f ns3/signer.err
+rm -f ns6/K*
+rm -f ns6/*.db
+rm -f ns6/*.signed
+rm -f ns6/dsset-*
+rm -f ns6/signer.err
+rm -f */named.memstats
+rm -f dig.out.ns*.test*
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: child.db.in,v 1.2 2004/05/14 04:58:21 marka Exp $
+; $Id: child.db.in,v 1.2.2.2 2010/06/03 00:36:02 marka Exp $
$TTL 120
@ SOA ns hostmaster.ns 1 3600 1200 604800 60
ns A 10.53.0.3
foo TXT foo
bar TXT bar
+grand NS ns.grand
+ns.grand A 10.53.0.6
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.2 2004/05/14 04:58:22 marka Exp $
+# $Id: sign.sh,v 1.2.2.2 2010/06/03 00:36:02 marka Exp $
+
+(cd ../ns6 && sh -e sign.sh)
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
dlvzone=dlv.utld.
dlvsets="$dlvsets dlvset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-cat $infile $keyname1.key $keyname2.key >$zonefile
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
-$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo "I: signed $zone"
dlvzone=dlv.utld.
dlvsets="$dlvsets dlvset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-cat $infile $keyname1.key $keyname2.key >$zonefile
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
-$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo "I: signed $zone"
dlvzone=dlv.utld.
dlvsets="$dlvsets dlvset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo "I: signed $zone"
dlvzone=dlv.utld.
dlvsets="$dlvsets dlvset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo "I: signed $zone"
outfile=child7.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-cat $infile $keyname1.key $keyname2.key >$zonefile
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null
+$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo "I: signed $zone"
outfile=child8.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo "I: signed $zone"
dlvzone=dlv.utld.
dlvsets="$dlvsets dlvset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.er
echo "I: signed $zone"
zone=child10.utld.
dlvzone=dlv.utld.
dlvsets="$dlvsets dlvset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-cat $infile $keyname1.key $keyname2.key >$zonefile
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
-$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo "I: signed $zone"
outfile=dlv.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null
+$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo "I: signed $zone"
-; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: hints,v 1.3 2010/05/26 23:50:47 tbox Exp $
+; $Id: hints,v 1.3.12.1 2010/06/03 00:36:02 marka Exp $
. 0 NS ns.rootservers.utld.
ns.rootservers.utld. 0 A 10.53.0.1
/*
- * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.3 2010/05/27 23:51:08 tbox Exp $ */
+/* $Id: named.conf,v 1.3.10.1 2010/06/03 00:36:02 marka Exp $ */
controls { /* empty */ };
#!/bin/sh
#
-# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.3 2010/05/27 23:51:08 tbox Exp $
+# $Id: sign.sh,v 1.3.10.1 2010/06/03 00:36:02 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.2 2004/05/14 04:58:19 marka Exp $
+# $Id: tests.sh,v 1.2.2.2 2010/06/03 00:36:02 marka Exp $
-exit 0
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+
+echo "I:checking that DNSKEY reference by DLV validates as secure ($n)"
+ret=0
+$DIG $DIGOPTS child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that child DNSKEY reference by DLV validates as secure ($n)"
+ret=0
+$DIG $DIGOPTS grand.child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+exit $status
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.119.18.55 2010/06/03 00:07:58 marka Exp $ */
+/* $Id: validator.c,v 1.119.18.56 2010/06/03 00:36:02 marka Exp $ */
/*! \file */
return (dlv_validatezonekey(val));
if (val->dsset == NULL) {
+
+ /*
+ * We have a dlv sep. Skip looking up the SEP from
+ * {trusted,managed}-keys. If the dlv sep is for the
+ * root then it will have been handled above so we don't
+ * need to check whether val->event->name is "." prior to
+ * looking up the DS.
+ */
+ if (val->havedlvsep)
+ goto find_ds;
+
/*
* First, see if this key was signed by a trusted key.
*/
val->event->name, found) != ISC_R_SUCCESS) {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, "
- "not beneath secure root");
+ "must be secure failure, "
+ "not beneath secure root");
return (DNS_R_MUSTBESECURE);
} else
validator_log(val, ISC_LOG_DEBUG(3),
- "not beneath secure root");
- if (val->view->dlv == NULL || DLVTRIED(val)) {
+ "not beneath secure root");
+ if (val->view->dlv == NULL) {
markanswer(val, "validatezonekey (1)");
return (ISC_R_SUCCESS);
}
}
}
- /*
- * If this is the root name and there was no trusted key,
- * give up, since there's no DS at the root.
- */
- if (dns_name_equal(event->name, dns_rootname)) {
- if ((val->attributes & VALATTR_TRIEDVERIFY) != 0)
- return (DNS_R_NOVALIDSIG);
- else
- return (DNS_R_NOVALIDDS);
- }
-
if (atsep) {
/*
* We have not found a key to verify this DNSKEY
return (DNS_R_NOVALIDKEY);
}
+ /*
+ * If this is the root name and there was no trusted key,
+ * give up, since there's no DS at the root.
+ */
+ if (dns_name_equal(event->name, dns_rootname)) {
+ if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "root key failed to validate");
+ return (DNS_R_NOVALIDSIG);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "no trusted root key");
+ return (DNS_R_NOVALIDDS);
+ }
+ }
+ find_ds:
/*
* Otherwise, try to find the DS record.
*/
projects / thirdparty / bind9.git / commitdiff
