dnssec-policy "ecdsa384";
};
+/*
+ * Zone with too high TTL.
+ */
+zone "max-zone-ttl.kasp" {
+ type primary;
+ file "max-zone-ttl.kasp.db";
+ dnssec-policy "ttl";
+};
+
/*
* Zones in different signing states.
*/
cat ed448.conf >> named.conf
fi
-# Set up zone that stays unsigned.
-zone="unsigned.kasp"
-echo_i "setting up zone: $zone"
-zonefile="${zone}.db"
-infile="${zone}.db.infile"
-cp template.db.in $infile
-cp template.db.in $zonefile
-
-# Set up zone that stays unsigned.
-zone="insecure.kasp"
-echo_i "setting up zone: $zone"
-zonefile="${zone}.db"
-infile="${zone}.db.infile"
-cp template.db.in $zonefile
+# Set up zones that stay unsigned.
+for zn in unsigned insecure max-zone-ttl
+do
+ zone="${zn}.kasp"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+ cp template.db.in $infile
+ cp template.db.in $zonefile
+done
# Some of these zones already have keys.
zone="dnssec-keygen.kasp"
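Review bot: The new comment `# Set up zones that stay unsigned.` does not fit every zone in the loop, because max-zone-ttl.kasp is bound to dnssec-policy "ttl" in the named.conf change and is expected to be refused at load time rather than to stay unsigned. I would reword it to `# Set up zones that stay unsigned, and max-zone-ttl.kasp, which must be rejected at load time.` and add a line noting that the rejection depends on the TTLs in template.db.in exceeding the policy's max-zone-ttl, since neither value is visible in this hunk. The loop also now creates insecure.kasp.db.infile, which the removed code did not; that looks harmless but is worth stating in the commit message. As a style point, `cp template.db.in $infile` and `cp template.db.in $zonefile` leave the expansions unquoted; `"$infile"` and `"$zonefile"` are the safer form.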
next_key_event_threshold=$((next_key_event_threshold+i))
+# Test max-zone-ttl rejects zones with too high TTL.
+n=$((n+1))
+echo_i "check that max-zone-ttl rejects zones with too high TTL ($n)"
+ret=0
+set_zone "max-zone-ttl.kasp"
+grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
#
# Zone: default.kasp.
#
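Review bot: The added max-zone-ttl check passes on the log line alone, so it shows that named logged the load failure but not that the zone is actually withheld from service. Since max-zone-ttl exists to keep record TTLs within what the key rollover timings assume, a follow-up query against ns3 that expects no answer for the zone would pin the behaviour that matters. The grep pattern is also read as a regular expression, so the dots in the zone name and in `.db` match any character; `grep -F "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" > /dev/null || ret=1` matches the message literally. `${ZONE}` is presumably set by `set_zone`, which is defined outside this hunk; a short comment saying so would help readers.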