These servers are parent servers:
- ns2 is a primary authoritative server that serves the parent zone for zones
configured in ns9.
+- ns3 is a resolver that can be configured as a parental agent.
- ns4 is the secondary server for ns2.
- ns5 is a primary authoritative server that serves the parent zone for zones
configured in ns9, but this one does not publish DS records (to test cases
Finally, ns9 is the authoritative server for the various DNSSEC enabled test
domains.
+
+We need multiple test cases for testing the "checkds" functionality. Basically,
+the behavior of "checkds" is of importance in three cases:
+
+1. Enabling DNSSEC
+2. KSK rollover
+3. Going insecure
+
+All these three cases involve publishing DS records into the parent, and
+withdrawing them. The named instance is responsible for checking that the
+relevant DS records are published or removed from the parent zone. Therefor,
+it needs to know what the parental agents are (the servers that it can send
+the DS queries to).
+
+Then there are two ways of retrieving parental agents, either through explicit
+configuration ("checkds explicit;"), or through discovery ("checkds yes;"). In
+the latter case, the parental agents are retrieved by querying for the parent NS
+RRset.
+
+The third value is "checkds no;", which disables the feature.
+
+Depending on the DS publication status, the DS state of the key needs to be
+updated. In case of DS publication, the "DSPublish" state should be set, only
+if all parental agents have the relevant DS published. In case of DS withdrawal,
+the "DSRemoved" state should be set, only if none of the parental agents have
+the relevant DS in their zone.
+
+Regardless of how parental agents are retrieved, we identify the following test
+cases:
+
+1. Enabling DNSSEC
+
+1.1. - With one parental agent
+1.1.1. - DS is correctly published in the parent: DSPublish
+1.1.2. - DS is not (yet) published in the parent: !DSPublish
+1.1.3. - The parental agent is badly configured: !DSPublish
+1.1.4. - DS is published, but has bogus signature: !DSPublish
+
+1.2. - With multiple parental agents
+1.2.1. - DS is correctly published in all parents: DSPublish
+1.2.2. - DS is not (yet) published in some parents: !DSPublish
+1.2.3. - One parental agent is badly configured: !DSPublish
+1.2.4. - DS is completely published, bogus signature: !DSPublish
+
+2. Going insecure
+
+2.1. - With one parental agent
+2.1.1. - DS is correctly withdrawn from the parent: DSRemoved
+2.1.2. - DS is (still) published in the parent: !DSRemoved
+2.1.3. - The parental agent is badly configured: !DSRemoved
+2.1.4. - DS is withdrawn, but has bogus signature: !DSRemoved
+
+2.2. - With multiple parental agents
+2.2.1. - DS is correctly withdrawn from all parents: DSRemoved
+2.2.2. - DS is not (yet) withdrawn from some parents: !DSRemoved
+2.2.3. - One parental agent is badly configured: !DSRemoved
+2.2.4. - DS is removed completely, bogus signature: !DSRemoved
+
+We deliberately don't test the "KSK Rollover" case in this system test as this
+can be considered as the same as "Enabling DNSSEC" for one key and
+"Going insecure" for another case. In other words, it is covered by the two
+other scenarios (although we might still add the test cases in the future).
rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
rm -f ns*/*.jnl ns*/*.jbk
rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/*.keyname
rm -f ns*/dsset-*
rm -f ns*/*.db ns*/*.jnl ns*/*.jbk ns*/*.db.signed ns*/*.db.infile
rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
rm -f ns*/trusted.conf
rm -f ns*/*.mkeys
rm -f ns*/zones
-rm -f *.checkds.out
+rm -f ./*.out
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
-checkds. NS ns2.checkds.
-ns2.checkds. A 10.53.0.2
+ns2. NS ns2.ns2.
+ns2.ns2. A 10.53.0.2
+
+ns2-4. NS ns2.ns2-4.
+ns2-4. NS ns4.ns2-4.
+ns2.ns2-4. A 10.53.0.2
+ns4.ns2-4. A 10.53.0.4
+
+ns2-4-5. NS ns2.ns2-4-5.
+ns2-4-5. NS ns4.ns2-4-5.
+ns2-4-5. NS ns5.ns2-4-5.
+ns2.ns2-4-5. A 10.53.0.2
+ns4.ns2-4-5. A 10.53.0.4
+ns5.ns2-4-5. A 10.53.0.5
+
+ns2-4-6. NS ns2.ns2-4-6.
+ns2-4-6. NS ns4.ns2-4-6.
+ns2-4-6. NS ns6.ns2-4-6.
+ns2.ns2-4-6. A 10.53.0.2
+ns4.ns2-4-6. A 10.53.0.4
+ns6.ns2-4-6. A 10.53.0.6
+
+ns2-5-7. NS ns2.ns2-5-7.
+ns2-5-7. NS ns5.ns2-5-7.
+ns2-5-7. NS ns7.ns2-5-7.
+ns2.ns2-5-7. A 10.53.0.2
+ns5.ns2-5-7. A 10.53.0.5
+ns7.ns2-5-7. A 10.53.0.7
+
+ns5. NS ns5.ns5.
+ns5.ns5. A 10.53.0.5
+
+ns5-6-7. NS ns5.ns5-6-7.
+ns5-6-7. NS ns6.ns5-6-7.
+ns5-6-7. NS ns7.ns5-6-7.
+ns5.ns5-6-7. A 10.53.0.5
+ns6.ns5-6-7. A 10.53.0.6
+ns7.ns5-6-7. A 10.53.0.7
+
+ns5-7. NS ns5.ns5-7.
+ns5-7. NS ns7.ns5-7.
+ns5.ns5-7. A 10.53.0.5
+ns7.ns5-7. A 10.53.0.7
+
+ns6. NS ns6.ns6.
+ns6.ns6. A 10.53.0.6
echo_i "ns1/setup.sh"
-cp "../ns2/dsset-checkds." .
-
ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cp "$ksk.key" "../ns10/"
keyfile_to_static_ds "$ksk" > trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns8/trusted.conf
+cp trusted.conf ../ns9/trusted.conf
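Review bot: Dropping `cp "../ns2/dsset-checkds." .` leaves this script with no step of its own to obtain the DS sets for the new parent zones; it now appears to depend on ns2/setup.sh having already pushed `dsset-<zone>.` files into ns1/, and nothing here verifies that ordering. If the root zone is signed later in this script with `-g` (outside the hunk), a missing dsset would presumably yield a root zone with no DS records for that delegation rather than an error. A guard such as `[ -f "dsset-ns2." ] || { echo_i "dsset files missing: ns2/setup.sh must run before ns1/setup.sh"; exit 1; }` would make the dependency explicit and the failure visible. The remainder of ns1/setup.sh lies outside the hunk.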
file "../../common/root.hint";
};
-zone "checkds" {
+zone "ns2" {
type primary;
+ allow-update { any; };
allow-transfer { 10.53.0.2; 10.53.0.4; };
- file "checkds.db";
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns2.db";
+};
+
+zone "ns2-4" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; };
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns2-4.db";
+};
+
+zone "ns2-4-5" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; };
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns2-4-5.db";
+};
+
+zone "ns2-4-6" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; };
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns2-4-6.db";
+};
+
+zone "ns2-5-7" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; };
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns2-5-7.db";
+};
+
+zone "ns5" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; };
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns5.db";
+};
+
+zone "ns5-6-7" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; };
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns5-6-7.db";
+};
+
+zone "ns5-7" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; };
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns5-7.db";
+};
+
+zone "ns6" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; };
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns6.db";
};
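Review bot: Every new zone stanza carries `allow-update { any; };` without a comment saying why; presumably the test driver publishes and withdraws DS RRs through dynamic update, but an unauthenticated, unrestricted update ACL on a primary is exactly the setting a reader will otherwise stop on. A one-line comment above the first stanza, `// allow-update { any; }: tests.sh adds/removes DS RRs via nsupdate; isolated test network only.`, records the intent. The identical stanzas in ns5/named.conf in this commit would benefit from the same comment.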
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ NS ns4
+ NS ns5
+ns2 A 10.53.0.2
+ns4 A 10.53.0.4
+ns5 A 10.53.0.5
+
+$ORIGIN explicit.dspublish.ns2-4-5.
+incomplete NS ns9.incomplete
+ns9.imcomplete A 10.53.0.9
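Review bot: The glue record on the last line is owned by `ns9.imcomplete` while the delegation on the line above points at `ns9.incomplete`, so `incomplete.explicit.dspublish.ns2-4-5` is delegated to a nameserver that has no A record in this parent zone; the line should read `ns9.incomplete A 10.53.0.9`. The ns5 copy of this file in the same commit has the identical typo. The explicit-mode checks address parental agents by IP, so this likely goes unnoticed until the zone is exercised through NS discovery, at which point the 1.2.2 scenario would fail for the wrong reason.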
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ NS ns4
+ NS ns6
+ns2 A 10.53.0.2
+ns4 A 10.53.0.4
+ns6 A 10.53.0.6
+
+$ORIGIN explicit.dspublish.ns2-4-6.
+bad NS ns9.bad
+ns9.bad A 10.53.0.9
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ NS ns4
+ns2 A 10.53.0.2
+ns4 A 10.53.0.4
+
+$ORIGIN explicit.dspublish.ns2-4.
+good NS ns9.good
+ns9.good A 10.53.0.9
--- /dev/null
+ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ NS ns5
+ NS ns7
+ns2 A 10.53.0.2
+ns5 A 10.53.0.5
+ns7 A 10.53.0.7
+
+$ORIGIN explicit.dsremoved.ns2-5-7.
+incomplete NS ns9.incomplete
+ns9.incomplete A 10.53.0.9
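Review bot: The first line of this file has a leading space before the `;` comment marker, unlike every other zone file added by the commit; it is most likely harmless to the master-file parser but breaks the uniform license header and will trip any header check anchored at column 0. Drop the space so the line reads `; Copyright (C) Internet Systems Consortium, Inc. ("ISC")`. The ns5 copy of this file starts the same way.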
NS ns2
ns2 A 10.53.0.2
-dspublished NS ns9.dspublished
+$ORIGIN explicit.dspublish.ns2.
+good NS ns9.good
reference NS ns9.reference
-missing-dspublished NS ns9.missing-dspublished
-bad-dspublished NS ns9.bad-dspublished
-multiple-dspublished NS ns9.multiple-dspublished
-incomplete-dspublished NS ns9.incomplete-dspublished
-bad2-dspublished NS ns9.bad2-dspublished
-resolver-dspublished NS ns9.resolver-dspublished
+resolver NS ns9.resolver
+ns9.good A 10.53.0.9
+ns9.reference A 10.53.0.9
+ns9.resolver A 10.53.0.9
-dswithdrawn NS ns9.dswithdrawn
-missing-dswithdrawn NS ns9.missing-dswithdrawn
-bad-dswithdrawn NS ns9.bad-dswithdrawn
-multiple-dswithdrawn NS ns9.multiple-dswithdrawn
-incomplete-dswithdrawn NS ns9.incomplete-dswithdrawn
-bad2-dswithdrawn NS ns9.bad2-dswithdrawn
-resolver-dswithdrawn NS ns9.resolver-dswithdrawn
+$ORIGIN explicit.dsremoved.ns2.
+still-there NS ns9.still-there
+ns9.still-there A 10.53.0.9
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns5
+ NS ns6
+ NS ns7
+ns5 A 10.53.0.5
+ns6 A 10.53.0.6
+ns7 A 10.53.0.7
+
+$ORIGIN explicit.dsremoved.ns5-6-7.
+bad NS ns9.bad
+ns9.bad A 10.53.0.9
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns5
+ NS ns7
+ns5 A 10.53.0.5
+ns7 A 10.53.0.7
+
+$ORIGIN explicit.dsremoved.ns5-7.
+good NS ns9.good
+ns9.good A 10.53.0.9
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns5
+ns5 A 10.53.0.5
+
+$ORIGIN explicit.dspublish.ns5.
+not-yet NS ns9.not-yet
+ns9.not-yet A 10.53.0.9
+
+$ORIGIN explicit.dsremoved.ns5.
+good NS ns9.good
+resolver NS ns9.resolver
+ns9.good A 10.53.0.9
+ns9.resolver A 10.53.0.9
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns6
+ns6 A 10.53.0.6
+
+$ORIGIN explicit.dspublish.ns6.
+bad NS ns9.bad
+ns9.bad A 10.53.0.9
+
+$ORIGIN explicit.dsremoved.ns6.
+bad NS ns9.bad
+ns9.bad A 10.53.0.9
echo_i "ns2/setup.sh"
-for subdomain in dspublished reference missing-dspublished bad-dspublished \
- multiple-dspublished incomplete-dspublished bad2-dspublished \
- resolver-dspublished \
- dswithdrawn missing-dswithdrawn bad-dswithdrawn \
- multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn \
- resolver-dswithdrawn
+for zn in \
+ ns2 ns2-4 ns2-4-5 ns2-4-6 ns2-5-7 \
+ ns5 ns5-6-7 ns5-7 ns6
do
- cp "../ns9/dsset-$subdomain.checkds." .
-done
+ zone="${zn}"
+ infile="${zn}.db.infile"
+ zonefile="${zn}.db"
-zone="checkds"
-infile="checkds.db.infile"
-zonefile="checkds.db"
+ # The signing key is copied from ns5.
+ CSK=$(cat "${zn}.keyname")
+ cat "${zn}.db.in" "${CSK}.key" > "$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+ $SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
-CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
-$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
+ cp "dsset-${zn}." ../ns1/
+done
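Review bot: `CSK=$(cat "${zn}.keyname")` assumes ns5/setup.sh has already written `${zn}.keyname` and copied the key pair into ns2/; if it has not, `cat` fails, `CSK` is empty, and the next line degrades into `cat ns2.db.in .key`, so the eventual signer error points far from the real cause. A guard before the read, `[ -f "${zn}.keyname" ] || { echo_i "${zn}.keyname missing: ns5/setup.sh must run first"; exit 1; }`, makes the ordering dependency explicit and fails early. The comment `# The signing key is copied from ns5.` could also state that this is why ns2 does not run keygen itself.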
inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
-zone "checkds" {
+zone "ns2" {
type secondary;
- file "checkds.db";
- primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns2.db";
+};
+
+zone "ns2-4" {
+ type secondary;
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns2-4.db";
+};
+
+zone "ns2-4-5" {
+ type secondary;
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns2-4-5.db";
+};
+
+zone "ns2-4-6" {
+ type secondary;
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns2-4-6.db";
+};
+
+zone "ns2-5-7" {
+ type secondary;
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns2-5-7.db";
+};
+
+zone "ns5" {
+ type secondary;
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns5.db";
+};
+
+zone "ns5-6-7" {
+ type secondary;
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns5-6-7.db";
+};
+
+zone "ns5-7" {
+ type secondary;
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns5-7.db";
+};
+
+zone "ns6" {
+ type secondary;
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns6.db";
};
file "../../common/root.hint";
};
-zone "checkds" {
+zone "ns2" {
type primary;
+ allow-update { any; };
allow-transfer { 10.53.0.5; 10.53.0.7; };
- file "checkds.db";
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns2.db";
+};
+
+zone "ns2-4" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; };
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns2-4.db";
+};
+
+zone "ns2-4-5" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; };
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns2-4-5.db";
+};
+
+zone "ns2-4-6" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; };
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns2-4-6.db";
+};
+
+zone "ns2-5-7" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; };
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns2-5-7.db";
+};
+
+zone "ns5" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; };
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns5.db";
+};
+
+zone "ns5-6-7" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; };
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns5-6-7.db";
+};
+
+zone "ns5-7" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; };
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns5-7.db";
+};
+
+zone "ns6" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; };
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns6.db";
};
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ NS ns4
+ NS ns5
+ns2 A 10.53.0.2
+ns4 A 10.53.0.4
+ns5 A 10.53.0.5
+
+$ORIGIN explicit.dspublish.ns2-4-5.
+incomplete NS ns9.incomplete
+ns9.imcomplete A 10.53.0.9
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ NS ns4
+ NS ns6
+ns2 A 10.53.0.2
+ns4 A 10.53.0.4
+ns6 A 10.53.0.6
+
+$ORIGIN explicit.dspublish.ns2-4-6.
+bad NS ns9.bad
+ns9.bad A 10.53.0.9
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ NS ns4
+ns2 A 10.53.0.2
+ns4 A 10.53.0.4
+
+$ORIGIN explicit.dspublish.ns2-4.
+good NS ns9.good
+ns9.good A 10.53.0.9
--- /dev/null
+ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ NS ns5
+ NS ns7
+ns2 A 10.53.0.2
+ns5 A 10.53.0.5
+ns7 A 10.53.0.7
+
+$ORIGIN explicit.dsremoved.ns2-5-7.
+incomplete NS ns9.incomplete
+ns9.incomplete A 10.53.0.9
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ns2 A 10.53.0.2
+
+$ORIGIN explicit.dspublish.ns2.
+good NS ns9.good
+reference NS ns9.reference
+resolver NS ns9.resolver
+ns9.good A 10.53.0.9
+ns9.reference A 10.53.0.9
+ns9.resolver A 10.53.0.9
+
+$ORIGIN explicit.dsremoved.ns2.
+still-there NS ns9.still-there
+ns9.still-there A 10.53.0.9
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns5
+ NS ns6
+ NS ns7
+ns5 A 10.53.0.5
+ns6 A 10.53.0.6
+ns7 A 10.53.0.7
+
+$ORIGIN explicit.dsremoved.ns5-6-7.
+bad NS ns9.bad
+ns9.bad A 10.53.0.9
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns5
+ NS ns7
+ns5 A 10.53.0.5
+ns7 A 10.53.0.7
+
+$ORIGIN explicit.dsremoved.ns5-7.
+good NS ns9.good
+ns9.good A 10.53.0.9
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns5
+ns5 A 10.53.0.5
+
+$ORIGIN explicit.dspublish.ns5.
+not-yet NS ns9.not-yet
+ns9.not-yet A 10.53.0.9
+
+$ORIGIN explicit.dsremoved.ns5.
+good NS ns9.good
+resolver NS ns9.resolver
+ns9.good A 10.53.0.9
+ns9.resolver A 10.53.0.9
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns6
+ns6 A 10.53.0.6
+
+$ORIGIN explicit.dspublish.ns6.
+bad NS ns9.bad
+ns9.bad A 10.53.0.9
+
+$ORIGIN explicit.dsremoved.ns6.
+bad NS ns9.bad
+ns9.bad A 10.53.0.9
echo_i "ns5/setup.sh"
-zone="checkds"
-infile="checkds.db.infile"
-zonefile="checkds.db"
+for zn in \
+ ns2 ns2-4 ns2-4-5 ns2-4-6 ns2-5-7 \
+ ns5 ns5-6-7 ns5-7 ns6
+do
+ zone="${zn}"
+ infile="${zn}.db.infile"
+ zonefile="${zn}.db"
-CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
-$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
+ CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
+ cat "${zn}.db.in" "${CSK}.key" > "$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+ $SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
+
+ # Copy key to ns2, the other primary.
+ echo "${CSK}" > "../ns2/${zn}.keyname"
+ cp "${CSK}.key" ../ns2/
+ cp "${CSK}.private" ../ns2/
+done
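Review bot: Only `${CSK}.key` and `${CSK}.private` are copied to ns2, yet clean.sh in this commit removes `ns*/K*.state`, which suggests `$KEYGEN -k default` also writes a `.state` file; if so, ns2 starts with the same key but none of its timing metadata, and the two primaries, both configured with `dnssec-policy default`, will manage that key's state independently. Either copy it alongside the others, `cp "${CSK}.state" ../ns2/`, or extend the `# Copy key to ns2, the other primary.` comment to say that divergent key state between ns2 and ns5 is acceptable for this test.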
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300
-@ IN SOA secondary.example. hostmaster.example. (
- 1 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
-
- NS ns5
-ns5 A 10.53.0.5
-
-dspublished NS ns9.dspublished
-reference NS ns9.reference
-missing-dspublished NS ns9.missing-dspublished
-bad-dspublished NS ns9.bad-dspublished
-multiple-dspublished NS ns9.multiple-dspublished
-incomplete-dspublished NS ns9.incomplete-dspublished
-bad2-dspublished NS ns9.bad2-dspublished
-resolver-dspublished NS ns9.resolver-dspublished
-
-dswithdrawn NS ns9.dswithdrawn
-missing-dswithdrawn NS ns9.missing-dswithdrawn
-bad-dswithdrawn NS ns9.bad-dswithdrawn
-multiple-dswithdrawn NS ns9.multiple-dswithdrawn
-incomplete-dswithdrawn NS ns9.incomplete-dswithdrawn
-bad2-dswithdrawn NS ns9.bad2-dswithdrawn
-resolver-dswithdrawn NS ns9.resolver-dswithdrawn
-
inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
-zone "." {
- type hint;
- file "../../common/root.hint";
+zone "ns2" {
+ type secondary;
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns2.db";
+};
+
+zone "ns2-4" {
+ type secondary;
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns2-4.db";
+};
+
+zone "ns2-4-5" {
+ type secondary;
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns2-4-5.db";
+};
+
+zone "ns2-4-6" {
+ type secondary;
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns2-4-6.db";
+};
+
+zone "ns2-5-7" {
+ type secondary;
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns2-5-7.db";
+};
+
+zone "ns5" {
+ type secondary;
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns5.db";
+};
+
+zone "ns5-6-7" {
+ type secondary;
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns5-6-7.db";
+};
+
+zone "ns5-7" {
+ type secondary;
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns5-7.db";
};
-zone "checkds" {
+zone "ns6" {
type secondary;
- file "checkds.db";
- primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns6.db";
};
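Review bot: The first added stanza replaces the `zone "." { type hint; ... }` block rather than following it, so ns7 ends up without root hints unless they are declared elsewhere in the file; the ns2 and ns5 configs touched by this commit keep theirs. If ns7 is non-recursive the loss is harmless, but the removal reads as incidental to the zone renaming rather than intended, and deserves either restoring the stanza or a sentence in the commit message saying why ns7 no longer needs it.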
// NS9
+include "trusted.conf";
+
options {
query-source address 10.53.0.9;
notify-source 10.53.0.9;
};
/*
- * Zone with parental agent configured, due for DS checking.
+ * 1. Enabling DNSSEC
+ * 1.1 - With one parental agent
+ * 1.1.1. - DS is correctly published in the parent.
*/
-zone "dspublished.checkds" {
+zone "good.explicit.dspublish.ns2" {
type primary;
- file "dspublished.checkds.db";
+ file "good.explicit.dspublish.ns2.db";
inline-signing yes;
dnssec-policy "default";
parental-agents { 10.53.0.2 port @PORT@; };
};
-/*
- * Zone with parental agent configured, due for DS checking.
- * Same as above, but now with a reference to parental-agents.
- */
-zone "reference.checkds" {
+/* Same as above, but now with a reference to parental-agents. */
+zone "reference.explicit.dspublish.ns2" {
type primary;
- file "reference.checkds.db";
+ file "reference.explicit.dspublish.ns2.db";
inline-signing yes;
dnssec-policy "default";
parental-agents { "ns2"; };
};
+/* Same as above, but now with resolver parental agent configured. */
+zone "resolver.explicit.dspublish.ns2" {
+ type primary;
+ file "resolver.explicit.dspublish.ns2.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ parental-agents {
+ 10.53.0.3 port @PORT@;
+ };
+};
+
/*
- * Zone with parental agent configured, due for DS checking.
- * The parental agent does not have the DS yet.
+ * 1. Enabling DNSSEC
+ * 1.1 - With one parental agent
+ * 1.1.2. - DS is not (yet) published in the parent.
*/
-zone "missing-dspublished.checkds" {
+zone "not-yet.explicit.dspublish.ns5" {
type primary;
- file "missing-dspublished.checkds.db";
+ file "not-yet.explicit.dspublish.ns5.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
};
};
-
/*
- * Zone with parental agent configured, due for DS checking.
- * This case, the server is badly configured.
+ * 1. Enabling DNSSEC
+ * 1.1 - With one parental agent
+ * 1.1.3. - The parental agent is badly configured.
*/
-zone "bad-dspublished.checkds" {
+zone "bad.explicit.dspublish.ns6" {
type primary;
- file "bad-dspublished.checkds.db";
+ file "bad.explicit.dspublish.ns6.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
};
/*
- * Zone with multiple parental agents configured, due for DS checking.
- * All need to have the DS before the rollover may continue.
+ * 1. Enabling DNSSEC
+ * 1.1 - With one parental agent
+ * 1.1.4. - DS is published, but has bogus signature
*/
-zone "multiple-dspublished.checkds" {
+// TODO
+
+/*
+ * 1. Enabling DNSSEC
+ * 1.2 - With multiple parental agent
+ * 1.2.1. - DS is correctly published in all parents.
+ */
+zone "good.explicit.dspublish.ns2-4" {
type primary;
- file "multiple-dspublished.checkds.db";
+ file "good.explicit.dspublish.ns2-4.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
};
/*
- * Zone with multiple parental agents configured, due for DS checking.
- * All need to have the DS before the rollover may continue.
- * This case, one server is still missing the DS.
+ * 1. Enabling DNSSEC
+ * 1.2 - With multiple parental agent
+ * 1.2.2. - DS is not (yet) published in some parents.
*/
-zone "incomplete-dspublished.checkds" {
+zone "incomplete.explicit.dspublish.ns2-4-5" {
type primary;
- file "incomplete-dspublished.checkds.db";
+ file "incomplete.explicit.dspublish.ns2-4-5.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
};
};
-
/*
- * Zone with multiple parental agents configured, due for DS checking.
- * All need to have the DS before the rollover may continue.
- * This case, one server is badly configured.
+ * 1. Enabling DNSSEC
+ * 1.2 - With multiple parental agent
+ * 1.2.3. - DS is not (yet) published in some parents.
*/
-zone "bad2-dspublished.checkds" {
+zone "bad.explicit.dspublish.ns2-4-6" {
type primary;
- file "bad2-dspublished.checkds.db";
+ file "bad.explicit.dspublish.ns2-4-6.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
};
/*
- * Zone with resolver parental agent configured, due for DS checking.
+ * 1. Enabling DNSSEC
+ * 1.2 - With multiple parental agent
+ * 1.2.4. - DS is completely published, bogus signature.
*/
-zone "resolver-dspublished.checkds" {
- type primary;
- file "resolver-dspublished.checkds.db";
- inline-signing yes;
- dnssec-policy "default";
- parental-agents {
- 10.53.0.3 port @PORT@;
- };
-};
+// TODO
// TODO: Other test cases:
-// - Test with bogus response
// - check with TSIG
// - check with TLS
-
/*
- * Zones that are going insecure (test DS withdrawn polling).
+ * 2. Going insecure
+ * 2.1 - With one parental agent
+ * 2.1.1. - DS is correctly withdrawn from the parent.
*/
-zone "dswithdrawn.checkds" {
+zone "good.explicit.dsremoved.ns5" {
type primary;
- file "dswithdrawn.checkds.db";
+ file "good.explicit.dsremoved.ns5.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents { 10.53.0.5 port @PORT@; };
};
-zone "missing-dswithdrawn.checkds" {
+zone "resolver.explicit.dsremoved.ns5" {
type primary;
- file "missing-dswithdrawn.checkds.db";
+ file "resolver.explicit.dsremoved.ns5.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ parental-agents {
+ 10.53.0.3 port @PORT@;
+ };
+};
+
+/*
+ * 2. Going insecure
+ * 2.1 - With one parental agent
+ * 2.1.2. - DS is (still) published in the parent.
+ */
+zone "still-there.explicit.dsremoved.ns2" {
+ type primary;
+ file "still-there.explicit.dsremoved.ns2.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
};
};
-zone "bad-dswithdrawn.checkds" {
+/*
+ * 2. Going insecure
+ * 2.1 - With one parental agent
+ * 2.1.3. - The parental agent is badly configured.
+ */
+zone "bad.explicit.dsremoved.ns6" {
type primary;
- file "bad-dswithdrawn.checkds.db";
+ file "bad.explicit.dsremoved.ns6.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
};
};
-zone "multiple-dswithdrawn.checkds" {
+/*
+ * 2. Going insecure
+ * 2.1 - With one parental agent
+ * 2.1.4. - DS is withdrawn, but has bogus signature.
+ */
+// TODO
+
+/*
+ * 2. Going insecure
+ * 2.2. - With multiple parental agents
+ * 2.2.1. - DS is correctly withdrawn from all parents.
+ */
+zone "good.explicit.dsremoved.ns5-7" {
type primary;
- file "multiple-dswithdrawn.checkds.db";
+ file "good.explicit.dsremoved.ns5-7.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
};
};
-zone "incomplete-dswithdrawn.checkds" {
+/*
+ * 2. Going insecure
+ * 2.2. - With multiple parental agents
+ * 2.2.2. - DS is not (yet) withdrawn from some parents.
+ */
+zone "incomplete.explicit.dsremoved.ns2-5-7" {
type primary;
- file "incomplete-dswithdrawn.checkds.db";
+ file "incomplete.explicit.dsremoved.ns2-5-7.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
};
};
-zone "bad2-dswithdrawn.checkds" {
+/*
+ * 2. Going insecure
+ * 2.2. - With multiple parental agents
+ * 2.2.3. - One parental agent is badly configured.
+ */
+zone "bad.explicit.dsremoved.ns5-6-7" {
type primary;
- file "bad2-dswithdrawn.checkds.db";
+ file "bad.explicit.dsremoved.ns5-6-7.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
};
};
-zone "resolver-dswithdrawn.checkds" {
- type primary;
- file "resolver-dswithdrawn.checkds.db";
- inline-signing yes;
- dnssec-policy "default";
- parental-agents {
- 10.53.0.8 port @PORT@;
- };
-};
+/*
+ * 2. Going insecure
+ * 2.2. - With multiple parental agents
+ * 2.2.4. - DS is removed completely, bogus signature
+ */
+// TODO
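Review bot: The comment above `zone "bad.explicit.dspublish.ns2-4-6"` reads `* 1.2.3. - DS is not (yet) published in some parents.`, which is the 1.2.2 wording copied over; this zone's third agent is ns6, the badly configured one, so it should read `* 1.2.3. - One parental agent is badly configured.` to match the dsremoved counterpart (`bad.explicit.dsremoved.ns5-6-7`) and the 1.2.3 header in the test. Separately, `resolver.explicit.dsremoved.ns5` is the only going-insecure zone carrying `dnssec-policy "default"`; every sibling in that group uses `dnssec-policy "insecure"`. The removed `resolver-dswithdrawn.checkds` zone had the same `default`, so this may be deliberate, but a one-line comment stating why the policy differs would stop the next reader treating it as a copy-paste slip. The hunk these zones belong to begins before this view.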
Y="now-1y"
# DS Publication.
-for zn in dspublished reference missing-dspublished bad-dspublished \
- multiple-dspublished incomplete-dspublished bad2-dspublished resolver-dspublished
+for checkds in explicit
do
- setup "${zn}.checkds"
- cp template.db.in "$zonefile"
- keytimes="-P $T -P sync $T -A $T"
- CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
- $SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1
- cat template.db.in "${CSK}.key" > "$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
- cp $infile $zonefile
- $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+ for zn in \
+ good.${checkds}.dspublish.ns2 \
+ reference.${checkds}.dspublish.ns2 \
+ resolver.${checkds}.dspublish.ns2 \
+ not-yet.${checkds}.dspublish.ns5 \
+ bad.${checkds}.dspublish.ns6 \
+ good.${checkds}.dspublish.ns2-4 \
+ incomplete.${checkds}.dspublish.ns2-4-5 \
+ bad.${checkds}.dspublish.ns2-4-6
+ do
+ setup "${zn}"
+ cp template.db.in "$zonefile"
+ keytimes="-P $T -P sync $T -A $T"
+ CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
+ $SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1
+ cat "$zonefile" "${CSK}.key" > "$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+ cp "dsset-${zone}." ../ns2/
+ done
done
# DS Withdrawal.
-for zn in dswithdrawn missing-dswithdrawn bad-dswithdrawn multiple-dswithdrawn \
- incomplete-dswithdrawn bad2-dswithdrawn resolver-dswithdrawn
+for checkds in explicit
do
- setup "${zn}.checkds"
- cp template.db.in "$zonefile"
- keytimes="-P $Y -P sync $Y -A $Y"
- CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
- $SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1
- cat template.db.in "${CSK}.key" > "$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
- cp $infile $zonefile
- $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+ for zn in \
+ good.${checkds}.dsremoved.ns5 \
+ resolver.${checkds}.dsremoved.ns5 \
+ still-there.${checkds}.dsremoved.ns2 \
+ bad.${checkds}.dsremoved.ns6 \
+ good.${checkds}.dsremoved.ns5-7 \
+ incomplete.${checkds}.dsremoved.ns2-5-7 \
+ bad.${checkds}.dsremoved.ns5-6-7
+ do
+ setup "${zn}"
+ cp template.db.in "$zonefile"
+ keytimes="-P $Y -P sync $Y -A $Y"
+ CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
+ $SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1
+ cat "$zonefile" "${CSK}.key" > "$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+ cp "dsset-${zone}." ../ns2/
+ done
done
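Review bot: The DS-withdrawal loop unconditionally runs `cp "dsset-${zone}." ../ns2/` for every zone, including the ones whose checks expect an empty DS answer (`good.explicit.dsremoved.ns5`, `resolver.explicit.dsremoved.ns5`, `good.explicit.dsremoved.ns5-7`). Whether that is harmless depends on how ns2's setup consumes the dsset files and on what ns3 resolves against, neither of which is visible here; if ns3 recurses to ns2 for the parent zone, the resolver case would receive a populated DS answer instead of the expected empty one. Consider restricting the copy to the zones whose DS is meant to stay published (`still-there` and `incomplete`), or add a comment recording that ns2 only picks up selected dssets. As a style point, `cp $infile $zonefile` is unquoted while the neighbouring `cat "$zonefile" "${CSK}.key"` is quoted; `cp "$infile" "$zonefile"` keeps the two consistent.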
ttl = 300
nextname = "a."
+ labelcount = zone.count(".") # zone is specified as FQDN
types = "NS SOA RRSIG NSEC DNSKEY"
match = "{0} {1} IN NSEC {2}{0} {3}".format(zone, ttl, nextname, types)
- sig = "{0} {1} IN RRSIG NSEC 13 2 300".format(zone, ttl)
+ sig = "{0} {1} IN RRSIG NSEC 13 {2} 300".format(zone, ttl, labelcount)
for rr in response.answer:
if match in rr.to_text():
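Review bot: `labelcount = zone.count(".")` only equals the RRSIG labels field when `zone` is fully qualified with its trailing dot, which the inline comment asserts but nothing checks; a name passed without the dot would silently yield a count one too small and the signature match would never fire. An explicit guard before the count, `assert zone.endswith("."), zone`, makes the assumption fail loudly instead. The enclosing function starts outside the hunk.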
parent.nameservers = ["10.53.0.2"]
parent.port = named_port
- # DS correctly published in parent.
- zone_check(server, "dspublished.checkds.")
+ #
+ # 1.1.1: DS is correctly published in parent.
+ # parental-agents: ns2
+ #
+
+ # The simple case.
+ zone_check(server, "good.explicit.dspublish.ns2.")
wait_for_log(
"ns9/named.run",
- "zone dspublished.checkds/IN (signed): checkds: DS response from 10.53.0.2",
+ "zone good.explicit.dspublish.ns2/IN (signed): checkds: "
+ "DS response from 10.53.0.2",
)
- keystate_check(parent, "dspublished.checkds.", "DSPublish")
+ keystate_check(parent, "good.explicit.dspublish.ns2.", "DSPublish")
- # DS correctly published in parent (reference to parental-agent).
- zone_check(server, "reference.checkds.")
+ # Using a reference to parental-agents.
+ zone_check(server, "reference.explicit.dspublish.ns2.")
wait_for_log(
"ns9/named.run",
- "zone reference.checkds/IN (signed): checkds: DS response from 10.53.0.2",
+ "zone reference.explicit.dspublish.ns2/IN (signed): "
+ "checkds: DS response from 10.53.0.2",
)
- keystate_check(parent, "reference.checkds.", "DSPublish")
+ keystate_check(parent, "reference.explicit.dspublish.ns2.", "DSPublish")
- # DS not published in parent.
- zone_check(server, "missing-dspublished.checkds.")
+ # Using a resolver as parental-agent (ns3).
+ zone_check(server, "resolver.explicit.dspublish.ns2.")
wait_for_log(
"ns9/named.run",
- "zone missing-dspublished.checkds/IN (signed): checkds: "
+ "zone resolver.explicit.dspublish.ns2/IN (signed): checkds: "
+ "DS response from 10.53.0.3",
+ )
+ keystate_check(parent, "resolver.explicit.dspublish.ns2.", "DSPublish")
+
+ #
+ # 1.1.2: DS is not published in parent.
+ # parental-agents: ns5
+ #
+ zone_check(server, "not-yet.explicit.dspublish.ns5.")
+ wait_for_log(
+ "ns9/named.run",
+ "zone not-yet.explicit.dspublish.ns5/IN (signed): checkds: "
"empty DS response from 10.53.0.5",
)
- keystate_check(parent, "missing-dspublished.checkds.", "!DSPublish")
+ keystate_check(parent, "not-yet.explicit.dspublish.ns5.", "!DSPublish")
- # Badly configured parent.
- zone_check(server, "bad-dspublished.checkds.")
+ #
+ # 1.1.3: The parental agent is badly configured.
+ # parental-agents: ns6
+ #
+ zone_check(server, "bad.explicit.dspublish.ns6.")
wait_for_log(
"ns9/named.run",
- "zone bad-dspublished.checkds/IN (signed): checkds: "
+ "zone bad.explicit.dspublish.ns6/IN (signed): checkds: "
"bad DS response from 10.53.0.6",
)
- keystate_check(parent, "bad-dspublished.checkds.", "!DSPublish")
-
- # TBD: DS published in parent, but bogus signature.
-
- # DS correctly published in all parents.
- zone_check(server, "multiple-dspublished.checkds.")
+ keystate_check(parent, "bad.explicit.dspublish.ns6.", "!DSPublish")
+
+ #
+ # 1.1.4: DS is published, but has bogus signature.
+ #
+ # TBD
+
+ #
+ # 1.2.1: DS is correctly published in all parents.
+ # parental-agents: ns2, ns4
+ #
+ zone_check(server, "good.explicit.dspublish.ns2-4.")
wait_for_log(
"ns9/named.run",
- "zone multiple-dspublished.checkds/IN (signed): checkds: "
+ "zone good.explicit.dspublish.ns2-4/IN (signed): checkds: "
"DS response from 10.53.0.2",
)
wait_for_log(
"ns9/named.run",
- "zone multiple-dspublished.checkds/IN (signed): checkds: "
+ "zone good.explicit.dspublish.ns2-4/IN (signed): checkds: "
"DS response from 10.53.0.4",
)
- keystate_check(parent, "multiple-dspublished.checkds.", "DSPublish")
+ keystate_check(parent, "good.explicit.dspublish.ns2-4.", "DSPublish")
- # DS published in only one of multiple parents.
- zone_check(server, "incomplete-dspublished.checkds.")
+ #
+ # 1.2.2: DS is not published in some parents.
+ # parental-agents: ns2, ns4, ns5
+ #
+ zone_check(server, "incomplete.explicit.dspublish.ns2-4-5.")
wait_for_log(
"ns9/named.run",
- "zone incomplete-dspublished.checkds/IN (signed): checkds: "
+ "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: "
"DS response from 10.53.0.2",
)
wait_for_log(
"ns9/named.run",
- "zone incomplete-dspublished.checkds/IN (signed): checkds: "
+ "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: "
"DS response from 10.53.0.4",
)
wait_for_log(
"ns9/named.run",
- "zone incomplete-dspublished.checkds/IN (signed): checkds: "
+ "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: "
"empty DS response from 10.53.0.5",
)
- keystate_check(parent, "incomplete-dspublished.checkds.", "!DSPublish")
+ keystate_check(parent, "incomplete.explicit.dspublish.ns2-4-5.", "!DSPublish")
- # One of the parents is badly configured.
- zone_check(server, "bad2-dswithdrawn.checkds.")
+ #
+ # 1.2.3: One parental agent is badly configured.
+ # parental-agents: ns2, ns4, ns6
+ #
+ zone_check(server, "bad.explicit.dspublish.ns2-4-6.")
wait_for_log(
"ns9/named.run",
- "zone bad2-dspublished.checkds/IN (signed): checkds: "
+ "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: "
"DS response from 10.53.0.2",
)
wait_for_log(
"ns9/named.run",
- "zone bad2-dspublished.checkds/IN (signed): checkds: "
+ "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: "
"DS response from 10.53.0.4",
)
wait_for_log(
"ns9/named.run",
- "zone bad2-dspublished.checkds/IN (signed): checkds: "
+ "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: "
"bad DS response from 10.53.0.6",
)
- keystate_check(parent, "bad2-dspublished.checkds.", "!DSPublish")
-
- # Check with resolver parental-agent.
- zone_check(server, "resolver-dspublished.checkds.")
- wait_for_log(
- "ns9/named.run",
- "zone resolver-dspublished.checkds/IN (signed): checkds: "
- "DS response from 10.53.0.3",
- )
- keystate_check(parent, "resolver-dspublished.checkds.", "DSPublish")
+ keystate_check(parent, "bad.explicit.dspublish.ns2-4-6.", "!DSPublish")
- # TBD: DS published in all parents, but one has bogus signature.
+ #
+ # 1.2.4: DS is completely published, bogus signature.
+ #
+ # TBD
# TBD: Check with TSIG
-
# TBD: Check with TLS
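Review bot: The header comment for case 1.1.1 says `# parental-agents: ns2`, but the third zone grouped under it, `resolver.explicit.dspublish.ns2`, is checked against 10.53.0.3, so the header no longer describes all three checks. Rewording it to `# parental-agents: ns2 (ns3 acting as a resolving parental agent in the third check)` keeps the summary accurate for the whole group. The enclosing test function starts outside the hunk.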
parent.nameservers = ["10.53.0.2"]
parent.port = named_port
- # DS correctly published in single parent.
- zone_check(server, "dswithdrawn.checkds.")
+ #
+ # 2.1.1: DS correctly withdrawn from the parent.
+ # parental-agents: ns5
+ #
+
+ # The simple case.
+ zone_check(server, "good.explicit.dsremoved.ns5.")
wait_for_log(
"ns9/named.run",
- "zone dswithdrawn.checkds/IN (signed): checkds: "
+ "zone good.explicit.dsremoved.ns5/IN (signed): checkds: "
"empty DS response from 10.53.0.5",
)
- keystate_check(parent, "dswithdrawn.checkds.", "DSRemoved")
+ keystate_check(parent, "good.explicit.dsremoved.ns5.", "DSRemoved")
+
+ # Using a resolver as parental-agent (ns3).
+ zone_check(server, "resolver.explicit.dsremoved.ns5.")
+ wait_for_log(
+ "ns9/named.run",
+ "zone resolver.explicit.dsremoved.ns5/IN (signed): checkds: "
+ "empty DS response from 10.53.0.3",
+ )
+ keystate_check(parent, "resolver.explicit.dsremoved.ns5.", "DSRemoved")
- # DS not withdrawn from parent.
- zone_check(server, "missing-dswithdrawn.checkds.")
+ #
+ # 2.1.2: DS is published in the parent.
+ # parental-agents: ns2
+ #
+ zone_check(server, "still-there.explicit.dsremoved.ns2.")
wait_for_log(
"ns9/named.run",
- "zone missing-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone still-there.explicit.dsremoved.ns2/IN (signed): checkds: "
"DS response from 10.53.0.2",
)
- keystate_check(parent, "missing-dswithdrawn.checkds.", "!DSRemoved")
+ keystate_check(parent, "still-there.explicit.dsremoved.ns2.", "!DSRemoved")
- # Badly configured parent.
- zone_check(server, "bad-dswithdrawn.checkds.")
+ #
+ # 2.1.3: The parental agent is badly configured.
+ # parental-agents: ns6
+ #
+ zone_check(server, "bad.explicit.dsremoved.ns6.")
wait_for_log(
"ns9/named.run",
- "zone bad-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone bad.explicit.dsremoved.ns6/IN (signed): checkds: "
"bad DS response from 10.53.0.6",
)
- keystate_check(parent, "bad-dswithdrawn.checkds.", "!DSRemoved")
-
- # TBD: DS published in parent, but bogus signature.
-
- # DS correctly withdrawn from all parents.
- zone_check(server, "multiple-dswithdrawn.checkds.")
+ keystate_check(parent, "bad.explicit.dsremoved.ns6.", "!DSRemoved")
+
+ #
+ # 2.1.4: DS is withdrawn, but has bogus signature.
+ #
+ # TBD
+
+ #
+ # 2.2.1: DS is correctly withdrawn from all parents.
+ # parental-agents: ns5, ns7
+ #
+ zone_check(server, "good.explicit.dsremoved.ns5-7.")
wait_for_log(
"ns9/named.run",
- "zone multiple-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone good.explicit.dsremoved.ns5-7/IN (signed): checkds: "
"empty DS response from 10.53.0.5",
)
wait_for_log(
"ns9/named.run",
- "zone multiple-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone good.explicit.dsremoved.ns5-7/IN (signed): checkds: "
"empty DS response from 10.53.0.7",
)
- keystate_check(parent, "multiple-dswithdrawn.checkds.", "DSRemoved")
+ keystate_check(parent, "good.explicit.dsremoved.ns5-7.", "DSRemoved")
- # DS withdrawn from only one of multiple parents.
- zone_check(server, "incomplete-dswithdrawn.checkds.")
+ #
+ # 2.2.2: DS is not withdrawn from some parents.
+ # parental-agents: ns2, ns5, ns7
+ #
+ zone_check(server, "incomplete.explicit.dsremoved.ns2-5-7.")
wait_for_log(
"ns9/named.run",
- "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: "
"DS response from 10.53.0.2",
)
wait_for_log(
"ns9/named.run",
- "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: "
"empty DS response from 10.53.0.5",
)
wait_for_log(
"ns9/named.run",
- "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: "
"empty DS response from 10.53.0.7",
)
- keystate_check(parent, "incomplete-dswithdrawn.checkds.", "!DSRemoved")
+ keystate_check(parent, "incomplete.explicit.dsremoved.ns2-5-7.", "!DSRemoved")
- # One of the parents is badly configured.
- zone_check(server, "bad2-dswithdrawn.checkds.")
+ #
+ # 2.2.3: One parental agent is badly configured.
+ # parental-agents: ns5, ns6, ns7
+ #
+ zone_check(server, "bad.explicit.dsremoved.ns5-6-7.")
wait_for_log(
"ns9/named.run",
- "zone bad2-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: "
"empty DS response from 10.53.0.5",
)
wait_for_log(
"ns9/named.run",
- "zone bad2-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: "
"empty DS response from 10.53.0.7",
)
wait_for_log(
"ns9/named.run",
- "zone bad2-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: "
"bad DS response from 10.53.0.6",
)
- keystate_check(parent, "bad2-dswithdrawn.checkds.", "!DSRemoved")
-
- # Check with resolver parental-agent.
- zone_check(server, "resolver-dswithdrawn.checkds.")
- wait_for_log(
- "ns9/named.run",
- "zone resolver-dswithdrawn.checkds/IN (signed): checkds: "
- "empty DS response from 10.53.0.8",
- )
- keystate_check(parent, "resolver-dswithdrawn.checkds.", "DSRemoved")
+ keystate_check(parent, "bad.explicit.dsremoved.ns5-6-7.", "!DSRemoved")
- # TBD: DS withdrawn from all parents, but one has bogus signature.
+ #
+ # 2.2.4:: DS is removed completely, bogus signature.
+ #
+ # TBD