rm -f ns1/*.signed
rm -f ns1/signer.err
rm -f ns1/root.db
+rm -f ns1/trusted.conf
rm -f ns2/K*
rm -f ns2/dlvset-*
rm -f ns2/dsset-*
rm -f ns2/druz.db
rm -f ns3/K*
rm -f ns3/*.db
-rm -f ns3/*.signed
+rm -f ns3/*.signed ns3/*.signed.tmp
rm -f ns3/dlvset-*
rm -f ns3/dsset-*
rm -f ns3/keyset-*
-rm -f ns1/trusted.conf ns5/trusted.conf
-rm -f ns3/trusted-dlv.conf ns5/trusted-dlv.conf
+rm -f ns3/trusted*.conf
rm -f ns3/signer.err
+rm -f ns5/trusted*.conf
rm -f ns6/K*
rm -f ns6/*.db
rm -f ns6/*.signed
rm -f ns6/dsset-*
rm -f ns6/signer.err
+rm -f ns7/trusted*.conf ns8/trusted*.conf
rm -f */named.memstats
rm -f dig.out.ns*.test*
rm -f ns*/named.lock
@ NS ns.rootservers.utld
ns A 10.53.0.1
;
+; A zone that is unsigned (utld=unsigned tld) that will include a second level
+; zone that acts as a DLV.
+;
utld NS ns.utld
ns.utld A 10.53.0.2
+;
+; A zone that has a bad DNSKEY RRset but has good DLV records for its child
+; zones.
+;
druz NS ns.druz
ns.druz A 10.53.0.2
keyfile_to_trusted_keys $keyname2 > trusted.conf
cp trusted.conf ../ns5
+cp trusted.conf ../ns7
+cp trusted.conf ../ns8
notify yes;
};
+/* Root hints. */
zone "." { type hint; file "hints"; };
+
+/*
+ * A zone that is unsigned (utld=unsigned tld) that will include a second level
+ * zone that acts as a DLV.
+ */
zone "utld" { type master; file "utld.db"; };
+
+/*
+ * A zone that has a bad DNSKEY RRset but has good DLV records for its child
+ * zones.
+ */
zone "druz" { type master; file "druz.signed"; };
dlv NS ns.dlv
ns.dlv A 10.53.0.3
;
+disabled-algorithm-dlv NS ns.disabled-algorithm-dlv
+ns.disabled-algorithm-dlv A 10.53.0.3
+;
+unsupported-algorithm-dlv NS ns.unsupported-algorithm-dlv
+ns.unsupported-algorithm-dlv A 10.53.0.3
+;
child1 NS ns.child1
ns.child1 A 10.53.0.3
;
;
child10 NS ns.child10
ns.child10 A 10.53.0.3
+;
+disabled-algorithm NS ns.disabled-algorithm
+ns.disabled-algorithm A 10.53.0.3
+;
+unsupported-algorithm NS ns.unsupported-algorithm
+ns.unsupported-algorithm A 10.53.0.3
notify yes;
};
+/* Root hints. */
zone "." { type hint; file "hints"; };
-zone "dlv.utld" { type master; file "dlv.signed"; };
-zone "child1.utld" { type master; file "child1.signed"; }; // dlv
-zone "child3.utld" { type master; file "child3.signed"; }; // dlv
-zone "child4.utld" { type master; file "child4.signed"; }; // dlv
-zone "child5.utld" { type master; file "child5.signed"; }; // dlv
-zone "child7.utld" { type master; file "child7.signed"; }; // no dlv
-zone "child8.utld" { type master; file "child8.signed"; }; // no dlv
-zone "child9.utld" { type master; file "child9.signed"; }; // dlv
-zone "child10.utld" { type master; file "child.db.in"; }; // dlv unsigned
-zone "child1.druz" { type master; file "child1.druz.signed"; }; // dlv
-zone "child3.druz" { type master; file "child3.druz.signed"; }; // dlv
-zone "child4.druz" { type master; file "child4.druz.signed"; }; // dlv
-zone "child5.druz" { type master; file "child5.druz.signed"; }; // dlv
-zone "child7.druz" { type master; file "child7.druz.signed"; }; // no dlv
-zone "child8.druz" { type master; file "child8.druz.signed"; }; // no dlv
-zone "child9.druz" { type master; file "child9.druz.signed"; }; // dlv
-zone "child10.druz" { type master; file "child.db.in"; }; // dlv unsigned
+
+/* DLV zone below unsigned TLD. */
+zone "dlv.utld" { type master; file "dlv.utld.signed"; };
+
+/* DLV zone signed with a disabled algorithm below unsigned TLD. */
+zone "disabled-algorithm-dlv.utld." {
+ type master;
+ file "disabled-algorithm-dlv.utld.signed";
+};
+
+/* DLV zone signed with an unsupported algorithm below unsigned TLD. */
+zone "unsupported-algorithm-dlv.utld." {
+ type master;
+ file "unsupported-algorithm-dlv.utld.signed";
+};
+
+/* Signed zone below unsigned TLD with DLV entry. */
+zone "child1.utld" { type master; file "child1.signed"; };
+
+/*
+ * Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
+ * with a disabled algorithm.
+ */
+zone "child3.utld" { type master; file "child3.signed"; };
+
+/*
+ * Signed zone below unsigned TLD with DLV entry. This one is slightly
+ * different because its children (the grandchildren) don't have a DS record in
+ * this zone. The grandchild zones are served by ns6.
+ *
+ */
+zone "child4.utld" { type master; file "child4.signed"; };
+
+/*
+ * Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
+ * with an unsupported algorithm.
+ */
+zone "child5.utld" { type master; file "child5.signed"; };
+
+/* Signed zone below unsigned TLD without DLV entry. */
+zone "child7.utld" { type master; file "child7.signed"; };
+
+/*
+ * Signed zone below unsigned TLD without DLV entry and no DS records for the
+ * grandchildren.
+ */
+zone "child8.utld" { type master; file "child8.signed"; };
+
+/* Signed zone below unsigned TLD with DLV entry. */
+zone "child9.utld" { type master; file "child9.signed"; };
+
+/* Unsigned zone below an unsigned TLD with DLV entry. */
+zone "child10.utld" { type master; file "child.db.in"; };
+
+/*
+ * Zone signed with a disabled algorithm (an algorithm that is disabled in
+ * one of the test resolvers) with DLV entry.
+ */
+zone "disabled-algorithm.utld" {
+ type master;
+ file "disabled-algorithm.utld.signed";
+};
+
+/* Zone signed with an unsupported algorithm with DLV entry. */
+zone "unsupported-algorithm.utld" {
+ type master;
+ file "unsupported-algorithm.utld.signed";
+};
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no chain of
+ * trust.
+ */
+zone "child1.druz" { type master; file "child1.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no chain of
+ * trust. The DLV zone is signed with a disabled algorithm.
+ */
+zone "child3.druz" { type master; file "child3.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no chain of
+ * trust. Also there are no DS records for the grandchildren.
+ */
+zone "child4.druz" { type master; file "child4.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no chain of
+ * trust. The DLV zone is signed with an unsupported algorithm.
+ */
+zone "child5.druz" { type master; file "child5.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD without DLV entry, and no chain of
+ * trust.
+ */
+zone "child7.druz" { type master; file "child7.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD without DLV entry and no DS set. Also DS
+ * records for the grandchildren are not included in the zone.
+ */
+zone "child8.druz" { type master; file "child8.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no DS set. Also DS
+ * records for the grandchildren are not included in the zone.
+ */
+zone "child9.druz" { type master; file "child9.druz.signed"; };
+
+/*
+ * Unsigned zone below signed TLD with good DLV entry but no chain of
+ * trust.
+ */
+zone "child10.druz" { type master; file "child.db.in"; };
echo_i "dlv/ns3/sign.sh"
-dlvzone=dlv.utld.
+dlvzone="dlv.utld."
dlvsets=
dssets=
+disableddlvzone="disabled-algorithm-dlv.utld."
+disableddlvsets=
+disableddssets=
+
+unsupporteddlvzone="unsupported-algorithm-dlv.utld."
+unsupporteddlvsets=
+unsupporteddssets=
+
+# Signed zone below unsigned TLD with DLV entry.
zone=child1.utld.
infile=child.db.in
zonefile=child1.utld.db
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
+# with a disabled algorithm.
zone=child3.utld.
infile=child.db.in
zonefile=child3.utld.db
outfile=child3.signed
-dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+disableddlvsets="$disableddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $disableddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below unsigned TLD with DLV entry. This one is slightly
+# different because its children (the grandchildren) don't have a DS record in
+# this zone. The grandchild zones are served by ns6.
zone=child4.utld.
infile=child.db.in
zonefile=child4.utld.db
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
+# with an unsupported algorithm.
zone=child5.utld.
infile=child.db.in
zonefile=child5.utld.db
outfile=child5.signed
-dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+unsupporteddlvsets="$unsupporteddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $unsupporteddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
-
+# Signed zone below unsigned TLD without DLV entry.
zone=child7.utld.
infile=child.db.in
zonefile=child7.utld.db
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below unsigned TLD without DLV entry and no DS records for the
+# grandchildren.
zone=child8.utld.
infile=child.db.in
zonefile=child8.utld.db
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
-
+# Signed zone below unsigned TLD with DLV entry.
zone=child9.utld.
infile=child.db.in
zonefile=child9.utld.db
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Unsigned zone below an unsigned TLD with DLV entry. We still need to sign
+# the zone to generate the DLV set.
zone=child10.utld.
infile=child.db.in
zonefile=child10.utld.db
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed $zone"
+
+
+# Zone signed with a disabled algorithm (an algorithm that is disabled in
+# one of the test resolvers) with DLV entry.
+zone=disabled-algorithm.utld.
+infile=child.db.in
+zonefile=disabled-algorithm.utld.db
+outfile=disabled-algorithm.utld.signed
+dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+
+keyname1=`$KEYGEN -a $DISABLED_ALGORITHM -b $DISABLED_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DISABLED_ALGORITHM -b $DISABLED_BITS -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -O full -l $dlvzone -o $zone -f ${outfile} $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+
+# Zone signed with an unsupported algorithm with DLV entry.
+zone=unsupported-algorithm.utld.
+infile=child.db.in
+zonefile=unsupported-algorithm.utld.db
+outfile=unsupported-algorithm.utld.signed
+dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -O full -l $dlvzone -o $zone -f ${outfile}.tmp $zonefile > /dev/null 2> signer.err || cat signer.err
+awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${outfile}.tmp > $outfile
+
+cp ${keyname2}.key ${keyname2}.tmp
+awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key
+cp dlvset-${zone} dlvset-${zone}tmp
+awk '$3 == "DLV" { $5 = 255 } { print }' dlvset-${zone}tmp > dlvset-${zone}
+
+echo_i "signed $zone"
+
+# Signed zone below signed TLD with DLV entry and DS set.
zone=child1.druz.
infile=child.db.in
zonefile=child1.druz.db
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below signed TLD with DLV entry and DS set. The DLV zone is
+# signed with a disabled algorithm.
zone=child3.druz.
infile=child.db.in
zonefile=child3.druz.db
outfile=child3.druz.signed
-dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
+disableddlvsets="$disableddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+disableddssets="$disableddssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $disableddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below signed TLD with DLV entry and DS set, but missing
+# DS records for the grandchildren.
zone=child4.druz.
infile=child.db.in
zonefile=child4.druz.db
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below signed TLD with DLV entry and DS set. The DLV zone is
+# signed with an unsupported algorithm algorithm.
zone=child5.druz.
infile=child.db.in
zonefile=child5.druz.db
outfile=child5.druz.signed
-dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
+unsupporteddlvsets="$unsupporteddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+unsupporteddssets="$unsupportedssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $unsupporteddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below signed TLD without DLV entry, but with normal DS set.
zone=child7.druz.
infile=child.db.in
zonefile=child7.druz.db
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below signed TLD without DLV entry and no DS set. Also DS
+# records for the grandchildren are not included in the zone.
zone=child8.druz.
infile=child.db.in
zonefile=child8.druz.db
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below signed TLD with DLV entry but no DS set. Also DS
+# records for the grandchildren are not included in the zone.
zone=child9.druz.
infile=child.db.in
zonefile=child9.druz.db
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+
+# Unsigned zone below signed TLD with DLV entry and DS set. We still need to
+# sign the zone to generate the DS sets.
zone=child10.druz.
infile=child.db.in
zonefile=child10.druz.db
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+cp $dssets ../ns2
+cp $disableddssets ../ns2
+cp $unsupporteddssets ../ns2
-zone=dlv.utld.
+# DLV zones
infile=dlv.db.in
-zonefile=dlv.utld.db
-outfile=dlv.signed
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-keyfile_to_trusted_keys $keyname2 > trusted-dlv.conf
-cp trusted-dlv.conf ../ns5
-
-cp $dssets ../ns2
+for zone in dlv.utld. disabled-algorithm-dlv.utld. unsupported-algorithm-dlv.utld.
+do
+ zonefile="${zone}db"
+ outfile="${zone}signed"
+
+ case $zone in
+ "dlv.utld.")
+ algorithm=$DEFAULT_ALGORITHM
+ bits=$DEFAULT_BITS
+ dlvfiles=$dlvsets
+ ;;
+ "disabled-algorithm-dlv.utld.")
+ algorithm=$DISABLED_ALGORITHM
+ bits=$DISABLED_BITS
+ dlvfiles=$disableddlvsets
+ ;;
+ "unsupported-algorithm-dlv.utld.")
+ algorithm=$DEFAULT_ALGORITHM
+ bits=$DEFAULT_BITS
+ dlvfiles=$unsupporteddlvsets
+ ;;
+ esac
+
+ keyname1=`$KEYGEN -a $algorithm -b $bits -n zone $zone 2> /dev/null`
+ keyname2=`$KEYGEN -f KSK -a $algorithm -b $bits -n zone $zone 2> /dev/null`
+
+ cat $infile $dlvfiles $keyname1.key $keyname2.key >$zonefile
+
+ case $zone in
+ "dlv.utld.")
+ $SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+ keyfile_to_trusted_keys $keyname2 > ../ns5/trusted-dlv.conf
+ ;;
+ "disabled-algorithm-dlv.utld.")
+ $SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+ keyfile_to_trusted_keys $keyname2 > ../ns8/trusted-dlv-disabled.conf
+ ;;
+ "unsupported-algorithm-dlv.utld.")
+ cp ${keyname2}.key ${keyname2}.tmp
+ $SIGNER -O full -o $zone -f ${outfile}.tmp $zonefile > /dev/null 2> signer.err || cat signer.err
+ awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${outfile}.tmp > $outfile
+ awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key
+ keyfile_to_trusted_keys $keyname2 > ../ns7/trusted-dlv-unsupported.conf
+ ;;
+ esac
+
+ echo_i "signed $zone"
+done
notify yes;
dnssec-validation yes;
dnssec-lookaside "." trust-anchor "dlv.utld";
+ disable-algorithms "utld." { @DISABLED_ALGORITHM@; };
};
zone "." { type hint; file "hints"; };
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1
+
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "trusted.conf";
+include "trusted-dlv-unsupported.conf";
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-enable yes;
+ dnssec-validation yes;
+ dnssec-lookaside "." trust-anchor "unsupported-algorithm-dlv.utld";
+};
+
+zone "." { type hint; file "hints"; };
+
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1
+
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "trusted.conf";
+include "trusted-dlv-disabled.conf";
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-enable yes;
+ dnssec-validation yes;
+ dnssec-lookaside "." trust-anchor "disabled-algorithm-dlv.utld";
+ disable-algorithms "disabled-algorithm-dlv.utld." { @DISABLED_ALGORITHM@; };
+};
+
+zone "." { type hint; file "hints"; };
+
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
(cd ns1 && $SHELL -e sign.sh)
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
-echo_i "checking that DNSKEY reference by DLV validates as secure ($n)"
+echo_i "checking that unsigned TLD zone DNSKEY referenced by DLV validates as secure ($n)"
ret=0
$DIG $DIGOPTS child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "checking that child DNSKEY reference by DLV validates as secure ($n)"
+echo_i "checking that unsigned TLD child zone DNSKEY referenced by DLV validates as secure ($n)"
ret=0
$DIG $DIGOPTS grand.child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "checking that SOA reference by DLV in a DRUZ with DS validates as secure ($n)"
+echo_i "checking that no chain of trust SOA referenced by DLV validates as secure ($n)"
ret=0
$DIG $DIGOPTS child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "checking that child SOA reference by DLV in a DRUZ with DS validates as secure ($n)"
+echo_i "checking that no chain of trust child SOA referenced by DLV validates as secure ($n)"
ret=0
$DIG $DIGOPTS grand.child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+# Test that a child zone that is signed with an unsupported algorithm,
+# referenced by a good DLV zone, yields an insecure response.
+echo_i "checking that unsupported algorithm TXT referenced by DLV validates as insecure ($n)"
+ret=0
+$DIG $DIGOPTS foo.unsupported-algorithm.utld txt @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS foo.unsupported-algorithm.utld txt @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+grep -q "foo\.unsupported-algorithm\.utld\..*TXT.*\"foo\"" dig.out.ns5.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test that a child zone that is signed with a disabled algorithm,
+# referenced by a good DLV zone, yields an insecure response.
+echo_i "checking that disabled algorithm TXT referenced by DLV validates as insecure ($n)"
+ret=0
+$DIG $DIGOPTS foo.disabled-algorithm.utld txt @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS foo.disabled-algorithm.utld txt @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+grep -q "foo\.disabled-algorithm\.utld\..*TXT.*\"foo\"" dig.out.ns5.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test that a child zone that is signed with a known algorithm, referenced by
+# a DLV zone that is signed with a disabled algorithm, yields a bogus
+# response.
+echo_i "checking that good signed TXT referenced by disabled algorithm DLV validates as bogus ($n)"
+ret=0
+$DIG $DIGOPTS foo.child3.utld txt @10.53.0.8 > dig.out.ns8.test$n || ret=1
+grep "status: SERVFAIL" dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+grep -q "foo\.child3\.utld\..*TXT.*\"foo\"" dig.out.ns8.test$n && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test that a child zone that is signed with a known algorithm, referenced by
+# a DLV zone that is signed with an unsupported algorithm, yields a bogus
+# response.
+echo_i "checking that good signed TXT referenced by unsupported algorithm DLV validates as bogus ($n)"
+ret=0
+$DIG $DIGOPTS foo.child5.utld txt @10.53.0.7 > dig.out.ns7.test$n || ret=1
+grep "status: SERVFAIL" dig.out.ns7.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns7.test$n > /dev/null && ret=1
+grep -q "foo\.child5\.utld\..*TXT.*\"foo\"" dig.out.ns7.test$n && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1