verify that dnssec-signzone generates NSEC3 records with DNAME at the apex

author Mark Andrews <marka@isc.org>

Mon, 26 Nov 2018 01:56:40 +0000 (12:56 +1100)

committer Mark Andrews <marka@isc.org>

Mon, 10 Dec 2018 06:29:29 +0000 (17:29 +1100)
author Mark Andrews <marka@isc.org>
Mon, 26 Nov 2018 01:56:40 +0000 (12:56 +1100)
committer Mark Andrews <marka@isc.org>
Mon, 10 Dec 2018 06:29:29 +0000 (17:29 +1100)
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh

index 1873c4b586c1c6c8da0148ae53e250dd4342e291..bc7472432561f08c9128e39612b1b5fbd19208af 100644 (file)
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -11,9 +11,9 @@
  
  rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
  rm -f */example.bk
+rm -f */named.conf
  rm -f */named.memstats
  rm -f */named.run
-rm -f */named.conf
  rm -f */named.secroots
  rm -f */tmp* */*.jnl */*.bk */*.jbk
  rm -f */trusted.conf */managed.conf */revoked.conf
@@ -27,6 +27,7 @@ rm -f keygen.err
  rm -f named.secroots.test*
  rm -f nosign.before
  rm -f ns*/*.nta
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
  rm -f ns*/named.lock
  rm -f ns1/managed.key.id
  rm -f ns1/root.db ns2/example.db ns3/secure.example.db
@@ -44,6 +45,7 @@ rm -f ns2/private.secure.example.db
  rm -f ns2/single-nsec3.db
  rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db
  rm -f ns3/badds.example.db
+rm -f ns3/dname-at-apex-nsec3.example.db
  rm -f ns3/dnskey-nsec3-unknown.example.db
  rm -f ns3/dnskey-nsec3-unknown.example.db.tmp
  rm -f ns3/dnskey-unknown.example.db
@@ -81,15 +83,16 @@ rm -f ns6/optout-tld.db
  rm -f ns7/multiple.example.bk ns7/nsec3.example.bk ns7/optout.example.bk
  rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit
  rm -f nsupdate.out*
+rm -f python.out.*
  rm -f rndc.out.*
  rm -f signer/*.db
  rm -f signer/example.db.after signer/example.db.before
  rm -f signer/example.db.changed
-rm -f signer/nsec3param.out
-rm -f signer/signer.out.*
+rm -f signer/general/dsset*
  rm -f signer/general/signed.zone
  rm -f signer/general/signer.out.*
-rm -f signer/general/dsset*
+rm -f signer/nsec3param.out
+rm -f signer/signer.out.*
  rm -f signing.out*
  rm -f signer/*.signed.pre*
  rm -f signer/*.signed.post*
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in

index 0b831ec94e3422d5d79843f3bb95e120a16e3dd4..79424b4a0a521eb47fae04df497adf549786805c 100644 (file)
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -158,3 +158,5 @@ ns.managed-future   A       10.53.0.3
  
  revkey                 NS      ns.revkey
  ns.revkey              A       10.53.0.3
+
+dname-at-apex-nsec3    NS      ns3
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh

index 9078459ac866fbe81ef59d3c0be498f39646ec3b..a645b1209f7d47d287d1be764d7a12420db8a8e2 100644 (file)
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -24,7 +24,8 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \
         nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
         kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
         ttlpatch split-dnssec split-smart expired expiring upper lower \
-       dnskey-unknown dnskey-nsec3-unknown managed-future revkey
+       dnskey-unknown dnskey-nsec3-unknown managed-future revkey \
+       dname-at-apex-nsec3
  do
         cp ../ns3/dsset-$subdomain.example$TP .
  done
diff --git a/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in

new file mode 100644 (file)

index 0000000..c538b73
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in
@@ -0,0 +1,4 @@
+$TTL   600
+@      SOA     ns3.example. . 1 1200 1200 1814400 3600
+@      NS      ns3.example.
+@      DNAME   example.
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in

index 14ebbc8ea80548819da115a74d2bc3c8803f75de..779eb7d6315c9ee480c82d9a23dca1d7d2e7a3e2 100644 (file)
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -293,6 +293,11 @@ zone "revkey.example" {
         file "revkey.example.db.signed";
  };
  
+zone "dname-at-apex-nsec3.example" {
+       type master;
+       file "dname-at-apex-nsec3.example.db.signed";
+};
+
  include "siginterval.conf";
  
  include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh

index 330abf7febf1712380cec5e34acff7cf2ec96d87..75d76cca0fb9ded50aea5721ead302dc3e9bec67 100644 (file)
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -543,3 +543,14 @@ zsk1=`$KEYGEN -q -r $RANDFILE -3 $zone`
  cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile
  
  $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+#
+# Check that NSEC3 are correctly signed and returned from below a DNAME
+#
+zone=dname-at-apex-nsec3.example
+infile=dname-at-apex-nsec3.example.db.in
+zonefile=dname-at-apex-nsec3.example.db
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -3fk $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -3 $zone`
+cat $infile $kskname.key $zskname.key >$zonefile
+$SIGNER -P -r $RANDFILE -3 - -o $zone $zonefile > /dev/null 2>&1
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh

index 64a7a854a431a485c99d1abc9ec29c6a9857edac..29ffb75df3386a1178a037eff4f361905f315b5d 100644 (file)
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3513,5 +3513,13 @@ n=`expr $n + 1`
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=`expr $status + $ret`
  
+echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)"
+ret=0
+$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "RRSIG.NSEC3 8 3 3600" dig.out.ns3.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
  echo_i "exit status: $status"
  [ $status -eq 0 ] || exit 1
diff --git a/util/copyrights b/util/copyrights

index 82e724d9ff30fcb6a98c78aa0158fe11ed7d31fe..4e3092379a598d999f480cbf2a50a50503acd639 100644 (file)
--- a/util/copyrights
+++ b/util/copyrights
@@ -1090,6 +1090,7 @@
  ./bin/tests/system/dnssec/ns3/auto-nsec.example.db.in  ZONE    2011,2016,2018
  ./bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in ZONE    2011,2016,2018
  ./bin/tests/system/dnssec/ns3/bogus.example.db.in      ZONE    2000,2001,2004,2007,2014,2016,2018
+./bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in        ZONE    2018
  ./bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in       ZONE    2014,2016,2018
  ./bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in     ZONE    2014,2016,2018
  ./bin/tests/system/dnssec/ns3/dynamic.example.db.in    ZONE    2002,2004,2007,2016,2018
author	Mark Andrews <marka@isc.org>
	Mon, 26 Nov 2018 01:56:40 +0000 (12:56 +1100)
committer	Mark Andrews <marka@isc.org>
	Mon, 10 Dec 2018 06:29:29 +0000 (17:29 +1100)
bin/tests/system/dnssec/clean.sh		patch \| blob \| blame \| history
bin/tests/system/dnssec/ns2/example.db.in		patch \| blob \| blame \| history
bin/tests/system/dnssec/ns2/sign.sh		patch \| blob \| blame \| history
bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in	[new file with mode: 0644]	patch \| blob
bin/tests/system/dnssec/ns3/named.conf.in		patch \| blob \| blame \| history
bin/tests/system/dnssec/ns3/sign.sh		patch \| blob \| blame \| history
bin/tests/system/dnssec/tests.sh		patch \| blob \| blame \| history
util/copyrights		patch \| blob \| blame \| history