verify that auto-dnssec maintain generates and signs NSEC3 records with DNAME at...

diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh
index 359409af39c6ddec6c1fd631e7c9967d1dd2575d..35a4ca5583447e8623b239a14137298074dea682 100644 (file)
--- a/bin/tests/system/autosign/clean.sh
+++ b/bin/tests/system/autosign/clean.sh
@@ -12,9 +12,9 @@
 rm -f */K* */dsset-* */*.signed */tmp* */*.jnl */*.bk
 rm -f */core
 rm -f */example.bk
+rm -f */named.conf
 rm -f */named.memstats
 rm -f */named.run
-rm -f */named.conf
 rm -f */trusted.conf */private.conf
 rm -f activate-now-publish-1day.key
 rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key
@@ -24,6 +24,7 @@ rm -f digcomp.out.test*
 rm -f digcomp.out.test*
 rm -f missingzsk.key inactivezsk.key
 rm -f nopriv.key vanishing.key del1.key del2.key
+rm -f ns*/managed-keys.bind*
 rm -f ns*/named.lock
 rm -f ns*/named.lock
 rm -f ns1/root.db
@@ -32,11 +33,12 @@ rm -f ns2/private.secure.example.db ns2/bar.db
 rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
 rm -f ns3/*.nzf
 rm -f ns3/autonsec3.example.db
+rm -f ns3/delzsk.example.db
+rm -f ns3/dname-at-apex-nsec3.example.db
 rm -f ns3/inacksk2.example.db
 rm -f ns3/inacksk3.example.db
 rm -f ns3/inaczsk2.example.db
 rm -f ns3/inaczsk3.example.db
-rm -f ns3/delzsk.example.db
 rm -f ns3/kg.out ns3/s.out ns3/st.out
 rm -f ns3/kskonly.example.db
 rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
@@ -64,4 +66,3 @@ rm -f nsupdate.out
 rm -f settime.out.*
 rm -f signing.out.*
 rm -f sync.key
-rm -f ns*/managed-keys.bind*

diff --git a/bin/tests/system/autosign/ns2/example.db.in b/bin/tests/system/autosign/ns2/example.db.in
index b4eeccbecfa7048203f9fdcf311b23d4dd2dc769..d519863098f367b8ae09b37e5d5a1a805f370bdd 100644 (file)
--- a/bin/tests/system/autosign/ns2/example.db.in
+++ b/bin/tests/system/autosign/ns2/example.db.in
@@ -82,3 +82,5 @@ ns.nsec3-to-nsec      A       10.53.0.3
 
 oldsigs                        NS      ns.oldsigs
 ns.oldsigs             A       10.53.0.3
+
+dname-at-apex-nsec3    NS      ns3

diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh
index d55be53bd9e963bc15d5c5d53106558574d0d1d9..2f7d438b4cb0a4230b0cdfaa3002208a1e12f5cc 100644 (file)
--- a/bin/tests/system/autosign/ns2/keygen.sh
+++ b/bin/tests/system/autosign/ns2/keygen.sh
@@ -15,7 +15,8 @@ SYSTEMTESTTOP=../..
 # Have the child generate subdomain keys and pass DS sets to us.
 ( cd ../ns3 && $SHELL keygen.sh )
 
-for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync
+for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync \
+    dname-at-apex-nsec3
 do
        cp ../ns3/dsset-$subdomain.example$TP .
 done

diff --git a/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in b/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in
new file mode 100644 (file)
index 0000000..c4a378e
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in
@@ -0,0 +1,5 @@
+$TTL   600
+@      SOA     ns3.example. . 1 1200 1200 1814400 3600
+@      NS      ns3.example.
+@      DNAME   example.
+@      NSEC3PARAM 1 0 0 -

diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh
index a113ff570efda65af7fac426709ed032ce2cd981..826a35cd795626f8a9e227959da6b409a7dd9b76 100644 (file)
--- a/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -325,3 +325,12 @@ ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
 $KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
 zsk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -I now-1w $zone 2>kg.out` || dumpit kg.out
 echo $zsk > ../delzsk.key
+
+#
+#  Check that NSEC3 are correctly signed and returned from below a DNAME
+#
+setup dname-at-apex-nsec3.example
+cp $infile $zonefile
+ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP

diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
index 529e39d0b88ce945aa3c8a3cf91efca0de88e0ad..dbb7435511081f98fb8514e6e3e654f6870106d3 100644 (file)
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -289,4 +289,11 @@ zone "delzsk.example." {
        auto-dnssec maintain;
 };
 
+zone "dname-at-apex-nsec3.example" {
+       type master;
+       file "dname-at-apex-nsec3.example.db";
+       allow-update { any; };
+       auto-dnssec maintain;
+};
+
 include "trusted.conf";

diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 8c4aa99d83d7a4214c069de7104a5c95e993a580..fbe70e592d6031977d64cf0b6d5a38e809b22bb4 100755 (executable)
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -1449,5 +1449,13 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)"
+ret=0
+$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "RRSIG NSEC3 7 3 3600" dig.out.ns3.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1