check that DNSKEY and other occluded data are excluded from the delegating bitmap

diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index 306205c57ce70eb52434a2cce3143e37800da8cd..1bbfd203a55caae1e125749cc4837b9dc9f0874f 100644 (file)
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -66,6 +66,7 @@ rm -f ./ns3/managed-future.example.db
 rm -f ./ns3/multiple.example.db ./ns3/nsec3-unknown.example.db ./ns3/nsec3.example.db
 rm -f ./ns3/nsec3.nsec3.example.db
 rm -f ./ns3/nsec3.optout.example.db
+rm -f ./ns3/occluded.example.db
 rm -f ./ns3/optout-unknown.example.db ./ns3/optout.example.db
 rm -f ./ns3/optout.nsec3.example.db
 rm -f ./ns3/optout.optout.example.db

diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 623228655de2d0419324724d2e845e4f1ebc3116..178d819dd6649baa09698a369612df8c05df30b3 100644 (file)
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -27,7 +27,7 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \
        kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
        ttlpatch split-dnssec split-smart expired expiring upper lower \
        dnskey-unknown dnskey-nsec3-unknown managed-future revkey \
-       dname-at-apex-nsec3
+       dname-at-apex-nsec3 occluded
 do
        cp "../ns3/dsset-$subdomain.example$TP" .
 done

diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
index 87b10533a0732bcd9abe38761958953604ec199c..0218ef1100f44f5a1bb70eb30cdd57149cc1e015 100644 (file)
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -299,6 +299,11 @@ zone "dname-at-apex-nsec3.example" {
        file "dname-at-apex-nsec3.example.db.signed";
 };
 
+zone "occluded.example" {
+       type master;
+       file "occluded.example.db.signed";
+};
+
 include "siginterval.conf";
 
 include "trusted.conf";

diff --git a/bin/tests/system/dnssec/ns3/occluded.example.db.in b/bin/tests/system/dnssec/ns3/occluded.example.db.in
new file mode 100644 (file)
index 0000000..77a1cfb
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/occluded.example.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@                      IN SOA  mname1. . (
+                               2000042407 ; serial
+                               20         ; refresh (20 seconds)
+                               20         ; retry (20 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns
+ns                     A       10.53.0.3
+
+a.b                    A       10.0.0.1
+delegation             NS      ns
+                       A       10.53.0.3
+                       AAAA    2002::

diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 285d2158e4e2090a85aab8c60e7ca845d8dbfc8b..31278280e990cdeaa2706e7101a347c7b0f646d3 100644 (file)
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -558,3 +558,18 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone")
 cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile"
 "$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1
+
+#
+# A NSEC zone with occuded data at the delegation
+#
+zone=occluded.example
+infile=occluded.example.db.in
+zonefile=occluded.example.db
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone")
+keyname=$("$KEYGEN" -q -a RSASHA1 -n ENTITY -T KEY "delegation.$zone")
+dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone")
+$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}$TP"
+cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
+    "${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile"
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 4ae9cb0b069f1dd3a9705d33662d85b46280f2d3..fc5e21e7e264a1f5ddcb2fcfb2f256d4597883a8 100644 (file)
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3595,6 +3595,16 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+echo_i "check that DNSKEY and other occluded data are excluded from the delegating bitmap ($n)"
+ret=0
+dig_with_opts axfr occluded.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "^delegation.occluded.example..*NSEC.*NS KEY DS RRSIG NSEC$" dig.out.ns3.test$n > /dev/null || ret=1
+grep "^delegation.occluded.example..*DNSKEY.*" dig.out.ns3.test$n > /dev/null || ret=1
+grep "^delegation.occluded.example..*AAAA.*" dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 # Note: after this check, ns4 will not be validating any more; do not add any
 # further validation tests employing ns4 below this check.
 echo_i "check that validation defaults to off when dnssec-enable is off ($n)"