as a side effect of the switch from RBT to QBDB, NSEC3 records
are no longer created for empty non-terminal nodes when the
node only contains insecure delegations in an opt-out range.
such NSEC3 records are optional according to RFC 5155 (and,
for example, they are not created by dnssec-signzone), but they were
previously created by named, as a harmless side effect of the RBT
structure, which contains empty internal nodes that can be reached
by a DB iterator. these nodes are not present in the QPDB, so
NSEC3 records are not created unless they're actually required.
the autosign system test contained a test case (added in commit
ad91a70d as part of GL #4027) that checked whether ENT NSEC3
records were deleted when the delegations under the ENT removed.
this test no longer passes, because the NSEC3's are not created
in the first place, and therefore cannot be removed.
rather than "fix" the QPDB to add unnecessary NSEC3 records, this
commit instead revises the test to check for removal of ENT NSEC3
records when *not* using opt-out.
rm -f ns2/child.optout.example.db
rm -f ns2/example.db
rm -f ns2/insecure.secure.example.db
-rm -f ns2/optout-with-ent.db
+rm -f ns2/nsec3-with-ent.db
rm -f ns2/private.secure.example.db
rm -f ns2/signing.*
rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
$SIGNER -S -o bar. -O full $zonefile >signing.bar.out 2>&1
# a zone with empty non-terminals.
-zone=optout-with-ent
-zonefile=optout-with-ent.db
-infile=optout-with-ent.db.in
+zone=nsec3-with-ent
+zonefile=nsec3-with-ent.db
+infile=nsec3-with-ent.db.in
cat $infile >$zonefile
kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null
dnssec-policy optout;
};
-zone "optout-with-ent" {
+zone "nsec3-with-ent" {
type primary;
- file "optout-with-ent.db";
+ file "nsec3-with-ent.db";
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
inline-signing no;
- dnssec-policy optout;
+ dnssec-policy nsec3;
};
include "trusted.conf";
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
-echo_i "check removal of ENT NSEC3 records when opt out delegations are removed ($n)"
-zone=optout-with-ent
-hash=JE76PJ65FUO86UIR594L8P0SNJJ6RMNI
+echo_i "check removal of ENT NSEC3 records when delegations are removed ($n)"
+zone=nsec3-with-ent
+hash=M9SFFA181BCTR8D18LQUPST4N6BL304D
# check that NSEC3 for ENT is present
echo_i "check ENT NSEC3 is initially present"
projects / thirdparty / bind9.git / commitdiff
