test correct occlusion of DNSSEC records

author Evan Hunt <each@isc.org>

Thu, 28 Feb 2019 22:28:26 +0000 (14:28 -0800)

committer Evan Hunt <each@isc.org>

Fri, 1 Mar 2019 00:06:38 +0000 (16:06 -0800)
author Evan Hunt <each@isc.org>
Thu, 28 Feb 2019 22:28:26 +0000 (14:28 -0800)
committer Evan Hunt <each@isc.org>
Fri, 1 Mar 2019 00:06:38 +0000 (16:06 -0800)
diff --git a/bin/tests/system/dnssec/ns3/insecure.example.db b/bin/tests/system/dnssec/ns3/insecure.example.db

index 86552149e1670b3d92430b405e4c7210896eb5a8..98777d674fdb09d3c7c72a7294d3f9e81ef50007 100644 (file)
--- a/bin/tests/system/dnssec/ns3/insecure.example.db
+++ b/bin/tests/system/dnssec/ns3/insecure.example.db
@@ -21,4 +21,5 @@ ns                    A       10.53.0.3
  a                      A       10.0.0.1
  b                      A       10.0.0.2
  d                      A       10.0.0.4
+x                      DNSKEY  258 3 5 Cg==
  z                      A       10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in

index 9d310d8cb2c04808d540b0c01a7e35b8fb2e216f..27f2b2401c619a0283a094105813b93e7b9170a6 100644 (file)
--- a/bin/tests/system/dnssec/ns3/secure.example.db.in
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
@@ -28,6 +28,7 @@ g                     A       10.0.0.7
  z                      A       10.0.0.26
  a.a.a.a.a.a.a.a.a.a.e  A       10.0.0.27
  x                      CNAME   a
+zz                     DNSKEY  258 3 5 Cg==
  
  private                        NS      ns.private
  ns.private             A       10.53.0.2
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh

index 1f39bd535bbdbcffdf81b124f795ea375da462ff..81865b626e3a712e2a9d79955b15c1ef8b9a91a6 100644 (file)
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3635,6 +3635,19 @@ n=$((n+1))
  test "$ret" -eq 0 || echo_i "failed"
  status=$((status+ret))
  
+echo_i "checking DNSSEC records are occluded from ANY in an insecure zone ($n)"
+ret=0
+dig_with_opts any x.insecure.example. @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns3.1.test$n > /dev/null || ret=1
+dig_with_opts any zz.secure.example. @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.2.test$n > /dev/null || ret=1
+# DNSKEY+RRSIG, NSEC+RRSIG
+grep "ANSWER: 4," dig.out.ns3.2.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
  # Note: after this check, ns4 will not be validating any more; do not add any
  # further validation tests employing ns4 below this check.
  echo_i "check that validation defaults to off when dnssec-enable is off ($n)"
author	Evan Hunt <each@isc.org>
	Thu, 28 Feb 2019 22:28:26 +0000 (14:28 -0800)
committer	Evan Hunt <each@isc.org>
	Fri, 1 Mar 2019 00:06:38 +0000 (16:06 -0800)
bin/tests/system/dnssec/ns3/insecure.example.db		patch \| blob \| blame \| history
bin/tests/system/dnssec/ns3/secure.example.db.in		patch \| blob \| blame \| history
bin/tests/system/dnssec/tests.sh		patch \| blob \| blame \| history