rm -f ./delv.out*
rm -f ./delve.out*
rm -f ./dig.out.*
-rm -f ./ns2/too-many-iterations.db
rm -f ./dnssectools.out*
rm -f ./dsfromkey.out.*
rm -f ./keygen.err
rm -f ./ns2/in-addr.arpa.db
rm -f ./ns2/nsec3chain-test.db
rm -f ./ns2/single-nsec3.db
+rm -f ./ns2/too-many-iterations.db
rm -f ./ns2/updatecheck-kskonly.secure.*
+rm -f ./ns3/NSEC ./ns3/NSEC3
+rm -f ./ns3/all-but-dnskey-signed-with-nonexistent-key-nsec3.example.db not removed
+rm -f ./ns3/all-but-dnskey-signed-with-nonexistent-key-nsec3.example.db.badsigs not removed
+rm -f ./ns3/all-but-dnskey-signed-with-nonexistent-key-nsec3.example.db.goodsigs not removed
rm -f ./ns3/auto-nsec.example.db ./ns3/auto-nsec3.example.db
rm -f ./ns3/badds.example.db
rm -f ./ns3/dname-at-apex-nsec3.example.db
rm -f ./ns3/ttlpatch.example.db.patched
rm -f ./ns3/unsecure.example.db ./ns3/bogus.example.db ./ns3/keyless.example.db
rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp
-rm -f ./ns3/NSEC ./ns3/NSEC3
rm -f ./ns4/managed-keys.bind*
rm -f ./ns4/named_dump.db*
rm -f ./ns6/optout-tld.db
ns.revkey A 10.53.0.3
dname-at-apex-nsec3 NS ns3
+
+all-but-dnskey-signed-with-nonexistent-key-nsec3 NS ns.all-but-dnskey-signed-with-nonexistent-key-nsec3
+ns.all-but-dnskey-signed-with-nonexistent-key-nsec3 A 10.53.0.3
allow-update { any; };
};
+zone "notdelegated.example" {
+ type primary;
+ file "notdelegated.example.db";
+};
+
zone "insecure.secure.example" {
type primary;
file "insecure.secure.example.db";
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA ns2 hostmaster 0 0 0 0 0
+@ NS ns2
+@ NS ns3
+@ A 10.53.0.100
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+www CNAME @
ttlpatch split-dnssec split-smart expired expiring upper lower \
dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
dnskey-nsec3-unknown managed-future revkey \
- dname-at-apex-nsec3 occluded
+ dname-at-apex-nsec3 occluded \
+ all-but-dnskey-signed-with-nonexistent-key-nsec3
do
cp "../ns3/dsset-$subdomain.example$TP" .
done
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+d A 10.0.0.4
+e A 10.0.0.5
+f A 10.0.0.6
+g A 10.0.0.7
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+zz DNSKEY 258 3 5 Cg==
+
+normalthenrrsig A 10.0.0.28
+rrsigonly A 10.0.0.29
+
+cnameandkey CNAME @
+cnamenokey CNAME @
+dnameandkey DNAME @
file "example.bk";
};
+zone "notdelegated.example" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ file "notdelegated.example.bk";
+};
+
zone "secure.example" {
type primary;
file "secure.example.db.signed";
file "too-many-iterations.bk";
};
+zone "all-but-dnskey-signed-with-nonexistent-key-nsec3.example" {
+ type primary;
+ file "all-but-dnskey-signed-with-nonexistent-key-nsec3.example.db";
+};
+
include "siginterval.conf";
include "trusted.conf";
cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
"${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+
+#
+# A NSEC3 zone which is signed but only has a valid DNSKEY RRSet.
+#
+zone=all-but-dnskey-signed-with-nonexistent-key-nsec3.example
+infile=all-but-dnskey-signed-with-nonexistent-key-nsec3.example.db.in
+zonefile=all-but-dnskey-signed-with-nonexistent-key-nsec3.example.db
+
+# these keys will be discarded
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone")
+cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile"
+"$SIGNER" -P -D -O full -3 - -o "$zone" "$zonefile" > /dev/null
+awk '$4 == "RRSIG" && $5 == "DNSKEY" { next }
+{ print }' "$zonefile.signed" > "$zonefile.badsigs"
+
+# these keys will be added to the final zone
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone")
+cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile"
+"$SIGNER" -P -D -O full -3 - -o "$zone" "$zonefile" > /dev/null
+awk ' $4 == "RRSIG" && $5 == "DNSKEY" { print }
+{ next }' "$zonefile.signed" > "$zonefile.goodsigs"
+echo '$INCLUDE "'"$zonefile.goodsigs"'"' >> "$zonefile"
+echo '$INCLUDE "'"$zonefile.badsigs"'"' >> "$zonefile"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
+echo_i "check for validation deadlock - NSEC3 zone with only DNSKEY correctly signed ($n)"
+ret=0
+nextpart ns4/named.run > /dev/null
+zone=all-but-dnskey-signed-with-nonexistent-key-nsec3.example
+pattern="validating [0123456789ABCDEFGHIJKLMNOPQRSTUV]*.$zone/DS:"
+pattern="$pattern fetch/validator loop detected: aborting validation"
+dig_with_opts xx.$zone A @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+nextpart ns4/named.run | grep "$pattern" > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check for validation deadlock - undelegated unsigned zone with CNAME to apex ($n)"
+ret=0
+zone=notdelegated.example
+nextpart ns4/named.run > /dev/null
+dig_with_opts www.$zone A @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+dig_with_opts www.$zone A @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+nextpart ns4/named.run | grep "aborting validation" || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
projects / thirdparty / bind9.git / commitdiff
