Add two more nsec3 system tests

Add one more case that tests reconfiguring a zone to turn off
inline-signing. It should still be a valid DNSSEC zone and the NSEC3
parameters should not change.

Add another test to ensure that you cannot update the zone with a
NSEC3 record.

(cherry picked from commit 4cd8e8e9c34d7bf56a1a51d0c489b8a433076f27)

diff --git a/bin/tests/system/nsec3/clean.sh b/bin/tests/system/nsec3/clean.sh
index d6b11e749b65329ca62594d3b195885cb5f27441..7ca682968902d7ea6b573e973ad0a31e92bd7fe4 100644 (file)
--- a/bin/tests/system/nsec3/clean.sh
+++ b/bin/tests/system/nsec3/clean.sh
@@ -13,7 +13,7 @@
 
 set -e
 
-rm -f dig.out.* rndc.signing.* verify.out.*
+rm -f dig.out.* rndc.signing.* update.out.* verify.out.*
 rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
 rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
 rm -f ns*/K*.private ns*/K*.key ns*/K*.state

diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in
index dc885f0066856c4df798544fec675e8aa70b2b9e..e21c5336103a1ac0147bc161610c6f2c43ef59f7 100644 (file)
--- a/bin/tests/system/nsec3/ns3/named.conf.in
+++ b/bin/tests/system/nsec3/ns3/named.conf.in
@@ -185,10 +185,26 @@ zone "nsec3-fails-to-load.kasp" {
        allow-update { any; };
 };
 
-/* The zone switches from dynamic to inline-signing. */
+/* These zones switch from dynamic to inline-signing or vice versa. */
 zone "nsec3-dynamic-to-inline.kasp" {
        type primary;
        file "nsec3-dynamic-to-inline.kasp.db";
        dnssec-policy "nsec3";
        allow-update { any; };
 };
+
+zone "nsec3-inline-to-dynamic.kasp" {
+       type primary;
+       file "nsec3-inline-to-dynamic.kasp.db";
+       inline-signing yes;
+       dnssec-policy "nsec3";
+};
+
+/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */
+zone "nsec3-dynamic-update-inline.kasp" {
+       type primary;
+       file "nsec3-dynamic-update-inline.kasp.db";
+       inline-signing yes;
+       allow-update { any; };
+       dnssec-policy "nsec";
+};

diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in
index 26b49ea109e1acc6429b87a0677084e26fd53f96..084bba3f0b36547bdf636357a07edd2990873ed7 100644 (file)
--- a/bin/tests/system/nsec3/ns3/named2.conf.in
+++ b/bin/tests/system/nsec3/ns3/named2.conf.in
@@ -194,7 +194,7 @@ zone "nsec3-fails-to-load.kasp" {
        allow-update { any; };
 };
 
-/* The zone switches from dynamic to inline-signing. */
+/* These zones switch from dynamic to inline-signing or vice versa. */
 zone "nsec3-dynamic-to-inline.kasp" {
        type primary;
        file "nsec3-dynamic-to-inline.kasp.db";
@@ -202,3 +202,11 @@ zone "nsec3-dynamic-to-inline.kasp" {
        dnssec-policy "nsec3";
        allow-update { any; };
 };
+
+zone "nsec3-inline-to-dynamic.kasp" {
+       type primary;
+       file "nsec3-inline-to-dynamic.kasp.db";
+       inline-signing no;
+       dnssec-policy "nsec3";
+       allow-update { any; };
+};

diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh
index a0dd7932362921c4dd532f525828aa0ebca3066e..68bc2e451131fbe3af79686e008dbc7580bfb7ba 100644 (file)
--- a/bin/tests/system/nsec3/ns3/setup.sh
+++ b/bin/tests/system/nsec3/ns3/setup.sh
@@ -26,7 +26,8 @@ setup() {
 
 for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
          nsec3-to-optout nsec3-from-optout nsec3-dynamic \
-         nsec3-dynamic-change nsec3-dynamic-to-inline
+         nsec3-dynamic-change nsec3-dynamic-to-inline \
+         nsec3-inline-to-dynamic nsec3-dynamic-update-inline
 do
        setup "${zn}.kasp"
 done

diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
index 7317d7906098ff3fda10b92efddcc295a2466f65..8c7049714948edafb57f0583f1aa460745a55da6 100644 (file)
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -304,6 +304,13 @@ set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
+# Zone: nsec3-inline-to-dynamic.kasp.
+set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
 # Zone: nsec3-to-nsec.kasp.
 set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
@@ -332,7 +339,26 @@ set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
+# Zone: nsec3-dynamic-update-inline.kasp.
+set_zone_policy "nsec3-dynamic-update-inline.kasp" "nsec" 1 3600
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec
+
+n=$((n+1))
+echo_i "dynamic update dnssec-policy zone ${ZONE} with NSEC3 ($n)"
+ret=0
+$NSUPDATE > update.out.$ZONE.test$n 2>&1 << END || ret=1
+server 10.53.0.3 ${PORT}
+zone ${ZONE}.
+update add 04O18462RI5903H8RDVL0QDT5B528DUJ.${ZONE}. 3600 NSEC3 0 0 0 408A4B2D412A4E95 1JMDDPMTFF8QQLIOINSIG4CR9OTICAOC A RRSIG
+send
+END
+wait_for_log 10 "updating zone '${ZONE}/IN': update failed: explicit NSEC3 updates are not allowed in secure zones (REFUSED)" ns3/named.run || ret=1
+check_nsec
+
 # Reconfig named.
+ret=0
 echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
 copy_setports ns3/named2.conf.in ns3/named.conf
 rndc_reconfig ns3 10.53.0.3
@@ -426,13 +452,20 @@ set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
-# Zone: nsec3-dynamic-to-inline.kasp. (reconfigured)
+# Zone: nsec3-dynamic-to-inline.kasp. (same)
 set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
+# Zone: nsec3-inline-to-dynamic.kasp. (same)
+set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
 # Zone: nsec3-to-nsec.kasp. (reconfigured)
 set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600
 set_nsec3param "1" "11" "8"