rm -f ns*/zones ns*/*.db.infile
rm -f ns*/*.zsk1 ns*/*.zsk2
rm -f ns3/legacy-keys.*
+rm -rf ns3/keys/
rm -f *.created published.test* retired.test*
rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.*
rm -f python.out.*
allow-update { any; };
};
+/*
+ * A dynamic inline-signed zone with dnssec-policy with DNSSEC records in the
+ * raw version of the zone.
+ */
+zone "dynamic-signed-inline-signing.kasp" {
+ type primary;
+ file "dynamic-signed-inline-signing.kasp.db.signed";
+ key-directory "keys";
+ dnssec-policy "default";
+ allow-update { any; };
+};
+
/* An inline-signed zone with dnssec-policy. */
zone "inline-signing.kasp" {
type primary;
cp $infile $zonefile
$SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+# We are signing the raw version of the zone here. This is unusual and not
+# common operation, but want to make sure that in such a case BIND 9 does not
+# schedule a resigning operation on the raw version. Add expired signatures so
+# a resign is imminent.
+setup dynamic-signed-inline-signing.kasp
+T="now-1d"
+csktimes="-P $T -A $T -P sync $T"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -d $O $T -k $O $T -z $O $T -r $O $T "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+cp $infile $zonefile
+$SIGNER -PS -z -x -s now-2w -e now-1mi -o $zone -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
# These signatures are set to expire long in the past, update immediately.
setup expired-sigs.autosign
T="now-6mo"
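Review bot: The keygen line of the new block expands `$ksktimes` while the variable the block actually defines two lines earlier is `csktimes`, so the `-P/-A/-P sync now-1d` timings never reach the CSK and the key is created with whatever `ksktimes` still holds from an earlier block (or with no timing options at all if it is unset). The call should read `CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $csktimes $zone 2> keygen.out.$zone.1)`. The test may still appear to work because the imminent-resign condition comes from the `-e now-1mi` signatures rather than from the key timings, which is exactly why this slip would go unnoticed. The block is flat top-level script between `setup` calls, so nothing structural is cut by the hunk.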
$SHELL clean.sh
mkdir keys
+mkdir ns3/keys
copy_setports ns2/named.conf.in ns2/named.conf
if ! $SHELL ../testcrypto.sh -q RSASHA1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
+#
+# Zone: dynamic-signed-inline-signing.kasp
+#
+set_zone "dynamic-signed-inline-signing.kasp"
+set_dynamic
+set_policy "default" "1" "3600"
+set_server "ns3" "10.53.0.3"
+dnssec_verify
+# Ensure no zone_resigninc for the unsigned version of the zone is triggered.
+n=$((n+1))
+echo_i "check if resigning the raw version of the zone is prevented for zone ${ZONE} ($n)"
+ret=0
+grep "zone_resigninc: zone $ZONE/IN (unsigned): enter" $DIR/named.run && ret=1
+grep "error reading K$ZONE" $DIR/named.run && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
#
# Zone: inline-signing.kasp
#
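Review bot: Both greps in the new check for `${ZONE}` are negative assertions, so the check also passes when `$DIR/named.run` does not exist or simply has not logged anything about this zone yet — grep finds nothing and `ret` stays 0, which is indistinguishable from the resign actually being prevented. A minimal guard before the two greps, `test -f "$DIR/named.run" || ret=1`, at least rules out the missing-file case; whether `dnssec_verify` above guarantees the zone has already been loaded and signed by the time the log is inspected is not visible here and should be confirmed. Since the patterns are literal strings (the `.` in the zone name is a regex wildcard and `(unsigned)` relies on basic-regex parentheses being literal), `grep -F` would state that intent explicitly.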