verify that auto-dnssec maintain generates and signs NSEC3 records with DNAME at...

author Mark Andrews <marka@isc.org>

Mon, 26 Nov 2018 02:46:37 +0000 (13:46 +1100)

committer Mark Andrews <marka@isc.org>

Mon, 10 Dec 2018 06:48:17 +0000 (17:48 +1100)
author Mark Andrews <marka@isc.org>
Mon, 26 Nov 2018 02:46:37 +0000 (13:46 +1100)
committer Mark Andrews <marka@isc.org>
Mon, 10 Dec 2018 06:48:17 +0000 (17:48 +1100)
diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh

index 6147d8d39bc0e10a3db0b05ad094affe22db0306..1727f2726bacfb3a9bca200e0a015273a591d51c 100644 (file)
--- a/bin/tests/system/autosign/clean.sh
+++ b/bin/tests/system/autosign/clean.sh
@@ -12,6 +12,7 @@
  rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
  rm -f */core
  rm -f */example.bk
+rm -f */named.conf
  rm -f */named.memstats
  rm -f */named.run
  rm -f */named.conf
@@ -23,6 +24,7 @@ rm -f digcomp.out.test*
  rm -f digcomp.out.test*
  rm -f missingzsk.key inactivezsk.key
  rm -f nopriv.key vanishing.key del1.key del2.key
+rm -f ns*/managed-keys.bind*
  rm -f ns*/named.lock
  rm -f ns*/named.lock
  rm -f ns1/root.db
@@ -31,11 +33,12 @@ rm -f ns2/private.secure.example.db ns2/bar.db
  rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
  rm -f ns3/*.nzf
  rm -f ns3/autonsec3.example.db
+rm -f ns3/delzsk.example.db
+rm -f ns3/dname-at-apex-nsec3.example.db
  rm -f ns3/inacksk2.example.db
  rm -f ns3/inacksk3.example.db
  rm -f ns3/inaczsk2.example.db
  rm -f ns3/inaczsk3.example.db
-rm -f ns3/delzsk.example.db
  rm -f ns3/kg.out ns3/s.out ns3/st.out
  rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
  rm -f ns3/nsec.example.db
diff --git a/bin/tests/system/autosign/ns2/example.db.in b/bin/tests/system/autosign/ns2/example.db.in

index b4eeccbecfa7048203f9fdcf311b23d4dd2dc769..d519863098f367b8ae09b37e5d5a1a805f370bdd 100644 (file)
--- a/bin/tests/system/autosign/ns2/example.db.in
+++ b/bin/tests/system/autosign/ns2/example.db.in
@@ -82,3 +82,5 @@ ns.nsec3-to-nsec      A       10.53.0.3
  
  oldsigs                        NS      ns.oldsigs
  ns.oldsigs             A       10.53.0.3
+
+dname-at-apex-nsec3    NS      ns3
diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh

index 4c5e07ebdf0916ed5231df5cc9c76c71c8d25027..ce97775e1dd4543a5724440a77cbd987f6caae5c 100644 (file)
--- a/bin/tests/system/autosign/ns2/keygen.sh
+++ b/bin/tests/system/autosign/ns2/keygen.sh
@@ -15,7 +15,8 @@ SYSTEMTESTTOP=../..
  # Have the child generate subdomain keys and pass DS sets to us.
  ( cd ../ns3 && $SHELL keygen.sh )
  
-for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync
+for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync \
+    dname-at-apex-nsec3
  do
         cp ../ns3/dsset-$subdomain.example$TP .
  done
diff --git a/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in b/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in

new file mode 100644 (file)

index 0000000..c4a378e
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in
@@ -0,0 +1,5 @@
+$TTL   600
+@      SOA     ns3.example. . 1 1200 1200 1814400 3600
+@      NS      ns3.example.
+@      DNAME   example.
+@      NSEC3PARAM 1 0 0 -
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh

index 9cd9805988b60272b730435f4d1a46e5d38a3dfb..dbb18beb1173c38e4c978eff341009db046736ca 100644 (file)
--- a/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -316,3 +316,12 @@ ksk=`$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
  $KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
  zsk=`$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -I now-1w $zone 2>kg.out` || dumpit kg.out
  echo $zsk > ../delzsk.key
+
+#
+#  Check that NSEC3 are correctly signed and returned from below a DNAME
+#
+setup dname-at-apex-nsec3.example
+cp $infile $zonefile
+ksk=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in

index 257a47b682f6bc33b10be3e3d4cba26c574d74da..e71005a6c8ae133927f65f1f85254c4ad9fcf4c5 100644 (file)
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -281,4 +281,11 @@ zone "delzsk.example." {
         auto-dnssec maintain;
  };
  
+zone "dname-at-apex-nsec3.example" {
+       type master;
+       file "dname-at-apex-nsec3.example.db";
+       allow-update { any; };
+       auto-dnssec maintain;
+};
+
  include "trusted.conf";
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh

index da81c02bd0b07499578a7c342d1dc35f7d0621b3..238f5c11a74348c4505465ce3c02f11bfbdd8442 100755 (executable)
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -1424,5 +1424,13 @@ n=`expr $n + 1`
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=`expr $status + $ret`
  
+echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)"
+ret=0
+$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "RRSIG NSEC3 7 3 3600" dig.out.ns3.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
  echo_i "exit status: $status"
  [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in

index c538b735dfd29f335d6b1bc7012340353fd89bfd..80838cab22b3423dbed75db30175559ef34d0220 100644 (file)
--- a/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in
+++ b/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in
@@ -1,3 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
  $TTL   600
  @      SOA     ns3.example. . 1 1200 1200 1814400 3600
  @      NS      ns3.example.
diff --git a/util/copyrights b/util/copyrights

index 4e3092379a598d999f480cbf2a50a50503acd639..cffda80d762ebcc8a0479dfa80a0dc7b4a69688e 100644 (file)
--- a/util/copyrights
+++ b/util/copyrights
@@ -609,6 +609,7 @@
  ./bin/tests/system/autosign/ns3/autonsec3.example.db.in        ZONE    2011,2016,2018
  ./bin/tests/system/autosign/ns3/delay.example.db       ZONE    2011,2016,2018
  ./bin/tests/system/autosign/ns3/delzsk.example.db.in   ZONE    2018
+./bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in      ZONE    2018
  ./bin/tests/system/autosign/ns3/inacksk2.example.db.in ZONE    2017,2018
  ./bin/tests/system/autosign/ns3/inacksk3.example.db.in ZONE    2017,2018
  ./bin/tests/system/autosign/ns3/inaczsk.example.db.in  ZONE    2011,2016,2018
author	Mark Andrews <marka@isc.org>
	Mon, 26 Nov 2018 02:46:37 +0000 (13:46 +1100)
committer	Mark Andrews <marka@isc.org>
	Mon, 10 Dec 2018 06:48:17 +0000 (17:48 +1100)
bin/tests/system/autosign/clean.sh		patch \| blob \| blame \| history
bin/tests/system/autosign/ns2/example.db.in		patch \| blob \| blame \| history
bin/tests/system/autosign/ns2/keygen.sh		patch \| blob \| blame \| history
bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in	[new file with mode: 0644]	patch \| blob
bin/tests/system/autosign/ns3/keygen.sh		patch \| blob \| blame \| history
bin/tests/system/autosign/ns3/named.conf.in		patch \| blob \| blame \| history
bin/tests/system/autosign/tests.sh		patch \| blob \| blame \| history
bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in		patch \| blob \| blame \| history
util/copyrights		patch \| blob \| blame \| history