dnssec-enable yes;
};
+/* Root hints. */
zone "." { type hint; file "hints"; };
-zone "dlv.utld" { type master; file "dlv.signed"; };
-zone "child1.utld" { type master; file "child1.signed"; }; // dlv
-zone "child3.utld" { type master; file "child3.signed"; }; // dlv
-zone "child4.utld" { type master; file "child4.signed"; }; // dlv
-zone "child5.utld" { type master; file "child5.signed"; }; // dlv
-zone "child7.utld" { type master; file "child7.signed"; }; // no dlv
-zone "child8.utld" { type master; file "child8.signed"; }; // no dlv
-zone "child9.utld" { type master; file "child9.signed"; }; // dlv
-zone "child10.utld" { type master; file "child.db.in"; }; // dlv unsigned
-zone "child1.druz" { type master; file "child1.druz.signed"; }; // dlv
-zone "child3.druz" { type master; file "child3.druz.signed"; }; // dlv
-zone "child4.druz" { type master; file "child4.druz.signed"; }; // dlv
-zone "child5.druz" { type master; file "child5.druz.signed"; }; // dlv
-zone "child7.druz" { type master; file "child7.druz.signed"; }; // no dlv
-zone "child8.druz" { type master; file "child8.druz.signed"; }; // no dlv
-zone "child9.druz" { type master; file "child9.druz.signed"; }; // dlv
-zone "child10.druz" { type master; file "child.db.in"; }; // dlv unsigned
+
+/* DLV zone below unsigned TLD. */
+zone "dlv.utld" { type master; file "dlv.utld.signed"; };
+
+/* DLV zone signed with an unsupported algorithm below unsigned TLD. */
+zone "unsupported-algorithm-dlv.utld." {
+ type master;
+ file "unsupported-algorithm-dlv.utld.signed";
+};
+
+/* Signed zone below unsigned TLD with DLV entry. */
+zone "child1.utld" { type master; file "child1.signed"; };
+
+/*
+ * Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
+ * with a disabled algorithm.
+ */
+zone "child3.utld" { type master; file "child3.signed"; };
+
+/*
+ * Signed zone below unsigned TLD with DLV entry. This one is slightly
+ * different because its children (the grandchildren) don't have a DS record in
+ * this zone. The grandchild zones are served by ns6.
+ *
+ */
+zone "child4.utld" { type master; file "child4.signed"; };
+
+/*
+ * Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
+ * with an unsupported algorithm.
+ */
+zone "child5.utld" { type master; file "child5.signed"; };
+
+/* Signed zone below unsigned TLD without DLV entry. */
+zone "child7.utld" { type master; file "child7.signed"; };
+
+/*
+ * Signed zone below unsigned TLD without DLV entry and no DS records for the
+ * grandchildren.
+ */
+zone "child8.utld" { type master; file "child8.signed"; };
+
+/* Signed zone below unsigned TLD with DLV entry. */
+zone "child9.utld" { type master; file "child9.signed"; };
+
+/* Unsigned zone below an unsigned TLD with DLV entry. */
+zone "child10.utld" { type master; file "child.db.in"; };
+
+/* Zone signed with an unsupported algorithm with DLV entry. */
+zone "unsupported-algorithm.utld" {
+ type master;
+ file "unsupported-algorithm.utld.signed";
+};
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no chain of
+ * trust.
+ */
+zone "child1.druz" { type master; file "child1.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no chain of
+ * trust. The DLV zone is signed with a disabled algorithm.
+ */
+zone "child3.druz" { type master; file "child3.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no chain of
+ * trust. Also there are no DS records for the grandchildren.
+ */
+zone "child4.druz" { type master; file "child4.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no chain of
+ * trust. The DLV zone is signed with an unsupported algorithm.
+ */
+zone "child5.druz" { type master; file "child5.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD without DLV entry, and no chain of
+ * trust.
+ */
+zone "child7.druz" { type master; file "child7.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD without DLV entry and no DS set. Also DS
+ * records for the grandchildren are not included in the zone.
+ */
+zone "child8.druz" { type master; file "child8.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no DS set. Also DS
+ * records for the grandchildren are not included in the zone.
+ */
+zone "child9.druz" { type master; file "child9.druz.signed"; };
+
+/*
+ * Unsigned zone below signed TLD with good DLV entry but no chain of
+ * trust.
+ */
+zone "child10.druz" { type master; file "child.db.in"; };
echo_i "dlv/ns3/sign.sh"
-dlvzone=dlv.utld.
+dlvzone="dlv.utld."
dlvsets=
dssets=
+unsupporteddlvzone="unsupported-algorithm-dlv.utld."
+unsupporteddlvsets=
+unsupporteddssets=
+
+# Signed zone below unsigned TLD with DLV entry.
zone=child1.utld.
infile=child.db.in
zonefile=child1.utld.db
outfile=child1.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
+# with a disabled algorithm.
zone=child3.utld.
infile=child.db.in
zonefile=child3.utld.db
outfile=child3.signed
-dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below unsigned TLD with DLV entry. This one is slightly
+# different because its children (the grandchildren) don't have a DS record in
+# this zone. The grandchild zones are served by ns6.
zone=child4.utld.
infile=child.db.in
zonefile=child4.utld.db
outfile=child4.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
+# with an unsupported algorithm.
zone=child5.utld.
infile=child.db.in
zonefile=child5.utld.db
outfile=child5.signed
-dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+unsupporteddlvsets="$unsupporteddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
-
+# Signed zone below unsigned TLD without DLV entry.
zone=child7.utld.
infile=child.db.in
zonefile=child7.utld.db
outfile=child7.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below unsigned TLD without DLV entry and no DS records for the
+# grandchildren.
zone=child8.utld.
infile=child.db.in
zonefile=child8.utld.db
outfile=child8.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
-
+# Signed zone below unsigned TLD with DLV entry.
zone=child9.utld.
infile=child.db.in
zonefile=child9.utld.db
outfile=child9.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Unsigned zone below an unsigned TLD with DLV entry. We still need to sign
+# the zone to generate the DLV set.
zone=child10.utld.
infile=child.db.in
zonefile=child10.utld.db
outfile=child10.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -O full -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed $zone"
+
+
+# Zone signed with an unsupported algorithm with DLV entry.
+zone=unsupported-algorithm.utld.
+infile=child.db.in
+zonefile=unsupported-algorithm.utld.db
+outfile=unsupported-algorithm.utld.signed
+dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -r $RANDFILE -l $dlvzone -o $zone -f ${outfile}.tmp $zonefile > /dev/null 2> signer.err || cat signer.err
+awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${outfile}.tmp > $outfile
+
+cp ${keyname2}.key ${keyname2}.tmp
+awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key
+cp dlvset-${zone} dlvset-${zone}tmp
+awk '$3 == "DLV" { $5 = 255 } { print }' dlvset-${zone}tmp > dlvset-${zone}
+
echo_i "signed $zone"
+# Signed zone below signed TLD with DLV entry and DS set.
zone=child1.druz.
infile=child.db.in
zonefile=child1.druz.db
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below signed TLD with DLV entry and DS set. The DLV zone is
+# signed with a disabled algorithm.
zone=child3.druz.
infile=child.db.in
zonefile=child3.druz.db
outfile=child3.druz.signed
-dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below signed TLD with DLV entry and DS set, but missing
+# DS records for the grandchildren.
zone=child4.druz.
infile=child.db.in
zonefile=child4.druz.db
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below signed TLD with DLV entry and DS set. The DLV zone is
+# signed with an unsupported algorithm algorithm.
zone=child5.druz.
infile=child.db.in
zonefile=child5.druz.db
outfile=child5.druz.signed
-dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
+unsupporteddlvsets="$unsupporteddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+unsupporteddssets="$unsupportedssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below signed TLD without DLV entry, but with normal DS set.
zone=child7.druz.
infile=child.db.in
zonefile=child7.druz.db
outfile=child7.druz.signed
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below signed TLD without DLV entry and no DS set. Also DS
+# records for the grandchildren are not included in the zone.
zone=child8.druz.
infile=child.db.in
zonefile=child8.druz.db
outfile=child8.druz.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+# Signed zone below signed TLD with DLV entry but no DS set. Also DS
+# records for the grandchildren are not included in the zone.
zone=child9.druz.
infile=child.db.in
zonefile=child9.druz.db
outfile=child9.druz.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+
+# Unsigned zone below signed TLD with DLV entry and DS set. We still need to
+# sign the zone to generate the DS sets.
zone=child10.druz.
infile=child.db.in
zonefile=child10.druz.db
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
+cp $dssets ../ns2
+cp $unsupporteddssets ../ns2
-zone=dlv.utld.
+# DLV zones
infile=dlv.db.in
-zonefile=dlv.utld.db
-outfile=dlv.signed
-
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-keyfile_to_trusted_keys $keyname2 > trusted-dlv.conf
-cp trusted-dlv.conf ../ns5
-
-cp $dssets ../ns2
+for zone in dlv.utld. unsupported-algorithm-dlv.utld.
+do
+ zonefile="${zone}db"
+ outfile="${zone}signed"
+
+ case $zone in
+ "dlv.utld.")
+ algorithm=$DEFAULT_ALGORITHM
+ bits=$DEFAULT_BITS
+ dlvfiles=$dlvsets
+ ;;
+ "unsupported-algorithm-dlv.utld.")
+ algorithm=$DEFAULT_ALGORITHM
+ bits=$DEFAULT_BITS
+ dlvfiles=$unsupporteddlvsets
+ ;;
+ esac
+
+ keyname1=`$KEYGEN -r $RANDFILE -a $algorithm -b $bits -n zone $zone 2> /dev/null`
+ keyname2=`$KEYGEN -r $RANDFILE -f KSK -a $algorithm -b $bits -n zone $zone 2> /dev/null`
+
+ cat $infile $dlvfiles $keyname1.key $keyname2.key >$zonefile
+
+ case $zone in
+ "dlv.utld.")
+ $SIGNER -O full -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+ keyfile_to_trusted_keys $keyname2 > ../ns5/trusted-dlv.conf
+ ;;
+ "unsupported-algorithm-dlv.utld.")
+ cp ${keyname2}.key ${keyname2}.tmp
+ $SIGNER -O full -r $RANDFILE -o $zone -f ${outfile}.tmp $zonefile > /dev/null 2> signer.err || cat signer.err
+ awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${outfile}.tmp > $outfile
+ awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key
+ keyfile_to_trusted_keys $keyname2 > ../ns7/trusted-dlv-unsupported.conf
+ ;;
+ esac
+
+ echo_i "signed $zone"
+done
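Review bot: The child5.druz block references the wrong variable when accumulating its DS set — the line `unsupporteddssets="$unsupportedssets dsset-…"` expands `$unsupportedssets` (one d), which is never assigned, rather than the `unsupporteddssets` declared at the top of the script; it should read `unsupporteddssets="$unsupporteddssets dsset-…"` so the accumulator pattern matches the one used for `unsupporteddlvsets` just above it. Today only one zone feeds this variable so the later `cp $unsupporteddssets ../ns2` still copies the right file, but a second unsupported-algorithm druz zone would silently drop the first entry, and a `set -u` run would fail on the unset name. In the DLV loop at the bottom both `case` arms assign the same `algorithm`/`bits`, so only `dlvfiles` actually varies; either collapse the first `case` to `dlvfiles=$dlvsets` / `dlvfiles=$unsupporteddlvsets` or add a comment that the unsupported DLV zone is deliberately generated with the default algorithm because the awk pass afterwards rewrites the algorithm field to 255. The comment above the child5.druz block also repeats "algorithm algorithm".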
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
-echo_i "checking that DNSKEY reference by DLV validates as secure ($n)"
+echo_i "checking that unsigned TLD zone DNSKEY referenced by DLV validates as secure ($n)"
ret=0
$DIG $DIGOPTS child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "checking that child DNSKEY reference by DLV validates as secure ($n)"
+echo_i "checking that unsigned TLD child zone DNSKEY referenced by DLV validates as secure ($n)"
ret=0
$DIG $DIGOPTS grand.child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "checking that SOA reference by DLV in a DRUZ with DS validates as secure ($n)"
+echo_i "checking that no chain of trust SOA referenced by DLV validates as secure ($n)"
ret=0
$DIG $DIGOPTS child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "checking that child SOA reference by DLV in a DRUZ with DS validates as secure ($n)"
+echo_i "checking that no chain of trust child SOA referenced by DLV validates as secure ($n)"
ret=0
$DIG $DIGOPTS grand.child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+# Test that a child zone that is signed with an unsupported algorithm,
+# referenced by a good DLV zone, yields an insecure response.
+echo_i "checking that unsupported algorithm TXT referenced by DLV validates as insecure ($n)"
+ret=0
+$DIG $DIGOPTS foo.unsupported-algorithm.utld txt @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS foo.unsupported-algorithm.utld txt @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+grep -q "foo\.unsupported-algorithm\.utld\..*TXT.*\"foo\"" dig.out.ns5.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test that a child zone that is signed with a known algorithm, referenced by
+# a DLV zone that is signed with an unsupported algorithm, yields a bogus
+# response.
+echo_i "checking that good signed TXT referenced by unsupported algorithm DLV validates as bogus ($n)"
+ret=0
+$DIG $DIGOPTS foo.child5.utld txt @10.53.0.7 > dig.out.ns7.test$n || ret=1
+grep "status: SERVFAIL" dig.out.ns7.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns7.test$n > /dev/null && ret=1
+grep -q "foo\.child5\.utld\..*TXT.*\"foo\"" dig.out.ns7.test$n && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
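Review bot: In the new "unsupported algorithm TXT" check the query sent to the authoritative server at `10.53.0.3` is captured into `dig.out.ns3.test$n` but nothing is ever asserted on that file, so a failure there cannot influence `ret` beyond dig's own exit code; either add `grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1` to confirm the authoritative answer the resolver check depends on, or drop the query so the test does not suggest coverage it lacks. The two new checks also mix `grep -q` with the `> /dev/null` redirection style used everywhere else in this script; using one form keeps the assertions uniform. If the ns3 capture is intended only as a debugging aid on failure, a one-line comment saying so would make that explicit.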