Add two more nsec3 system tests
authorMatthijs Mekking <matthijs@isc.org>
Tue, 11 Oct 2022 09:15:34 +0000 (11:15 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 3 Nov 2022 13:41:05 +0000 (14:41 +0100)
Add one more case that tests reconfiguring a zone to turn off
inline-signing. It should still be a valid DNSSEC zone and the NSEC3
parameters should not change.

Add another test to ensure that a zone cannot be updated with an
NSEC3 record.

(cherry picked from commit 4cd8e8e9c34d7bf56a1a51d0c489b8a433076f27)

bin/tests/system/nsec3/clean.sh
bin/tests/system/nsec3/ns3/named.conf.in
bin/tests/system/nsec3/ns3/named2.conf.in
bin/tests/system/nsec3/ns3/setup.sh
bin/tests/system/nsec3/tests.sh

index 6383f29beaea7e997f150eba04f71f0853f3e3ee..b8e83179ce924a040602cf7982bb5540b2250310 100644 (file)
@@ -13,7 +13,7 @@
 
 set -e
 
-rm -f dig.out.* rndc.signing.*
+rm -f dig.out.* rndc.signing.* update.out.* verify.out.*
 rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
 rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
 rm -f ns*/K*.private ns*/K*.key ns*/K*.state
index c99dc3335fae6c1ff943d66f604c68f4a545106e..ab253963dfb268b6ec079a489f9574aca9b6a1de 100644 (file)
@@ -129,10 +129,26 @@ zone "nsec3-fails-to-load.kasp" {
        allow-update { any; };
 };
 
-/* The zone switches from dynamic to inline-signing. */
+/* These zones switch from dynamic to inline-signing or vice versa. */
 zone "nsec3-dynamic-to-inline.kasp" {
        type primary;
        file "nsec3-dynamic-to-inline.kasp.db";
        dnssec-policy "nsec3";
        allow-update { any; };
 };
+
+zone "nsec3-inline-to-dynamic.kasp" {
+       type primary;
+       file "nsec3-inline-to-dynamic.kasp.db";
+       inline-signing yes;
+       dnssec-policy "nsec3";
+};
+
+/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */
+zone "nsec3-dynamic-update-inline.kasp" {
+       type primary;
+       file "nsec3-dynamic-update-inline.kasp.db";
+       inline-signing yes;
+       allow-update { any; };
+       dnssec-policy "nsec";
+};
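Review bot: The new `nsec3-inline-to-dynamic.kasp` zone has no comment of its own, and the shared comment above it only says the zones switch "or vice versa"; a reader has to open named2.conf.in to learn that the reconfigured copy sets `inline-signing no` and adds `allow-update { any; }`. A one-line comment on the zone, e.g. `/* Reconfigured in named2.conf.in: inline-signing off, dynamic updates on. */`, would make the pairing explicit. The same applies to the counterpart zone added in named2.conf.in, which could point back at this one.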
index 1b8cbec20c71c73c5320703a1569e81f7681f6d6..5c3b9705711a43f625aa32ce1d7a2af0d2dc683e 100644 (file)
@@ -135,7 +135,7 @@ zone "nsec3-fails-to-load.kasp" {
        allow-update { any; };
 };
 
-/* The zone switches from dynamic to inline-signing. */
+/* These zones switch from dynamic to inline-signing or vice versa. */
 zone "nsec3-dynamic-to-inline.kasp" {
        type primary;
        file "nsec3-dynamic-to-inline.kasp.db";
@@ -143,3 +143,11 @@ zone "nsec3-dynamic-to-inline.kasp" {
        dnssec-policy "nsec3";
        allow-update { any; };
 };
+
+zone "nsec3-inline-to-dynamic.kasp" {
+       type primary;
+       file "nsec3-inline-to-dynamic.kasp.db";
+       inline-signing no;
+       dnssec-policy "nsec3";
+       allow-update { any; };
+};
index b4c744ac26e77f0bf164892828e8d0d41d3cdbdd..b7c449aefcf5339b2121fa06b79496643f30d482 100644 (file)
@@ -26,7 +26,8 @@ setup() {
 
 for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
          nsec3-to-optout nsec3-from-optout nsec3-dynamic \
-         nsec3-dynamic-change nsec3-dynamic-to-inline
+         nsec3-dynamic-change nsec3-dynamic-to-inline \
+         nsec3-inline-to-dynamic nsec3-dynamic-update-inline
 do
        setup "${zn}.kasp"
 done
index f8863527399ff5eb49622c0fa40c7c0c69622071..bfa416e660317f9d0f67da34a0c2e6b155a45495 100644 (file)
@@ -193,6 +193,12 @@ set_nsec3param "0" "5" "8"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
+# Zone: nsec3-inline-to-dynamic.kasp.
+set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
 # Zone: nsec3-to-nsec.kasp.
 set_zone_policy "nsec3-to-nsec.kasp" "nsec3"
 set_nsec3param "0" "5" "8"
@@ -221,7 +227,25 @@ echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
 
+# Zone: nsec3-dynamic-update-inline.kasp.
+set_zone_policy "nsec3-dynamic-update-inline.kasp" "nsec" 1 3600
+echo_i "initial check zone ${ZONE}"
+check_nsec
+
+n=$((n+1))
+echo_i "dynamic update dnssec-policy zone ${ZONE} with NSEC3 ($n)"
+ret=0
+$NSUPDATE > update.out.$ZONE.test$n 2>&1 << END || ret=1
+server 10.53.0.3 ${PORT}
+zone ${ZONE}.
+update add 04O18462RI5903H8RDVL0QDT5B528DUJ.${ZONE}. 3600 NSEC3 0 0 0 408A4B2D412A4E95 1JMDDPMTFF8QQLIOINSIG4CR9OTICAOC A RRSIG
+send
+END
+wait_for_log 10 "updating zone '${ZONE}/IN': update failed: explicit NSEC3 updates are not allowed in secure zones (REFUSED)" ns3/named.run || ret=1
+check_nsec
+
 # Reconfig named.
+ret=0
 echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
 copy_setports ns3/named2.conf.in ns3/named.conf
 rndc_reconfig ns3 10.53.0.3
@@ -261,12 +285,18 @@ echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 dnssec_verify
 
-# Zone: nsec3-dynamic-to-inline.kasp. (reconfigured)
+# Zone: nsec3-dynamic-to-inline.kasp. (same)
 set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
 set_nsec3param "0" "5" "8"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
+# Zone: nsec3-inline-to-dynamic.kasp. (same)
+set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
 # Zone: nsec3-to-nsec.kasp. (reconfigured)
 set_zone_policy "nsec3-to-nsec.kasp" "nsec"
 set_nsec3param "1" "11" "0"
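Review bot: The outcome of the refused-update check is never reported: `ret` is set by `$NSUPDATE ... || ret=1` and by the `wait_for_log ... || ret=1` line, but nothing visible in the hunk folds it into the run status before `check_nsec` and the `ret=0` added ahead of the reconfig step, so a failure there would not fail the test; add `test "$ret" -eq 0 || echo_i "failed"` and `status=$((status+ret))` directly after the `wait_for_log` line. Since the update is expected to be refused, nsupdate presumably exits non-zero on that path (other system tests use `&& ret=1` for expected failures), so `|| ret=1` likely marks the intended outcome as a failure; consider `&& ret=1` there, or grepping `update.out.$ZONE.test$n` for the REFUSED response instead. In the last hunk the post-reconfig block for `nsec3-inline-to-dynamic.kasp` still echoes `initial check zone ${ZONE}` while the neighbouring block uses `check zone ${ZONE} after reconfig`, which will mislead anyone reading the log.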