From: Matthijs Mekking
Date: Tue, 11 Oct 2022 09:15:34 +0000 (+0200)
Subject: Add two more nsec3 system tests
X-Git-Tag: v9.16.35~7^2~5
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=ee18cfe215e12a320560bdf20f4dc15d60417eaf;p=thirdparty%2Fbind9.git
Add two more nsec3 system tests
Add one more case that tests reconfiguring a zone to turn off inline-signing. It should still be a valid DNSSEC zone and the NSEC3 parameters should not change.
Add another test to ensure that you cannot update the zone with a NSEC3 record.
(cherry picked from commit 4cd8e8e9c34d7bf56a1a51d0c489b8a433076f27)
---
diff --git a/bin/tests/system/nsec3/clean.sh b/bin/tests/system/nsec3/clean.sh
index 6383f29beae..b8e83179ce9 100644
--- a/bin/tests/system/nsec3/clean.sh
+++ b/bin/tests/system/nsec3/clean.sh
@@ -13,7 +13,7 @@
 set -e
-rm -f dig.out.* rndc.signing.*
+rm -f dig.out.* rndc.signing.* update.out.* verify.out.*
 rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
 rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
 rm -f ns*/K*.private ns*/K*.key ns*/K*.state
diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in
index c99dc3335fa..ab253963dfb 100644
--- a/bin/tests/system/nsec3/ns3/named.conf.in
+++ b/bin/tests/system/nsec3/ns3/named.conf.in
@@ -129,10 +129,26 @@ zone "nsec3-fails-to-load.kasp" {
 allow-update { any; };
 };
-/* The zone switches from dynamic to inline-signing. */
+/* These zones switch from dynamic to inline-signing or vice versa. */
 zone "nsec3-dynamic-to-inline.kasp" {
 type primary;
 file "nsec3-dynamic-to-inline.kasp.db";
 dnssec-policy "nsec3";
 allow-update { any; };
 };
+
+zone "nsec3-inline-to-dynamic.kasp" {
+ type primary;
+ file "nsec3-inline-to-dynamic.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */
+zone "nsec3-dynamic-update-inline.kasp" {
+ type primary;
+ file "nsec3-dynamic-update-inline.kasp.db";
+ inline-signing yes;
+ allow-update { any; };
+ dnssec-policy "nsec";
+};
diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in
index 1b8cbec20c7..5c3b9705711 100644
--- a/bin/tests/system/nsec3/ns3/named2.conf.in
+++ b/bin/tests/system/nsec3/ns3/named2.conf.in
@@ -135,7 +135,7 @@ zone "nsec3-fails-to-load.kasp" {
 allow-update { any; };
 };
-/* The zone switches from dynamic to inline-signing. */
+/* These zones switch from dynamic to inline-signing or vice versa. */
 zone "nsec3-dynamic-to-inline.kasp" {
 type primary;
 file "nsec3-dynamic-to-inline.kasp.db";
@@ -143,3 +143,11 @@ zone "nsec3-dynamic-to-inline.kasp" {
 dnssec-policy "nsec3";
 allow-update { any; };
 };
+
+zone "nsec3-inline-to-dynamic.kasp" {
+ type primary;
+ file "nsec3-inline-to-dynamic.kasp.db";
+ inline-signing no;
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh
index b4c744ac26e..b7c449aefcf 100644
--- a/bin/tests/system/nsec3/ns3/setup.sh
+++ b/bin/tests/system/nsec3/ns3/setup.sh
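Review bot: named2.conf.in gains the reconfigured `nsec3-inline-to-dynamic.kasp` zone but, as far as these hunks show, no `nsec3-dynamic-update-inline.kasp` stanza, so the rndc reconfig in tests.sh should drop that zone from ns3 (unless it is declared elsewhere in the file outside the hunk). If dropping it is intended, a comment such as `/* nsec3-dynamic-update-inline.kasp is only needed before the reconfig. */` next to the new zone would record that; otherwise the stanza from named.conf.in should be repeated here so the zone survives the reconfig and can be checked afterwards.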
@@ -26,7 +26,8 @@ setup() {
 for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
 nsec3-to-optout nsec3-from-optout nsec3-dynamic \
- nsec3-dynamic-change nsec3-dynamic-to-inline
+ nsec3-dynamic-change nsec3-dynamic-to-inline \
+ nsec3-inline-to-dynamic nsec3-dynamic-update-inline
 do
 setup "${zn}.kasp"
 done
diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
index f8863527399..bfa416e6603 100644
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -193,6 +193,12 @@ set_nsec3param "0" "5" "8"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
+# Zone: nsec3-inline-to-dynamic.kasp.
+set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
 # Zone: nsec3-to-nsec.kasp.
 set_zone_policy "nsec3-to-nsec.kasp" "nsec3"
 set_nsec3param "0" "5" "8"
@@ -221,7 +227,25 @@ echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
+# Zone: nsec3-dynamic-update-inline.kasp.
+set_zone_policy "nsec3-dynamic-update-inline.kasp" "nsec" 1 3600
+echo_i "initial check zone ${ZONE}"
+check_nsec
+
+n=$((n+1))
+echo_i "dynamic update dnssec-policy zone ${ZONE} with NSEC3 ($n)"
+ret=0
+$NSUPDATE > update.out.$ZONE.test$n 2>&1 << END || ret=1
+server 10.53.0.3 ${PORT}
+zone ${ZONE}.
+update add 04O18462RI5903H8RDVL0QDT5B528DUJ.${ZONE}. 3600 NSEC3 0 0 0 408A4B2D412A4E95 1JMDDPMTFF8QQLIOINSIG4CR9OTICAOC A RRSIG
+send
+END
+wait_for_log 10 "updating zone '${ZONE}/IN': update failed: explicit NSEC3 updates are not allowed in secure zones (REFUSED)" ns3/named.run || ret=1
+check_nsec
+
 # Reconfig named.
+ret=0
 echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
 copy_setports ns3/named2.conf.in ns3/named.conf
 rndc_reconfig ns3 10.53.0.3
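Review bot: The failure recorded by `|| ret=1` on the `wait_for_log` line of the NSEC3 update test is never reported: nothing in the hunk folds `ret` into a failure counter or prints "failed", `check_nsec` runs directly after it, and the next visible assignment is the `ret=0` added before the reconfig block, so a missing REFUSED log line would go unnoticed unless `check_nsec` happens to report its caller's `ret` (not visible here). If the script accumulates failures in a `status` counter as the other numbered tests do, add `test "$ret" -eq 0 || echo_i "failed"` and `status=$((status+ret))` right after the `wait_for_log` line, before `check_nsec`. A one-line comment above the heredoc, `# Unquoted delimiter: ${PORT} and ${ZONE} must expand.`, would also make the unquoted `<< END` read as deliberate.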
@@ -261,12 +285,18 @@ echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 dnssec_verify
-# Zone: nsec3-dynamic-to-inline.kasp. (reconfigured)
+# Zone: nsec3-dynamic-to-inline.kasp. (same)
 set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
 set_nsec3param "0" "5" "8"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
+# Zone: nsec3-inline-to-dynamic.kasp. (same)
+set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
 # Zone: nsec3-to-nsec.kasp. (reconfigured)
 set_zone_policy "nsec3-to-nsec.kasp" "nsec"
 set_nsec3param "1" "11" "0"
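Review bot: The post-reconfig block for nsec3-inline-to-dynamic.kasp logs `echo_i "initial check zone ${ZONE}"`, but this check runs after the reconfig (the block directly above it uses `check zone ${ZONE} after reconfig`), so a failure here would be attributed to the wrong phase in the log; change it to `echo_i "check zone ${ZONE} after reconfig"`. The commit message says the zone should still be a valid DNSSEC zone once inline-signing is turned off, yet only `check_nsec3` runs here; adding `dnssec_verify` after `check_nsec3`, as the context lines at the top of this hunk do for the previous zone, would actually test that claim.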