From: Matthijs Mekking
Date: Mon, 14 Jan 2019 13:53:27 +0000 (+0100)
Subject: System tests for tools and unsupported algorithms
X-Git-Tag: v9.15.0~77^2~8
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=dfcf9bb0edc8d0f75e01cd643dbba176066e478e;p=thirdparty%2Fbind9.git
System tests for tools and unsupported algorithms
---
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index f67c61d52fa..b561b0c2cdf 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -26,6 +26,7 @@ rm -f ./delve.out*
 rm -f ./dig.out.*
 rm -f ./dsfromkey.out.*
 rm -f ./keygen.err
+rm -f ./dnssectools.out*
 rm -f ./named.secroots.test*
 rm -f ./nosign.before
 rm -f ./ns*/*.nta
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 5fbc31f9231..b07f540c5e4 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1399,6 +1399,41 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)"
+ret=0
+zone=example
+$KEYGEN -a 255 example > dnssectools.out.test$n 2>&1 && ret=0
+grep "unsupported algorithm: 255" dnssectools.out.test$n || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a DS record cannot be generated for a key using an unsupported algorithm ($n)"
+ret=0
+zone=example
+# Fake an unsupported algorithm key
+unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+awk '$3 == "DNSKEY" { $6 = 255; print } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp
+mv ${unsupportedkey}.tmp ${unsupportedkey}.key
+$DSFROMKEY ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=0
+grep "algorithm is unsupported" dnssectools.out.test$n || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)"
+ret=0
+cp ${unsupportedkey}.* signer/
+(
+cd signer || exit 1
+cat example.db.in "${unsupportedkey}.key" > example.db
+$SIGNER -o example example.db ${unsupportedkey} > ../dnssectools.out.test$n 2>&1 && ret=0
+) && ret=0
+grep "algorithm is unsupported" dnssectools.out.test$n || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 echo_i "checking that we can sign a zone with out-of-zone records ($n)"
 ret=0
 zone=example
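Review bot: All three negative checks still pass when the tool exits successfully, because `&& ret=0` after `$KEYGEN`, `$DSFROMKEY` and the `$SIGNER` subshell only re-assigns the value `ret` already holds, leaving the grep for the error text as the sole assertion. For tests meant to prove that an unsupported algorithm is rejected, the exit status should count as well: `$KEYGEN -a 255 example > dnssectools.out.test$n 2>&1 && ret=1`, the same for `$DSFROMKEY`, and `) && ret=1` on the subshell's closing line, since an assignment made inside `( … )` never reaches the parent shell. The `&&` list may also be there to keep an expected failure from aborting the script if errexit is enabled, which is not visible in this hunk; `&& ret=1` keeps that property. Separately, the awk program writes the rewritten DNSKEY line twice because both rules fire on it; `awk '$3 == "DNSKEY" { $6 = 255 } { print }'` writes it once.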