diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index 2279e6828c..acfc574c4a 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -11,9 +11,9 @@ rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
 rm -f */example.bk
+rm -f */named.conf
 rm -f */named.memstats
 rm -f */named.run
-rm -f */named.conf
 rm -f */named.secroots
 rm -f */tmp* */*.jnl */*.bk */*.jbk
 rm -f */trusted.conf */managed.conf */revoked.conf
@@ -27,6 +27,7 @@ rm -f keygen.err
 rm -f named.secroots.test*
 rm -f nosign.before
 rm -f ns*/*.nta
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
 rm -f ns*/named.lock
 rm -f ns1/managed.key.id
 rm -f ns1/root.db ns2/example.db ns3/secure.example.db
@@ -47,6 +48,7 @@ rm -f ns2/private.secure.example.db
 rm -f ns2/single-nsec3.db
 rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db
 rm -f ns3/badds.example.db
+rm -f ns3/dname-at-apex-nsec3.example.db
 rm -f ns3/dnskey-nsec3-unknown.example.db
 rm -f ns3/dnskey-nsec3-unknown.example.db.tmp
 rm -f ns3/dnskey-unknown.example.db
@@ -84,17 +86,16 @@ rm -f ns6/optout-tld.db
 rm -f ns7/multiple.example.bk ns7/nsec3.example.bk ns7/optout.example.bk
 rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit
 rm -f nsupdate.out*
+rm -f python.out.*
 rm -f rndc.out.*
 rm -f signer/*.db
 rm -f signer/*.signed.post*
 rm -f signer/*.signed.pre*
 rm -f signer/example.db.after signer/example.db.before
 rm -f signer/example.db.changed
-rm -f signer/nsec3param.out
-rm -f signer/signer.out.*
+rm -f signer/general/dsset*
 rm -f signer/general/signed.zone
 rm -f signer/general/signer.out.*
-rm -f signer/general/dsset*
+rm -f signer/nsec3param.out
+rm -f signer/signer.out.*
 rm -f signing.out*
-rm -f python.out.*
-rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index 0b831ec94e..79424b4a0a 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -158,3 +158,5 @@ ns.managed-future A 10.53.0.3
 revkey NS ns.revkey
 ns.revkey A 10.53.0.3
+
+dname-at-apex-nsec3 NS ns3
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 0a63a6bd4f..cce4658f2e 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -24,7 +24,8 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \
 nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
 kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
 ttlpatch split-dnssec split-smart expired expiring upper lower \
- dnskey-unknown dnskey-nsec3-unknown managed-future revkey
+ dnskey-unknown dnskey-nsec3-unknown managed-future revkey \
+ dname-at-apex-nsec3
 do
 cp ../ns3/dsset-$subdomain.example$TP .
 done
diff --git a/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in
new file mode 100644
index 0000000000..c538b735df
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in
@@ -0,0 +1,4 @@
+$TTL 600
+@ SOA ns3.example. . 1 1200 1200 1814400 3600
+@ NS ns3.example.
+@ DNAME example.
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
index 683b2c6694..87b10533a0 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -294,6 +294,11 @@ zone "revkey.example" {
 file "revkey.example.db.signed";
 };
+zone "dname-at-apex-nsec3.example" {
+ type master;
+ file "dname-at-apex-nsec3.example.db.signed";
+};
+
 include "siginterval.conf";
 include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index a248840e9e..f2155959dc 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -543,3 +543,14 @@ zsk1=`$KEYGEN -q -a RSASHA1 -3 $zone`
 cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile
 $SIGNER -P -o $zone $zonefile > /dev/null 2>&1
+
+#
+# Check that NSEC3 are correctly signed and returned from below a DNAME
+#
+zone=dname-at-apex-nsec3.example
+infile=dname-at-apex-nsec3.example.db.in
+zonefile=dname-at-apex-nsec3.example.db
+kskname=`$KEYGEN -q -a RSASHA256 -3fk $zone`
+zskname=`$KEYGEN -q -a RSASHA256 -3 $zone`
+cat $infile $kskname.key $zskname.key >$zonefile
+$SIGNER -P -3 - -o $zone $zonefile > /dev/null 2>&1
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 6fcc264ed3..c5cd425c6d 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3569,6 +3569,14 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
+echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)"
+ret=0
+$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "RRSIG.NSEC3 8 3 3600" dig.out.ns3.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 # Note: after this check, ns4 will not be validating any more; do not add any
 # further validation tests employing ns4 below this check.
 echo_i "check that validation defaults to off when dnssec-enable is off ($n)"
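Review bot: The header comment of the new block says the NSEC3 records are "returned from below a DNAME", but the zone it signs holds only apex records (SOA, NS, DNAME) and the matching check added to tests.sh queries the apex name itself (`txt dname-at-apex-nsec3.example`), so what appears to be exercised is the NSEC3 and its RRSIG for a NODATA answer at the DNAME owner, not a name below it; suggest `# Check that the NSEC3 at a zone apex that also holds a DNAME is correctly signed and returned`. The two backtick `$KEYGEN` captures are unchecked and the `$SIGNER` call on the last line discards both stdout and stderr, following the convention of the preceding block, so a keygen or signing failure for this zone surfaces only later as an unexplained dig/grep failure in tests.sh. For the new block, leaving stderr visible (`$SIGNER -P -3 - -o $zone $zonefile > /dev/null`) would make such a failure diagnosable from the test log.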
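Review bot: The grep on the fourth added line (`grep "RRSIG.NSEC3 8 3 3600"`) only confirms that an RRSIG covering NSEC3 appears in ns3's authoritative answer; it does not establish that the signature is valid, which is what the echo_i message ("correctly signed") claims, so a present-but-bad signature from dnssec-signzone would still pass this check. Since the check is placed above the note saying ns4 stops validating after the following test, ns4 is still a validating resolver at this point, and a second query through it asserting the `ad` flag, as the other validation checks in this file appear to do, would actually exercise the signature. The pattern also pins the algorithm number (8), label count (3) and TTL (3600), and relies on an unescaped `.` to match the separator after RRSIG; `grep "RRSIG[[:space:]]NSEC3 8 3 3600"` states the intent explicitly.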