diff --git a/bin/tests/system/isctest/kasp.py b/bin/tests/system/isctest/kasp.py
index 9e23b9a6ef..2ade4dafbe 100644
--- a/bin/tests/system/isctest/kasp.py
+++ b/bin/tests/system/isctest/kasp.py
@@ -971,16 +971,13 @@ def check_apex(server, zone, ksks, zsks, tsig=None):
 # test dnskey query
 dnskeys, rrsigs = _query_rrset(server, fqdn, dns.rdatatype.DNSKEY, tsig=tsig)
- assert len(dnskeys) > 0
 check_dnskeys(dnskeys, ksks, zsks)
- assert len(rrsigs) > 0
 check_signatures(rrsigs, dns.rdatatype.DNSKEY, fqdn, ksks, zsks)
 # test soa query
 soa, rrsigs = _query_rrset(server, fqdn, dns.rdatatype.SOA, tsig=tsig)
 assert len(soa) == 1
 assert f"{zone}. {DEFAULT_TTL} IN SOA" in soa[0].to_text()
- assert len(rrsigs) > 0
 check_signatures(rrsigs, dns.rdatatype.SOA, fqdn, ksks, zsks)
 # test cdnskey query
@@ -1016,7 +1013,6 @@ def check_subdomain(server, zone, ksks, zsks, tsig=None):
 else:
 assert match in rrset.to_text()
- assert len(rrsigs) > 0
 check_signatures(rrsigs, qtype, fqdn, ksks, zsks)
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index fd41fd231a..12f2c200a3 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -85,15 +85,6 @@ retry_quiet 30 _wait_for_done_apexnsec || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
-# Test max-zone-ttl rejects zones with too high TTL.
-n=$((n + 1))
-echo_i "check that max-zone-ttl rejects zones with too high TTL ($n)"
-ret=0
-set_zone "max-zone-ttl.kasp"
-grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" >/dev/null || ret=1
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 set_keytimes_csk_policy() {
 # The first key is immediately published and activated.
 created=$(key_get KEY1 CREATED)
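Review bot: With `assert len(rrsigs) > 0` dropped from check_apex here (and from check_subdomain in the next hunk), the only thing between a signed zone that answers with no RRSIGs and a passing test is check_signatures, which lies outside the hunk; if it merely iterates over the rrsigs it is handed, an empty answer now passes vacuously for every signed zone in the suite. The removal presumably exists so the new insecure/unsigned tests can reuse these helpers, so the guard should become conditional rather than vanish, e.g. `if ksks or zsks:` / `    assert len(rrsigs) > 0, "no RRSIGs in answer"` before each check_signatures call, or an equivalent emptiness check inside check_signatures keyed on whether any signing key is expected — whichever matches what the key lists actually mean for keys that are published but not yet signing. The dropped `assert len(dnskeys) > 0` deserves the same treatment unless check_dnskeys already rejects an empty DNSKEY RRset when ksks/zsks are non-empty. check_apex's body continues past the hunk on both sides.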
@@ -119,16 +110,6 @@ set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
 set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
 set_keystate "KEY1" "STATE_DS" "hidden"
-#
-# A zone with special characters.
-#
-set_zone "i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp."
-set_policy "default" "1" "3600"
-set_server "ns3" "10.53.0.3"
-# It is non-trivial to adapt the tests to deal with all possible different
-# escaping characters, so we will just try to verify the zone.
-dnssec_verify
-
 #
 # Zone: checkds-ksk.kasp.
 #
@@ -474,53 +455,16 @@ if [ $RSASHA1_SUPPORTED = 1 ]; then
 dnssec_verify
 fi
-#
-# Zone: unsigned.kasp.
-#
-set_zone "unsigned.kasp"
-set_policy "none" "0" "0"
-set_server "ns3" "10.53.0.3"
-
-key_clear "KEY1"
-key_clear "KEY2"
-key_clear "KEY3"
-key_clear "KEY4"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-# Make sure the zone file is untouched.
-n=$((n + 1))
-echo_i "Make sure the zonefile for zone ${ZONE} is not edited ($n)"
-ret=0
-diff "${DIR}/${ZONE}.db.infile" "${DIR}/${ZONE}.db" || ret=1
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-#
-# Zone: insecure.kasp.
-#
-set_zone "insecure.kasp"
-set_policy "insecure" "0" "0"
-set_server "ns3" "10.53.0.3"
-
-key_clear "KEY1"
-key_clear "KEY2"
-key_clear "KEY3"
-key_clear "KEY4"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-
 #
 # Zone: unlimited.kasp.
 #
 set_zone "unlimited.kasp"
 set_policy "unlimited" "1" "1234"
 set_server "ns3" "10.53.0.3"
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
 # Key properties.
 set_keyrole "KEY1" "csk"
 set_keylifetime "KEY1" "0"
diff --git a/bin/tests/system/kasp/tests_kasp.py b/bin/tests/system/kasp/tests_kasp.py
index 3daa5eebcc..adc83988c2 100644
--- a/bin/tests/system/kasp/tests_kasp.py
+++ b/bin/tests/system/kasp/tests_kasp.py
@@ -338,6 +338,52 @@ def test_kasp_dynamic(servers):
 assert f"zone_resigninc: zone {zone}/IN (unsigned): enter" not in "ns3/named.run"
+def test_kasp_special_characters(servers):
+ server = servers["ns3"]
+
+ # A zone with special characters.
+ isctest.log.info("check special characters")
+
+ zone = r'i-am.":\;?&[]\@!\$*+,|=\.\(\)special.kasp'
+ # It is non-trivial to adapt the tests to deal with all possible different
+ # escaping characters, so we will just try to verify the zone.
+ isctest.kasp.check_dnssec_verify(server, zone)
+
+
+def test_kasp_insecure(servers):
+ server = servers["ns3"]
+
+ # Insecure zones.
+ isctest.log.info("check insecure zones")
+
+ zone = "insecure.kasp"
+ expected = []
+ keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
+ isctest.kasp.check_keys(zone, keys, expected)
+ isctest.kasp.check_dnssecstatus(server, zone, keys, policy="insecure")
+ isctest.kasp.check_apex(server, zone, keys, [])
+ isctest.kasp.check_subdomain(server, zone, keys, [])
+
+ zone = "unsigned.kasp"
+ expected = []
+ keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
+ isctest.kasp.check_keys(zone, keys, expected)
+ isctest.kasp.check_dnssecstatus(server, zone, keys, policy=None)
+ isctest.kasp.check_apex(server, zone, keys, [])
+ isctest.kasp.check_subdomain(server, zone, keys, [])
+ # Make sure the zone file is untouched.
+ isctest.check.file_contents_equal(f"ns3/{zone}.db.infile", f"ns3/{zone}.db")
+
+
+def test_kasp_bad_maxzonettl(servers):
+ server = servers["ns3"]
+
+ # check that max-zone-ttl rejects zones with too high TTL.
+ isctest.log.info("check max-zone-ttl rejects zones with too high TTL")
+ zone = "max-zone-ttl.kasp"
+ assert f"loading from master file {zone}.db failed: out of range" in server.log
+
+
 def test_kasp_dnssec_keygen():
 def keygen(zone, policy, keydir=None):
 if keydir is None:
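Review bot: The two zone blocks in test_kasp_insecure are the same seven calls repeated with only the zone name, the `policy=` value and the trailing file check differing, which invites drift the next time a check is added to one block and forgotten in the other; iterating over a small `(zone, policy)` table and keeping the `file_contents_equal` call for the unsigned zone outside the loop reads the same and cannot diverge (rewrite below). test_kasp_bad_maxzonettl only confirms that named logged the out-of-range failure; if the harness has a query helper, one extra assertion that the zone is not served would pin the intended effect rather than the message wording. Unrelated to the additions but visible in the hunk's first context line, `... not in "ns3/named.run"` tests substring membership in the file-name literal rather than the log contents, so it can never fail; the `server.log` accessor the new test uses looks like the intended form there.
```python
def test_kasp_insecure(servers):
    server = servers["ns3"]

    # Insecure zones.
    isctest.log.info("check insecure zones")

    for zone, policy in (("insecure.kasp", "insecure"), ("unsigned.kasp", None)):
        keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
        isctest.kasp.check_keys(zone, keys, [])
        isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy)
        isctest.kasp.check_apex(server, zone, keys, [])
        isctest.kasp.check_subdomain(server, zone, keys, [])

    # Make sure the unsigned zone file is untouched.
    zone = "unsigned.kasp"
    isctest.check.file_contents_equal(f"ns3/{zone}.db.infile", f"ns3/{zone}.db")
```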