mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 23:25:38 +00:00
Code Issues Releases Wiki Activity

- improves tests of negative insecurity proofs, including tests for the

Browse Source 
SOA TTL 0 hack.
- adds +noauth to a few invocations of dig where the authority section is
  not important.
- removes the bogus first half of the dynamic zone test, which didn't
  do anything other than make the test suite fail if run twice.
- fixed the fact that the keyless.example zone wasn't being securely
  delegated.
bwelling
This commit is contained in:
Mark Andrews
2002-07-19 06:20:24 +00:00
parent c54c1eaf26
commit 0f042c7c44
2 changed files with 51 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
bin/tests/system/dnssec/ns2/sign.sh
View File

@@ -15,7 +15,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.20 2002/06/17 04:01:14 marka Exp $ # $Id: sign.sh,v 1.21 2002/07/19 06:20:24 marka Exp $
SYSTEMTESTTOP=../.. SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
@@ -30,7 +30,7 @@ zonefile=example.db
( cd ../ns3 && sh sign.sh ) ( cd ../ns3 && sh sign.sh )
for subdomain in secure bogus dynamic for subdomain in secure bogus dynamic keyless
do do
cp ../ns3/keyset-$subdomain.example. . cp ../ns3/keyset-$subdomain.example. .
done done

66
bin/tests/system/dnssec/tests.sh
View File

@@ -15,7 +15,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.40 2002/06/17 04:01:11 marka Exp $ # $Id: tests.sh,v 1.41 2002/07/19 06:20:24 marka Exp $
SYSTEMTESTTOP=.. SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
@@ -62,8 +62,8 @@ status=`expr $status + $ret`
echo "I:checking 1-server insecurity proof ($n)" echo "I:checking 1-server insecurity proof ($n)"
ret=0 ret=0
$DIG $DIGOPTS a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 $DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the && # Note - this is looking for failure, hence the &&
@@ -72,6 +72,34 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
echo "I:checking 1-server negative insecurity proof ($n)"
ret=0
$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \
> dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking 1-server negative insecurity proof with SOA hack ($n)"
ret=0
$DIG $DIGOPTS r.insecure.example. soa @10.53.0.3 \
> dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS r.insecure.example. soa @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
# Check the secure.example domain # Check the secure.example domain
echo "I:checking multi-stage positive validation ($n)" echo "I:checking multi-stage positive validation ($n)"
@@ -133,9 +161,9 @@ status=`expr $status + $ret`
echo "I:checking 2-server insecurity proof ($n)" echo "I:checking 2-server insecurity proof ($n)"
ret=0 ret=0
$DIG $DIGOPTS a.insecure.secure.example. @10.53.0.2 a \ $DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
> dig.out.ns2.test$n || ret=1 > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS a.insecure.secure.example. @10.53.0.4 a \ $DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
> dig.out.ns4.test$n || ret=1 > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
@@ -161,6 +189,20 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
echo "I:checking 2-server insecurity proof with a negative answer and SOA hack ($n)"
ret=0
$DIG $DIGOPTS r.insecure.secure.example. @10.53.0.2 soa > dig.out.ns2.test$n \
|| ret=1
$DIG $DIGOPTS r.insecure.secure.example. @10.53.0.4 soa > dig.out.ns4.test$n \
|| ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
# Check that the query for a security root is successful and has ad set # Check that the query for a security root is successful and has ad set
echo "I:checking security root query ($n)" echo "I:checking security root query ($n)"
@@ -231,9 +273,9 @@ status=`expr $status + $ret`
echo "I:checking cd bit on a negative insecurity proof ($n)" echo "I:checking cd bit on a negative insecurity proof ($n)"
ret=0 ret=0
$DIG $DIGOPTS q.insecure.example. soa @10.53.0.4 \ $DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
> dig.out.ns4.test$n || ret=1 > dig.out.ns4.test$n || ret=1
$DIG $DIGOPTS +cdflag q.insecure.example. soa @10.53.0.5 \ $DIG $DIGOPTS +cdflag q.insecure.example. a @10.53.0.5 \
> dig.out.ns5.test$n || ret=1 > dig.out.ns5.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 $PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
@@ -340,16 +382,6 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
echo "I:checking positive validation of dynamic zone ($n)"
ret=0
$DIG $DIGOPTS +noauth dynamic.example. SOA @10.53.0.3 > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth dynamic.example. SOA @10.53.0.4 > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
# Run a minimal update test if possible. This is really just # Run a minimal update test if possible. This is really just
# a regression test for RT #2399; more tests should be added. # a regression test for RT #2399; more tests should be added.