Extend synthfromdnssec to check insecure responses

add matching tests against a insecure zone to those which which are synthesised.
2025-08-30 05:57:52 +00:00 · 2021-10-18 15:12:34 +11:00 · 2021-10-18 15:12:34 +11:00 · 10a05dc26a
commit 10a05dc26a
parent 27acf56ba3
4 changed files with 119 additions and 4 deletions
--- a/bin/tests/system/synthfromdnssec/clean.sh
+++ b/bin/tests/system/synthfromdnssec/clean.sh
@ -21,6 +21,8 @@ rm -f ./ns1/K*+*+*.private
 rm -f ./ns1/dsset-*
 rm -f ./ns1/example.db
 rm -f ./ns1/example.db.signed
+rm -f ./ns1/insecure.example.db
+rm -f ./ns1/insecure.example.db.signed
 rm -f ./ns1/dnamed.db
 rm -f ./ns1/dnamed.db.signed
 rm -f ./ns1/root.db
@ -28,7 +30,7 @@ rm -f ./ns1/root.db.signed
 rm -f ./ns1/trusted.conf
 rm -f ./ns2/named_dump.db
 rm -f ./ns*/managed-keys.bind*
-rm -f ./nodata.out
-rm -f ./nxdomain.out
-rm -f ./wild.out
-rm -f ./wildcname.out
+rm -f ./nodata.out ./insecure.nodata.out
+rm -f ./nxdomain.out ./insecure.nxdomain.out
+rm -f ./wild.out ./insecure.wild.out
+rm -f ./wildcname.out ./insecure.wildcname.out
--- a/bin/tests/system/synthfromdnssec/ns1/named.conf.in
+++ b/bin/tests/system/synthfromdnssec/ns1/named.conf.in
@ -34,6 +34,11 @@ zone "example" {
 	file "example.db.signed";
 };

+zone "insecure.example" {
+	type primary;
+	file "insecure.example.db.signed";
+};
+
 zone "dnamed" {
 	type primary;
 	file "dnamed.db.signed";
--- a/bin/tests/system/synthfromdnssec/ns1/sign.sh
+++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh
@ -16,6 +16,17 @@ zone=example
 infile=example.db.in
 zonefile=example.db

+keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+echo insecure NS ns1.insecure >> "$zonefile"
+echo ns1.insecure A 10.53.0.1 >> "$zonefile"
+
+$SIGNER -P -o $zone $zonefile > /dev/null
+
+zone=insecure.example
+infile=example.db.in
+zonefile=insecure.example.db
+
 keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
 cat "$infile" "$keyname.key" > "$zonefile"

--- a/bin/tests/system/synthfromdnssec/tests.sh
+++ b/bin/tests/system/synthfromdnssec/tests.sh
@ -128,6 +128,50 @@ do
    n=$((n+1))
    if [ $ret != 0 ]; then echo_i "failed"; fi
    status=$((status+ret))
+
+    echo_i "prime insecure negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+    check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+    [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nxdomain.out
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "prime insecure negative NODATA response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts nodata.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+    [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nodata.out
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "prime insecure wildcard response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts a.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_a a.wild-a.insecure.example. dig.out.ns${ns}.test$n || ret=1
+    [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wild.out
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts a.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_cname a.wild-cname.insecure.example. dig.out.ns${ns}.test$n || ret=1
+    [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wildcname.out
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
 done

 echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
@ -229,6 +273,59 @@ do
    n=$((n+1))
    if [ $ret != 0 ]; then echo_i "failed"; fi
    status=$((status+ret))
+
+    echo_i "check insecure NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    nextpart ns1/named.run > /dev/null
+    dig_with_opts b.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+    check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+    nextpart ns1/named.run | grep b.insecure.example/A > /dev/null || ret=1
+    digcomp insecure.nxdomain.out dig.out.ns${ns}.test$n || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "check insecure NODATA response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    nextpart ns1/named.run > /dev/null
+    dig_with_opts nodata.insecure.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+    nextpart ns1/named.run | grep nodata.insecure.example/AAAA > /dev/null || ret=1
+    digcomp insecure.nodata.out dig.out.ns${ns}.test$n || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "check insecure wildcard response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    nextpart ns1/named.run > /dev/null
+    dig_with_opts b.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    grep "b\.wild-a\.insecure\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    nextpart ns1/named.run | grep b.wild-a.insecure.example/A > /dev/null || ret=1
+    digcomp insecure.wild.out dig.out.ns${ns}.test$n || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "check insecure wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    nextpart ns1/named.run > /dev/null
+    dig_with_opts b.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_cname b.wild-cname.insecure.example dig.out.ns${ns}.test$n || ret=1
+    nextpart ns1/named.run | grep b.wild-cname.insecure.example/A > /dev/null || ret=1
+    grep "ns1.insecure.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    digcomp insecure.wildcname.out dig.out.ns${ns}.test$n || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
 done

 echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)"