From 10a05dc26adfa27e9eb19b01d6f338cc9eb0d074 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 18 Oct 2021 15:12:34 +1100
Subject: [PATCH] Extend synthfromdnssec to check insecure responses

add matching tests against a insecure zone to those which which are synthesised.
---
 bin/tests/system/synthfromdnssec/clean.sh | 10 +-
 .../system/synthfromdnssec/ns1/named.conf.in | 5 +
 bin/tests/system/synthfromdnssec/ns1/sign.sh | 11 +++
 bin/tests/system/synthfromdnssec/tests.sh | 97 +++++++++++++++++++
 4 files changed, 119 insertions(+), 4 deletions(-)

diff --git a/bin/tests/system/synthfromdnssec/clean.sh b/bin/tests/system/synthfromdnssec/clean.sh
index 2fc1361baf..e4b7913887 100644
--- a/bin/tests/system/synthfromdnssec/clean.sh
+++ b/bin/tests/system/synthfromdnssec/clean.sh
@@ -21,6 +21,8 @@ rm -f ./ns1/K*+*+*.private
 rm -f ./ns1/dsset-*
 rm -f ./ns1/example.db
 rm -f ./ns1/example.db.signed
+rm -f ./ns1/insecure.example.db
+rm -f ./ns1/insecure.example.db.signed
 rm -f ./ns1/dnamed.db
 rm -f ./ns1/dnamed.db.signed
 rm -f ./ns1/root.db
@@ -28,7 +30,7 @@ rm -f ./ns1/root.db.signed
 rm -f ./ns1/trusted.conf
 rm -f ./ns2/named_dump.db
 rm -f ./ns*/managed-keys.bind*
-rm -f ./nodata.out
-rm -f ./nxdomain.out
-rm -f ./wild.out
-rm -f ./wildcname.out
+rm -f ./nodata.out ./insecure.nodata.out
+rm -f ./nxdomain.out ./insecure.nxdomain.out
+rm -f ./wild.out ./insecure.wild.out
+rm -f ./wildcname.out ./insecure.wildcname.out
diff --git a/bin/tests/system/synthfromdnssec/ns1/named.conf.in b/bin/tests/system/synthfromdnssec/ns1/named.conf.in
index 3f75553d93..bb1d073830 100644
--- a/bin/tests/system/synthfromdnssec/ns1/named.conf.in
+++ b/bin/tests/system/synthfromdnssec/ns1/named.conf.in
@@ -34,6 +34,11 @@ zone "example" {
 file "example.db.signed";
 };
 
+zone "insecure.example" {
+ type primary;
+ file "insecure.example.db.signed";
+};
+
 zone "dnamed" {
 type primary;
 file "dnamed.db.signed";
diff --git a/bin/tests/system/synthfromdnssec/ns1/sign.sh b/bin/tests/system/synthfromdnssec/ns1/sign.sh
index 72e242119c..9a5819e618 100644
--- a/bin/tests/system/synthfromdnssec/ns1/sign.sh
+++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh
@@ -16,6 +16,17 @@ zone=example
 infile=example.db.in
 zonefile=example.db
 
+keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+echo insecure NS ns1.insecure >> "$zonefile"
+echo ns1.insecure A 10.53.0.1 >> "$zonefile"
+
+$SIGNER -P -o $zone $zonefile > /dev/null
+
+zone=insecure.example
+infile=example.db.in
+zonefile=insecure.example.db
+
 keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
 cat "$infile" "$keyname.key" > "$zonefile"
 
diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh
index 0c88583f15..f3553b45a3 100644
--- a/bin/tests/system/synthfromdnssec/tests.sh
+++ b/bin/tests/system/synthfromdnssec/tests.sh
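Review bot: The two added `echo … >> "$zonefile"` lines that delegate `insecure` out of `example` say nothing about why no DS record accompanies the delegation, and as far as the hunk shows none is generated; that omission appears to be deliberate, since it is what keeps insecure.example unvalidatable even though the block below signs it with its own key. A one-line comment above the first echo, such as `# delegate insecure.example WITHOUT a DS so the child is treated as insecure`, would stop a later maintainer from "fixing" it by adding one. Re-pointing `zone`, `infile` and `zonefile` in place to reuse the keygen and cat lines is consistent with the script's existing style, but the added `$SIGNER -P -o $zone $zonefile` line inherits the unquoted expansions of the surrounding code. The `$SIGNER` invocation that signs insecure.example itself lies after the last context line, outside the hunk.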
@@ -128,6 +128,50 @@ do
 n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+
+ echo_i "prime insecure negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nxdomain.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime insecure negative NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts nodata.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nodata.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime insecure wildcard response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_a a.wild-a.insecure.example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wild.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_cname a.wild-cname.insecure.example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wildcname.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
 done
 
 echo_i "prime redirect response (+nodnssec) (synth-from-dnssec ;) ($n)"
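Review bot: The label of the fourth added block reads `prime wildcard CNAME response` while the three blocks before it are labelled `prime insecure …`, so this insecure-zone test's log line is presumably indistinguishable from the existing wildcard CNAME test for the signed zone, which makes a failure report ambiguous. It should read `echo_i "prime insecure wildcard CNAME response (synth-from-dnssec ${description};) ($n)"`. The `do … done` loop these blocks run in starts before the hunk.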
@@ -229,6 +273,59 @@ do
 n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+
+ echo_i "check insecure NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.insecure.example/A > /dev/null || ret=1
+ digcomp insecure.nxdomain.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts nodata.insecure.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep nodata.insecure.example/AAAA > /dev/null || ret=1
+ digcomp insecure.nodata.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure wildcard response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ grep "b\.wild-a\.insecure\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ nextpart ns1/named.run | grep b.wild-a.insecure.example/A > /dev/null || ret=1
+ digcomp insecure.wild.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_cname b.wild-cname.insecure.example dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-cname.insecure.example/A > /dev/null || ret=1
+ grep "ns1.insecure.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ digcomp insecure.wildcname.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
 done
 
 echo_i "check redirect response (+dnssec) (synth-from-dnssec ;) ($n)"
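Review bot: `check_nosynth_cname b.wild-cname.insecure.example dig.out.ns${ns}.test$n` is the only check in either tests.sh hunk whose name lacks the trailing dot (`b.insecure.example.`, `insecure.example.`, `a.wild-cname.insecure.example.` and the check_nosynth_soa calls all carry it); if the helper matches the owner name literally this still passes as a prefix match, but it checks less than the other calls do, so it should read `check_nosynth_cname b.wild-cname.insecure.example. dig.out.ns${ns}.test$n || ret=1`. In the same block `grep "ns1.insecure.example.*.IN.A"` leaves every dot as a regex wildcard, whereas the wildcard A check two blocks up escapes them (`b\.wild-a\.insecure\.example\.`); escaping here as well keeps the pattern from being satisfied by an unrelated line. The `do … done` loop enclosing these blocks starts before the hunk.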