Extend synthfromdnssec to check insecure responses
Add matching tests against an insecure zone to those which are synthesised.
committed by
Petr Špaček
parent
27acf56ba3
commit
10a05dc26a
@@ -21,6 +21,8 @@ rm -f ./ns1/K*+*+*.private
|
|||||||
rm -f ./ns1/dsset-*
|
rm -f ./ns1/dsset-*
|
||||||
rm -f ./ns1/example.db
|
rm -f ./ns1/example.db
|
||||||
rm -f ./ns1/example.db.signed
|
rm -f ./ns1/example.db.signed
|
||||||
|
rm -f ./ns1/insecure.example.db
|
||||||
|
rm -f ./ns1/insecure.example.db.signed
|
||||||
rm -f ./ns1/dnamed.db
|
rm -f ./ns1/dnamed.db
|
||||||
rm -f ./ns1/dnamed.db.signed
|
rm -f ./ns1/dnamed.db.signed
|
||||||
rm -f ./ns1/root.db
|
rm -f ./ns1/root.db
|
||||||
@@ -28,7 +30,7 @@ rm -f ./ns1/root.db.signed
|
|||||||
rm -f ./ns1/trusted.conf
|
rm -f ./ns1/trusted.conf
|
||||||
rm -f ./ns2/named_dump.db
|
rm -f ./ns2/named_dump.db
|
||||||
rm -f ./ns*/managed-keys.bind*
|
rm -f ./ns*/managed-keys.bind*
|
||||||
rm -f ./nodata.out
|
rm -f ./nodata.out ./insecure.nodata.out
|
||||||
rm -f ./nxdomain.out
|
rm -f ./nxdomain.out ./insecure.nxdomain.out
|
||||||
rm -f ./wild.out
|
rm -f ./wild.out ./insecure.wild.out
|
||||||
rm -f ./wildcname.out
|
rm -f ./wildcname.out ./insecure.wildcname.out
|
||||||
|
@@ -34,6 +34,11 @@ zone "example" {
|
|||||||
file "example.db.signed";
|
file "example.db.signed";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
zone "insecure.example" {
|
||||||
|
type primary;
|
||||||
|
file "insecure.example.db.signed";
|
||||||
|
};
|
||||||
|
|
||||||
zone "dnamed" {
|
zone "dnamed" {
|
||||||
type primary;
|
type primary;
|
||||||
file "dnamed.db.signed";
|
file "dnamed.db.signed";
|
||||||
|
@@ -16,6 +16,17 @@ zone=example
|
|||||||
infile=example.db.in
|
infile=example.db.in
|
||||||
zonefile=example.db
|
zonefile=example.db
|
||||||
|
|
||||||
|
keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
|
||||||
|
cat "$infile" "$keyname.key" > "$zonefile"
|
||||||
|
echo insecure NS ns1.insecure >> "$zonefile"
|
||||||
|
echo ns1.insecure A 10.53.0.1 >> "$zonefile"
|
||||||
|
|
||||||
|
$SIGNER -P -o $zone $zonefile > /dev/null
|
||||||
|
|
||||||
|
zone=insecure.example
|
||||||
|
infile=example.db.in
|
||||||
|
zonefile=insecure.example.db
|
||||||
|
|
||||||
keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
|
keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
|
||||||
cat "$infile" "$keyname.key" > "$zonefile"
|
cat "$infile" "$keyname.key" > "$zonefile"
|
||||||
|
|
||||||
|
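Review bot: The new `echo insecure NS ns1.insecure >> "$zonefile"` and `echo ns1.insecure A 10.53.0.1 >> "$zonefile"` lines delegate insecure.example from the example zone without any DS record, and the new `$SIGNER -P -o $zone $zonefile > /dev/null` line signs example before the child's key is even generated, so the child ends up with an insecure delegation even though the script goes on to sign it; nothing in the hunk states that this is deliberate. A comment above the first echo would make the intent explicit, e.g. `# Delegate to insecure.example with no DS record so the child is an insecure zone, even though it is signed below.`. The `$SIGNER` line for the insecure.example zone and the rest of the script lie outside the hunk, so whether a dsset for the child is ever merged into example cannot be confirmed from here. The added `$SIGNER` line leaves `$zone` and `$zonefile` unquoted, which matches the pre-existing `$KEYGEN` line and is harmless for these fixed names.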
@@ -128,6 +128,50 @@ do
|
|||||||
n=$((n+1))
|
n=$((n+1))
|
||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=$((status+ret))
|
status=$((status+ret))
|
||||||
|
|
||||||
|
echo_i "prime insecure negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
|
||||||
|
ret=0
|
||||||
|
dig_with_opts a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
|
||||||
|
[ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nxdomain.out
|
||||||
|
n=$((n+1))
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
status=$((status+ret))
|
||||||
|
|
||||||
|
echo_i "prime insecure negative NODATA response (synth-from-dnssec ${description};) ($n)"
|
||||||
|
ret=0
|
||||||
|
dig_with_opts nodata.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
|
||||||
|
[ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nodata.out
|
||||||
|
n=$((n+1))
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
status=$((status+ret))
|
||||||
|
|
||||||
|
echo_i "prime insecure wildcard response (synth-from-dnssec ${description};) ($n)"
|
||||||
|
ret=0
|
||||||
|
dig_with_opts a.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_nosynth_a a.wild-a.insecure.example. dig.out.ns${ns}.test$n || ret=1
|
||||||
|
[ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wild.out
|
||||||
|
n=$((n+1))
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
status=$((status+ret))
|
||||||
|
|
||||||
|
echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
|
||||||
|
ret=0
|
||||||
|
dig_with_opts a.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_nosynth_cname a.wild-cname.insecure.example. dig.out.ns${ns}.test$n || ret=1
|
||||||
|
[ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wildcname.out
|
||||||
|
n=$((n+1))
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
status=$((status+ret))
|
||||||
done
|
done
|
||||||
|
|
||||||
echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
|
echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
|
||||||
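Review bot: The fourth priming test's label `echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)"` omits the word "insecure", unlike the three sibling labels added in this hunk and the matching `check insecure wildcard CNAME response` label in the later hunk, so a failure here would presumably be logged under the same name as the existing secure-zone wildcard CNAME test. Changing it to `echo_i "prime insecure wildcard CNAME response (synth-from-dnssec ${description};) ($n)"` keeps the test output distinguishable. The `[ $ns -eq 2 ] && cp ...` and `[ $ns -eq 2 ] && sed ...` lines only capture the ns2 answer as the baseline for the later digcomp and intentionally do not touch `ret`, matching the existing pattern. The enclosing `do ... done` loop begins before the hunk.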
@@ -229,6 +273,59 @@ do
|
|||||||
n=$((n+1))
|
n=$((n+1))
|
||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=$((status+ret))
|
status=$((status+ret))
|
||||||
|
|
||||||
|
echo_i "check insecure NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
|
||||||
|
ret=0
|
||||||
|
nextpart ns1/named.run > /dev/null
|
||||||
|
dig_with_opts b.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
|
||||||
|
nextpart ns1/named.run | grep b.insecure.example/A > /dev/null || ret=1
|
||||||
|
digcomp insecure.nxdomain.out dig.out.ns${ns}.test$n || ret=1
|
||||||
|
n=$((n+1))
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
status=$((status+ret))
|
||||||
|
|
||||||
|
echo_i "check insecure NODATA response (synth-from-dnssec ${description};) ($n)"
|
||||||
|
ret=0
|
||||||
|
nextpart ns1/named.run > /dev/null
|
||||||
|
dig_with_opts nodata.insecure.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
|
||||||
|
nextpart ns1/named.run | grep nodata.insecure.example/AAAA > /dev/null || ret=1
|
||||||
|
digcomp insecure.nodata.out dig.out.ns${ns}.test$n || ret=1
|
||||||
|
n=$((n+1))
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
status=$((status+ret))
|
||||||
|
|
||||||
|
echo_i "check insecure wildcard response (synth-from-dnssec ${description};) ($n)"
|
||||||
|
ret=0
|
||||||
|
nextpart ns1/named.run > /dev/null
|
||||||
|
dig_with_opts b.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
|
||||||
|
grep "b\.wild-a\.insecure\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
|
||||||
|
nextpart ns1/named.run | grep b.wild-a.insecure.example/A > /dev/null || ret=1
|
||||||
|
digcomp insecure.wild.out dig.out.ns${ns}.test$n || ret=1
|
||||||
|
n=$((n+1))
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
status=$((status+ret))
|
||||||
|
|
||||||
|
echo_i "check insecure wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
|
||||||
|
ret=0
|
||||||
|
nextpart ns1/named.run > /dev/null
|
||||||
|
dig_with_opts b.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
|
||||||
|
check_nosynth_cname b.wild-cname.insecure.example dig.out.ns${ns}.test$n || ret=1
|
||||||
|
nextpart ns1/named.run | grep b.wild-cname.insecure.example/A > /dev/null || ret=1
|
||||||
|
grep "ns1.insecure.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
|
||||||
|
digcomp insecure.wildcname.out dig.out.ns${ns}.test$n || ret=1
|
||||||
|
n=$((n+1))
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
status=$((status+ret))
|
||||||
done
|
done
|
||||||
|
|
||||||
echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)"
|
echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)"
|
||||||
|
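Review bot: `check_nosynth_cname b.wild-cname.insecure.example dig.out.ns${ns}.test$n` passes the owner name without its trailing dot, while every other name handed to the check_* helpers in this hunk and in the priming hunk (`check_nosynth_soa insecure.example.`, `check_nosynth_cname a.wild-cname.insecure.example.`) is fully qualified; if the helper greps for the name as given, the check may match loosely or fail outright, so it should read `check_nosynth_cname b.wild-cname.insecure.example. dig.out.ns${ns}.test$n`. check_nosynth_cname is defined outside the hunk, so the exact effect cannot be confirmed from here. Likewise `grep "ns1.insecure.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1` leaves its dots unescaped and is unanchored, unlike the escaped `grep "b\.wild-a\.insecure\.example\..*3600.IN.A"` a few lines earlier; assuming dig's usual owner-first line layout, `grep "^ns1\.insecure\.example\..*IN.A"` would pin the match to that owner name. The enclosing `do ... done` loop starts before the hunk.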