nsec3: skip tests that depend on RSASHA1 in FIPS mode

2025-09-05 00:55:24 +00:00 · 2022-08-25 11:05:40 +10:00
parent 2e997e2248
commit 1362360e8f
7 changed files with 337 additions and 290 deletions
--- a/bin/tests/system/nsec3/clean.sh
+++ b/bin/tests/system/nsec3/clean.sh
@@ -13,10 +13,11 @@

 set -e

+rm -f created.key-* *.created unused.key-*
 rm -f dig.out.* rndc.reload.* rndc.signing.* update.out.* verify.out.*
-rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
 rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
 rm -f ns*/K*.private ns*/K*.key ns*/K*.state
 rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
 rm -f ns*/keygen.out.* ns*/settime.out.*
-rm -f created.key-* *.created unused.key-*
+rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
+rm -f ns3/named-fips.conf
--- a/bin/tests/system/nsec3/ns3/named-fips.conf.in
+++ b/bin/tests/system/nsec3/ns3/named-fips.conf.in
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+dnssec-policy "nsec" {
+	// no need to change configuration: if no 'nsec3param' is set,
+	// NSEC will be used;
+};
+
+dnssec-policy "nsec3" {
+	nsec3param;
+};
+
+dnssec-policy "optout" {
+	nsec3param optout yes;
+};
+
+dnssec-policy "nsec3-other" {
+	nsec3param iterations 11 optout yes salt-length 8;
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
+zone "nsec-to-nsec3.kasp" {
+	type primary;
+	file "nsec-to-nsec3.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec";
+};
+
+/* These zones use the default NSEC3 settings. */
+zone "nsec3.kasp" {
+	type primary;
+	file "nsec3.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3";
+};
+
+zone "nsec3-dynamic.kasp" {
+	type primary;
+	file "nsec3-dynamic.kasp.db";
+	dnssec-policy "nsec3";
+	allow-update { any; };
+};
+
+/* This zone uses non-default NSEC3 settings. */
+zone "nsec3-other.kasp" {
+	type primary;
+	file "nsec3-other.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3-other";
+};
+
+/* These zones will be reconfigured to use other NSEC3 settings. */
+zone "nsec3-change.kasp" {
+	type primary;
+	file "nsec3-change.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3";
+};
+
+zone "nsec3-dynamic-change.kasp" {
+	type primary;
+	file "nsec3-dynamic-change.kasp.db";
+	dnssec-policy "nsec3";
+	allow-update { any; };
+};
+
+/* The zone will be reconfigured to use opt-out. */
+zone "nsec3-to-optout.kasp" {
+	type primary;
+	file "nsec3-to-optout.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3";
+};
+
+/* The zone will be reconfigured to disable opt-out. */
+zone "nsec3-from-optout.kasp" {
+	type primary;
+	file "nsec3-from-optout.kasp.db";
+	inline-signing yes;
+	dnssec-policy "optout";
+};
+
+/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
+zone "nsec3-to-nsec.kasp" {
+	type primary;
+	file "nsec3-to-nsec.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3";
+};
+
+/* The zone fails to load, this should not prevent shutdown. */
+zone "nsec3-fails-to-load.kasp" {
+	type primary;
+	file "nsec3-fails-to-load.kasp.db";
+	dnssec-policy "nsec3";
+	allow-update { any; };
+};
+
+/* These zones switch from dynamic to inline-signing or vice versa. */
+zone "nsec3-dynamic-to-inline.kasp" {
+       type primary;
+       file "nsec3-dynamic-to-inline.kasp.db";
+       dnssec-policy "nsec3";
+       allow-update { any; };
+};
+
+zone "nsec3-inline-to-dynamic.kasp" {
+       type primary;
+       file "nsec3-inline-to-dynamic.kasp.db";
+       inline-signing yes;
+       dnssec-policy "nsec3";
+};
+
+/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */
+zone "nsec3-dynamic-update-inline.kasp" {
+       type primary;
+       file "nsec3-dynamic-update-inline.kasp.db";
+       inline-signing yes;
+       allow-update { any; };
+       dnssec-policy "nsec";
+};
+
+zone "nsec3-xfr-inline.kasp" {
+       type secondary;
+       file "nsec3-xfr-inline.kasp.db";
+       inline-signing yes;
+       dnssec-policy "nsec";
+       primaries { 10.53.0.2; };
+};
--- a/bin/tests/system/nsec3/ns3/named.conf.in
+++ b/bin/tests/system/nsec3/ns3/named.conf.in
@@ -13,10 +13,7 @@

 // NS3

-dnssec-policy "nsec" {
-	// no need to change configuration: if no 'nsec3param' is set,
-	// NSEC will be used;
-};
+include "named-fips.conf";

 dnssec-policy "rsasha1" {
 	keys {
@@ -24,47 +21,6 @@ dnssec-policy "rsasha1" {
 	};
 };

-dnssec-policy "nsec3" {
-	nsec3param;
-};
-
-dnssec-policy "optout" {
-	nsec3param optout yes;
-};
-
-dnssec-policy "nsec3-other" {
-	nsec3param iterations 11 optout yes salt-length 8;
-};
-
-options {
-	query-source address 10.53.0.3;
-	notify-source 10.53.0.3;
-	transfer-source 10.53.0.3;
-	port @PORT@;
-	pid-file "named.pid";
-	listen-on { 10.53.0.3; };
-	listen-on-v6 { none; };
-	allow-transfer { any; };
-	recursion no;
-};
-
-key rndc_key {
-	secret "1234abcd8765";
-	algorithm @DEFAULT_HMAC@;
-};
-
-controls {
-	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
-zone "nsec-to-nsec3.kasp" {
-	type primary;
-	file "nsec-to-nsec3.kasp.db";
-	inline-signing yes;
-	dnssec-policy "nsec";
-};
-
 /*
 * This zone starts with NSEC, but will be reconfigured to use NSEC3.
 * This should work despite the incompatible RSAHSHA1 algorithm,
@@ -113,106 +69,3 @@ zone "nsec3-to-rsasha1-ds.kasp" {
 	inline-signing yes;
 	dnssec-policy "nsec3";
 };
-
-
-/* These zones use the default NSEC3 settings. */
-zone "nsec3.kasp" {
-	type primary;
-	file "nsec3.kasp.db";
-	inline-signing yes;
-	dnssec-policy "nsec3";
-};
-
-zone "nsec3-dynamic.kasp" {
-	type primary;
-	file "nsec3-dynamic.kasp.db";
-	dnssec-policy "nsec3";
-	allow-update { any; };
-};
-
-/* This zone uses non-default NSEC3 settings. */
-zone "nsec3-other.kasp" {
-	type primary;
-	file "nsec3-other.kasp.db";
-	inline-signing yes;
-	dnssec-policy "nsec3-other";
-};
-
-/* These zones will be reconfigured to use other NSEC3 settings. */
-zone "nsec3-change.kasp" {
-	type primary;
-	file "nsec3-change.kasp.db";
-	inline-signing yes;
-	dnssec-policy "nsec3";
-};
-
-zone "nsec3-dynamic-change.kasp" {
-	type primary;
-	file "nsec3-dynamic-change.kasp.db";
-	dnssec-policy "nsec3";
-	allow-update { any; };
-};
-
-/* The zone will be reconfigured to use opt-out. */
-zone "nsec3-to-optout.kasp" {
-	type primary;
-	file "nsec3-to-optout.kasp.db";
-	inline-signing yes;
-	dnssec-policy "nsec3";
-};
-
-/* The zone will be reconfigured to disable opt-out. */
-zone "nsec3-from-optout.kasp" {
-	type primary;
-	file "nsec3-from-optout.kasp.db";
-	inline-signing yes;
-	dnssec-policy "optout";
-};
-
-/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
-zone "nsec3-to-nsec.kasp" {
-	type primary;
-	file "nsec3-to-nsec.kasp.db";
-	inline-signing yes;
-	dnssec-policy "nsec3";
-};
-
-/* The zone fails to load, this should not prevent shutdown. */
-zone "nsec3-fails-to-load.kasp" {
-	type primary;
-	file "nsec3-fails-to-load.kasp.db";
-	dnssec-policy "nsec3";
-	allow-update { any; };
-};
-
-/* These zones switch from dynamic to inline-signing or vice versa. */
-zone "nsec3-dynamic-to-inline.kasp" {
-	type primary;
-	file "nsec3-dynamic-to-inline.kasp.db";
-	dnssec-policy "nsec3";
-	allow-update { any; };
-};
-
-zone "nsec3-inline-to-dynamic.kasp" {
-	type primary;
-	file "nsec3-inline-to-dynamic.kasp.db";
-	inline-signing yes;
-	dnssec-policy "nsec3";
-};
-
-/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */
-zone "nsec3-dynamic-update-inline.kasp" {
-	type primary;
-	file "nsec3-dynamic-update-inline.kasp.db";
-	inline-signing yes;
-	allow-update { any; };
-	dnssec-policy "nsec";
-};
-
-zone "nsec3-xfr-inline.kasp" {
-	type secondary;
-	file "nsec3-xfr-inline.kasp.db";
-	inline-signing yes;
-	dnssec-policy "nsec";
-	primaries { 10.53.0.2; };
-};
--- a/bin/tests/system/nsec3/ns3/named2-fips.conf.in
+++ b/bin/tests/system/nsec3/ns3/named2-fips.conf.in
@@ -0,0 +1,153 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+dnssec-policy "nsec" {
+	// no need to change configuration: if no 'nsec3param' is set,
+	// NSEC will be used;
+};
+
+dnssec-policy "nsec3" {
+	nsec3param;
+};
+
+dnssec-policy "optout" {
+	nsec3param optout yes;
+};
+
+dnssec-policy "nsec3-other" {
+	nsec3param iterations 11 optout yes salt-length 0;
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
+zone "nsec-to-nsec3.kasp" {
+	type primary;
+	file "nsec-to-nsec3.kasp.db";
+	inline-signing yes;
+	//dnssec-policy "nsec";
+	dnssec-policy "nsec3";
+};
+
+/* These zones use the default NSEC3 settings. */
+zone "nsec3.kasp" {
+	type primary;
+	file "nsec3.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3";
+};
+
+zone "nsec3-dynamic.kasp" {
+	type primary;
+	file "nsec3-dynamic.kasp.db";
+	dnssec-policy "nsec3";
+	allow-update { any; };
+};
+
+/* This zone uses non-default NSEC3 settings. */
+zone "nsec3-other.kasp" {
+	type primary;
+	file "nsec3-other.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3-other";
+};
+
+/* These zone will be reconfigured to use other NSEC3 settings. */
+zone "nsec3-change.kasp" {
+	type primary;
+	file "nsec3-change.kasp.db";
+	inline-signing yes;
+	//dnssec-policy "nsec3";
+	dnssec-policy "nsec3-other";
+};
+
+zone "nsec3-dynamic-change.kasp" {
+	type primary;
+	file "nsec3-dynamic-change.kasp.db";
+	//dnssec-policy "nsec3";
+	dnssec-policy "nsec3-other";
+	allow-update { any; };
+};
+
+/* The zone will be reconfigured to use opt-out. */
+zone "nsec3-to-optout.kasp" {
+	type primary;
+	file "nsec3-to-optout.kasp.db";
+	inline-signing yes;
+	//dnssec-policy "nsec3";
+	dnssec-policy "optout";
+};
+
+/* The zone will be reconfigured to disable opt-out. */
+zone "nsec3-from-optout.kasp" {
+	type primary;
+	file "nsec3-from-optout.kasp.db";
+	inline-signing yes;
+	//dnssec-policy "optout";
+	dnssec-policy "nsec3";
+};
+
+/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
+zone "nsec3-to-nsec.kasp" {
+	type primary;
+	file "nsec3-to-nsec.kasp.db";
+	inline-signing yes;
+	//dnssec-policy "nsec3";
+	dnssec-policy "nsec";
+};
+
+/* The zone fails to load, but is fixed after a reload. */
+zone "nsec3-fails-to-load.kasp" {
+	type primary;
+	file "nsec3-fails-to-load.kasp.db";
+	dnssec-policy "nsec3";
+	allow-update { any; };
+};
+
+/* These zones switch from dynamic to inline-signing or vice versa. */
+zone "nsec3-dynamic-to-inline.kasp" {
+       type primary;
+       file "nsec3-dynamic-to-inline.kasp.db";
+       inline-signing yes;
+       dnssec-policy "nsec3";
+       allow-update { any; };
+};
+
+zone "nsec3-inline-to-dynamic.kasp" {
+       type primary;
+       file "nsec3-inline-to-dynamic.kasp.db";
+       inline-signing no;
+       dnssec-policy "nsec3";
+       allow-update { any; };
+};
--- a/bin/tests/system/nsec3/ns3/named2.conf.in
+++ b/bin/tests/system/nsec3/ns3/named2.conf.in
@@ -13,10 +13,7 @@

 // NS3

-dnssec-policy "nsec" {
-	// no need to change configuration: if no 'nsec3param' is set,
-	// NSEC will be used;
-};
+include "named-fips.conf";

 dnssec-policy "rsasha1" {
 	keys {
@@ -24,48 +21,6 @@ dnssec-policy "rsasha1" {
 	};
 };

-dnssec-policy "nsec3" {
-	nsec3param;
-};
-
-dnssec-policy "optout" {
-	nsec3param optout yes;
-};
-
-dnssec-policy "nsec3-other" {
-	nsec3param iterations 11 optout yes salt-length 0;
-};
-
-options {
-	query-source address 10.53.0.3;
-	notify-source 10.53.0.3;
-	transfer-source 10.53.0.3;
-	port @PORT@;
-	pid-file "named.pid";
-	listen-on { 10.53.0.3; };
-	listen-on-v6 { none; };
-	allow-transfer { any; };
-	recursion no;
-};
-
-key rndc_key {
-	secret "1234abcd8765";
-	algorithm @DEFAULT_HMAC@;
-};
-
-controls {
-	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
-zone "nsec-to-nsec3.kasp" {
-	type primary;
-	file "nsec-to-nsec3.kasp.db";
-	inline-signing yes;
-	//dnssec-policy "nsec";
-	dnssec-policy "nsec3";
-};
-
 /*
 * This zone starts with NSEC, but will be reconfigured to use NSEC3.
 * This should work despite the incompatible RSAHSHA1 algorithm,
@@ -118,95 +73,3 @@ zone "nsec3-to-rsasha1-ds.kasp" {
 	//dnssec-policy "nsec3";
 	dnssec-policy "rsasha1";
 };
-
-/* These zones use the default NSEC3 settings. */
-zone "nsec3.kasp" {
-	type primary;
-	file "nsec3.kasp.db";
-	inline-signing yes;
-	dnssec-policy "nsec3";
-};
-
-zone "nsec3-dynamic.kasp" {
-	type primary;
-	file "nsec3-dynamic.kasp.db";
-	dnssec-policy "nsec3";
-	allow-update { any; };
-};
-
-/* This zone uses non-default NSEC3 settings. */
-zone "nsec3-other.kasp" {
-	type primary;
-	file "nsec3-other.kasp.db";
-	inline-signing yes;
-	dnssec-policy "nsec3-other";
-};
-
-/* These zone will be reconfigured to use other NSEC3 settings. */
-zone "nsec3-change.kasp" {
-	type primary;
-	file "nsec3-change.kasp.db";
-	inline-signing yes;
-	//dnssec-policy "nsec3";
-	dnssec-policy "nsec3-other";
-};
-
-zone "nsec3-dynamic-change.kasp" {
-	type primary;
-	file "nsec3-dynamic-change.kasp.db";
-	//dnssec-policy "nsec3";
-	dnssec-policy "nsec3-other";
-	allow-update { any; };
-};
-
-/* The zone will be reconfigured to use opt-out. */
-zone "nsec3-to-optout.kasp" {
-	type primary;
-	file "nsec3-to-optout.kasp.db";
-	inline-signing yes;
-	//dnssec-policy "nsec3";
-	dnssec-policy "optout";
-};
-
-/* The zone will be reconfigured to disable opt-out. */
-zone "nsec3-from-optout.kasp" {
-	type primary;
-	file "nsec3-from-optout.kasp.db";
-	inline-signing yes;
-	//dnssec-policy "optout";
-	dnssec-policy "nsec3";
-};
-
-/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
-zone "nsec3-to-nsec.kasp" {
-	type primary;
-	file "nsec3-to-nsec.kasp.db";
-	inline-signing yes;
-	//dnssec-policy "nsec3";
-	dnssec-policy "nsec";
-};
-
-/* The zone fails to load, but is fixed after a reload. */
-zone "nsec3-fails-to-load.kasp" {
-	type primary;
-	file "nsec3-fails-to-load.kasp.db";
-	dnssec-policy "nsec3";
-	allow-update { any; };
-};
-
-/* These zones switch from dynamic to inline-signing or vice versa. */
-zone "nsec3-dynamic-to-inline.kasp" {
-	type primary;
-	file "nsec3-dynamic-to-inline.kasp.db";
-	inline-signing yes;
-	dnssec-policy "nsec3";
-	allow-update { any; };
-};
-
-zone "nsec3-inline-to-dynamic.kasp" {
-	type primary;
-	file "nsec3-inline-to-dynamic.kasp.db";
-	inline-signing no;
-	dnssec-policy "nsec3";
-	allow-update { any; };
-};
--- a/bin/tests/system/nsec3/setup.sh
+++ b/bin/tests/system/nsec3/setup.sh
@@ -23,7 +23,15 @@ copy_setports ns2/named.conf.in ns2/named.conf
 	cd ns2
 	$SHELL setup.sh
 )
-copy_setports ns3/named.conf.in ns3/named.conf
+
+if $FEATURETEST --have-fips-mode
+then
+    copy_setports ns3/named-fips.conf.in ns3/named.conf
+else
+    copy_setports ns3/named-fips.conf.in ns3/named-fips.conf
+    # includes named-fips.conf
+    cp ns3/named.conf.in ns3/named.conf
+fi
 (
 	cd ns3
 	$SHELL setup.sh
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -391,7 +391,14 @@ check_nsec
 # Reconfig named.
 ret=0
 echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
-copy_setports ns3/named2.conf.in ns3/named.conf
+if $FEATURETEST --have-fips-mode
+then
+    copy_setports ns3/named2-fips.conf.in ns3/named.conf
+else
+    copy_setports ns3/named2-fips.conf.in ns3/named-fips.conf
+    # includes named-fips.conf
+    cp ns3/named2.conf.in ns3/named.conf
+fi
 rndc_reconfig ns3 10.53.0.3

 # Zone: nsec-to-nsec3.kasp. (reconfigured)