diff --git a/bin/tests/system/checkds/README b/bin/tests/system/checkds/README index 759c4bd336..7fe17db212 100644 --- a/bin/tests/system/checkds/README +++ b/bin/tests/system/checkds/README @@ -14,6 +14,7 @@ The test setup for the checkds tests. These servers are parent servers: - ns2 is a primary authoritative server that serves the parent zone for zones configured in ns9. +- ns3 is a resolver that can be configured as a parental agent. - ns4 is the secondary server for ns2. - ns5 is a primary authoritative server that serves the parent zone for zones configured in ns9, but this one does not publish DS records (to test cases 
@@ -24,3 +25,65 @@ These servers are parent servers: Finally, ns9 is the authoritative server for the various DNSSEC enabled test domains. + +We need multiple test cases for testing the "checkds" functionality. Basically, +the behavior of "checkds" is of importance in three cases: + +1. Enabling DNSSEC +2. KSK rollover +3. Going insecure + +All these three cases involve publishing DS records into the parent, and +withdrawing them. The named instance is responsible for checking that the +relevant DS records are published or removed from the parent zone. Therefor, +it needs to know what the parental agents are (the servers that it can send +the DS queries to). + +Then there are two ways of retrieving parental agents, either through explicit +configuration ("checkds explicit;"), or through discovery ("checkds yes;"). In +the latter case, the parental agents are retrieved by querying for the parent NS +RRset. + +The third value is "checkds no;", which disables the feature. + +Depending on the DS publication status, the DS state of the key needs to be +updated. In case of DS publication, the "DSPublish" state should be set, only +if all parental agents have the relevant DS published. In case of DS withdrawal, +the "DSRemoved" state should be set, only if none of the parental agents have +the relevant DS in their zone. + +Regardless of how parental agents are retrieved, we identify the following test +cases: + +1. Enabling DNSSEC + +1.1. - With one parental agent +1.1.1. - DS is correctly published in the parent: DSPublish +1.1.2. - DS is not (yet) published in the parent: !DSPublish +1.1.3. - The parental agent is badly configured: !DSPublish +1.1.4. - DS is published, but has bogus signature: !DSPublish + +1.2. - With multiple parental agents +1.2.1. - DS is correctly published in all parents: DSPublish +1.2.2. - DS is not (yet) published in some parents: !DSPublish +1.2.3. - One parental agent is badly configured: !DSPublish +1.2.4. 
- DS is completely published, bogus signature: !DSPublish
+
+2. Going insecure
+
+2.1. - With one parental agent
+2.1.1. - DS is correctly withdrawn from the parent: DSRemoved
+2.1.2. - DS is (still) published in the parent: !DSRemoved
+2.1.3. - The parental agent is badly configured: !DSRemoved
+2.1.4. - DS is withdrawn, but has bogus signature: !DSRemoved
+
+2.2. - With multiple parental agents
+2.2.1. - DS is correctly withdrawn from all parents: DSRemoved
+2.2.2. - DS is not (yet) withdrawn from some parents: !DSRemoved
+2.2.3. - One parental agent is badly configured: !DSRemoved
+2.2.4. - DS is removed completely, bogus signature: !DSRemoved
+
+We deliberately don't test the "KSK Rollover" case in this system test as this
+can be considered as the same as "Enabling DNSSEC" for one key and
+"Going insecure" for another case. In other words, it is covered by the two
+other scenarios (although we might still add the test cases in the future).
diff --git a/bin/tests/system/checkds/clean.sh b/bin/tests/system/checkds/clean.sh
index c73067f46f..ec51f996dd 100644
--- a/bin/tests/system/checkds/clean.sh
+++ b/bin/tests/system/checkds/clean.sh
@@ -17,6 +17,7 @@ rm -f dig.out*
 rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
 rm -f ns*/*.jnl ns*/*.jbk
 rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/*.keyname
 rm -f ns*/dsset-*
 rm -f ns*/*.db ns*/*.jnl ns*/*.jbk ns*/*.db.signed ns*/*.db.infile
 rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
@@ -24,4 +25,4 @@ rm -f ns*/managed-keys.bind*
 rm -f ns*/trusted.conf
 rm -f ns*/*.mkeys
 rm -f ns*/zones
-rm -f *.checkds.out
+rm -f ./*.out
diff --git a/bin/tests/system/checkds/ns1/root.db.in b/bin/tests/system/checkds/ns1/root.db.in
index b2b9924150..89e1b936e6 100644
--- a/bin/tests/system/checkds/ns1/root.db.in
+++ b/bin/tests/system/checkds/ns1/root.db.in
@@ -20,5 +20,49 @@ $TTL 300 . NS a.root-servers.nil. a.root-servers.nil. A 10.53.0.1 -checkds. NS ns2.checkds. -ns2.checkds. A 10.53.0.2 +ns2. NS ns2.ns2. +ns2.ns2. A 10.53.0.2 + +ns2-4. NS ns2.ns2-4. +ns2-4. NS ns4.ns2-4. +ns2.ns2-4. A 10.53.0.2 +ns4.ns2-4. A 10.53.0.4 + +ns2-4-5. NS ns2.ns2-4-5. +ns2-4-5. NS ns4.ns2-4-5. +ns2-4-5. NS ns5.ns2-4-5. +ns2.ns2-4-5. A 10.53.0.2 +ns4.ns2-4-5. A 10.53.0.4 +ns5.ns2-4-5. A 10.53.0.5 + +ns2-4-6. NS ns2.ns2-4-6. +ns2-4-6. NS ns4.ns2-4-6. +ns2-4-6. NS ns6.ns2-4-6. +ns2.ns2-4-6. A 10.53.0.2 +ns4.ns2-4-6. A 10.53.0.4 +ns6.ns2-4-6. A 10.53.0.6 + +ns2-5-7. NS ns2.ns2-5-7. +ns2-5-7. NS ns5.ns2-5-7. +ns2-5-7. NS ns7.ns2-5-7. +ns2.ns2-5-7. A 10.53.0.2 +ns5.ns2-5-7. A 10.53.0.5 +ns7.ns2-5-7. A 10.53.0.7 + +ns5. NS ns5.ns5. +ns5.ns5. A 10.53.0.5 + +ns5-6-7. NS ns5.ns5-6-7. +ns5-6-7. NS ns6.ns5-6-7. +ns5-6-7. NS ns7.ns5-6-7. +ns5.ns5-6-7. A 10.53.0.5 +ns6.ns5-6-7. A 10.53.0.6 +ns7.ns5-6-7. A 10.53.0.7 + +ns5-7. NS ns5.ns5-7. +ns5-7. NS ns7.ns5-7. +ns5.ns5-7. A 10.53.0.5 +ns7.ns5-7. A 10.53.0.7 + +ns6. NS ns6.ns6. +ns6.ns6. A 10.53.0.6 diff --git a/bin/tests/system/checkds/ns1/setup.sh b/bin/tests/system/checkds/ns1/setup.sh index 537fb42a6f..218ef6313d 100644 --- a/bin/tests/system/checkds/ns1/setup.sh +++ b/bin/tests/system/checkds/ns1/setup.sh @@ -22,8 +22,6 @@ zonefile=root.db echo_i "ns1/setup.sh" -cp "../ns2/dsset-checkds." . - ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cp "$ksk.key" "../ns10/" @@ -44,3 +42,4 @@ cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" keyfile_to_static_ds "$ksk" > trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns8/trusted.conf +cp trusted.conf ../ns9/trusted.conf diff --git a/bin/tests/system/checkds/ns2/named.conf.in b/bin/tests/system/checkds/ns2/named.conf.in index f49cec8c94..4436fca811 100644 --- a/bin/tests/system/checkds/ns2/named.conf.in 
+++ b/bin/tests/system/checkds/ns2/named.conf.in
@@ -39,8 +39,83 @@ zone "." {
 file "../../common/root.hint";
 };
-zone "checkds" {
+zone "ns2" {
 type primary;
+ allow-update { any; };
 allow-transfer { 10.53.0.2; 10.53.0.4; };
- file "checkds.db";
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns2.db";
+};
+
+zone "ns2-4" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; };
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns2-4.db";
+};
+
+zone "ns2-4-5" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; };
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns2-4-5.db";
+};
+
+zone "ns2-4-6" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; };
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns2-4-6.db";
+};
+
+zone "ns2-5-7" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; };
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns2-5-7.db";
+};
+
+zone "ns5" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; };
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns5.db";
+};
+
+zone "ns5-6-7" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; };
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns5-6-7.db";
+};
+
+zone "ns5-7" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; };
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns5-7.db";
+};
+
+zone "ns6" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; };
+ also-notify { 10.53.0.4; };
+ dnssec-policy default;
+ file "ns6.db";
 };
diff --git a/bin/tests/system/checkds/ns2/ns2-4-5.db.in b/bin/tests/system/checkds/ns2/ns2-4-5.db.in
new file mode 100644
index 0000000000..9ea5b889c2
--- /dev/null
+++ b/bin/tests/system/checkds/ns2/ns2-4-5.db.in
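Review bot: Each of the nine new primary zones in this hunk sets `allow-update { any; };`, accepting dynamic updates from any source address, while `allow-transfer` on the same zones is restricted to the two known servers; unless the updates genuinely arrive from arbitrary addresses, the ACL could be narrowed to the test network, e.g. `allow-update { 10.53.0.0/24; };`, or the reason for `any` recorded once above the zone blocks, e.g. `// Unrestricted updates: the test driver adds and removes DS records in these parent zones.` (wording to be confirmed against the driver, which is not in this diff). The same nine blocks with the same options are added to ns5/named.conf.in further down, so the same decision applies there. On the isolated test network this is harmless, but the blocks differ only in zone name and this is the line most likely to be copied into a real configuration, so one comment covers all of them.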
@@ -0,0 +1,30 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 + NS ns4 + NS ns5 +ns2 A 10.53.0.2 +ns4 A 10.53.0.4 +ns5 A 10.53.0.5 + +$ORIGIN explicit.dspublish.ns2-4-5. +incomplete NS ns9.incomplete +ns9.imcomplete A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns2-4-6.db.in b/bin/tests/system/checkds/ns2/ns2-4-6.db.in new file mode 100644 index 0000000000..f30962852b --- /dev/null +++ b/bin/tests/system/checkds/ns2/ns2-4-6.db.in @@ -0,0 +1,30 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 + NS ns4 + NS ns6 +ns2 A 10.53.0.2 +ns4 A 10.53.0.4 +ns6 A 10.53.0.6 + +$ORIGIN explicit.dspublish.ns2-4-6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns2-4.db.in b/bin/tests/system/checkds/ns2/ns2-4.db.in new file mode 100644 index 0000000000..5ed06dbb92 --- /dev/null 
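Review bot: The glue record on the last line of this new file is owned by `ns9.imcomplete`, but the delegation just above it points to `ns9.incomplete`, so under `$ORIGIN explicit.dspublish.ns2-4-5.` the delegated name server has no matching A record; the line should read `ns9.incomplete A 10.53.0.9`. The ns5/ns2-4-5.db.in file added later in this diff has the same blob id (9ea5b889c2) and therefore carries the same typo. Whether the absent glue changes the outcome of the `incomplete` case depends on how that case reaches ns9, which isn't visible here, but the zone data is inconsistent either way and the NS/A pairs in the sibling files (e.g. `bad`/`ns9.bad`, `good`/`ns9.good`) all match.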
+++ b/bin/tests/system/checkds/ns2/ns2-4.db.in @@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 + NS ns4 +ns2 A 10.53.0.2 +ns4 A 10.53.0.4 + +$ORIGIN explicit.dspublish.ns2-4. +good NS ns9.good +ns9.good A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns2-5-7.db.in b/bin/tests/system/checkds/ns2/ns2-5-7.db.in new file mode 100644 index 0000000000..689f316e5c --- /dev/null +++ b/bin/tests/system/checkds/ns2/ns2-5-7.db.in @@ -0,0 +1,30 @@ + ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 + NS ns5 + NS ns7 +ns2 A 10.53.0.2 +ns5 A 10.53.0.5 +ns7 A 10.53.0.7 + +$ORIGIN explicit.dsremoved.ns2-5-7. +incomplete NS ns9.incomplete +ns9.incomplete A 10.53.0.9 
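Review bot: The first line of the new ns2-5-7.db.in appears as `+ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")` with a leading space before the `;`, whereas every other zone file added in this diff starts its license header at column 0; the ns5/ns2-5-7.db.in copy (same blob id 689f316e5c) shows the same. The line is still a comment to the zone parser, so this is cosmetic, but the header should match the other files: `; Copyright (C) Internet Systems Consortium, Inc. ("ISC")`.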
diff --git a/bin/tests/system/checkds/ns2/template.db.in b/bin/tests/system/checkds/ns2/ns2.db.in similarity index 52% rename from bin/tests/system/checkds/ns2/template.db.in rename to bin/tests/system/checkds/ns2/ns2.db.in index 13d814f871..200129ef1b 100644 --- a/bin/tests/system/checkds/ns2/template.db.in +++ b/bin/tests/system/checkds/ns2/ns2.db.in @@ -21,19 +21,14 @@ $TTL 300 NS ns2 ns2 A 10.53.0.2 -dspublished NS ns9.dspublished +$ORIGIN explicit.dspublish.ns2. +good NS ns9.good reference NS ns9.reference -missing-dspublished NS ns9.missing-dspublished -bad-dspublished NS ns9.bad-dspublished -multiple-dspublished NS ns9.multiple-dspublished -incomplete-dspublished NS ns9.incomplete-dspublished -bad2-dspublished NS ns9.bad2-dspublished -resolver-dspublished NS ns9.resolver-dspublished +resolver NS ns9.resolver +ns9.good A 10.53.0.9 +ns9.reference A 10.53.0.9 +ns9.resolver A 10.53.0.9 -dswithdrawn NS ns9.dswithdrawn -missing-dswithdrawn NS ns9.missing-dswithdrawn -bad-dswithdrawn NS ns9.bad-dswithdrawn -multiple-dswithdrawn NS ns9.multiple-dswithdrawn -incomplete-dswithdrawn NS ns9.incomplete-dswithdrawn -bad2-dswithdrawn NS ns9.bad2-dswithdrawn -resolver-dswithdrawn NS ns9.resolver-dswithdrawn +$ORIGIN explicit.dsremoved.ns2. +still-there NS ns9.still-there +ns9.still-there A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns5-6-7.db.in b/bin/tests/system/checkds/ns2/ns5-6-7.db.in new file mode 100644 index 0000000000..5a4200bda9 --- /dev/null +++ b/bin/tests/system/checkds/ns2/ns5-6-7.db.in 
@@ -0,0 +1,30 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns5 + NS ns6 + NS ns7 +ns5 A 10.53.0.5 +ns6 A 10.53.0.6 +ns7 A 10.53.0.7 + +$ORIGIN explicit.dsremoved.ns5-6-7. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns5-7.db.in b/bin/tests/system/checkds/ns2/ns5-7.db.in new file mode 100644 index 0000000000..f051c5eafb --- /dev/null +++ b/bin/tests/system/checkds/ns2/ns5-7.db.in @@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns5 + NS ns7 +ns5 A 10.53.0.5 +ns7 A 10.53.0.7 + +$ORIGIN explicit.dsremoved.ns5-7. +good NS ns9.good +ns9.good A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns5.db.in b/bin/tests/system/checkds/ns2/ns5.db.in new file mode 100644 index 0000000000..33449d340c --- /dev/null +++ b/bin/tests/system/checkds/ns2/ns5.db.in 
@@ -0,0 +1,32 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns5 +ns5 A 10.53.0.5 + +$ORIGIN explicit.dspublish.ns5. +not-yet NS ns9.not-yet +ns9.not-yet A 10.53.0.9 + +$ORIGIN explicit.dsremoved.ns5. +good NS ns9.good +resolver NS ns9.resolver +ns9.good A 10.53.0.9 +ns9.resolver A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns6.db.in b/bin/tests/system/checkds/ns2/ns6.db.in new file mode 100644 index 0000000000..27cbb03d99 --- /dev/null +++ b/bin/tests/system/checkds/ns2/ns6.db.in @@ -0,0 +1,30 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns6 +ns6 A 10.53.0.6 + +$ORIGIN explicit.dspublish.ns6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 + +$ORIGIN explicit.dsremoved.ns6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/setup.sh b/bin/tests/system/checkds/ns2/setup.sh index 37019480c1..a549e3a2ca 100644 
--- a/bin/tests/system/checkds/ns2/setup.sh
+++ b/bin/tests/system/checkds/ns2/setup.sh
@@ -16,21 +16,19 @@ echo_i "ns2/setup.sh"
-for subdomain in dspublished reference missing-dspublished bad-dspublished \
- multiple-dspublished incomplete-dspublished bad2-dspublished \
- resolver-dspublished \
- dswithdrawn missing-dswithdrawn bad-dswithdrawn \
- multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn \
- resolver-dswithdrawn
+for zn in \
+ ns2 ns2-4 ns2-4-5 ns2-4-6 ns2-5-7 \
+ ns5 ns5-6-7 ns5-7 ns6
 do
- cp "../ns9/dsset-$subdomain.checkds." .
+ zone="${zn}"
+ infile="${zn}.db.infile"
+ zonefile="${zn}.db"
+
+ # The signing key is copied from ns5.
+ CSK=$(cat "${zn}.keyname")
+ cat "${zn}.db.in" "${CSK}.key" > "$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+ $SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
+
+ cp "dsset-${zn}." ../ns1/
 done
-
-zone="checkds"
-infile="checkds.db.infile"
-zonefile="checkds.db"
-
-CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
-$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
diff --git a/bin/tests/system/checkds/ns4/named.conf.in b/bin/tests/system/checkds/ns4/named.conf.in
index e808287b38..1d551cfbb5 100644
--- a/bin/tests/system/checkds/ns4/named.conf.in
+++ b/bin/tests/system/checkds/ns4/named.conf.in
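Review bot: `CSK=$(cat "${zn}.keyname")` reads a file that ns5/setup.sh writes into ../ns2/ (its `echo "${CSK}" > "../ns2/${zn}.keyname"` appears later in this diff), and the closing `cp "dsset-${zn}." ../ns1/` replaces the `cp "../ns2/dsset-checkds." .` that ns1/setup.sh used to do, so this script now has to run after ns5 and before ns1; neither ordering is stated in the loop, and the top-level script that sequences the per-server setup is not in the diff. Suggest widening the comment to `# The signing key is generated by ns5/setup.sh, which must run before this script; the dsset is copied on to ns1, which is set up after ns2.` If the .keyname file is absent the `cat` fails and the next line concatenates a literal `.key`, so a guard such as `test -f "${zn}.keyname" || { echo_i "missing ${zn}.keyname"; exit 1; }` before the assignment would make a wrong order fail with a clear cause; whether the harness already runs these scripts under `set -e` cannot be seen here.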
@@ -34,8 +34,56 @@ controls {
 inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
-zone "checkds" {
+zone "ns2" {
 type secondary;
- file "checkds.db";
- primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns2.db";
+};
+
+zone "ns2-4" {
+ type secondary;
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns2-4.db";
+};
+
+zone "ns2-4-5" {
+ type secondary;
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns2-4-5.db";
+};
+
+zone "ns2-4-6" {
+ type secondary;
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns2-4-6.db";
+};
+
+zone "ns2-5-7" {
+ type secondary;
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns2-5-7.db";
+};
+
+zone "ns5" {
+ type secondary;
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns5.db";
+};
+
+zone "ns5-6-7" {
+ type secondary;
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns5-6-7.db";
+};
+
+zone "ns5-7" {
+ type secondary;
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns5-7.db";
+};
+
+zone "ns6" {
+ type secondary;
+ primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+ file "ns6.db";
 };
diff --git a/bin/tests/system/checkds/ns5/named.conf.in b/bin/tests/system/checkds/ns5/named.conf.in
index dd0f0790d4..0d558cd1fa 100644
--- a/bin/tests/system/checkds/ns5/named.conf.in
+++ b/bin/tests/system/checkds/ns5/named.conf.in
@@ -39,8 +39,83 @@ zone "." {
 file "../../common/root.hint";
 };
-zone "checkds" {
+zone "ns2" {
 type primary;
+ allow-update { any; };
 allow-transfer { 10.53.0.5; 10.53.0.7; };
- file "checkds.db";
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns2.db";
+};
+
+zone "ns2-4" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; };
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns2-4.db";
+};
+
+zone "ns2-4-5" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; };
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns2-4-5.db";
+};
+
+zone "ns2-4-6" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; };
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns2-4-6.db";
+};
+
+zone "ns2-5-7" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; };
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns2-5-7.db";
+};
+
+zone "ns5" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; };
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns5.db";
+};
+
+zone "ns5-6-7" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; };
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns5-6-7.db";
+};
+
+zone "ns5-7" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; };
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns5-7.db";
+};
+
+zone "ns6" {
+ type primary;
+ allow-update { any; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; };
+ also-notify { 10.53.0.7; };
+ dnssec-policy default;
+ file "ns6.db";
 };
diff --git a/bin/tests/system/checkds/ns5/ns2-4-5.db.in b/bin/tests/system/checkds/ns5/ns2-4-5.db.in
new file mode 100644
index 0000000000..9ea5b889c2
--- /dev/null
+++ b/bin/tests/system/checkds/ns5/ns2-4-5.db.in
@@ -0,0 +1,30 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 + NS ns4 + NS ns5 +ns2 A 10.53.0.2 +ns4 A 10.53.0.4 +ns5 A 10.53.0.5 + +$ORIGIN explicit.dspublish.ns2-4-5. +incomplete NS ns9.incomplete +ns9.imcomplete A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns2-4-6.db.in b/bin/tests/system/checkds/ns5/ns2-4-6.db.in new file mode 100644 index 0000000000..f30962852b --- /dev/null +++ b/bin/tests/system/checkds/ns5/ns2-4-6.db.in @@ -0,0 +1,30 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 + NS ns4 + NS ns6 +ns2 A 10.53.0.2 +ns4 A 10.53.0.4 +ns6 A 10.53.0.6 + +$ORIGIN explicit.dspublish.ns2-4-6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns2-4.db.in b/bin/tests/system/checkds/ns5/ns2-4.db.in new file mode 100644 index 0000000000..5ed06dbb92 --- /dev/null 
+++ b/bin/tests/system/checkds/ns5/ns2-4.db.in @@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 + NS ns4 +ns2 A 10.53.0.2 +ns4 A 10.53.0.4 + +$ORIGIN explicit.dspublish.ns2-4. +good NS ns9.good +ns9.good A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns2-5-7.db.in b/bin/tests/system/checkds/ns5/ns2-5-7.db.in new file mode 100644 index 0000000000..689f316e5c --- /dev/null +++ b/bin/tests/system/checkds/ns5/ns2-5-7.db.in @@ -0,0 +1,30 @@ + ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 + NS ns5 + NS ns7 +ns2 A 10.53.0.2 +ns5 A 10.53.0.5 +ns7 A 10.53.0.7 + +$ORIGIN explicit.dsremoved.ns2-5-7. +incomplete NS ns9.incomplete +ns9.incomplete A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns2.db.in b/bin/tests/system/checkds/ns5/ns2.db.in new file mode 100644 index 0000000000..200129ef1b --- /dev/null 
+++ b/bin/tests/system/checkds/ns5/ns2.db.in @@ -0,0 +1,34 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 +ns2 A 10.53.0.2 + +$ORIGIN explicit.dspublish.ns2. +good NS ns9.good +reference NS ns9.reference +resolver NS ns9.resolver +ns9.good A 10.53.0.9 +ns9.reference A 10.53.0.9 +ns9.resolver A 10.53.0.9 + +$ORIGIN explicit.dsremoved.ns2. +still-there NS ns9.still-there +ns9.still-there A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns5-6-7.db.in b/bin/tests/system/checkds/ns5/ns5-6-7.db.in new file mode 100644 index 0000000000..5a4200bda9 --- /dev/null +++ b/bin/tests/system/checkds/ns5/ns5-6-7.db.in @@ -0,0 +1,30 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns5 + NS ns6 + NS ns7 +ns5 A 10.53.0.5 +ns6 A 10.53.0.6 +ns7 A 10.53.0.7 + +$ORIGIN explicit.dsremoved.ns5-6-7. +bad NS ns9.bad +ns9.bad A 10.53.0.9 
diff --git a/bin/tests/system/checkds/ns5/ns5-7.db.in b/bin/tests/system/checkds/ns5/ns5-7.db.in new file mode 100644 index 0000000000..f051c5eafb --- /dev/null +++ b/bin/tests/system/checkds/ns5/ns5-7.db.in @@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns5 + NS ns7 +ns5 A 10.53.0.5 +ns7 A 10.53.0.7 + +$ORIGIN explicit.dsremoved.ns5-7. +good NS ns9.good +ns9.good A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns5.db.in b/bin/tests/system/checkds/ns5/ns5.db.in new file mode 100644 index 0000000000..33449d340c --- /dev/null +++ b/bin/tests/system/checkds/ns5/ns5.db.in 
@@ -0,0 +1,32 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns5 +ns5 A 10.53.0.5 + +$ORIGIN explicit.dspublish.ns5. +not-yet NS ns9.not-yet +ns9.not-yet A 10.53.0.9 + +$ORIGIN explicit.dsremoved.ns5. +good NS ns9.good +resolver NS ns9.resolver +ns9.good A 10.53.0.9 +ns9.resolver A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns6.db.in b/bin/tests/system/checkds/ns5/ns6.db.in new file mode 100644 index 0000000000..27cbb03d99 --- /dev/null +++ b/bin/tests/system/checkds/ns5/ns6.db.in @@ -0,0 +1,30 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns6 +ns6 A 10.53.0.6 + +$ORIGIN explicit.dspublish.ns6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 + +$ORIGIN explicit.dsremoved.ns6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/setup.sh b/bin/tests/system/checkds/ns5/setup.sh index 79d7b71c26..d2466f51e5 100644 
--- a/bin/tests/system/checkds/ns5/setup.sh
+++ b/bin/tests/system/checkds/ns5/setup.sh
@@ -16,11 +16,21 @@ echo_i "ns5/setup.sh"
-zone="checkds"
-infile="checkds.db.infile"
-zonefile="checkds.db"
+for zn in \
+ ns2 ns2-4 ns2-4-5 ns2-4-6 ns2-5-7 \
+ ns5 ns5-6-7 ns5-7 ns6
+do
+ zone="${zn}"
+ infile="${zn}.db.infile"
+ zonefile="${zn}.db"
-CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
-$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
+ CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
+ cat "${zn}.db.in" "${CSK}.key" > "$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+ $SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
+
+ # Copy key to ns2, the other primary.
+ echo "${CSK}" > "../ns2/${zn}.keyname"
+ cp "${CSK}.key" ../ns2/
+ cp "${CSK}.private" ../ns2/
+done
diff --git a/bin/tests/system/checkds/ns5/template.db.in b/bin/tests/system/checkds/ns5/template.db.in
deleted file mode 100644
index 54e4881a6f..0000000000
--- a/bin/tests/system/checkds/ns5/template.db.in
+++ /dev/null
@@ -1,40 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300
-@ IN SOA secondary.example. hostmaster.example. (
- 1 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
-
- NS ns5
-ns5 A 10.53.0.5
-
-dspublished NS ns9.dspublished
-reference NS ns9.reference
-missing-dspublished NS ns9.missing-dspublished
-bad-dspublished NS ns9.bad-dspublished
-multiple-dspublished NS ns9.multiple-dspublished
-incomplete-dspublished NS ns9.incomplete-dspublished
-bad2-dspublished NS ns9.bad2-dspublished
-resolver-dspublished NS ns9.resolver-dspublished
-
-dswithdrawn NS ns9.dswithdrawn
-missing-dswithdrawn NS ns9.missing-dswithdrawn
-bad-dswithdrawn NS ns9.bad-dswithdrawn
-multiple-dswithdrawn NS ns9.multiple-dswithdrawn
-incomplete-dswithdrawn NS ns9.incomplete-dswithdrawn
-bad2-dswithdrawn NS ns9.bad2-dswithdrawn
-resolver-dswithdrawn NS ns9.resolver-dswithdrawn
-
diff --git a/bin/tests/system/checkds/ns7/named.conf.in b/bin/tests/system/checkds/ns7/named.conf.in
index e8ea33306c..dc17b657c8 100644
--- a/bin/tests/system/checkds/ns7/named.conf.in
+++ b/bin/tests/system/checkds/ns7/named.conf.in
@@ -34,13 +34,56 @@ controls {
 inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
-zone "." {
- type hint;
- file "../../common/root.hint";
+zone "ns2" {
+ type secondary;
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns2.db";
 };
-zone "checkds" {
+zone "ns2-4" {
 type secondary;
- file "checkds.db";
- primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns2-4.db";
+};
+
+zone "ns2-4-5" {
+ type secondary;
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns2-4-5.db";
+};
+
+zone "ns2-4-6" {
+ type secondary;
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns2-4-6.db";
+};
+
+zone "ns2-5-7" {
+ type secondary;
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns2-5-7.db";
+};
+
+zone "ns5" {
+ type secondary;
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns5.db";
+};
+
+zone "ns5-6-7" {
+ type secondary;
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns5-6-7.db";
+};
+
+zone "ns5-7" {
+ type secondary;
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns5-7.db";
+};
+
+zone "ns6" {
+ type secondary;
+ primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+ file "ns6.db";
 };
diff --git a/bin/tests/system/checkds/ns9/named.conf.in b/bin/tests/system/checkds/ns9/named.conf.in
index d4f56a318d..e9c6075efc 100644
--- a/bin/tests/system/checkds/ns9/named.conf.in
+++ b/bin/tests/system/checkds/ns9/named.conf.in
@@ -13,6 +13,8 @@
 // NS9
+include "trusted.conf";
+
 options {
 query-source address 10.53.0.9;
 notify-source 10.53.0.9;
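Review bot: `include "trusted.conf";` is added to ns9 with no comment on what the file holds, which setup step generates it, or why an authoritative-only server now needs a trust anchor; nothing in the visible hunks creates the file, so the next reader has to search the other setup scripts. A line above the include such as `// trusted.conf: trust anchor written by the test setup; needed to validate DS answers obtained through the ns3 resolver (10.53.0.3)` would answer that — the stated reason is inferred from the new resolver-based test zones, so adjust it to the real one.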
@@ -44,113 +46,31 @@ zone "." {
 };
 /*
- * Zone with parental agent configured, due for DS checking.
+ * 1. Enabling DNSSEC
+ * 1.1 - With one parental agent
+ * 1.1.1. - DS is correctly published in the parent.
 */
-zone "dspublished.checkds" {
+zone "good.explicit.dspublish.ns2" {
 type primary;
- file "dspublished.checkds.db";
+ file "good.explicit.dspublish.ns2.db";
 inline-signing yes;
 dnssec-policy "default";
 parental-agents { 10.53.0.2 port @PORT@; };
 };
-/*
- * Zone with parental agent configured, due for DS checking.
- * Same as above, but now with a reference to parental-agents.
- */
-zone "reference.checkds" {
+/* Same as above, but now with a reference to parental-agents. */
+zone "reference.explicit.dspublish.ns2" {
 type primary;
- file "reference.checkds.db";
+ file "reference.explicit.dspublish.ns2.db";
 inline-signing yes;
 dnssec-policy "default";
 parental-agents { "ns2"; };
 };
-/*
- * Zone with parental agent configured, due for DS checking.
- * The parental agent does not have the DS yet.
- */
-zone "missing-dspublished.checkds" {
+/* Same as above, but now with resolver parental agent configured. */
+zone "resolver.explicit.dspublish.ns2" {
 type primary;
- file "missing-dspublished.checkds.db";
- inline-signing yes;
- dnssec-policy "default";
- parental-agents {
- 10.53.0.5 port @PORT@; // missing
- };
-};
-
-
-/*
- * Zone with parental agent configured, due for DS checking.
- * This case, the server is badly configured.
- */
-zone "bad-dspublished.checkds" {
- type primary;
- file "bad-dspublished.checkds.db";
- inline-signing yes;
- dnssec-policy "default";
- parental-agents {
- 10.53.0.6 port @PORT@; // bad
- };
-};
-
-/*
- * Zone with multiple parental agents configured, due for DS checking.
- * All need to have the DS before the rollover may continue.
- */
-zone "multiple-dspublished.checkds" {
- type primary;
- file "multiple-dspublished.checkds.db";
- inline-signing yes;
- dnssec-policy "default";
- parental-agents {
- 10.53.0.2 port @PORT@;
- 10.53.0.4 port @PORT@;
- };
-};
-
-/*
- * Zone with multiple parental agents configured, due for DS checking.
- * All need to have the DS before the rollover may continue.
- * This case, one server is still missing the DS.
- */
-zone "incomplete-dspublished.checkds" {
- type primary;
- file "incomplete-dspublished.checkds.db";
- inline-signing yes;
- dnssec-policy "default";
- parental-agents {
- 10.53.0.2 port @PORT@;
- 10.53.0.4 port @PORT@;
- 10.53.0.5 port @PORT@; // missing
- };
-};
-
-
-/*
- * Zone with multiple parental agents configured, due for DS checking.
- * All need to have the DS before the rollover may continue.
- * This case, one server is badly configured.
- */
-zone "bad2-dspublished.checkds" {
- type primary;
- file "bad2-dspublished.checkds.db";
- inline-signing yes;
- dnssec-policy "default";
- parental-agents {
- 10.53.0.2 port @PORT@;
- 10.53.0.4 port @PORT@;
- 10.53.0.6 port @PORT@; // bad
- };
-};
-
-/*
- * Zone with resolver parental agent configured, due for DS checking.
- */
-zone "resolver-dspublished.checkds" {
- type primary;
- file "resolver-dspublished.checkds.db";
+ file "resolver.explicit.dspublish.ns2.db";
 inline-signing yes;
 dnssec-policy "default";
 parental-agents {
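Review bot: The `reference.explicit.dspublish.ns2` and `resolver.explicit.dspublish.ns2` zones get a one-line `/* Same as above, ... */` comment while every other test zone in the file carries the three-line `1. / 1.1 / 1.1.1.` header, so these two are the only ones a reader cannot map back to the README numbering without scrolling up. Giving them the same shape, e.g. `/* 1.1.1. (variant) - DS correctly published; parental-agents given by reference. */`, keeps the file greppable by case number. The resolver zone's `parental-agents` block continues past the end of this hunk.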
@@ -158,84 +78,217 @@ zone "resolver-dspublished.checkds" {
 };
 };
+/*
+ * 1. Enabling DNSSEC
+ * 1.1 - With one parental agent
+ * 1.1.2. - DS is not (yet) published in the parent.
+ */
+zone "not-yet.explicit.dspublish.ns5" {
+ type primary;
+ file "not-yet.explicit.dspublish.ns5.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ parental-agents {
+ 10.53.0.5 port @PORT@; // missing
+ };
+};
+
+/*
+ * 1. Enabling DNSSEC
+ * 1.1 - With one parental agent
+ * 1.1.3. - The parental agent is badly configured.
+ */
+zone "bad.explicit.dspublish.ns6" {
+ type primary;
+ file "bad.explicit.dspublish.ns6.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ parental-agents {
+ 10.53.0.6 port @PORT@; // bad
+ };
+};
+
+/*
+ * 1. Enabling DNSSEC
+ * 1.1 - With one parental agent
+ * 1.1.4. - DS is published, but has bogus signature
+ */
+// TODO
+
+/*
+ * 1. Enabling DNSSEC
+ * 1.2 - With multiple parental agent
+ * 1.2.1. - DS is correctly published in all parents.
+ */
+zone "good.explicit.dspublish.ns2-4" {
+ type primary;
+ file "good.explicit.dspublish.ns2-4.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ parental-agents {
+ 10.53.0.2 port @PORT@;
+ 10.53.0.4 port @PORT@;
+ };
+};
+
+/*
+ * 1. Enabling DNSSEC
+ * 1.2 - With multiple parental agent
+ * 1.2.2. - DS is not (yet) published in some parents.
+ */
+zone "incomplete.explicit.dspublish.ns2-4-5" {
+ type primary;
+ file "incomplete.explicit.dspublish.ns2-4-5.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ parental-agents {
+ 10.53.0.2 port @PORT@;
+ 10.53.0.4 port @PORT@;
+ 10.53.0.5 port @PORT@; // missing
+ };
+};
+
+/*
+ * 1. Enabling DNSSEC
+ * 1.2 - With multiple parental agent
+ * 1.2.3. - DS is not (yet) published in some parents.
+ */
+zone "bad.explicit.dspublish.ns2-4-6" {
+ type primary;
+ file "bad.explicit.dspublish.ns2-4-6.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ parental-agents {
+ 10.53.0.2 port @PORT@;
+ 10.53.0.4 port @PORT@;
+ 10.53.0.6 port @PORT@; // bad
+ };
+};
+
+/*
+ * 1. Enabling DNSSEC
+ * 1.2 - With multiple parental agent
+ * 1.2.4. - DS is completely published, bogus signature.
+ */
+// TODO
+
 // TODO: Other test cases:
-// - Test with bogus response
 // - check with TSIG
 // - check with TLS
-
 /*
- * Zones that are going insecure (test DS withdrawn polling).
+ * 2. Going insecure
+ * 2.1 - With one parental agent
+ * 2.1.1. - DS is correctly withdrawn from the parent.
 */
-zone "dswithdrawn.checkds" {
+zone "good.explicit.dsremoved.ns5" {
 type primary;
- file "dswithdrawn.checkds.db";
+ file "good.explicit.dsremoved.ns5.db";
 inline-signing yes;
 dnssec-policy "insecure";
 parental-agents { 10.53.0.5 port @PORT@; };
 };
-zone "missing-dswithdrawn.checkds" {
+zone "resolver.explicit.dsremoved.ns5" {
 type primary;
- file "missing-dswithdrawn.checkds.db";
- inline-signing yes;
- dnssec-policy "insecure";
- parental-agents {
- 10.53.0.2 port @PORT@; // still published
- };
-};
-
-zone "bad-dswithdrawn.checkds" {
- type primary;
- file "bad-dswithdrawn.checkds.db";
- inline-signing yes;
- dnssec-policy "insecure";
- parental-agents {
- 10.53.0.6 port @PORT@; // bad
- };
-};
-
-zone "multiple-dswithdrawn.checkds" {
- type primary;
- file "multiple-dswithdrawn.checkds.db";
- inline-signing yes;
- dnssec-policy "insecure";
- parental-agents {
- 10.53.0.5 port @PORT@;
- 10.53.0.7 port @PORT@;
- };
-};
-
-zone "incomplete-dswithdrawn.checkds" {
- type primary;
- file "incomplete-dswithdrawn.checkds.db";
- inline-signing yes;
- dnssec-policy "insecure";
- parental-agents {
- 10.53.0.2 port @PORT@; // still published
- 10.53.0.5 port @PORT@;
- 10.53.0.7 port @PORT@;
- };
-};
-
-zone "bad2-dswithdrawn.checkds" {
- type primary;
- file "bad2-dswithdrawn.checkds.db";
- inline-signing yes;
- dnssec-policy "insecure";
- parental-agents {
- 10.53.0.5 port @PORT@;
- 10.53.0.7 port @PORT@;
- 10.53.0.6 port @PORT@; // bad
- };
-};
-
-zone "resolver-dswithdrawn.checkds" {
- type primary;
- file "resolver-dswithdrawn.checkds.db";
+ file "resolver.explicit.dsremoved.ns5.db";
 inline-signing yes;
 dnssec-policy "default";
 parental-agents {
- 10.53.0.8 port @PORT@;
+ 10.53.0.3 port @PORT@;
 };
 };
+
+/*
+ * 2. Going insecure
+ * 2.1 - With one parental agent
+ * 2.1.2. - DS is (still) published in the parent.
+ */
+zone "still-there.explicit.dsremoved.ns2" {
+ type primary;
+ file "still-there.explicit.dsremoved.ns2.db";
+ inline-signing yes;
+ dnssec-policy "insecure";
+ parental-agents {
+ 10.53.0.2 port @PORT@; // still published
+ };
+};
+
+/*
+ * 2. Going insecure
+ * 2.1 - With one parental agent
+ * 2.1.3. - The parental agent is badly configured.
+ */
+zone "bad.explicit.dsremoved.ns6" {
+ type primary;
+ file "bad.explicit.dsremoved.ns6.db";
+ inline-signing yes;
+ dnssec-policy "insecure";
+ parental-agents {
+ 10.53.0.6 port @PORT@; // bad
+ };
+};
+
+/*
+ * 2. Going insecure
+ * 2.1 - With one parental agent
+ * 2.1.4. - DS is withdrawn, but has bogus signature.
+ */
+// TODO
+
+/*
+ * 2. Going insecure
+ * 2.2. - With multiple parental agents
+ * 2.2.1. - DS is correctly withdrawn from all parents.
+ */
+zone "good.explicit.dsremoved.ns5-7" {
+ type primary;
+ file "good.explicit.dsremoved.ns5-7.db";
+ inline-signing yes;
+ dnssec-policy "insecure";
+ parental-agents {
+ 10.53.0.5 port @PORT@;
+ 10.53.0.7 port @PORT@;
+ };
+};
+
+/*
+ * 2. Going insecure
+ * 2.2. - With multiple parental agents
+ * 2.2.2. - DS is not (yet) withdrawn from some parents.
+ */
+zone "incomplete.explicit.dsremoved.ns2-5-7" {
+ type primary;
+ file "incomplete.explicit.dsremoved.ns2-5-7.db";
+ inline-signing yes;
+ dnssec-policy "insecure";
+ parental-agents {
+ 10.53.0.2 port @PORT@; // still published
+ 10.53.0.5 port @PORT@;
+ 10.53.0.7 port @PORT@;
+ };
+};
+
+/*
+ * 2. Going insecure
+ * 2.2. - With multiple parental agents
+ * 2.2.3. - One parental agent is badly configured.
+ */
+zone "bad.explicit.dsremoved.ns5-6-7" {
+ type primary;
+ file "bad.explicit.dsremoved.ns5-6-7.db";
+ inline-signing yes;
+ dnssec-policy "insecure";
+ parental-agents {
+ 10.53.0.5 port @PORT@;
+ 10.53.0.7 port @PORT@;
+ 10.53.0.6 port @PORT@; // bad
+ };
+};
+
+/*
+ * 2. Going insecure
+ * 2.2. - With multiple parental agents
+ * 2.2.4. - DS is removed completely, bogus signature
+ */
+// TODO
diff --git a/bin/tests/system/checkds/ns9/setup.sh b/bin/tests/system/checkds/ns9/setup.sh
index e4d1586612..cb399c2288 100644
--- a/bin/tests/system/checkds/ns9/setup.sh
+++ b/bin/tests/system/checkds/ns9/setup.sh
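Review bot: The header above `zone "bad.explicit.dspublish.ns2-4-6"` reads `* 1.2.3. - DS is not (yet) published in some parents.`, which is the 1.2.2 text copied over; that zone's agent list ends in `10.53.0.6 port @PORT@; // bad`, so the line should be `* 1.2.3. - One parental agent is badly configured.` as the README and the Python test already word it. Separately, `zone "resolver.explicit.dsremoved.ns5"` keeps the context line `dnssec-policy "default";` while every other zone in the `2. Going insecure` section uses `dnssec-policy "insecure";` and the test expects this zone to reach `DSRemoved`; the value is carried over from the old `resolver-dswithdrawn.checkds` zone, so if it is deliberate a comment saying why would help, otherwise it looks like it should be `"insecure"` as well. The section headers also alternate between `1.2 - With multiple parental agent` and `2.2. - With multiple parental agents`; one spelling would be cleaner.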
@@ -33,31 +33,54 @@ T="now-30d"
 Y="now-1y"
 # DS Publication.
-for zn in dspublished reference missing-dspublished bad-dspublished \
- multiple-dspublished incomplete-dspublished bad2-dspublished resolver-dspublished
+for checkds in explicit
 do
- setup "${zn}.checkds"
- cp template.db.in "$zonefile"
- keytimes="-P $T -P sync $T -A $T"
- CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
- $SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1
- cat template.db.in "${CSK}.key" > "$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
- cp $infile $zonefile
- $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+ for zn in \
+ good.${checkds}.dspublish.ns2 \
+ reference.${checkds}.dspublish.ns2 \
+ resolver.${checkds}.dspublish.ns2 \
+ not-yet.${checkds}.dspublish.ns5 \
+ bad.${checkds}.dspublish.ns6 \
+ good.${checkds}.dspublish.ns2-4 \
+ incomplete.${checkds}.dspublish.ns2-4-5 \
+ bad.${checkds}.dspublish.ns2-4-6
+ do
+ setup "${zn}"
+ cp template.db.in "$zonefile"
+ keytimes="-P $T -P sync $T -A $T"
+ CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
+ $SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1
+ cat "$zonefile" "${CSK}.key" > "$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+ cp "dsset-${zone}." ../ns2/
+ done
 done
 # DS Withdrawal.
-for zn in dswithdrawn missing-dswithdrawn bad-dswithdrawn multiple-dswithdrawn \
- incomplete-dswithdrawn bad2-dswithdrawn resolver-dswithdrawn
+for checkds in explicit
 do
- setup "${zn}.checkds"
- cp template.db.in "$zonefile"
- keytimes="-P $Y -P sync $Y -A $Y"
- CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
- $SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1
- cat template.db.in "${CSK}.key" > "$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
- cp $infile $zonefile
- $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+ for zn in \
+ good.${checkds}.dsremoved.ns5 \
+ resolver.${checkds}.dsremoved.ns5 \
+ still-there.${checkds}.dsremoved.ns2 \
+ bad.${checkds}.dsremoved.ns6 \
+ good.${checkds}.dsremoved.ns5-7 \
+ incomplete.${checkds}.dsremoved.ns2-5-7 \
+ bad.${checkds}.dsremoved.ns5-6-7
+ do
+ setup "${zn}"
+ cp template.db.in "$zonefile"
+ keytimes="-P $Y -P sync $Y -A $Y"
+ CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
+ $SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1
+ cat "$zonefile" "${CSK}.key" > "$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+ cp "dsset-${zone}." ../ns2/
+ done
 done
diff --git a/bin/tests/system/checkds/tests_checkds.py b/bin/tests/system/checkds/tests_checkds.py
index fbd0c74bdc..ef6bec143e 100755
--- a/bin/tests/system/checkds/tests_checkds.py
+++ b/bin/tests/system/checkds/tests_checkds.py
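Review bot: Both `for checkds in explicit` loops iterate over a single value, which reads as a leftover unless the reader already knows the discovery variant (`checkds yes;`, described in the README) is meant to be appended to that list later; a comment above the first loop, `# One pass per "checkds" mode; only "explicit" zones are set up so far.`, would make that explicit. The publication and withdrawal bodies differ only in the zone list, the `keytimes` value and the `$SETTIME` state arguments, so a shell function taking those three would replace the duplicated nine-line body and make the next mode a one-line addition.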
@@ -36,9 +36,10 @@ def has_signed_apex_nsec(zone, response):
 ttl = 300
 nextname = "a."
+ labelcount = zone.count(".") # zone is specified as FQDN
 types = "NS SOA RRSIG NSEC DNSKEY"
 match = "{0} {1} IN NSEC {2}{0} {3}".format(zone, ttl, nextname, types)
- sig = "{0} {1} IN RRSIG NSEC 13 2 300".format(zone, ttl)
+ sig = "{0} {1} IN RRSIG NSEC 13 {2} 300".format(zone, ttl, labelcount)
 for rr in response.answer:
 if match in rr.to_text():
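Review bot: `labelcount = zone.count(".")` is only right when `zone` really carries the trailing dot the comment promises; a caller passing `"good.explicit.dspublish.ns2"` gets 3 instead of 4, the RRSIG string never matches, and the failure shows up as an opaque timeout rather than an assertion. `labelcount = zone.strip(".").count(".") + 1` yields the label count for either spelling of any non-root name, and the comment would then be more useful as `# RRSIG "labels" field: number of labels in the owner name`. The hard-coded algorithm `13` is pre-existing and unchanged here.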
@@ -258,107 +259,134 @@ def test_checkds_dspublished(named_port):
 parent.nameservers = ["10.53.0.2"]
 parent.port = named_port
- # DS correctly published in parent.
- zone_check(server, "dspublished.checkds.")
- wait_for_log(
- "ns9/named.run",
- "zone dspublished.checkds/IN (signed): checkds: DS response from 10.53.0.2",
- )
- keystate_check(parent, "dspublished.checkds.", "DSPublish")
+ #
+ # 1.1.1: DS is correctly published in parent.
+ # parental-agents: ns2
+ #
- # DS correctly published in parent (reference to parental-agent).
- zone_check(server, "reference.checkds.")
+ # The simple case.
+ zone_check(server, "good.explicit.dspublish.ns2.")
 wait_for_log(
 "ns9/named.run",
- "zone reference.checkds/IN (signed): checkds: DS response from 10.53.0.2",
+ "zone good.explicit.dspublish.ns2/IN (signed): checkds: "
+ "DS response from 10.53.0.2",
 )
- keystate_check(parent, "reference.checkds.", "DSPublish")
+ keystate_check(parent, "good.explicit.dspublish.ns2.", "DSPublish")
- # DS not published in parent.
- zone_check(server, "missing-dspublished.checkds.")
+ # Using a reference to parental-agents.
+ zone_check(server, "reference.explicit.dspublish.ns2.")
 wait_for_log(
 "ns9/named.run",
- "zone missing-dspublished.checkds/IN (signed): checkds: "
- "empty DS response from 10.53.0.5",
+ "zone reference.explicit.dspublish.ns2/IN (signed): "
+ "checkds: DS response from 10.53.0.2",
 )
- keystate_check(parent, "missing-dspublished.checkds.", "!DSPublish")
+ keystate_check(parent, "reference.explicit.dspublish.ns2.", "DSPublish")
- # Badly configured parent.
- zone_check(server, "bad-dspublished.checkds.")
+ # Using a resolver as parental-agent (ns3).
+ zone_check(server, "resolver.explicit.dspublish.ns2.")
 wait_for_log(
 "ns9/named.run",
- "zone bad-dspublished.checkds/IN (signed): checkds: "
- "bad DS response from 10.53.0.6",
- )
- keystate_check(parent, "bad-dspublished.checkds.", "!DSPublish")
-
- # TBD: DS published in parent, but bogus signature.
-
- # DS correctly published in all parents.
- zone_check(server, "multiple-dspublished.checkds.")
- wait_for_log(
- "ns9/named.run",
- "zone multiple-dspublished.checkds/IN (signed): checkds: "
- "DS response from 10.53.0.2",
- )
- wait_for_log(
- "ns9/named.run",
- "zone multiple-dspublished.checkds/IN (signed): checkds: "
- "DS response from 10.53.0.4",
- )
- keystate_check(parent, "multiple-dspublished.checkds.", "DSPublish")
-
- # DS published in only one of multiple parents.
- zone_check(server, "incomplete-dspublished.checkds.")
- wait_for_log(
- "ns9/named.run",
- "zone incomplete-dspublished.checkds/IN (signed): checkds: "
- "DS response from 10.53.0.2",
- )
- wait_for_log(
- "ns9/named.run",
- "zone incomplete-dspublished.checkds/IN (signed): checkds: "
- "DS response from 10.53.0.4",
- )
- wait_for_log(
- "ns9/named.run",
- "zone incomplete-dspublished.checkds/IN (signed): checkds: "
- "empty DS response from 10.53.0.5",
- )
- keystate_check(parent, "incomplete-dspublished.checkds.", "!DSPublish")
-
- # One of the parents is badly configured.
- zone_check(server, "bad2-dswithdrawn.checkds.")
- wait_for_log(
- "ns9/named.run",
- "zone bad2-dspublished.checkds/IN (signed): checkds: "
- "DS response from 10.53.0.2",
- )
- wait_for_log(
- "ns9/named.run",
- "zone bad2-dspublished.checkds/IN (signed): checkds: "
- "DS response from 10.53.0.4",
- )
- wait_for_log(
- "ns9/named.run",
- "zone bad2-dspublished.checkds/IN (signed): checkds: "
- "bad DS response from 10.53.0.6",
- )
- keystate_check(parent, "bad2-dspublished.checkds.", "!DSPublish")
-
- # Check with resolver parental-agent.
- zone_check(server, "resolver-dspublished.checkds.")
- wait_for_log(
- "ns9/named.run",
- "zone resolver-dspublished.checkds/IN (signed): checkds: "
+ "zone resolver.explicit.dspublish.ns2/IN (signed): checkds: "
 "DS response from 10.53.0.3",
 )
- keystate_check(parent, "resolver-dspublished.checkds.", "DSPublish")
+ keystate_check(parent, "resolver.explicit.dspublish.ns2.", "DSPublish")
- # TBD: DS published in all parents, but one has bogus signature.
+ #
+ # 1.1.2: DS is not published in parent.
+ # parental-agents: ns5
+ #
+ zone_check(server, "not-yet.explicit.dspublish.ns5.")
+ wait_for_log(
+ "ns9/named.run",
+ "zone not-yet.explicit.dspublish.ns5/IN (signed): checkds: "
+ "empty DS response from 10.53.0.5",
+ )
+ keystate_check(parent, "not-yet.explicit.dspublish.ns5.", "!DSPublish")
+
+ #
+ # 1.1.3: The parental agent is badly configured.
+ # parental-agents: ns6
+ #
+ zone_check(server, "bad.explicit.dspublish.ns6.")
+ wait_for_log(
+ "ns9/named.run",
+ "zone bad.explicit.dspublish.ns6/IN (signed): checkds: "
+ "bad DS response from 10.53.0.6",
+ )
+ keystate_check(parent, "bad.explicit.dspublish.ns6.", "!DSPublish")
+
+ #
+ # 1.1.4: DS is published, but has bogus signature.
+ #
+ # TBD
+
+ #
+ # 1.2.1: DS is correctly published in all parents.
+ # parental-agents: ns2, ns4
+ #
+ zone_check(server, "good.explicit.dspublish.ns2-4.")
+ wait_for_log(
+ "ns9/named.run",
+ "zone good.explicit.dspublish.ns2-4/IN (signed): checkds: "
+ "DS response from 10.53.0.2",
+ )
+ wait_for_log(
+ "ns9/named.run",
+ "zone good.explicit.dspublish.ns2-4/IN (signed): checkds: "
+ "DS response from 10.53.0.4",
+ )
+ keystate_check(parent, "good.explicit.dspublish.ns2-4.", "DSPublish")
+
+ #
+ # 1.2.2: DS is not published in some parents.
+ # parental-agents: ns2, ns4, ns5
+ #
+ zone_check(server, "incomplete.explicit.dspublish.ns2-4-5.")
+ wait_for_log(
+ "ns9/named.run",
+ "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: "
+ "DS response from 10.53.0.2",
+ )
+ wait_for_log(
+ "ns9/named.run",
+ "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: "
+ "DS response from 10.53.0.4",
+ )
+ wait_for_log(
+ "ns9/named.run",
+ "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: "
+ "empty DS response from 10.53.0.5",
+ )
+ keystate_check(parent, "incomplete.explicit.dspublish.ns2-4-5.", "!DSPublish")
+
+ #
+ # 1.2.3: One parental agent is badly configured.
+ # parental-agents: ns2, ns4, ns6
+ #
+ zone_check(server, "bad.explicit.dspublish.ns2-4-6.")
+ wait_for_log(
+ "ns9/named.run",
+ "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: "
+ "DS response from 10.53.0.2",
+ )
+ wait_for_log(
+ "ns9/named.run",
+ "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: "
+ "DS response from 10.53.0.4",
+ )
+ wait_for_log(
+ "ns9/named.run",
+ "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: "
+ "bad DS response from 10.53.0.6",
+ )
+ keystate_check(parent, "bad.explicit.dspublish.ns2-4-6.", "!DSPublish")
+
+ #
+ # 1.2.4: DS is completely published, bogus signature.
+ #
+ # TBD
 # TBD: Check with TSIG
- # TBD: Check with TLS
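Review bot: Each of the eight cases in this hunk is the same three-step pattern — `zone_check`, one `wait_for_log` per parental agent with the zone name repeated inside the message, then `keystate_check` — written out by hand, so a zone name appears up to five times per case and a mismatch in one copy is easy to miss (the removed code had exactly that: it checked `bad2-dswithdrawn.checkds.` while waiting on `bad2-dspublished.checkds` log lines). A small module-level helper taking the zone, the expected response fragments and the key state reduces every case to one call; the same rewrite applies to the `test_checkds_dswithdrawn` hunk below. The hunk also drops `# TBD: Check with TLS` while keeping `# TBD: Check with TSIG`, although ns9/named.conf.in in this same change still lists `check with TLS` as a TODO, so if TLS is still planned the line should stay. `test_checkds_dspublished` and the `server`/`parent` setup it relies on start outside the hunk.
```python
def _check_ds_case(server, parent, zone, responses, keystate):
    # zone is given without the trailing dot; responses are the fragments
    # that follow "checkds: " in ns9's log, one per parental agent.
    zone_check(server, "{0}.".format(zone))
    for response in responses:
        wait_for_log(
            "ns9/named.run",
            "zone {0}/IN (signed): checkds: {1}".format(zone, response),
        )
    keystate_check(parent, "{0}.".format(zone), keystate)

# … unchanged: server/parent setup in test_checkds_dspublished …

    # 1.2.3: One parental agent is badly configured.
    # parental-agents: ns2, ns4, ns6
    _check_ds_case(
        server,
        parent,
        "bad.explicit.dspublish.ns2-4-6",
        [
            "DS response from 10.53.0.2",
            "DS response from 10.53.0.4",
            "bad DS response from 10.53.0.6",
        ],
        "!DSPublish",
    )
    # … the other cases collapse to one call each in the same way …
```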
@@ -372,94 +400,120 @@ def test_checkds_dswithdrawn(named_port):
 parent.nameservers = ["10.53.0.2"]
 parent.port = named_port
- # DS correctly published in single parent.
- zone_check(server, "dswithdrawn.checkds.")
+ #
+ # 2.1.1: DS correctly withdrawn from the parent.
+ # parental-agents: ns5
+ #
+
+ # The simple case.
+ zone_check(server, "good.explicit.dsremoved.ns5.")
 wait_for_log(
 "ns9/named.run",
- "zone dswithdrawn.checkds/IN (signed): checkds: "
+ "zone good.explicit.dsremoved.ns5/IN (signed): checkds: "
 "empty DS response from 10.53.0.5",
 )
- keystate_check(parent, "dswithdrawn.checkds.", "DSRemoved")
+ keystate_check(parent, "good.explicit.dsremoved.ns5.", "DSRemoved")
- # DS not withdrawn from parent.
- zone_check(server, "missing-dswithdrawn.checkds.")
+ # Using a resolver as parental-agent (ns3).
+ zone_check(server, "resolver.explicit.dsremoved.ns5.")
 wait_for_log(
 "ns9/named.run",
- "zone missing-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone resolver.explicit.dsremoved.ns5/IN (signed): checkds: "
+ "empty DS response from 10.53.0.3",
+ )
+ keystate_check(parent, "resolver.explicit.dsremoved.ns5.", "DSRemoved")
+
+ #
+ # 2.1.2: DS is published in the parent.
+ # parental-agents: ns2
+ #
+ zone_check(server, "still-there.explicit.dsremoved.ns2.")
+ wait_for_log(
+ "ns9/named.run",
+ "zone still-there.explicit.dsremoved.ns2/IN (signed): checkds: "
 "DS response from 10.53.0.2",
 )
- keystate_check(parent, "missing-dswithdrawn.checkds.", "!DSRemoved")
+ keystate_check(parent, "still-there.explicit.dsremoved.ns2.", "!DSRemoved")
- # Badly configured parent.
- zone_check(server, "bad-dswithdrawn.checkds.")
+ #
+ # 2.1.3: The parental agent is badly configured.
+ # parental-agents: ns6
+ #
+ zone_check(server, "bad.explicit.dsremoved.ns6.")
 wait_for_log(
 "ns9/named.run",
- "zone bad-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone bad.explicit.dsremoved.ns6/IN (signed): checkds: "
 "bad DS response from 10.53.0.6",
 )
- keystate_check(parent, "bad-dswithdrawn.checkds.", "!DSRemoved")
+ keystate_check(parent, "bad.explicit.dsremoved.ns6.", "!DSRemoved")
- # TBD: DS published in parent, but bogus signature.
+ #
+ # 2.1.4: DS is withdrawn, but has bogus signature.
+ #
+ # TBD
- # DS correctly withdrawn from all parents.
- zone_check(server, "multiple-dswithdrawn.checkds.")
+ #
+ # 2.2.1: DS is correctly withdrawn from all parents.
+ # parental-agents: ns5, ns7
+ #
+ zone_check(server, "good.explicit.dsremoved.ns5-7.")
 wait_for_log(
 "ns9/named.run",
- "zone multiple-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone good.explicit.dsremoved.ns5-7/IN (signed): checkds: "
 "empty DS response from 10.53.0.5",
 )
 wait_for_log(
 "ns9/named.run",
- "zone multiple-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone good.explicit.dsremoved.ns5-7/IN (signed): checkds: "
 "empty DS response from 10.53.0.7",
 )
- keystate_check(parent, "multiple-dswithdrawn.checkds.", "DSRemoved")
+ keystate_check(parent, "good.explicit.dsremoved.ns5-7.", "DSRemoved")
- # DS withdrawn from only one of multiple parents.
- zone_check(server, "incomplete-dswithdrawn.checkds.")
+ #
+ # 2.2.2: DS is not withdrawn from some parents.
+ # parental-agents: ns2, ns5, ns7
+ #
+ zone_check(server, "incomplete.explicit.dsremoved.ns2-5-7.")
 wait_for_log(
 "ns9/named.run",
- "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: "
 "DS response from 10.53.0.2",
 )
 wait_for_log(
 "ns9/named.run",
- "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: "
 "empty DS response from 10.53.0.5",
 )
 wait_for_log(
 "ns9/named.run",
- "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: "
 "empty DS response from 10.53.0.7",
 )
- keystate_check(parent, "incomplete-dswithdrawn.checkds.", "!DSRemoved")
+ keystate_check(parent, "incomplete.explicit.dsremoved.ns2-5-7.", "!DSRemoved")
- # One of the parents is badly configured.
- zone_check(server, "bad2-dswithdrawn.checkds.")
+ #
+ # 2.2.3: One parental agent is badly configured.
+ # parental-agents: ns5, ns6, ns7
+ #
+ zone_check(server, "bad.explicit.dsremoved.ns5-6-7.")
 wait_for_log(
 "ns9/named.run",
- "zone bad2-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: "
 "empty DS response from 10.53.0.5",
 )
 wait_for_log(
 "ns9/named.run",
- "zone bad2-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: "
 "empty DS response from 10.53.0.7",
 )
 wait_for_log(
 "ns9/named.run",
- "zone bad2-dswithdrawn.checkds/IN (signed): checkds: "
+ "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: "
 "bad DS response from 10.53.0.6",
 )
- keystate_check(parent, "bad2-dswithdrawn.checkds.", "!DSRemoved")
+ keystate_check(parent, "bad.explicit.dsremoved.ns5-6-7.", "!DSRemoved")
- # Check with resolver parental-agent.
- zone_check(server, "resolver-dswithdrawn.checkds.")
- wait_for_log(
- "ns9/named.run",
- "zone resolver-dswithdrawn.checkds/IN (signed): checkds: "
- "empty DS response from 10.53.0.8",
- )
- keystate_check(parent, "resolver-dswithdrawn.checkds.", "DSRemoved")
-
- # TBD: DS withdrawn from all parents, but one has bogus signature.
+ #
+ # 2.2.4:: DS is removed completely, bogus signature.
+ #
+ # TBD
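Review bot: The new comment `# 2.2.4:: DS is removed completely, bogus signature.` has a doubled colon where every other case header in both test functions uses a single one; it should read `# 2.2.4: DS is removed completely, bogus signature.`. `test_checkds_dswithdrawn` starts outside the hunk.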