mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 22:15:20 +00:00

fix: dev: convert dnssec system tests to python

Most of the shell-based tests in the `dnssec` system test have been converted to python.  The only exceptions are the test cases that exercised the `dnssec-*` command line tools, and did not interact with a name server; those have been relocated into a new `dnssectools` system test.

Merge branch 'each-convert-dnssec-test' into 'main'

See merge request isc-projects/bind9!10688
Evan Hunt
2025-07-31 20:34:56 +00:00
167 changed files with 5843 additions and 7613 deletions


@@ -1430,6 +1430,18 @@ if [ -x "$DIG" ]; then
grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "check dig's +nocrypto flag ($n)"
ret=0
dig_with_opts +dnssec +norec +nocrypto DNSKEY . @10.53.0.1 >dig.out.dnskey.test$n || ret=1
grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.test$n >/dev/null || ret=1
grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.test$n >/dev/null || ret=1
dig_with_opts +norec +nocrypto DS example \
@10.53.0.1 >dig.out.ds.test$n || ret=1
grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.test$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "$DIG is needed, so skipping these dig tests"
fi
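Review bot: The DS check in the added `+nocrypto` test escapes the bracket as `\[omitted]`, while the DNSKEY and RRSIG greps just above it use `\\[`. Inside double quotes both forms hand grep the same `\[`, so the result is the same, but the mixed quoting invites a wrong "fix" later; I would write `grep -E "DS.* [0-9]+ [12] \\[omitted]" dig.out.ds.test$n >/dev/null || ret=1` to match. A one-line comment such as `# +nocrypto must replace key, signature and digest data with [omitted]` would also state what the three greps assert. The enclosing `if [ -x "$DIG" ]` block starts outside this hunk.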


@@ -19,14 +19,11 @@ ns4 is a caching-only server, configured with the correct trusted key
for the root.
ns5 is a caching-only server, configured with the an incorrect trusted
key for the root. It is used for testing failure cases.
key for the root, or with unsupported and disabled algorithms. It is used
for testing failure cases.
ns6 is an caching and authoritative server used for testing unusual
server behaviors such as disabled DNSSEC algorithms.
ns7 is used for checking non-cacheable answers.
ns8 is a caching-only server, configured with unsupported and disabled
algorithms. It is used for testing failure cases.
ns6 is a caching and authoritative server used for testing unusual
server behaviors such as disabled DNSSEC algorithms and non-cacheable
responses. It runs with -T nonearest, -T nosoa, and -T tat=3.
ns9 is a forwarding-only server.


@@ -1,99 +0,0 @@
#!/usr/bin/perl
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
#
# DNSSEC Dynamic update test suite.
#
# Usage:
#
# perl update_test.pl [-s server] [-p port] zone
#
# The server defaults to 127.0.0.1.
# The port defaults to 53.
#
# Installation notes:
#
# This program uses the Net::DNS::Resolver module.
# You can install it by saying
#
# perl -MCPAN -e "install Net::DNS"
#
use Getopt::Std;
use Net::DNS;
use Net::DNS::Update;
use Net::DNS::Resolver;
$opt_s = "127.0.0.1";
$opt_p = 53;
getopt('s:p:');
$res = new Net::DNS::Resolver;
$res->nameservers($opt_s);
$res->port($opt_p);
$res->defnames(0); # Do not append default domain.
@ARGV == 1 or die
"usage: perl update_test.pl [-s server] [-p port] zone\n";
$zone = shift @ARGV;
my $failures = 0;
sub assert {
my ($cond, $explanation) = @_;
if (!$cond) {
print "Test Failed: $explanation ***\n";
$failures++
}
}
sub test {
my ($expected, @records) = @_;
my $update = new Net::DNS::Update("$zone");
foreach $rec (@records) {
$update->push(@$rec);
}
$reply = $res->send($update);
# Did it work?
if (defined $reply) {
my $rcode = $reply->header->rcode;
assert($rcode eq $expected, "expected $expected, got $rcode");
} else {
print "Update failed: ", $res->errorstring, "\n";
}
}
sub section {
my ($msg) = @_;
print "$msg\n";
}
section("Add a name");
test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.49")]);
section("Delete the name");
test("NOERROR", ["update", rr_del("a.$zone")]);
if ($failures) {
print "$failures update tests failed.\n";
} else {
print "All update tests successful.\n";
}
exit $failures;


@@ -22,7 +22,6 @@ zonefile=root.db
(cd ../ns2 && $SHELL sign.sh)
(cd ../ns6 && $SHELL sign.sh)
(cd ../ns7 && $SHELL sign.sh)
echo_i "ns1/sign.sh"
@@ -45,13 +44,12 @@ cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
# Configure the resolving server with a staitc key.
# Configure the resolving server with a static key.
keyfile_to_static_ds "$ksk" >trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
cp trusted.conf ../ns6/trusted.conf
cp trusted.conf ../ns7/trusted.conf
cp trusted.conf ../ns9/trusted.conf
keyfile_to_static_keys "$ksk" >trusted.keys
@@ -70,4 +68,4 @@ keyfile_to_key_id "$ksk" >managed.key.id
# Also generate a broken trusted-keys file for the dnssec test.
#
broken=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" .)
keyfile_to_static_ds "$broken" >../ns4/broken.conf
keyfile_to_static_ds "$broken" >../ns5/broken.conf


@@ -1,14 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 3600
@ SOA ns2.example. . 1 3600 1200 86400 1200
@ NS ns2.example.


@@ -1,14 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 3600
@ SOA ns2.example. . 1 3600 1200 86400 1200
@ NS ns2.example.


@@ -1,20 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2006081400 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
@ IN NS ns2.example.


@@ -1,20 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2006081400 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
@ IN NS ns2.example.


@@ -1,21 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2.example.
a A 10.0.0.1


@@ -12,10 +12,10 @@
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
NS ns3
@@ -30,8 +30,8 @@ d A 10.0.0.4
foo TXT "testing"
foo A 10.0.1.0
bad-cname CNAME a
bad-dname DNAME @
bad-cname CNAME a
bad-dname DNAME @
; Used for testing CNAME queries
cname1 CNAME cname1-target
@@ -52,150 +52,153 @@ secure NS ns3.secure
ns3.secure A 10.53.0.3
; An insecure subdomain
insecure NS ns.insecure
ns.insecure A 10.53.0.3
insecure NS ns3.insecure
ns3.insecure A 10.53.0.3
; A second insecure subdomain
insecure2 NS ns.insecure2
ns.insecure2 A 10.53.0.3
; A subdomain with an extra DNSKEY in the wrong place
extrakey NS ns3.extrakey
ns3.extrakey A 10.53.0.3
; A secure subdomain we're going to inject bogus data into
bogus NS ns.bogus
ns.bogus A 10.53.0.3
bogus NS ns3.bogus
ns3.bogus A 10.53.0.3
; A subdomain with a corrupt DS
badds NS ns.badds
ns.badds A 10.53.0.3
badds NS ns3.badds
ns3.badds A 10.53.0.3
; A subdomain with a corrupt DS, but locally trusted by the forwarder
localkey NS ns.localkey
ns.localkey A 10.53.0.3
localkey NS ns3.localkey
ns3.localkey A 10.53.0.3
; A dynamic secure subdomain
dynamic NS dynamic
dynamic A 10.53.0.3
dynamic NS ns3.dynamic
ns3.dynamic A 10.53.0.3
; A subdomain with expired signatures
expired NS ns.expired
ns.expired A 10.53.0.3
expired NS ns3.expired
ns3.expired A 10.53.0.3
; A rfc2535 signed zone w/ CNAME
rfc2535 NS ns.rfc2535
ns.rfc2535 A 10.53.0.3
ns.rfc2535 A 10.53.0.2
z A 10.0.0.26
keyless NS ns.keyless
ns.keyless A 10.53.0.3
keyless NS ns3.keyless
ns3.keyless A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
nsec3 NS ns3.nsec3
ns3.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
optout NS ns3.optout
ns3.optout A 10.53.0.3
nsec3-unknown NS ns.nsec3-unknown
ns.nsec3-unknown A 10.53.0.3
nsec3-unknown NS ns3.nsec3-unknown
ns3.nsec3-unknown A 10.53.0.3
optout-unknown NS ns.optout-unknown
ns.optout-unknown A 10.53.0.3
optout-unknown NS ns3.optout-unknown
ns3.optout-unknown A 10.53.0.3
dnskey-unknown NS ns.dnskey-unknown
ns.dnskey-unknown A 10.53.0.3
dnskey-unknown NS ns3.dnskey-unknown
ns3.dnskey-unknown A 10.53.0.3
dnskey-unsupported NS ns.dnskey-unsupported
ns.dnskey-unsupported A 10.53.0.3
dnskey-unsupported NS ns3.dnskey-unsupported
ns3.dnskey-unsupported A 10.53.0.3
ds-unsupported NS ns.ds-unsupported
ns.ds-unsupported A 10.53.0.3
dnskey-unsupported-2 NS ns3.dnskey-unsupported
ns3.dnskey-unsupported-2 A 10.53.0.3
digest-alg-unsupported NS ns.digest-alg-unsupported
ns.digest-alg-unsupported A 10.53.0.3
ds-unsupported NS ns3.ds-unsupported
ns3.ds-unsupported A 10.53.0.3
dnskey-nsec3-unknown NS ns.dnskey-nsec3-unknown
ns.dnskey-nsec3-unknown A 10.53.0.3
digest-alg-unsupported NS ns3.digest-alg-unsupported
ns3.digest-alg-unsupported A 10.53.0.3
multiple NS ns.multiple
ns.multiple A 10.53.0.3
dnskey-nsec3-unknown NS ns3.dnskey-nsec3-unknown
ns3.dnskey-nsec3-unknown A 10.53.0.3
multiple NS ns3.multiple
ns3.multiple A 10.53.0.3
*.wild A 10.0.0.27
rsasha256 NS ns.rsasha256
ns.rsasha256 A 10.53.0.3
rsasha256 NS ns3.rsasha256
ns3.rsasha256 A 10.53.0.3
rsasha512 NS ns.rsasha512
ns.rsasha512 A 10.53.0.3
rsasha512 NS ns3.rsasha512
ns3.rsasha512 A 10.53.0.3
kskonly NS ns.kskonly
ns.kskonly A 10.53.0.3
kskonly NS ns3.kskonly
ns3.kskonly A 10.53.0.3
update-nsec3 NS ns.update-nsec3
ns.update-nsec3 A 10.53.0.3
update-nsec3 NS ns3.update-nsec3
ns3.update-nsec3 A 10.53.0.3
auto-nsec NS ns.auto-nsec
ns.auto-nsec A 10.53.0.3
auto-nsec NS ns3.auto-nsec
ns3.auto-nsec A 10.53.0.3
auto-nsec3 NS ns.auto-nsec3
ns.auto-nsec3 A 10.53.0.3
auto-nsec3 NS ns3.auto-nsec3
ns3.auto-nsec3 A 10.53.0.3
below-cname CNAME some.where.else.
insecure.below-cname NS ns.insecure.below-cname
ns.insecure.below-cname A 10.53.0.3
insecure.below-cname NS ns3.insecure.below-cname
ns3.insecure.below-cname A 10.53.0.3
secure.below-cname NS ns.secure.below-cname
ns.secure.below-cname A 10.53.0.3
secure.below-cname NS ns3.secure.below-cname
ns3.secure.below-cname A 10.53.0.3
ttlpatch NS ns.ttlpatch
ns.ttlpatch A 10.53.0.3
ttlpatch NS ns3.ttlpatch
ns3.ttlpatch A 10.53.0.3
split-dnssec NS ns.split-dnssec
ns.split-dnssec A 10.53.0.3
split-dnssec NS ns3.split-dnssec
ns3.split-dnssec A 10.53.0.3
split-smart NS ns.split-smart
ns.split-smart A 10.53.0.3
split-smart NS ns3.split-smart
ns3.split-smart A 10.53.0.3
upper NS ns.upper
ns.upper A 10.53.0.3
upper NS ns3.upper
ns3.upper A 10.53.0.3
LOWER NS NS.LOWER
NS.LOWER A 10.53.0.3
LOWER NS NS3.LOWER
NS3.LOWER A 10.53.0.3
expiring NS ns.expiring
ns.expiring A 10.53.0.3
expiring NS ns3.expiring
ns3.expiring A 10.53.0.3
future NS ns.future
ns.future A 10.53.0.3
future NS ns3.future
ns3.future A 10.53.0.3
managed-future NS ns.managed-future
ns.managed-future A 10.53.0.3
managed-future NS ns3.managed-future
ns3.managed-future A 10.53.0.3
revkey NS ns.revkey
ns.revkey A 10.53.0.3
revkey NS ns3.revkey
ns3.revkey A 10.53.0.3
rsasha1 NS ns.rsasha1
ns.rsasha1 A 10.53.0.3
rsasha1 NS ns3.rsasha1
ns3.rsasha1 A 10.53.0.3
rsasha1-1024 NS ns.rsasha1-1024
ns.rsasha1-1024 A 10.53.0.3
rsasha1-1024 NS ns3.rsasha1-1024
ns3.rsasha1-1024 A 10.53.0.3
dname-at-apex-nsec3 NS ns3
rsasha256oid NS ns.rsasha256oid
ns.rsasha256oid A 10.53.0.3
rsasha256oid NS ns3.rsasha256oid
ns3.rsasha256oid A 10.53.0.3
rsasha512oid NS ns.rsasha512oid
ns.rsasha512oid A 10.53.0.3
rsasha512oid NS ns3.rsasha512oid
ns3.rsasha512oid A 10.53.0.3
unknownoid NS ns.unknownoid
ns.unknownoid A 10.53.0.3
unknownoid NS ns3.unknownoid
ns3.unknownoid A 10.53.0.3
extradsoid NS ns.extradsoid
ns.extradsoid A 10.53.0.3
extradsoid NS ns3.extradsoid
ns3.extradsoid A 10.53.0.3
extradsunknownoid NS ns.extradsunknownoid
ns.extradsunknownoid A 10.53.0.3
extradsunknownoid NS ns3.extradsunknownoid
ns3.extradsunknownoid A 10.53.0.3
extended-ds-unknown-oid NS ns.extended-ds-unknown-oid
ns.extended-ds-unknown-oid A 10.53.0.3
extended-ds-unknown-oid NS ns3.extended-ds-unknown-oid
ns3.extended-ds-unknown-oid A 10.53.0.3
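Review bot: In the third hunk the new `dnskey-unsupported-2` delegation names `ns3.dnskey-unsupported` as its name server, but the glue record on the following line is for `ns3.dnskey-unsupported-2`, so that glue is never referenced and the delegation relies on the sibling zone's glue. Both addresses are 10.53.0.3, so the unsupported-algorithm case probably still resolves, but the delegation no longer matches its own glue; I would write `dnskey-unsupported-2 NS ns3.dnskey-unsupported-2`. The +/- markers are lost on this page, so I am assuming from the ns3 naming that both lines are on the new side. Separately, `ns.rfc2535` keeps its old name while its address appears to move to 10.53.0.2; a short comment beside `; A rfc2535 signed zone w/ CNAME` saying which server now hosts that zone would make the exception to the ns3 renaming clear.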


@@ -1,27 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 30 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
30 ; minimum (1 hour)
)
NS ns2
ns2 A 10.53.0.2
ns3 A 10.53.0.3
a A 10.0.0.1
*.a A 10.0.0.3
b A 10.0.0.2
d A 10.0.0.4


@@ -185,16 +185,11 @@ zone "cdnskey-auto.secure" {
zone "updatecheck-kskonly.secure" {
type primary;
file "updatecheck-kskonly.secure.db.signed";
file "updatecheck-kskonly.secure.db";
dnssec-policy kskonly;
allow-update { any; };
};
zone "corp" {
type primary;
file "corp.db";
};
zone "hours-vs-days" {
type primary;
file "hours-vs-days.db.signed";


@@ -1,28 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.2
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
private2secure-nxdomain CNAME r.example.
*.wild CNAME s.example.


@@ -29,6 +29,31 @@ done
cp "../ns3/dsset-target.peer-ns-spoof." .
# Set up some unsigned zones:
# insecure
zone=insecure.secure.
infile=template.db.in
zonefile=insecure.secure.example.db
cp $infile $zonefile
# delegated child of an nsec3 zone
zone=child.nsec3.secure.
infile=template.db.in
zonefile=child.nsec3.secure.example.db
cp $infile $zonefile
# delegated child of an optout zone
zone=child.nsec3.secure.
infile=template.db.in
zonefile=child.nsec3.secure.example.db
cp $infile $zonefile
# zone pre-signed with RFC2335 signatures
zone=rfc2335.example.
infile=rfc2335.example.db.in
zonefile=rfc2335.example.db
cp $infile $zonefile
# Sign the "trusted." and "managed." zones.
zone=managed.
infile=key.db.in
@@ -143,7 +168,7 @@ cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
# Sign the badparam secure file
zone=badparam.
infile=badparam.db.in
infile=template.db.in
zonefile=badparam.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
@@ -211,7 +236,7 @@ cat "$key1.key" "$key2.key" >>"$zonefile"
"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" >/dev/null 2>&1
zone=cds.secure
infile=cds.secure.db.in
infile=template.db.in
zonefile=cds.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -220,7 +245,7 @@ cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cds-x.secure
infile=cds.secure.db.in
infile=template.db.in
zonefile=cds-x.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
@@ -230,7 +255,7 @@ cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" >"$zonefile"
"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cds-update.secure
infile=cds-update.secure.db.in
infile=template.db.in
zonefile=cds-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -239,7 +264,7 @@ cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
keyfile_to_key_id "$key1" >cds-update.secure.id
zone=cds-auto.secure
infile=cds-auto.secure.db.in
infile=template.db.in
zonefile=cds-auto.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -247,7 +272,7 @@ $SETTIME -P sync now "$key1" >/dev/null
cat "$infile" >"$zonefile.signed"
zone=cdnskey.secure
infile=cdnskey.secure.db.in
infile=template.db.in
zonefile=cdnskey.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -256,7 +281,7 @@ cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cdnskey-x.secure
infile=cdnskey.secure.db.in
infile=template.db.in
zonefile=cdnskey-x.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
@@ -266,7 +291,7 @@ cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" >"$zonefile"
"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cdnskey-update.secure
infile=cdnskey-update.secure.db.in
infile=template.db.in
zonefile=cdnskey-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -275,7 +300,7 @@ cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
keyfile_to_key_id "$key1" >cdnskey-update.secure.id
zone=cdnskey-auto.secure
infile=cdnskey-auto.secure.db.in
infile=template.db.in
zonefile=cdnskey-auto.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -283,7 +308,7 @@ $SETTIME -P sync now "$key1" >/dev/null
cat "$infile" >"$zonefile.signed"
zone=updatecheck-kskonly.secure
infile=template.secure.db.in
infile=template.db.in
zonefile=${zone}.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -297,7 +322,6 @@ $SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -r OMNIPRESENT now -d RUMOURED now
$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -z OMNIPRESENT now $key2 >settime.out.$zone.zsk 2>&1
# Don't sign, let dnssec-policy maintain do it.
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
mv $zonefile "$zonefile.signed"
zone=hours-vs-days
infile=hours-vs-days.db.in
@@ -322,7 +346,7 @@ cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
# A zone with a secure chain of trust of two KSKs, only one KSK is not signing.
#
zone=lazy-ksk
infile=lazy-ksk.db.in
infile=template.db.in
zonefile=lazy-ksk.db
ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
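Review bot: In the first hunk the block commented `# delegated child of an optout zone` repeats the preceding block verbatim (`zone=child.nsec3.secure.`, `zonefile=child.nsec3.secure.example.db`), so its `cp` only rewrites the nsec3 child's file and no separate optout child zone file is produced. If an optout child is intended, that block needs its own `zone=` and `zonefile=` values; confirm the names against the zone statements in this server's named.conf, which are not visible here. The last block of the same hunk spells the zone `rfc2335` while the parent zone file delegates `rfc2535`, which is worth checking the same way. The new `cp $infile $zonefile` lines would also be better quoted as `cp "$infile" "$zonefile"`, matching the `cat "$infile" ...` lines elsewhere in the script.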


@@ -9,6 +9,13 @@
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 3600
$TTL 300 ; 5 minutes
@ SOA ns2.example. . 1 3600 1200 86400 1200
@ NS ns2.example.
@ NS ns2
ns2 A 10.53.0.2
a A 10.0.0.1
*.a A 10.0.0.3
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26


@@ -1,14 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 3600
@ SOA ns2.example. . 1 3600 1200 86400 1200
@ NS ns2.example.


@@ -1,40 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a
private NS ns.private
ns.private A 10.53.0.2
insecure NS ns.insecure
ns.insecure A 10.53.0.2
nosoa NS ns.nosoa
ns.nosoa A 10.53.0.7
normalthenrrsig A 10.0.0.28
rrsigonly A 10.0.0.29


@@ -1,40 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a
private NS ns.private
ns.private A 10.53.0.2
insecure NS ns.insecure
ns.insecure A 10.53.0.2
nosoa NS ns.nosoa
ns.nosoa A 10.53.0.7
normalthenrrsig A 10.0.0.28
rrsigonly A 10.0.0.29


@@ -1,22 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1


@@ -1,29 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.e A 10.0.0.6
child NS ns2.example.


@@ -1,29 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.e A 10.0.0.6
child NS ns2.example.


@@ -1,29 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.e A 10.0.0.6
child NS ns2.example.


@@ -1,22 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1


@@ -1,25 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
; This has the NS and glue at the apex because testing RT #2399
; requires we have only one name in the zone at a certain point
; during the test.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
@ NS @
@ A 10.53.0.3


@@ -1,44 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
MX 10 mx
ns A 10.53.0.3
mx A 10.0.0.30
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a
private NS ns.private
ns.private A 10.53.0.2
insecure NS ns.insecure
ns.insecure A 10.53.0.2
nosoa NS ns.nosoa
ns.nosoa A 10.53.0.7
normalthenrrsig A 10.0.0.28
rrsigonly A 10.0.0.29


@@ -1,40 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
MX 10 mx
ns A 10.53.0.3
mx A 10.0.0.30
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.wild A 10.0.0.6
child NS ns2.example.
insecure NS ns.insecure
ns.insecure A 10.53.0.3
secure NS ns.secure
ns.secure A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17


@@ -1,28 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a


@@ -1,28 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a


@@ -1,28 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a


@@ -17,8 +17,8 @@ $TTL 300 ; 5 minutes
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
NS ns3
ns3 A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2


@@ -1,40 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.wild A 10.0.0.6
insecure NS ns.insecure
ns.insecure A 10.53.0.3
secure NS ns.secure
ns.secure A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
child NS ns2.example.
insecure.empty NS ns.insecure.empty
ns.insecure.empty A 10.53.0.3
foo.*.empty-wild NS ns


@@ -1,26 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26


@@ -1,26 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26


@@ -1,27 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
x DNSKEY 258 3 5 Cg==
z A 10.0.0.26


@@ -1,26 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26


@@ -1,26 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26


@@ -1,26 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
x CNAME a


@@ -1,21 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA MNAME1. . (
2012042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
@ NS NS
NS A 10.53.0.3


@@ -1,40 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.wild A 10.0.0.6
insecure NS ns.insecure
ns.insecure A 10.53.0.3
secure NS ns.secure
ns.secure A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
child NS ns2.example.
insecure.empty NS ns.insecure.empty
ns.insecure.empty A 10.53.0.3
foo.*.empty-wild NS ns


@@ -1,29 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.e A 10.0.0.6
child NS ns2.example.


@@ -13,6 +13,8 @@
// NS3
{% set long_sigs = long_sigs | default(False) %}
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
@@ -121,9 +123,9 @@ zone "insecure.example" {
allow-update { any; };
};
zone "insecure2.example" {
zone "extrakey.example" {
type primary;
file "insecure2.example.db";
file "extrakey.example.db";
allow-update { any; };
};
@@ -464,28 +466,27 @@ zone "extended-ds-unknown-oid.example" {
file "extended-ds-unknown-oid.example.db.signed";
};
dnssec-policy "siginterval1" {
dnssec-policy "siginterval" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
signatures-validity 1d;
signatures-refresh 21h;
{% if long_sigs %}
signatures-validity 35d;
signatures-refresh 28d;
{% else %}
signatures-validity 1d;
signatures-refresh 21h;
{% endif %}
signatures-validity-dnskey 90d;
};
dnssec-policy "siginterval2" {
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
signatures-validity 35d;
signatures-refresh 28d;
signatures-validity-dnskey 90d;
zone "siginterval.example" {
type primary;
allow-update { any; };
dnssec-policy siginterval;
file "siginterval.example.db";
};
include "siginterval.conf";
include "trusted.conf";
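Review bot: The `{% set long_sigs = long_sigs | default(False) %}` line in the first hunk and the `{% if long_sigs %}` branch inside `dnssec-policy "siginterval"` in the third have no comment saying what the variable selects, so a reader has to compare the two branches to learn that it swaps 1d/21h signatures for 35d/28d. I would add a template comment above the `set` line, for example `{# long_sigs: when true, siginterval uses signatures-validity 35d / signatures-refresh 28d instead of 1d / 21h #}`; which test re-renders the file with it set is not visible on this page and would be worth naming there. The `zone "siginterval.example"` stanza, which appears to replace the old `include "siginterval.conf";`, also carries `allow-update { any; };` like the neighbouring zones; that looks intended for a fixture on 10.53.0.3, and a short `// test fixture: unauthenticated dynamic updates are deliberate` would keep the stanza from being copied into a production configuration. The `+`/`-` markers are lost in this rendering, so which lines are old and which are new is inferred from the hunk counts and the content.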


@@ -1,23 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1


@@ -1,29 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.e A 10.0.0.6
child NS ns2.example.


@@ -17,8 +17,8 @@ $TTL 300 ; 5 minutes
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
NS ns3
ns3 A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
@@ -31,8 +31,8 @@ insecure NS ns.insecure
ns.insecure A 10.53.0.3
secure NS ns.secure
ns.secure A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
nsec3 NS ns3.nsec3
ns3.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17


@@ -1,35 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a
private NS ns.private
ns.private A 10.53.0.2
insecure NS ns.insecure
ns.insecure A 10.53.0.2


@@ -1,35 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a
private NS ns.private
ns.private A 10.53.0.2
insecure NS ns.insecure
ns.insecure A 10.53.0.2


@@ -1,29 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.e A 10.0.0.6
child NS ns2.example.


@@ -17,8 +17,8 @@ $TTL 300 ; 5 minutes
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
NS ns3
ns3 A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
@@ -26,14 +26,14 @@ d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.wild A 10.0.0.6
insecure NS ns.insecure
ns.insecure A 10.53.0.3
secure NS ns.secure
ns.secure A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
insecure NS ns3.insecure
ns3.insecure A 10.53.0.3
secure NS ns3.secure
ns3.secure A 10.53.0.3
nsec3 NS ns3.nsec3
ns3.nsec3 A 10.53.0.3
optout NS ns3.optout
ns3.optout A 10.53.0.3
child NS ns2.example.
insecure.empty NS ns.insecure.empty
ns.insecure.empty A 10.53.0.3


@@ -1,35 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a
private NS ns.private
ns.private A 10.53.0.2
insecure NS ns.insecure
ns.insecure A 10.53.0.2


@@ -1,35 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a
private NS ns.private
ns.private A 10.53.0.2
insecure NS ns.insecure
ns.insecure A 10.53.0.2


@@ -1,26 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26


@@ -1,63 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
; File written on Tue Jan 11 18:07:57 2022
; dnssec_signzone version 9.17.21
rsasha1-1024.example. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600
rsasha1-1024.example. 300 IN RRSIG SOA 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. kM6ztqAaLkxcRxYWrw2oe3qofzoIRjDv/tLD/A5edreqzzwj7H6Ihm0s JHfzqVOWBTwYzX0XgD0PXCqMdkXP7QlcWGYK7uCWnisayZIwNCdkywPC sS2ky1d0eK1A7kJ9nEH/eOgLba5uFZcAo8+9dD/6o6Rt1jTeTQkL4RHI UC8=
; resign=20900129082204
rsasha1-1024.example. 300 IN NS ns.rsasha1-1024.example.
rsasha1-1024.example. 300 IN RRSIG NS 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. jxbsZlgK4B6IkCrZuNDVv/EIqgCU8pTOyWEt2DqvzRI8AeL3I+U9Nbcz 9gmQRaNEtffLVR/sfht6v1ms4AFJKd0xLSZj9ywsZKCmG12UxfNIoZ49 4d1ono8hGYU8xr1Qh1BU2HwgGY1JF4OyO28cgrkT2F9dAvG8MSMEW5Sg 9A8=
; resign=20900129082204
rsasha1-1024.example. 300 IN NSEC a.rsasha1-1024.example. NS SOA RRSIG NSEC DNSKEY
rsasha1-1024.example. 300 IN RRSIG NSEC 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. AfEX9beXrft4d1moQD1VP3Em9cMgJmx2EYBKMlW5e5XFNk2Z5Wj1N//3 sBuUPNppxUilUEydqH5psVw7IMhrz8Q1+bhABNV7cPm1EOuq0NuQJ2LN JNlTnjfaRT6IAtY7d+NOCO2eKlDzMC/q8t2oaB+iHhgO7yc5+fxMGyQ/ PVc=
; resign=20900129082204
rsasha1-1024.example. 300 IN DNSKEY 256 3 5 AwEAAaYD3SqsLtFHSfDhA8HhNKQJOToRptRmFhsYbqre+lq/BLpLQNkA 7Kq+chsUhOe+8OHMfkNXfr3XFyuUA3rBg15kq57NZ5gLzkHyeGqB9Ths M5pdwDCqPjJKP43W2+EXXHWsg5P94yldWcvMx1v80vrxGvUimfiQSznE hok/6oqR
rsasha1-1024.example. 300 IN DNSKEY 257 3 5 AwEAAeEe/ohrvXtDqYgrz5Q1WAKRstnnH0xi/4Mne49PLO56TcVPf6sg xpv/SaHSlQGJnVbQBLebPemKDAC1vVOUqdTDxHJbLuO28brIWMzf0pc1 5G2RNtrQf44E4yaibSROhyBmWoerUHTPGJw6BGDI4fb/CVWujFQ1ieBy WC0p1NWH
rsasha1-1024.example. 300 IN RRSIG DNSKEY 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. nBLPJfoZe4G3wOe17bBSMooRZHe523pjdaTAK2PmXEa8exXH+OWCHh7f Jnh/SI89Hp9a2ru1Skze3FcUcTj/SlwtEuWpxOs9B1R29P1xVPCwkAfb xsmtmE6u5+oeLGrt88zA/kpjx6t0sFbU7A8/qxlpuoH+hdAu1jI2tlP4 d30=
rsasha1-1024.example. 300 IN RRSIG DNSKEY 5 2 300 20900129082204 20220111060757 1151 rsasha1-1024.example. 0oNrcBsFySVjBT60SX3m7cKIPmuCOUH0ZFucrmEVXJLGpNOXe37aXbnC Iz+NHcaaeZQP/w4aYSTyQvZs6Vl5Tufeic3SWalzTGv0f01mIIk24v1a h4ePUB8w0b0+/qq89zl6Ccr2/PgTaLvjuSGYcgX15cigqPRcKQNYCwO1 Vsk=
; resign=20900129082204
z.rsasha1-1024.example. 300 IN A 10.0.0.26
z.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. Zf/ynA7APXpNjcMPusIjRan0/ITLmeeY7GJfhCLeD3lEjnAd7dWRl7sC N5sBzUG78Mtgm39Ov/Kj2EwQjFcwcMUmppan3NzS+1YtYuZqlN9iAW+b UUfv8UQUHvM3x/hW4kNCPd2PHIzV2uedIp7VG3Lz72FvjHxECbI7g79V 18c=
; resign=20900129082204
z.rsasha1-1024.example. 300 IN NSEC rsasha1-1024.example. A RRSIG NSEC
z.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. FPlYMJ41r79tkhIkDTX9/uVtcKXfHa+5oXb8fdo7/2CugjBfp5uihn57 3gMmY7Mi2aVsW64hRkehPJr+sTUOk5+ILhO2Qhjdrm2DpHgeSK29BTQr Okn9ruvpLhRFHwI/DllnKvBOyCmKSzJZE7PDOrqouGclNue07IXz+K2R bME=
; resign=20900129082204
b.rsasha1-1024.example. 300 IN A 10.0.0.2
b.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. gQmhCIwai57iscF2s5CJ5DbSy0Z9TiOWYGeFeZITxQ/koFOOjyuZXAZn 6f7mTUcFPhNm4AT/PJAs/L/tzcE16pcVwwDnHszdY28XwEU6OqaXUB3E T/Qu4Sh0BWet9U6JcSSqLG5317qJxqSGfnIJOXMucYi3MH3W8uSpapr+ 4Qk=
; resign=20900129082204
b.rsasha1-1024.example. 300 IN NSEC d.rsasha1-1024.example. A RRSIG NSEC
b.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. Do6VghMEcHk35Q7fI2VrrQBYhChT4pnw791qUFhHZeol5fIKtEnrlviA RN2fbEY+7OrQQXo7Ywxo7nTD9sYsFgOwGKqKJ+yLNPcr++0csbkgt5rU ch1Lv+t7jOUuUX8IzgjOoCH5j9eoU5QtGkEBxf6z0nvlsLJaTWwTqvbr 7aU=
; resign=20900129082204
a.rsasha1-1024.example. 300 IN A 10.0.0.1
a.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. CaPXSTPLNeQ4MyRylYP/Ztb6kRT9/QdgpTnZxUHCjSdWEBXsrkEr55/z dBSQ8zGGOfCxlOkmgH/UrR7JmHTQrIqsb/iVq+6D0mfvNJDyNpT92bo8 r+C62/9NXLlkS5zcpyNG8Ls66EQ7dcFa6SxwdxF1qaoeBjJvkrGUMnzP UFo=
; resign=20900129082204
a.rsasha1-1024.example. 300 IN NSEC b.rsasha1-1024.example. A RRSIG NSEC
a.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. DJlfCVMSPZ6KUIUhWUBt7LOCB8vBbxOFaR4PoHs/fLpGBWrQj46sjLKO W/TImquBg3ygYTOIyWEzVb177HryRmx65AKnfGLbzaTdTgHzcELwg88t EYFT4ODalqTn68o2RfWtNl95FNqJR/kguxxzFVgpN4zfGKXdhTWAA4JW zG0=
; resign=20900129082204
a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN A 10.0.0.27
a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN RRSIG A 5 13 300 20900129082204 20220111060757 22290 rsasha1-1024.example. PVFCHIXgDCZOHsTsr3G9wMnPPmiY4CfOXC3b1ZF2qEDqloIT+YX5oKKE uiT6fCBteS6Cq8XTXdezXjqTqxrdY4qMMOBDnIZhf8eOxjFzMEUKKZuH 9c5rt8u35TihuIdKv9OPXdWuTJ4dVSEZjNNxvh3VoMW6XFagYmu3f8Gr 0rg=
; resign=20900129082204
a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN NSEC ns.rsasha1-1024.example. A RRSIG NSEC
a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN RRSIG NSEC 5 13 300 20900129082204 20220111060757 22290 rsasha1-1024.example. VOOEksRwMWNO2ESMrcMyPFAHuXyYgeLVODy46DwDx8PTli3/UwOH1e3l qd3Poh2K/OFP2v8TuzkXXnPW48Lg90haHtG9yLr5UUNoKntmBC9PFeqt P/qdOBiHszvcyyjJ4gabEX2gn+o/sL/klQV4m3mB4Vf5sg2dfX8Qyuw6 nDQ=
; resign=20900129082204
d.rsasha1-1024.example. 300 IN A 10.0.0.4
d.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. XcxbM4wA+yTOAwPePwRIg6E58HuMr5qIkdghNn/R5ck1JdirLbMB/Wpp Si+5a4q9F02Bs8uZv2YXtXRIa32i1/L6OPeU3RFQfvkpHbQNTvPtsuAL bmFGB/zdR6XQpqC6G+ip9qY+mk2hXwCZZ24NW90O9qYlE8Rp145/dIVM DPo=
; resign=20900129082204
d.rsasha1-1024.example. 300 IN NSEC a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. A RRSIG NSEC
d.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. fmBjPGTNWOXAs51XO1fIRCKAbf9TLTV04TmlgLm50oOouEXsXpwKo6tb MbCGI2f+u986mtzLW4gWY+rcAPrMCndu5BPIYPk/Ngd6zqylWJzAfKyg PIqO0lf6jg0J3FfP39fw9bf+xB+AI1PWBrVZ55LotBYgIBZYhQ1LKPZ2 iyU=
; resign=20900129082204
ns.rsasha1-1024.example. 300 IN A 10.53.0.3
ns.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. beHl0WxLgPYkzKs/tdQnphXDzHx6FqdQRlVtJIYHGoWmWe4X6JWg4ENB a0xPeOGFQPBMgNuKbwyjAVmX0B3Su4LiBM7GcmfJbd4YRNCa4hQvhDpG o5A54Pxo2Qdo9Cffhzva5z4iO+DNnmBsfKGPna4sO2lRNfIxXlxCTbnE zps=
; resign=20900129082204
ns.rsasha1-1024.example. 300 IN NSEC z.rsasha1-1024.example. A RRSIG NSEC
ns.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. aZTImJ5QFufIQEIuX+5ZYVW2Yq4ctxeX9zm9yrQaUODvVRm3X3WjncrU hkgDaW3a/j8RRG0cdAnzSWCzIMz0Yv4kWxrxCEJyIgmVUQ3fzxzpGwMF ZwCtNb9aWmImcAugTnjocn5+iCiyTEVipZmTASEyN0Bgp5Q4oFChnzIj kjk=
; resign=20900129082204


@@ -9,19 +9,55 @@
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
; File written on Sat Jul 5 14:07:41 2025
; dnssec-signzone version 9.21.10-dev
rsasha1-1024.example. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600
rsasha1-1024.example. 300 IN RRSIG SOA 5 2 300 20930723222148 20250705200741 58758 rsasha1-1024.example. PJOZW7DeXBMB3VJ3RGFHbq5sWGc8zas7y8BKaEz4rWmScEfJrmt5ZGtm XPuQ08roCQjirb6ltLGMBorOZ5PrKkF998FhihCzUjJm9FSAVu3VW0FH 0AHGRuoErR7goE8kp3mQtqDjQfKN3RYisffzXC8K8WDb9AXNo6tdPl6d efA=
; resign=20930723222148
rsasha1-1024.example. 300 IN NS ns3.rsasha1-1024.example.
rsasha1-1024.example. 300 IN RRSIG NS 5 2 300 20930723222148 20250705200741 58758 rsasha1-1024.example. 7bxj7Z1i+Yfn9GzJg7eYbx46KPQOybj/aqhJUDp4ajlYKHrHHtlhHiez DfDj5RlgLGdAzRQPBs51L9KWWl+S6+MPujeVOIT+8SLWbkAWiaY2xLl4 YvZOFFelI1msoBPsXHt28OZz395Iun0VRTnOYAVR/M8lFAwhwYKxnK6S pD8=
; resign=20930723222148
rsasha1-1024.example. 300 IN NSEC a.rsasha1-1024.example. NS SOA RRSIG NSEC DNSKEY
rsasha1-1024.example. 300 IN RRSIG NSEC 5 2 300 20930723222148 20250705200741 58758 rsasha1-1024.example. ranydIBWyrsp6gvreVGLy8jlHnQh6fL36grp1Rqp6OBNsSn+WegQP5uQ alksR/mDvSAFAeCEX6jJ+GbZan9SUYpkrqbyZtrX1+xKnbbu12ogx/lc Egph/QTXsD6iFBXRB7psiqV1mJx2PjmSHEsDN6zxbOvCrSBSoUQZOkeJ ePc=
; resign=20930723222148
rsasha1-1024.example. 300 IN DNSKEY 256 3 5 AwEAAfrnP/8ng5St8Ok9VOJ4QWrOIfAp1pzT0quT8+Else7jAOI55qAB qcWOOMfkgF3AGfmD/OkTo17fq4HeoULrnOw8mTPjbQFowrnPRWpClj3N lRUVfYpVaKOzy3WnUSiqtegktKMaZgvBz5BgAeJOkG6IpHCqYab5135K JplSUlBz
rsasha1-1024.example. 300 IN DNSKEY 257 3 5 AwEAAfF0adqZOjSh1ADpmABpTwEAD/cWy/+9R42G+DqZK/8pkxfvC6N9 b9zWsa9LhyBge97aq7LyzlKO4HJvYK7su16y3ZeEQUplrwIwD6OPoffu X7vjNA+O7vikjdSN6sXI/x7eKwU+ZQbLyCao4COGy+Xl8VowWmIGJ3DZ wEhwOd+t
rsasha1-1024.example. 300 IN RRSIG DNSKEY 5 2 300 20930723222148 20250705200741 29488 rsasha1-1024.example. qGZmNE1DZMvZ/OwZXuRtebtpIIE3pzYUQngQD9VUHyA9D1cLuElyevgl /pjOh5Vpt0nid1Y0HrLrXYe6xRsT8a+hhp+5ybUqjOpusBDkj/LYnlev y27Nor/GcHNy03R+B/Piu+1T3UA+dxvYc+YJrmmx7XU5tMpqFyV4C4if IyU=
rsasha1-1024.example. 300 IN RRSIG DNSKEY 5 2 300 20930723222148 20250705200741 58758 rsasha1-1024.example. eMnV0gdwLW5SY+gL5CsTilyz3qN9YJBnD/EgaK4xXxnV8hoTXB/QgtAP +/jylOSIMqCT+VA9UlV2q2WyQd3n2ycdAaXIrZhMJDo/ErXcNrfi4h2G aKLVr/NiX6VlNhyNgbYgz0dM6CjcMbFQSr43hFJ4oWbOrEAS5a708/6t uUU=
; resign=20930723222148
a.rsasha1-1024.example. 300 IN A 10.0.0.1
a.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. 41BzMHFHRo79n2jipZYetBEeJ2tb/HD2wj28I++yPLmVbn2IUnA0qOQV ypYQmAjhIKgDD+KHq0SB+WbPnVj6buV7WZ8mlknFDNxmMc6erdStBwsO shtL5kNUv33QTsyRGtreCnEjjWSSMzC63sdBXyjN5+ZWVqxKIFKGwMJZ uwg=
; resign=20930723222148
a.rsasha1-1024.example. 300 IN NSEC b.rsasha1-1024.example. A RRSIG NSEC
a.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. KXNm/3ISKA9TJqFUAgrFVVwrRqIMZ9IhaLALTD8nZl5guNfq1NUnjKQW kbM24C2b9Wb3ID+lIlz8NygSdVyGpUsxvyn3s72wxRHyAQjWSgXMsxHH K7OlPMWKOKEaa27uGjbXkcITPstqveaZNdCdNba7hrjiBuETsLBRQoyi pO8=
; resign=20930723222148
b.rsasha1-1024.example. 300 IN A 10.0.0.2
b.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. sFXNp9u1KLmGALRtBygUQa4jNug25BWHJlBjKiaIQHal4YN2wpNMBfP5 8pwAfTJHpMZmnIfTQKpYHFYI+AZ0VUh8KRjkUfZYtgviu6BqPshuhNVa hKYpSzpUDCjjg29oYPC36sIZSnZDbhbRYLzERXMVB/tLujDgjoGD4z3b dzM=
; resign=20930723222148
b.rsasha1-1024.example. 300 IN NSEC a.b.rsasha1-1024.example. A RRSIG NSEC
b.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. mz7zYeNU967NoqNLTbi9ggh+jG8c4AQK8nfkP6f09EuH76BcU9T/BzKI lLPws1PYmBeT+WXmcwuFyDxPlSntO/xlU/t5wMGOjMwHWRPaFiaAx3H9 PZj9JC4UDfEKOB/2icS9HQrBqzsPlzYVWrdqkAgm4ErVl4DNU0zUhv6y Xpk=
; resign=20930723222148
a.b.rsasha1-1024.example. 300 IN A 10.0.0.1
a.b.rsasha1-1024.example. 300 IN RRSIG A 5 4 300 20930723222148 20250705200741 58758 rsasha1-1024.example. e4R1G9oEo5I2kPqVsbUYBgP0Bv5Eyp9BTesgKqAJ0q9NfZGtjh/03kCr A8CPw7mwL3qLEVo/oupkzpLj/gt5Zszdlmu7Bw81cJfV+x5cPyLjXJty Z9+T9KZIFa/tqW8FFF3/owEecTjcPjJs/mrlNy7lbp1kLXBIk6S7yt+c dpo=
; resign=20930723222148
a.b.rsasha1-1024.example. 300 IN NSEC d.rsasha1-1024.example. A RRSIG NSEC
a.b.rsasha1-1024.example. 300 IN RRSIG NSEC 5 4 300 20930723222148 20250705200741 58758 rsasha1-1024.example. Y3N3uY1kIyY9WlgWF8ZQ9gmo3Xi74G+UF195ljexwkjlU7LOX7TuaJpJ PyaqASJBGNF6aLbcwR89rItxJknSdNk4oqvQiwykZ0e02MXb/zPeqqkG +y9jS9M+ygKjMcyY+qHVgjy5UaldUqOV/bjg7cq2Z2FsCjkD+lCmGzfl pd4=
; resign=20930723222148
d.rsasha1-1024.example. 300 IN A 10.0.0.4
d.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. 1jqKrIB7M9la2A8cRVdy92TV19elq3pGvu19DGz77sbn3HYrb3lF+zSl O2g+75RxuwzN8yoGe5P6/EfaZviOPNBV5s5e+xKHQwAxE0RCdnLUcuE9 8PAuNBogBvhrDzZJQh0p1ap4vyuxCEH3jDYua9Ul7VMy8UmGcBO0BuaS f+A=
; resign=20930723222148
d.rsasha1-1024.example. 300 IN NSEC ns3.rsasha1-1024.example. A RRSIG NSEC
d.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. JA2sayAAdp9pCtOSsv66hD6LlgA8IFC2gzVSIjYVnz5vevoXHcok7HTi UbaaWoE0UaCI5DrMTSc9x6IOMe0OTC4PLPl3dntnaiOZJfe1Fr97zyme jaMzqd61Tla/dGM58KUKKSL30hj/5o5DwW7ppdHKIW0sq3YXufnDOCgx TT8=
; resign=20930723222148
ns3.rsasha1-1024.example. 300 IN A 10.53.0.3
ns3.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. NTFkNDGrOnrz1BvHEgqq3I02y+unDlUmkd2RM5pFz4wMWlZm7b2sPFsi kGH8AwE7U5RBR4Pi6YLS7im+GKXRKEChYbHy7QU2XyvGueQ0AK8jLN3+ daSr0vK5RGSDihl3lWELQPGF4/qrYYVQI8itrewvYWA2EKmPjgJAtjKV DO4=
; resign=20930723222148
ns3.rsasha1-1024.example. 300 IN NSEC z.rsasha1-1024.example. A RRSIG NSEC
ns3.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. Dx7nC3ZCVV+BTR06WOG6vh9mt81aQijpKH7N03GopNejfbEN3dtGR2n4 cEnc/rofcy0HaDiRGKptrxYNDez6g9awh73p9FDQgE/gnnOJ1WAOIyVi XE4OHSwxfRRdYNV5oDY5Dsl9/ZNuewwc22hfEHTALKDv5ncOeGlk4r/U cds=
; resign=20930723222148
z.rsasha1-1024.example. 300 IN A 10.0.0.26
z.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. RO5OYSdypaZuuB+cYQLfj9nZ6PgCpd3iSOZETdY0/RYcH31dX/mDWa/s ODefiUOcyZNJYbJmcZXbOboBQOsHSB2+SsYwc6hfkKiACvB564/6u/5v hujJJQqEpJfuGEaGfJtQHjPgXQoa33juX7k+4zOQJFAs0z4loIb5s9d2 Gyw=
; resign=20930723222148
z.rsasha1-1024.example. 300 IN NSEC rsasha1-1024.example. A RRSIG NSEC
z.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. hLdkoNjYFvJ0xYYOp2D0mqoZntJ8M0crDboQ5CGQ5fZD3eIFWG/uWqky 9tt6udqkqrVv7cniTlyoD1GQqBpx4FR9P5qgMXDQ5EvZ7WncjfVg2IFV PYZAqV1iFiQXackDd3jipKGFgx8NKvfl/jr1tdNR+5LqxHFM51zb7Hak J08=
; resign=20930723222148


@@ -1,63 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
; File written on Tue Jan 4 17:29:34 2022
; dnssec_signzone version 9.17.20
rsasha1.example. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600
rsasha1.example. 300 IN RRSIG SOA 5 2 300 20900122074341 20220104052934 30286 rsasha1.example. wg8k4y/Cs/+u2QfUnBURhD4isSFTzCofpdhMzVJEUfBqu1DBVO+FECQ4 U80NCg9iksxm7xsWAZiQx6Rzvh1rUqEA7OhCy7XiPuz+jR1TYHXJhRMu t9gu7aCdTkcXYCMtppd49/2vT+WPKB98QIKD6wgl4LFFhwbUCoXavin4 babUiJrJeAnuxmIeD5HtM5a+++p0F8QemdP5FkX3WCRBHNFGnoVYJjc7 PZ+L8ZpKElah47XzJwAYWDr34TwqU9llCOcXlXYKBqDKO9fEtJJ1hyk9 Sf4fGOdzZD9Pj4Zz83UlHumeZPfIC1N0xVBYvGPu8LU41WZ4BgZfKSoS UIpbPQ==
; resign=20900122074341
rsasha1.example. 300 IN NS ns.rsasha1.example.
rsasha1.example. 300 IN RRSIG NS 5 2 300 20900122074341 20220104052934 30286 rsasha1.example. VqOKkNo7CRH2uquL/46cIVoIPvFYT2WrpwpG6ienlJoLF/mZn0ReoMaK G29R8Q0tklalk14CGShiD409lXDRynyHgmLGIFjkXMd6aNRQOdD1O+7C wEhAj4/FEz+qpk/xRGMslxCCF1P7DxpX5ZPI9DuPVVvTRk4131CALaFQ EPblDzEgd7JeoO0tKnPjpzXLdr86NDeDVZXonimjEhQNrvrrurQ5/u2F x7jVmovN47Z06+XCbleC2ag8ZazNkYfU8GlFvkozZMGZtnpja1/SllNJ ZdURisd3JFMw/xsZd1v2MspKYcZePTfzyk/keXSJ0AlO7TA1X2sjiFOo 1fhSnQ==
; resign=20900122074341
rsasha1.example. 300 IN NSEC a.rsasha1.example. NS SOA RRSIG NSEC DNSKEY
rsasha1.example. 300 IN RRSIG NSEC 5 2 300 20900122074341 20220104052934 30286 rsasha1.example. U7SEGuJ95CKk6+sWNCNHfPuvjJ2KChhutImWmSTc9lgb3uSfptzwbYnP UZ3xG0IqkayRJhBSizLb5kntvBZbcz4pEWZ+o7ZJdiBHcCARj82OJaLF d147VB3XJa6rIi+o/Zm8SIbxU7gugqRds7KfSTxAIjHzLpCcu12hlgfc Qso1LYiVeU5GVnmfuNJQL7QvS3BQuTylTI1+HQpiY6W8Bzev/TcbhoDJ Ywp4hvgF4VGCvrO2glSO4VycLjluawKSlrNaLbAtWIYYUSPbvtktM8tQ GBqOij4l7eMCTGRCoExWEnr+CzWAauoemhLDh27Bq6VNjD5iIvjzt3Ym uGDQUg==
; resign=20900122074341
rsasha1.example. 300 IN DNSKEY 256 3 5 AwEAAe31msH3kL5cIQ6C1vTnB8GvbFDm0t/j5XWnLonaKDSUoHtKLlRq pBPuwlORRUZxRSs7VDAaKE0YGky/YklSCqvo8gBD4dkNjWD/6XGkmtEq DOL8XCz1KO+djs7WLCuCyGIkG282+sntuZJj4IMd+ZDW1urCwaP94t3u W9N+PgrSacK9Ff1bwLR9KIgkRFpJ+JxPeaFYnVEyB4ZaZ8DgPWYNJ+aC awL0nATybC8asPeCGvft3lSS99z55IMfkpjF1rwHIVybqhiukRighazQ ljjVQdlXj3YxFgD0fpscJ6yN0QXdseagxiT4PahnwaHYHUhgGm+HB1zA pA49L9dg2RE=
rsasha1.example. 300 IN DNSKEY 257 3 5 AwEAAcQdnpcda8XlNxllEGbWy9EGkD5TtHEbxThaB9c6ZNQPTf3gJw0A LpIZ787sepWND7vPcq6Qb/xZEmC6ER5OfaYbDznUh8q5NaaTbSwv0tng gE8KPwtvlgH+4eUmOcEkGrfR9G6J9S8JTT5bUWKTUbprxE65/8xcY33S cEeOpi34DLR9GLNvPLTSLuWQcYrq1YZFHbivQ45oFD9PvWPJWOoAN68N T28e0ZV8QHuXqW0IEheeW+AEemywupdaxun6Cvvolfz2EMYFnYX8YycE 0qUoDC4W9w3xB4nOllWQfJzgQkSTr/I4XCgepFunBeuAHZhCoQHPt9fK IfPUYxQzaa8=
rsasha1.example. 300 IN RRSIG DNSKEY 5 2 300 20900122074341 20220104052934 30286 rsasha1.example. tODh3LiRuG/ao3ZtJSLBPCy74pkfHXMPRUgFP7MhNR3X6gq75daTVHLi ApTesgAXPAbHI404ps/8M2Z84dkMKBhRDdp1e9OwR8IB4Iw0IOGp2rV7 oZSYNzgnlwRfQ2G75G3xbCjiQhY0H+7IlSiys3sAaI67plvI3nDC3C/r zyDKiY90pK31e+q72SSK+1t/MlsRm0nAYHyUZGLuBMoXYHwonLImeH9Q jwy+cXLwhzOfPfm97ailNifEk38+P+H+Yq35Cp1ezpMzxAi67AcY83sR XB7RVRCf/4uUErh5rYcl6EcnHFh1xA9oSHsaPQbd39PO2fNanyvdPH+p b0ey0A==
rsasha1.example. 300 IN RRSIG DNSKEY 5 2 300 20900122074341 20220104052934 9662 rsasha1.example. Ksyrf1lseBMSQGyPWrSve/X09Nb1CWB//Yvjw9HAEBwna9wseI6cH6mi B1G2JyFmTFzxGgVmf0wB+oec2w7nt5/uUJbyVfLQvCs9RXBGEpKAwhVf GKIwcSF1VTyVfx+PYPHvCpeN01Qm3C/5pJ28dkT65Hry2a7f39kk/8YZ 4zVM1nYaTsBUQdQWvR5UlSm0S3SUMBc2MIEUGUFBhtBJ10W8VkIfNzma ONjMHthu8vLAfwuBYX8zzJIVB31XvnxZDa4LSM4PesyPZ+KVR27o5dlL gQS62u3PWJDgEhUNFIa8A+5kDENC24p7DSfG+Aipe3upefBpBAW3VEdN A/nwQQ==
; resign=20900122074341
b.rsasha1.example. 300 IN A 10.0.0.2
b.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. ivXu+xAyZThIsY2T1c1wczdeeIG/37z+nO9sbUOzcUyf4+T9lX+6rU0D gxQTxHVdcsw3ge/C+dU2qcrs3EHHW4JcpT1yZMbXcyo+w5ocj5oHGYD2 L3iKLCEZrzdkIwmY4GXNyTznk0X5GKuaP7P6PeNrwWEBficB6xLSiLm7 tsswVcc4XyHa+zKBbxevIt2bKvRUfruyztgENZXJ5125Kx1Ee70Hwvgw bNc2J7lqpJw5c5O8yUaXq5gsxcaLBuONbQ4ANL5PtFQJJY7B5GhqlRTy gVrThJsoZj66pfa8gK92yn8uRG6sFpAbtPrTMQaReiExOhCUdBZRBmA+ RWUTKQ==
; resign=20900122074341
b.rsasha1.example. 300 IN NSEC d.rsasha1.example. A RRSIG NSEC
b.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. hHtS5Bev1RkOJhsz4QnWJzzn/BBRLJil1l1RCbX+nbVbPE93l/2aDi12 jgctWKIfAiVfdFn93uno11+7Lq+bJaiMvaozJ+f7XWMAPsITOlKGNtiw l9kqZJExugH3q0RC1W0xxnb6HlIbwYGn6refUexaZKjgBsUg302pY7bh 6z4WuPakuxAqsaI6KLxLAlm7CWmdXvpFMCc1dnIVDplxOAvEINTrEesY sffjfmRbP3YAXC6/xvu0WVlikgklJjjiRqdeiSqPLGlnb79OAF5whHSL nYvWscX00/f+SOiniFoAFH2KeSb7VdJ2jvpTaqWjrYxxvwuZMsKNzwRI 4pnH/w==
; resign=20900122074341
a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. 300 IN A 10.0.0.27
a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. 300 IN RRSIG A 5 13 300 20900122074341 20220104052934 30286 rsasha1.example. BQT+sZ6SJUbGDJ0eG6WBM19+UoBGZEie96E7EXaeS4It3M+EaMkIWIGD hp0MwiC0yW8u0zWjlA57t3yRpVhvCic8kl4SPs5tOmDXyy5RRJ7YOHNx 3PCuAbkoTfoLt5ReVtGcs5LTz+lmPUKZw/dwols5x8v1PIC2O/Ud6Yep TE9Qeymj1/C3GxxLVPLxXQhirkhT6LfMmFH6fNwec6U7bVRyMo3twcvK TDxkEZu5qA0+6bSrLC/xdyZYE38RQOlicmmGfYAIkDWKDdDXYbfBeJq6 zP8aFvdqOckDBvXQcnP9Cq+IvQX1noO90ePYf5AzNxAEQFJ4S1LUm/0q mQqNLA==
; resign=20900122074341
a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. 300 IN NSEC ns.rsasha1.example. A RRSIG NSEC
a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. 300 IN RRSIG NSEC 5 13 300 20900122074341 20220104052934 30286 rsasha1.example. jvJup/Pg4BpAjh+eLMKEYFkpK/iOVt3QggGL7CRMxzxkYYMJNPwXqdAt 5MovIAFjFKBQm0RDe8/tqav/zdOZrDTyRZ2Zsh9qOp7hlOhy4oqQF+4n Wqg3x8v9gSgrzSAsiJAhb3fbbfdAb3Esc1R0Ec/RcLYEUXiD1eLTG0cB qtVmX3McwXTmu0OGpn0Dsg8CTSuQnrvo24bvsah5SEL1/NVkPtEE7KDT Q8orR7LNM0EeIL1CHxT5dqCAo5MvUm9L8GL/YIOZgtifD/uL23T0ej4j 0JYN7EYoDyFT0fyGeBoS2jkCZTsQZivfnkE5J4Ch1nAU5bUmSeX1eZHK nvce9Q==
; resign=20900122074341
d.rsasha1.example. 300 IN A 10.0.0.4
d.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. 1mZnG0HsIygSfEue9vMlqWpIQ59EmrktvFrGBzNUEDQDjsoGHv+syMFi A8BtRPkrHZzGaYTqy4L8ZL6V5vZPN1icETNVebx7teBTNFIwlvubdKoQ Zg/37W8gW6U1PN4khQlfX7W5XMFifF4qfCfI3XhkPgKacVaucHQhvGth ZzgCbhCQBVMooRb+v+nzknin0qpIWm7pVPh94BaajxQJ0mNwVQ8hjdJP jy16PH4z/aQ6oPjPKMbnMwTQOdWVUKsZtEkBGcAjJWLFmUJYpR5PPdRB /VsEtjexNKZtDwn0/QUIqUi4GcSp0ISTDBTNDjImJhWVJUoFh6S6zuRW tPYZGA==
; resign=20900122074341
d.rsasha1.example. 300 IN NSEC a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. A RRSIG NSEC
d.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. oWJRAhXbXUA84Nc56NyMocBq93bn3k4uGeqv+XL2L5l6yjxQYxKzjqq1 O5m72K6GiIjoIeun5TxJlEI7/o1EivTxdGYVP4Fsb//Wrv422QcHwS27 xNsFhLMFQglBCOaZzj1v3G2nXRRjP8x81ysg048THlhH5Jm7cW3aUmuS P6kXebWVwIc2nywLHVr/U4dCT2sHOk2gkUuaj8p6rMLVYwj/5dBRijVl Wm131ZeimetxrrRVxXtOfof7W4pqx3bpYRqb/Exdh035Hen+QesxRYTA zcxY7CywJY59afc9/abQBWGkPLfF7rgfJjPIc3MpJlP4SPf0SV4bTNUU nptZ/A==
; resign=20900122074341
ns.rsasha1.example. 300 IN A 10.53.0.3
ns.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. ONQph6nkFWSS6dqe/agbVnbjwTtA8ZZATpTCqoRJp2QoEgIjZ/0Yh7Fl Axz4PnpMYsEoie0IZ0/g+xTH7nXYphZzzzgedK8WK0vdTW3Pspyoiek/ tWjiGshqq1atHgi+jjRiuhnEvkaX0UDipMCQvI7oFHMOJxmnwZBCNWMc kBu9vbqtr/+HM4y+jGywg5l2XVkmHC5RZv1CoYc5PhfvV4zMI2RCb/Km i5eNCrUZefRfAq4fK9M67Jh/WnfRWfnHZKZN3O0yiRdnKOh2tOQP3X46 fIuNldCeg1PPnkbs4R+ekqJYhpEydNuWKEoKw2ZgeIrmbcRqepD6y3SZ UP/TAw==
; resign=20900122074341
ns.rsasha1.example. 300 IN NSEC z.rsasha1.example. A RRSIG NSEC
ns.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. s7P7k9FDJrO1JhUVjgVUDQXNXfNOJrYVt44OoD45e7w4Q7QkyeZe+6z1 Arj9tW1bI9nIVNo63DT51bsJmj4vPf4SuJgHO05ElkLFSvHn17qMdw8Q Kpx8MQa7plAISqzl9hJip0exMuV+1IHujO9VGE42CxKl0q6l2b/x3+Il afx47bcEePkdhHXyhOSdrtxFTayzjMd/7uSy6p1jFSEVrheejQ/r44t3 9uxEc4EYfiP+HVfnjJ178j2Xa4dZyi3ljhJjaH5oleiy5c2Y5kXRIuXH OcIQ2axO7LT/yupRcBPlo7ulwI9iEVd2Q2gueMqaJ9YEWlcoOSFu1H75 7IRAbA==
; resign=20900122074341
z.rsasha1.example. 300 IN A 10.0.0.26
z.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. nuqG+ILECKKCQockETu4yLRKZzv9qjXJpfD0/yw5Cw7nSrZFvAjpkQR2 f+xmzbcxP4xiYqs1I+nz8cnHs6NNkJA8vcmk9dnzRu78X0x8MFFV0Yha jQKK/cSzhEhys7GMYv3Jz6lKfmFOAoq1et9PaQT6w8zQD8Q5vBzKrvZm pg+QzZvvgToZfj4e5J7nrhnyOVo7Jec5l/aBCGJbgRMDxjyyC0ufOjnm POvsTZk+wM3+wuN6zYwDpproPiH/6vC/yPlDHeh6kDt971dMsdvRv+kS KAzPyN8rweptJ/HRprb9x6zcAJOrK0T1sJ+EhMbYMgC/py6aAn+T7G5D FGY1tg==
; resign=20900122074341
z.rsasha1.example. 300 IN NSEC rsasha1.example. A RRSIG NSEC
z.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. Wj5DkrGppeMFn8bWLUMfFPCzDAO2HeabbEIMaAHBH/g0hdn+2PPkQc8D D6WCSc4q5gyGNRSXj2Kik2TojD9n/5WuwDAA3W2AOso+4d616lSy9pyj x+e4WZ6y6tAYRRIGIVTdDEOxrZ8KspclWk7H6OAAPIYvgZeYjox21qXN BknpIifVoaYUoxi3e81k25erm/Xww4uU2SMQgvq3sBrs0YGANembfxas BRVmSmBykpugHgS1/Fl19Hp40y/JTBzqOLrHgPgHO4aH89dgta0WlMhb 8uCUOjHNjcR+KO3KUpKDZkH8IuJHWWFd0TabdV0KBhpInQh6Yorhpjg7 qNBbgA==
; resign=20900122074341
a.rsasha1.example. 300 IN A 10.0.0.1
a.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. eJyAqMArSagK54kSFvJxE5qYXFSDYxj6Vt8l4gi58BQigO7p5v0BUWcS icToRx3a9+rSdhnBuGbOWGNlrKFfCKrLmqYrlI9GFSAFLAFj7DETSKDJ X5dQ0KnpyGL3SneQsDWAvAof0y9B17dnBHQMSjeVqqQLjYEnq3ZIdT3c b6emCGMhcbfIAOYWt7t9nk/J2tsTsdoKtTCHP1SHjn5sE++BPXOce49X gFnNMD+pOcoLH8Z07RcTQ8IeNIa9hO8UaypyicaHQ2F0JtsiL1pqREXf QsBeLC12Gbi0rxJX3gdj0LXsmSerVl6BgaNjPTp3840WKrW3nTG/8Lre bxgkow==
; resign=20900122074341
a.rsasha1.example. 300 IN NSEC b.rsasha1.example. A RRSIG NSEC
a.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. 6fZ5/GXrFAc9lEspMNlPa40F8O/tGq1oaSZXVstwLH124TNWxRK+i8eT H77Kq80vZkDus8rkLr4fiLP3ApXVBffCRHZWecGrYaPGDbQXALQEktld NhmLr9Nf30Jq7KvVV9Qf4daPC7ZwkB8EsikJxjpQ/paHlU/Pua7ZonnH /x9HHRJBLWb/PPQWEc++8SSjA79+HZVbB8rBwXyxHO1tFBCbBpK/JNwu KpRqNp/mwxPpSaJGZIuhHlzfbLsS4WoXjdG+fob4RqsPPwrf/uAAzKM2 dHVuqZ1erH3ryb4JdRo+MhqD0+vC/7+eNccEXraBsE5xGw4M62Se37WC kyQDQA==
; resign=20900122074341


@@ -9,19 +9,55 @@
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
; File written on Sat Jul 5 14:07:24 2025
; dnssec-signzone version 9.21.10-dev
rsasha1.example. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600
rsasha1.example. 300 IN RRSIG SOA 5 2 300 20930723222131 20250705200724 56181 rsasha1.example. HD26wOumxWQ/epo0958sjThZr0yfTMHnIn5hC2ZdOia9uuBBnHR0kPyS ++zd/Q9lFb6MRzkfLEHGexv2fXIHnWcCLp93gYvMm/HWf0/MhUzhabzO YJfcDKRT3PUEgDvuE0tiHEGWHYAb0iXQi1cjpZhvw6yikAQ2o3UUn3e2 QTQ0JO7EnG4wNxPnr92VPcTLTqajczCz63cvCvJpkaUCjAFyTKvCpgyl /eRKagX0UA8lv+DmOwFCTG0p1JeIQMQoW7xZELEWb9mAR/o1VmcJnYT3 Awi35hTj9XhM+bPCK4qqOkq6JNMSnOA4Xxg1baTEqjrFJZmEG+iyImoL 5d1DLQ==
; resign=20930723222131
rsasha1.example. 300 IN NS ns3.rsasha1.example.
rsasha1.example. 300 IN RRSIG NS 5 2 300 20930723222131 20250705200724 56181 rsasha1.example. KAZovbd0Urp3LIrLsCV7UldT5ze4fYG8iaXWpyrw7/JmZIZOWA3X4rgF hlhxes8xD73qrV96dWuNZmTMs+mp665bAbX78sjfZZdmWGWrpPzse6G3 YEm6EGSOWjrsb/kOmKPiRTaVUhTanAjJC17rhixEYRBrvekpnDx/3PjX HnJRR8a75DXVrhm47u4/hHD7cS2hOfZj4xqNyWOlpNIaH7ZWPzO34SR9 iuPReF4Q06NG741TdAfsl3h9YeCfZWBH1DQ7jwrq5hRGPTtZmq7OTyMm dH0ovRF6ntYYbU0aOanS4l7sjEVwr+AkrFG8Pu9Ipey5Tlgn3bx40cAn 5TDkfg==
; resign=20930723222131
rsasha1.example. 300 IN NSEC a.rsasha1.example. NS SOA RRSIG NSEC DNSKEY
rsasha1.example. 300 IN RRSIG NSEC 5 2 300 20930723222131 20250705200724 56181 rsasha1.example. DIhZ8/JkklG9nAC0CB98mmOVnXy7KS+CbG4vC8OrnOSi8nyyHuNC2Zt7 p2taM2KshEJ3piXUsICLbQDpHwrbbRx5RbctaLQz5S3lhx+0j3TNZWaT 2kWP5jMyhNDxaNn35xh7yTamDEKC20Bk5YyN76YClEkwqAr9ksj/FUNY RYIG9+4jjOt962Vj/5e0pgK+1ZbM3lF8WvJAh44YgWD9U4D1nBmyrkTq gBwJUbCvEmyoCxOQfSQhTwaAqKQ3IalnC2hfHfYQsEwpbVwfvt4LGEy+ b0vNnBGHKriM2T/p59vtblWirsxDc8QNpYmtOvjVket4nvzBuA7eqUFt /QijRQ==
; resign=20930723222131
rsasha1.example. 300 IN DNSKEY 256 3 5 AwEAAYnqt4hwxo/oi63pCLz4EQaUyQU1viMhQ6EVnIXKdPdymJ51tKuh qJ+uT1MxcMwH97b/2CtqTtbI4MP7ksxDWh7JE4R2kzdKrtb1darcvSiy Ewh73TG+1wvt1f7ZC8Hw2TdiU+mLL3vFBfmnUN1Q0xSULKckdlOwH9I/ 20xeS6mz8tYxOC/N9N3AH8gPF4pxoEHkX2XpzdmBSKlgD4Sp1Iqqnebg U/JK2JK2SUZr2ZmCeSMmAmPCt5rT6B6hN8XQkhqPLG3vygqsoLbGngVV nBXFpziMi3VyQ48yvjnNTpzrkfNo/3vrRyrLpBw9I8ZtZNOrypwayBdu fgbfk7veeqk=
rsasha1.example. 300 IN DNSKEY 257 3 5 AwEAAcWJul/er9Gsevi3PxbuJV2iGlbCC1WF1PZ9dluBKZFFCRbl45Mt D32nMBjpr0TkwVRVoTa2tNYdPIo/GrS6EZfUzM6coA3IEK68j0tgqz9b S8fJAaBYMTWlcvho/o9aEZjcnVW3c6IwjxAqUq+4wdokgjV64s+RBPZF 1zRbJz8ONINHmxvKHBzZzVa2Cq7FaHoQpF0NVrHhEuic8IXrW5F9Djah 0svAdethvpfpwVIsthfkv8/E4CfLDFymSe93g4mwMgcIBCZs1ikk1tbG 2oTrUjFui+iXJWIAoKZ8PqfBAWnxckTt1FJCg2cNrxtWAo1WncJdX3py hK7TjQ+DIKc=
rsasha1.example. 300 IN RRSIG DNSKEY 5 2 300 20930723222131 20250705200724 55127 rsasha1.example. qrWtbMhGFKeRoXgphkmpTQJxI04Cl/hmtE81YuB9Em7F/cNAu7yFi0O4 ZDmm8qRyV4a7itK0Ce/WzFBrCp3CuyJ9MG3hyvJDtIoLTHtCL0QeMwDA j9V68ajgTBNYC1ZwhbDTiD53EJDjplU2U6lCB0zxzJkEE4wPdkotddjG Q6LOy0qSej4raIoOwptaTIkRXa0fAYXz696A2S8bDq74Z9Bw6qcYoj0X EwqFnngFS2Wf4scpeoplR/psRP6n345inw8duF+XieGdt8XSaBw3Qf/E h0eReXQcA/GFpRj4Rvevj+vN1LSBnuwZMd5aC3+xHYf99jAzPYdglScc Rv19qw==
rsasha1.example. 300 IN RRSIG DNSKEY 5 2 300 20930723222131 20250705200724 56181 rsasha1.example. hvncQdiu+zpcYQRPG19nmbpPPCCGFAT5s4dITGslA5/V764XGvuowX24 CuZMMTefS1KkR79GzRYuTOw/T+vbinMZcU1KvSWaSNsKwYUIsP6cYZXG DX8ug0X+eijggV2bm+43yGjjNKe00e+Aoj8xHNDJhyy+qbKOHUp87Fbc mAKwpq35gEeuBt13PaJxkuQZVxAe88F9TXwhmaUOrlGrj+5XASJR6Cz0 DmlW4p26X//Uvs44bbyDN/hxF1rGOu/D470Q4Lkhsu9B3wtG3vPoNwSv BaMoFU717YJ3a2li7mean6IXIvyCmS1YQk+EvNfcpiW9yPWHjB/0kycH 37HSDw==
; resign=20930723222131
a.rsasha1.example. 300 IN A 10.0.0.1
a.rsasha1.example. 300 IN RRSIG A 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. V0TqYXv83i25Ir50MPgxnWrdhhE1nIMCpAca7e7FKUrLkGlsypFzbTX+ 5hBHaYENXYr+Risr7B4ZdV0LQk4aXfmKqvPLqU0nYfsh/g86bq9wklaU R3QywkOEJqOfirpTWz/wybAE1ELasFncx/VaPrYQ8Zqw6H/Vb1yVSJWs ZqnfDFbZ7mYfEF4wgfc4St3UzjpuoDwfAhbwWg91t85UbYs0SvgYpgbS QLNL+/ltG0hLKNsIzp/aYQQ3IOeeiofDCDOZSl9k3KAezJofJUy3YRBb YVpbe89h6Gb6m4/kO17rLrwQLg7I90ctPgdqQSCKk8x0WzK3N1gfhxxM fcFnsw==
; resign=20930723222131
a.rsasha1.example. 300 IN NSEC b.rsasha1.example. A RRSIG NSEC
a.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. MxKko8nlw+QysAsrOjR7UtXgHsEsvsDMji/riMT0PbSEDMPJv22hQHbs hDhBD7xNygGZ6bSIX6gXd2uBVfUePzmXCk5tBraXywZ173SvFy/cMJu/ Q9FAFkPKvyEAhswiYUnrXWnujyNmDUK8JFrjI7TSLzQ6mXh4+PO+7b4E GpRCyhArL0Ov1iDipA1CpxCGfLJNaY+kvA+8VPcxob78Ly7cv81kwafY oV635DUp6D4tqSYgPMgwJyOuiek9D7bZJIHPiH/59jWZ0Ik9TNC4EVNF 1Fy4VjdMAFGnW9KIAUWMfSIxImzbh7V17H3H4C96LMNZIWJJG9zxOtMf r6fS2Q==
; resign=20930723222131
b.rsasha1.example. 300 IN A 10.0.0.2
b.rsasha1.example. 300 IN RRSIG A 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. dM6MhQGCqyBNdEbr0YMS/+sUjNDrdkkBcKhrtZ271WDx07838oY9XbpZ v+cKtLuhk69Gm0xErN32k+Qaa+LhqP1YPdqmnyAEycUJXUE7HsH6E9Fz 8AKp/BDQshb209++d3JQxlbch9sqodpIRkxYIkTVJfBt6vsAstYwZHCF I8+PbjTn2zNkBZz0rmj5+AxDDNfnRmcPOoXVJXKNkasQgagSWr1bieb8 15CMDnk/PJhFpHdJ5NiQck8Y9bUMaz8mPBJpFeJwwssY3jCe2qb96IaJ e+XLRpJntHpZvBy3DpO0jA2WHf9WkS1/4toVh4ePHc+FgJBEUXJyPqXc OzjGog==
; resign=20930723222131
b.rsasha1.example. 300 IN NSEC a.b.rsasha1.example. A RRSIG NSEC
b.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. VV6Z1mhegfATU+mN9gEqrL9oJNpPeZY+Ld7p9kp4oBL+omWo5c/DQ1LR xFUUA6mp1fm81vQwxkxqSwfixABF40lX82ooKQZkgOMKEDvsfkZR4dE5 bN5Dp0JUQTH9fuEX4mo9jrto0gPVKuI0PihHzNfgo8aBFIiXZA86D3/w phVgC+x/o/kZ5Keau01kY8DRxK8Fb1dU3FMjJB8gQFpPwv2wde8yxYgn HUql7sSkmFpQO9heh9+lPqQTwThaiM+PnYY7D96O/28Y4FTfS3D/RCnS Xb4gGM//gkbTmXPlFsaYqYeBdFJbkh0cI4YZxk4ynVXsWL1D0Nb2FqqS XnjBAQ==
; resign=20930723222131
a.b.rsasha1.example. 300 IN A 10.0.0.1
a.b.rsasha1.example. 300 IN RRSIG A 5 4 300 20930723222131 20250705200724 56181 rsasha1.example. Ctc9dyCVDi7ptbp/g2H5NmCmPSGhYTKcES2bCXz6xnByyISpjyrJjG9X 71RVB1ZfF9FIiaHu97K96zmYB0GsvhHiYx+WV0En3gYhzWEze3IoCrYf wxYkYwhYeaqRksl4utpDlzURUsxlqGbKw0XFT8vV8lm9nAg7E0hI10Bj VAVvc2Wuf3niV+GE0t2wXa17ccPeL78B7ab59extwCKG/gYLm8gJ547u 9kAdnw2Hi7FWBSXSoM02PESZLcN+GEWJ9Jc6O/m2aGSryer6W4UV8HLF TtN72HJvog1ky3RArlkUwvuwD2w8eiVHARN85t0hnykVT25K0q1dwIR+ d3B2Mw==
; resign=20930723222131
a.b.rsasha1.example. 300 IN NSEC d.rsasha1.example. A RRSIG NSEC
a.b.rsasha1.example. 300 IN RRSIG NSEC 5 4 300 20930723222131 20250705200724 56181 rsasha1.example. U48IEvy4W8MhJaTxZvemh31MxAU6Xwn5K2MCJhu9MenDRWQqrmPSBKfo nIMSp+a1Wcjsu9UQgBDzoOTuNWKCSI5H2YwhGQsIpCYpIiK/j8X4DCqm cIS0ipTipTbLGPBHfgvwA1KFJhtMi0FOaqe9OXODZFJ3vCz5J/uvmG4H O8PADlUX1clFR4iipLhCa4bvfojUGMM401oDIIxaQLpsrbm1iOqjTvrm glnDQFvFvO3+3J4wLRuVDtV5Z21AhzLIgIXwhh1P4zI4B5aELHB8rrec W6CWkbb6WdZ/rHIiMspe03dby7aW5qbP5pwXwhiycqCqkIvlQAGaxphj 1Hcd3g==
; resign=20930723222131
d.rsasha1.example. 300 IN A 10.0.0.4
d.rsasha1.example. 300 IN RRSIG A 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. fMn2pTXdK3X+l5cwvP/Lk+luqWhC12mxkvK2GNScLGWG6xq9PZzzLUPU mAiEvzUnFPswZzKDgN99OORpPRJXNN7c0S3qqejBhEpz1kkDM1zTaFdY yGwzuNn9I5O6O+//adYkFZu/qCD90ggVA71KSUQVkHfdWt0WiqUdZExY sRbxDf36moVaJ+PtWnnvbXPcdlALouSv3msyf3FwIrfQcr9PpV9bE+rZ jKN+sab4n1/YkSBdFyTht2MSUzxKyfn+TgxCzBdGeSk00JNzyKBlDau8 ebmR7oYLQcAhj43v4u+wPbuilDw4tyhxcgrRMr5ZnjG7XzaivcoLpZMA umrQLw==
; resign=20930723222131
d.rsasha1.example. 300 IN NSEC ns3.rsasha1.example. A RRSIG NSEC
d.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. G+FZFvRZm4GXf/zfkLH7gWKuTxIhZ3rO/iP9e4Xg2Dcz9Jt/yCIXVkr4 I7bbBOnE8NGS43E55NILYS3aA7llzJtutENqBw9TRW3EcqFlYsFUBUeK T/FCV3zEYlEPeiO82jK7l+1CpiVeVvbX3pLYDrME/lbYeu8KUYsj/fBa Iq5S8mnWD7ZzR7KiSBQU97bn0YAi9pyhA4t3YqrR1MClf3/lpzLq5Rv9 YSzW+7O/jpvCGUotr3bgOpZWtZ0v5QxKdf8Anx6KHgH9n6ZdbareopeO y8mKVk0FmtuYZefMm/0n8uU0aYrwf38bpLMQMcqrT9gVaAPullFC9D/R Z670cw==
; resign=20930723222131
ns3.rsasha1.example. 300 IN A 10.53.0.3
ns3.rsasha1.example. 300 IN RRSIG A 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. V/B0gi6v54YeufttfGwEVEy8+UivueXqqb2BOj+U4wMpFcunT71Y5Sqf iTs5uH42EkyKbBrz+wXyx4ar4VNSp0ONA3oPx0rZTFA6FV18L7BkYPtW Mh2Fs2qxc4XdGUgHqt4K3LT4ond7a2hek0aBA7EWc0hggs2YflE60766 zmjK/OWaUinG/bZqM1KaaMMlporXaGp9yDyvs6ikgI0YKaQd5GtOK5XC xEJPsIovvyvChXPP/OFPnqOjcXS7zZtxey4krqFUe3Ttbb7sQGrAqv2f 59cB7TO5O/uMZ+iy4Q4sih1FPuDYoBCVT/9LzyOp7glyHyvq4Emp9QkA zlYGKg==
; resign=20930723222131
ns3.rsasha1.example. 300 IN NSEC z.rsasha1.example. A RRSIG NSEC
ns3.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. NpqZAR5fkDzDzqBYzeKD+FbAtMWHj0rcKsJloAsO4bNqAH5575v07oAz CtqIU8QD55zSya6glTWXOImUtPZia7KQAq84k85UmEnI7idDezpO5g5a gwDb8p6/L8a5YFL0i7QmjVjxGxWha7E2dDma3fDIICaF/sMqixE6Qi06 NBXvVwbPYsI27tXEDugigEEoO6mmwUxih8O0ifOjy9rVh8zA7UTT0NtI ZavRYz5grUZ6Otrqf6q1d27PaGxRvBjltmXBZTSmQvHVexkjPlrLcIIN LygvWnYIZfY8csF+5gOlYN6jR6eTnMgjy0Xf4kitUjXAI4apeBe1/nRO P3HlQw==
; resign=20930723222131
z.rsasha1.example. 300 IN A 10.0.0.26
z.rsasha1.example. 300 IN RRSIG A 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. K8Cz5MTHdD6loMbfXOSCuwTwsuwGUmqmI7BlKhRULTk5RZRDrXPfiBQa Hr2umtzrnclgm+LSpuFrRPoQOWaJ1cAXzpM8bF+WvL8UKasIxBD5rxzW en/QvmfpgQQH/LwUW+MnsIMuDxs8P5GQ4267crMPfZ7kwaA69FIz/TCJ B0mt5bw/6I7MABqxD3YfZ69uxh04WtjhHFGTBV9CUhsvB1IXgSU7udKg 2+ZTJJqRf4+6hy3ztJFy28HRcBHPkdcJ1AR++pPb8PTFTIUdBqzZQ8h7 kFYQP6jOP34rw8HuvNB6El5scCr7emhMt0yuEdA4+hbQc8UUU7qo1z4C l/gj+A==
; resign=20930723222131
z.rsasha1.example. 300 IN NSEC rsasha1.example. A RRSIG NSEC
z.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. eJ35f6tSE8yUMR+z+vnJwdg8eAS/VM2e0oVaGLD5JBwboocJW45IaRv0 DIbq62NBt+BHSv2LZlKXaZwA+rNGmcDXqhlscTMYoqIu2AItNBRJaQwj 3aF3AySSOADG1obymVM+HLVO12kifQTJBSPHUcpuvtBtnz1o4POaBFAa icCJf33cNirEDIYWGTmc2MejhrvfU/uuy3YIHUFYkAiX6WISva9pmNiJ pPq+5zRUZpsFISHc0W6coUuwgyQlVLmziTVesfgxSER0rp0BJ/B7M14+ xvWPSoHHhSU0fR8DkzUWJA6hbEpgB7sLNDL4NPnaUDiZGdTXCGzXbnum Ttcm8Q==
; resign=20930723222131


@@ -1,28 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a


@@ -1,28 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a


@@ -1,28 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a


@@ -1,28 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a


@@ -1,26 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26


@@ -38,8 +38,8 @@ ns.private A 10.53.0.2
insecure NS ns2.insecure
ns2.insecure A 10.53.0.2
nosoa NS ns.nosoa
ns.nosoa A 10.53.0.7
nosoa NS ns6.nosoa
ns6.nosoa A 10.53.0.6
normalthenrrsig A 10.0.0.28
rrsigonly A 10.0.0.29


@@ -1,35 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a
private NS ns.private
ns.private A 10.53.0.2
insecure NS ns.insecure
ns.insecure A 10.53.0.2


@@ -1,35 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a
private NS ns.private
ns.private A 10.53.0.2
insecure NS ns.insecure
ns.insecure A 10.53.0.2


@@ -1,21 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2012042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
@ NS ns
ns A 10.53.0.3


@@ -1,19 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
zone "siginterval.example" {
type primary;
allow-update { any; };
dnssec-policy siginterval1;
file "siginterval.example.db";
};


@@ -1,19 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
zone "siginterval.example" {
type primary;
allow-update { any; };
dnssec-policy siginterval2;
file "siginterval.example.db";
};


@@ -20,8 +20,8 @@
zone=rsasha1-1024.example
k1=$("$KEYGEN" -a rsasha1 -b 1024 $zone)
k2=$("$KEYGEN" -a rsasha1 -b 1024 -f KSK $zone)
cat $zone.db.in $k1.key $k2.key >$zone.tmp
# use maximum expirey period (-e 2^31-1-3600)
cat template.db.in $k1.key $k2.key >$zone.tmp
# use maximum expiry period (-e 2^31-1-3600)
# use output format full for easy extraction of KSK (-O full)
"$SIGNER" -e +2147480047 -o $zone -f $zone.db -O full $zone.tmp
rm -f $k1.key $k1.private $k2.key $k2.private $zone.tmp
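Review bot: On the new `cat template.db.in $k1.key $k2.key >$zone.tmp` line the key names returned by `$KEYGEN` are used unquoted and unchecked, so if key generation fails (for example where the host's crypto policy refuses RSASHA1) `k1` and `k2` are empty and the script goes on to run `cat template.db.in .key .key`. Whether the script stops at that point depends on a `set -e` that would sit above the hunk, which is not visible here. I would guard and quote the expansions: `[ -n "$k1" ] && [ -n "$k2" ] || exit 1` followed by `cat template.db.in "$k1.key" "$k2.key" >"$zone.tmp"`. The rsasha1.example script in the next file section has the same line and the same gap.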


@@ -20,8 +20,8 @@
zone=rsasha1.example
k1=$("$KEYGEN" -a rsasha1 $zone)
k2=$("$KEYGEN" -a rsasha1 -f KSK $zone)
cat $zone.db.in $k1.key $k2.key >$zone.tmp
# use maximum expirey period (-e 2^31-1-3600)
cat template.db.in $k1.key $k2.key >$zone.tmp
# use maximum expiry period (-e 2^31-1-3600)
# use output format full for easy extraction of KSK (-O full)
"$SIGNER" +2147480047 -o $zone -f $zone.db -O full $zone.tmp
"$SIGNER" -e +2147480047 -o $zone -f $zone.db -O full $zone.tmp
rm -f $k1.key $k1.private $k2.key $k2.private $zone.tmp


@@ -53,7 +53,7 @@ for tld in managed trusted; do
"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed
# Make trusted-keys and managed keys conf sections for ns8.
# Make trusted-keys and managed keys conf sections for ns5/many_anchors.
mv ${keyname4}.key ${keyname4}.tmp
awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp >${keyname4}.key
@@ -67,16 +67,24 @@ for tld in managed trusted; do
case $tld in
"managed")
keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/managed.conf
keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns5/many-managed.conf
;;
"trusted")
keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/trusted.conf
keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns5/many-trusted.conf
;;
esac
done
echo_i "ns3/sign.sh: example zones"
# first set up some insecure zones:
cp template.db.in insecure.example.db
cp template.db.in insecure.below-cname.example.db
cp template.db.in insecure.nsec3.example.db
cp template.db.in insecure.optout.example.db
cp extrakey.example.db.in extrakey.example.db
# now the signed zones:
zone=secure.example.
infile=secure.example.db.in
zonefile=secure.example.db
@@ -92,7 +100,7 @@ cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
mv "$zonefile".tmp "$zonefile".signed
zone=bogus.example.
infile=bogus.example.db.in
infile=template.db.in
zonefile=bogus.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -102,7 +110,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
zone=dynamic.example.
infile=dynamic.example.db.in
infile=template.db.in
zonefile=dynamic.example.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -113,7 +121,7 @@ cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -o "$zone" "$zonefile" >/dev/null
zone=keyless.example.
infile=generic.example.db.in
infile=template.db.in
zonefile=keyless.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -134,7 +142,7 @@ rm -f "$zonefiletmp"
# NSEC3/NSEC test zone
#
zone=secure.nsec3.example.
infile=secure.nsec3.example.db.in
infile=template.db.in
zonefile=secure.nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -147,7 +155,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
# NSEC3/NSEC3 test zone
#
zone=nsec3.nsec3.example.
infile=nsec3.nsec3.example.db.in
infile=template.db.in
zonefile=nsec3.nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -160,7 +168,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
# OPTOUT/NSEC3 test zone
#
zone=optout.nsec3.example.
infile=optout.nsec3.example.db.in
infile=template.db.in
zonefile=optout.nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -186,7 +194,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
# OPTOUT/NSEC test zone
#
zone=secure.optout.example.
infile=secure.optout.example.db.in
infile=template.db.in
zonefile=secure.optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -199,7 +207,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
# OPTOUT/NSEC3 test zone
#
zone=nsec3.optout.example.
infile=nsec3.optout.example.db.in
infile=template.db.in
zonefile=nsec3.optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -212,7 +220,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
# OPTOUT/OPTOUT test zone
#
zone=optout.optout.example.
infile=optout.optout.example.db.in
infile=template.db.in
zonefile=optout.optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -238,7 +246,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
# A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
#
zone=nsec3-unknown.example.
infile=nsec3-unknown.example.db.in
infile=template.db.in
zonefile=nsec3-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -251,7 +259,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
# A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
#
zone=optout-unknown.example.
infile=optout-unknown.example.db.in
infile=template.db.in
zonefile=optout-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -265,7 +273,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
# Algorithm 7 is replaced by 100 in the zone and dsset.
#
zone=dnskey-unknown.example
infile=dnskey-unknown.example.db.in
infile=template.db.in
zonefile=dnskey-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -284,7 +292,7 @@ $DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
# Algorithm 7 is replaced by 255 in the zone and dsset.
#
zone=dnskey-unsupported.example
infile=dnskey-unsupported.example.db.in
infile=template.db.in
zonefile=dnskey-unsupported.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -303,7 +311,7 @@ $DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
# digest for another DNSKEY
#
zone=digest-alg-unsupported.example.
infile=digest-alg-unsupported.example.db.in
infile=template.db.in
zonefile=digest-alg-unsupported.example.db
cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "cnameandkey.$zone")
@@ -324,10 +332,10 @@ $DSFROMKEY -2 -A -f ${zonefile}.signed "$zone" | tail -1 >>"$DSFILE"
#
# A zone which is fine by itself (supported algorithm) but that is used
# to mimic unsupported DS digest (see ns8).
# to mimic unsupported DS digest (see ns5/many_anchors).
#
zone=ds-unsupported.example.
infile=ds-unsupported.example.db.in
infile=template.db.in
zonefile=ds-unsupported.example.db
cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "cnameandkey.$zone")
@@ -345,13 +353,13 @@ mv "$zonefile".tmp "$zonefile".signed
# Different from above because this key is not intended for signing.
#
zone=dnskey-unsupported-2.example
infile=dnskey-unsupported-2.example.db.in
infile=template.db.in
zonefile=dnskey-unsupported-2.example.db
ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile"
cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key.in >"$zonefile"
"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" >/dev/null
@@ -360,7 +368,7 @@ cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile"
# Algorithm 7 is replaced by 100 in the zone and dsset.
#
zone=dnskey-nsec3-unknown.example
infile=dnskey-nsec3-unknown.example.db.in
infile=template.db.in
zonefile=dnskey-nsec3-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -378,7 +386,7 @@ $DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
# A multiple parameter nsec3 zone.
#
zone=multiple.example.
infile=multiple.example.db.in
infile=template.db.in
zonefile=multiple.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -386,23 +394,23 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -O full -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed >NSEC
awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed >NSEC.db
"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >NSEC3
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >NSEC3.db
"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3.db
"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3.db
"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3.db
"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" >/dev/null
cat NSEC NSEC3 >>"$zonefile".signed
cat NSEC.db NSEC3.db >>"$zonefile".signed
#
# A RSASHA256 zone.
#
zone=rsasha256.example.
infile=rsasha256.example.db.in
infile=template.db.in
zonefile=rsasha256.example.db
keyname=$("$KEYGEN" -q -a RSASHA256 "$zone")
@@ -415,7 +423,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
# A RSASHA512 zone.
#
zone=rsasha512.example.
infile=rsasha512.example.db.in
infile=template.db.in
zonefile=rsasha512.example.db
keyname=$("$KEYGEN" -q -a RSASHA512 "$zone")
@@ -428,7 +436,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
# A RSASHA256OID zone.
#
zone=rsasha256oid.example.
infile=rsasha256oid.example.db.in
infile=template.db.in
zonefile=rsasha256oid.example.db
keyname=$("$KEYGEN" -q -a RSASHA256OID "$zone")
@@ -441,7 +449,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
# A RSASHA512OID zone.
#
zone=rsasha512oid.example.
infile=rsasha512oid.example.db.in
infile=template.db.in
zonefile=rsasha512oid.example.db
keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
@@ -456,7 +464,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
# 1.2.840.113549.1.1.14
#
zone=unknownoid.example
infile=unknownoid.example.db.in
infile=template.db.in
zonefile=unknownoid.example.db
keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
@@ -481,7 +489,7 @@ sed "s/\(2[0-9]* 2[0-9]*\) [1-9][0-9]* unknownoid.example./\1 ${tag} unknownoid.
# A PRIVATEOID zone with a extra DS record for a non-existent DNSKEY.
#
zone=extradsoid.example.
infile=extradsoid.example.db.in
infile=template.db.in
zonefile=extradsoid.example.db
keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
@@ -502,7 +510,7 @@ keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
# the DNSKEY RRset with using this unknown OID.
#
zone=extradsunknownoid.example
infile=extradsunknownoid.example.db.in
infile=template.db.in
zonefile=extradsunknownoid.example.db
keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
@@ -536,7 +544,7 @@ sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"$keyname.key" | "$DSFROMKEY" -2A -f - "$zon
# match the DNSKEY RRset with using this unknown OID.
#
zone=extended-ds-unknown-oid.example
infile=extended-ds-unknown-oid.example.db.in
infile=template.db.in
zonefile=extended-ds-unknown-oid.example.db
keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
@@ -568,7 +576,7 @@ fi
# A zone with the DNSKEY set only signed by the KSK
#
zone=kskonly.example.
infile=kskonly.example.db.in
infile=template.db.in
zonefile=kskonly.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
@@ -580,7 +588,7 @@ cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
# A zone with the expired signatures
#
zone=expired.example.
infile=expired.example.db.in
infile=template.db.in
zonefile=expired.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
@@ -593,7 +601,7 @@ rm -f "$kskname.*" "$zskname.*"
# A NSEC3 signed zone that will have a DNSKEY added to it via UPDATE.
#
zone=update-nsec3.example.
infile=update-nsec3.example.db.in
infile=template.db.in
zonefile=update-nsec3.example.db
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
@@ -606,7 +614,7 @@ cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
# extra keys not in the initial signed zone.
#
zone=auto-nsec.example.
infile=auto-nsec.example.db.in
infile=template.db.in
zonefile=auto-nsec.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
@@ -621,7 +629,7 @@ cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
# extra keys not in the initial signed zone.
#
zone=auto-nsec3.example.
infile=auto-nsec3.example.db.in
infile=template.db.in
zonefile=auto-nsec3.example.db
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
@@ -635,7 +643,7 @@ cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
# Secure below cname test zone.
#
zone=secure.below-cname.example.
infile=secure.below-cname.example.db.in
infile=template.db.in
zonefile=secure.below-cname.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$keyname.key" >"$zonefile"
@@ -645,7 +653,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
# Patched TTL test zone.
#
zone=ttlpatch.example.
infile=ttlpatch.example.db.in
infile=template.db.in
zonefile=ttlpatch.example.db
signedfile=ttlpatch.example.db.signed
patchedfile=ttlpatch.example.db.patched
@@ -661,7 +669,7 @@ $CHECKZONE -D -s full "$zone" $signedfile 2>/dev/null \
# Separate DNSSEC records.
#
zone=split-dnssec.example.
infile=split-dnssec.example.db.in
infile=template.db.in
zonefile=split-dnssec.example.db
signedfile=split-dnssec.example.db.signed
@@ -675,7 +683,7 @@ echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
# Separate DNSSEC records smart signing.
#
zone=split-smart.example.
infile=split-smart.example.db.in
infile=template.db.in
zonefile=split-smart.example.db
signedfile=split-smart.example.db.signed
@@ -690,7 +698,7 @@ echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
# Zone with signatures about to expire, but no private key to replace them
#
zone="expiring.example."
infile="expiring.example.db.in"
infile="template.db.in"
zonefile="expiring.example.db"
signedfile="expiring.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -704,15 +712,15 @@ mv -f "${kskname}.private" "${kskname}.private.moved"
# A zone where the signer's name has been forced to uppercase.
#
zone="upper.example."
infile="upper.example.db.in"
infile="template.db.in"
zonefile="upper.example.db"
lower="upper.example.db.lower"
signedfile="upper.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" >/dev/null
$CHECKZONE -D upper.example $lower 2>/dev/null \
"$SIGNER" -P -S -o "$zone" -f "$lower" "$zonefile" >/dev/null
$CHECKZONE -D upper.example "$lower" 2>/dev/null \
| sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' >$signedfile
#
@@ -720,18 +728,19 @@ $CHECKZONE -D upper.example $lower 2>/dev/null \
# upper case.
#
zone="LOWER.EXAMPLE."
infile="lower.example.db.in"
infile="template.db.in"
zonefile="lower.example.db"
signedfile="lower.example.db.signed"
sed -e 's/ns3/NS3/' -e 's/mname1/MNAME1/' "$infile" >"$zonefile"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -P -S -o "$zone" "$zonefile" >/dev/null
#
# An inline signing zone
#
zone=inline.example.
cp template.db.in inline.example.db
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -739,7 +748,7 @@ zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
# A zone which will change its signatures-validity
#
zone=siginterval.example
infile=siginterval.example.db.in
infile=template.db.in
zonefile=siginterval.example.db
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -747,10 +756,9 @@ cp "$infile" "$zonefile"
#
# A zone with a bad DS in the parent
# (sourced from bogus.example.db.in)
#
zone=badds.example.
infile=bogus.example.db.in
infile=template.db.in
zonefile=badds.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -764,7 +772,7 @@ sed -e 's/bogus/badds/g' <dsset-bogus.example. >dsset-badds.example.
# Same as badds, but locally trusted by the forwarder
#
zone=localkey.example.
infile=bogus.example.db.in
infile=template.db.in
zonefile=localkey.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -779,7 +787,7 @@ keyfile_to_static_keys $keyname >../ns9/trusted-localkey.conf
# A zone with future signatures.
#
zone=future.example
infile=future.example.db.in
infile=template.db.in
zonefile=future.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -791,7 +799,7 @@ cp -f "$kskname.key" trusted-future.key
# A zone with future signatures.
#
zone=managed-future.example
infile=managed-future.example.db.in
infile=template.db.in
zonefile=managed-future.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -802,7 +810,7 @@ cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
# A zone with a revoked key
#
zone=revkey.example.
infile=generic.example.db.in
infile=template.db.in
zonefile=revkey.example.db
ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone")
@@ -848,12 +856,16 @@ cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
# We only need to generate the dsset.
#
zone=rsasha1.example
infile=rsasha1.example.db.in
zonefile=rsasha1.example.db
cp $infile $zonefile
awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" \
| $DSFROMKEY -f - "$zone" >"dsset-${zone}."
zone=rsasha1-1024.example
infile=rsasha1-1024.example.db.in
zonefile=rsasha1-1024.example.db
cp $infile $zonefile
awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" \
| $DSFROMKEY -f - "$zone" >"dsset-${zone}."


@@ -1,38 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.wild A 10.0.0.6
child NS ns2.example.
insecure NS ns.insecure
ns.insecure A 10.53.0.3
secure NS ns.secure
ns.secure A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17


@@ -1,38 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.wild A 10.0.0.6
child NS ns2.example.
insecure NS ns.insecure
ns.insecure A 10.53.0.3
secure NS ns.secure
ns.secure A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17


@@ -17,10 +17,11 @@ $TTL 300 ; 5 minutes
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
ns2 A 10.53.0.2
NS ns3
ns3 A 10.53.0.3
a A 10.0.0.1
a.b A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26


@@ -1,26 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26


@@ -1,28 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a


@@ -1,40 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a
private NS ns.private
ns.private A 10.53.0.2
insecure NS ns.insecure
ns.insecure A 10.53.0.2
nosoa NS ns.nosoa
ns.nosoa A 10.53.0.7
normalthenrrsig A 10.0.0.28
rrsigonly A 10.0.0.29


@@ -1,21 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2012042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
@ NS ns
ns A 10.53.0.3


@@ -0,0 +1,119 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS11
{% set managed_key = managed_key | default(False) %}
{% set accept_expired = accept_expired | default(False) %}
{% set multi_view = multi_view | default(False) %}
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
minimal-responses no;
{% if accept_expired %}
dnssec-accept-expired yes;
{% endif %}
{% if managed_key %}
dnssec-validation auto;
bindkeys-file "managed.conf";
{% else %}
# Note: We only reference the bind.keys file here to
# confirm that it is *not* being used. It contains the
# real root key, and we're using a local toy root zone for
# the tests, so it wouldn't work. But dnssec-validation
# is set to "yes" not "auto", so that won't matter.
dnssec-validation yes;
bindkeys-file "../../../../../bind.keys";
{% endif %}
disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
};
{% if not managed_key %}
include "trusted.conf";
{% endif %}
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
{% if multi_view %}
view rec {
match-recursive-only yes;
recursion yes;
dnssec-accept-expired yes;
minimal-responses no;
dnssec-validation yes;
include "trusted.conf";
zone "." {
type hint;
file "../../_common/root.hint";
};
zone secure.example {
type static-stub;
server-addresses { 10.53.0.4; };
};
zone insecure.secure.example {
type static-stub;
server-addresses { 10.53.0.4; };
};
};
view auth {
recursion no;
allow-recursion { none; };
dnssec-validation no;
zone "." {
type hint;
file "../../_common/root.hint";
};
zone secure.example {
type secondary;
primaries { 10.53.0.3; };
};
zone insecure.secure.example {
type secondary;
primaries { 10.53.0.2; };
};
};
{% else %}
zone "." {
type hint;
file "../../_common/root.hint";
};
{% endif %}
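Review bot: The header comment reads `// NS11`, but every address in this template is 10.53.0.4 and the removed configs for that address are labelled `// NS4`; it should read `// NS4`. The three switches (`managed_key`, `accept_expired`, `multi_view`) carry no comment saying which test sets them, and the `rec` view hard-codes `dnssec-accept-expired yes;` and `dnssec-validation yes;` regardless of `accept_expired` and `managed_key`, so a reader cannot tell which combinations are meaningful. I would add a short comment block above the `{% set %}` lines describing each switch and noting that `multi_view` fixes the validation settings inside `rec`. With `multi_view` set and `managed_key` unset, `trusted.conf` is included both at top level and inside `rec`; that looks redundant and is worth confirming as intended.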


@@ -1,64 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS4
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
dnssec-validation yes;
minimal-responses no;
nta-lifetime 12s;
nta-recheck 9s;
validate-except { corp; };
disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
disable-ds-digests "ds-unsupported.example." {"SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
# Note: We only reference the bind.keys file here to confirm that it
# is *not* being used. It contains the real root key, and we're
# using a local toy root zone for the tests, so it wouldn't work.
# But since dnssec-validation is set to "yes" not "auto", that
# won't matter.
bindkeys-file "../../../../../bind.keys";
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../_common/root.hint";
};
zone "corp" {
type static-stub;
server-addresses { 10.53.0.2; };
};
include "trusted.conf";


@@ -1,46 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS4
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
minimal-responses no;
disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../_common/root.hint";
};


@@ -1,49 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS4
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
dnssec-accept-expired yes;
minimal-responses no;
servfail-ttl 0;
disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";};
disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../_common/root.hint";
};


@@ -1,87 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS4
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
key auth {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
include "trusted.conf";
view rec {
match-recursive-only yes;
recursion yes;
dnssec-validation yes;
dnssec-accept-expired yes;
minimal-responses no;
zone "." {
type hint;
file "../../_common/root.hint";
};
zone secure.example {
type static-stub;
server-addresses { 10.53.0.4; };
};
zone insecure.secure.example {
type static-stub;
server-addresses { 10.53.0.4; };
};
};
view auth {
recursion no;
allow-recursion { none; };
zone "." {
type hint;
file "../../_common/root.hint";
};
zone secure.example {
type secondary;
primaries { 10.53.0.3; };
};
zone insecure.secure.example {
type secondary;
primaries { 10.53.0.2; };
};
};


@@ -0,0 +1,89 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS5
{% set revoked_key = revoked_key | default(False) %}
{% set broken_key = broken_key | default(False) %}
{% set many_anchors = many_anchors | default(False) %}
options {
query-source address 10.53.0.5;
notify-source 10.53.0.5;
transfer-source 10.53.0.5;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.5; 127.0.0.1; };
listen-on-v6 { none; };
recursion yes;
minimal-responses no;
servfail-ttl 0;
{% if many_anchors %}
dnssec-validation yes;
disable-algorithms "disabled.managed." { @DISABLED_ALGORITHM@; };
disable-algorithms "disabled.trusted." { @DISABLED_ALGORITHM@; };
{% endif %}
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
{% if revoked_key %}
view root {
match-destinations { 127.0.0.1; };
dnssec-validation no;
zone "." {
type primary;
file "root.db.signed";
};
};
view other {
dnssec-validation yes;
include "revoked.conf";
zone "." {
type static-stub;
server-addresses { 127.0.0.1; };
};
};
{% elif broken_key %}
zone "." {
type hint;
file "../../_common/root.hint";
};
include "broken.conf";
{% elif many_anchors %}
zone "." {
type hint;
file "../../_common/root.hint";
};
include "many-managed.conf";
include "many-trusted.conf";
{% else %}
zone "." {
type hint;
file "../../_common/root.hint";
};
include "trusted.conf";
{% endif %}
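Review bot: `many_anchors` is tested on its own inside `options` but is only the third arm of the `revoked_key` / `broken_key` / `many_anchors` chain further down, so setting it together with either of the others emits `dnssec-validation yes;` and the two `disable-algorithms` lines without including `many-managed.conf` or `many-trusted.conf`. A comment above the `{% set %}` lines such as `{# set at most one of revoked_key, broken_key, many_anchors #}` would make the intended exclusivity explicit. `dnssec-validation` is stated only in the `many_anchors` options and in the two `revoked_key` views; the `broken_key` and default variants rely on the server default, and since these are the failure-case configurations I would state `dnssec-validation yes;` there too, assuming that is the intended mode.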


@@ -1 +0,0 @@
-m record -c named.conf -d 99 -D dnssec-ns6 -g -T maxcachesize=2097152 -T nonearest -T tat=1


@@ -37,4 +37,15 @@ zone "optout-tld" {
file "optout-tld.db.signed";
};
zone "nosoa.secure.example" {
type primary;
file "nosoa.secure.example.db";
};
zone "split-rrsig" {
type primary;
file "split-rrsig.db.signed";
allow-update { any; };
};
include "trusted.conf";
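Review bot: The new `split-rrsig` zone is declared with `allow-update { any; };`, which accepts unauthenticated dynamic updates from any source that can reach this server. The `options` block with the listener addresses is outside this hunk, so how far that reaches cannot be judged from here. If the test only sends updates from the harness, limiting the ACL to a TSIG key or to the test client's address would keep the fixture from being copied into a real configuration unchanged. At minimum I would add `// test fixture: open dynamic update, do not reuse outside the system tests` above that line.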


@@ -0,0 +1,12 @@
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
SPDX-License-Identifier: MPL-2.0
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Add -T nonearest.


@@ -0,0 +1,12 @@
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
SPDX-License-Identifier: MPL-2.0
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Add -T tat=1.


@@ -17,6 +17,6 @@ $TTL 300 ; 5 minutes
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
@ IN NS ns
ns IN A 10.53.0.7
@ IN NS ns6
ns6 IN A 10.53.0.6
a IN A 1.2.3.4


@@ -18,6 +18,13 @@ set -e
echo_i "ns6/sign.sh"
# set up unsigned zone first
zone=nosoa.secure.example.
infile=nosoa.secure.example.db.in
zonefile=nosoa.secure.example.db
cp "$infile" "$zonefile"
# now sign the others
zone=optout-tld
infile=optout-tld.db.in
zonefile=optout-tld.db
@@ -27,3 +34,28 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null 2>&1
zone=split-rrsig
infile=split-rrsig.db.in
zonefile=split-rrsig.db
k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$k1.key" "$k2.key" >"$zonefile"
# The awk script below achieves two goals:
#
# - it puts one of the two RRSIG(SOA) records at the end of the zone file, so
# that these two records (forming a single RRset) are not placed immediately
# next to each other; the test then checks if RRSIG RRsets split this way are
# correctly added to resigning heaps,
#
# - it places a copy of one of the RRSIG(SOA) records somewhere else than at the
# zone apex; the test then checks whether such signatures are automatically
# removed from the zone after it is loaded.
"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" >/dev/null 2>&1
awk 'BEGIN { r = ""; }
$4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; }
{ print }
END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" >"$zonefile.signed"
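Review bot: The awk `END` block in the second hunk prints `r` unconditionally, so if no line matches `$4 == "RRSIG" && $5 == "SOA"` (for example because the signer's output columns shift), the script appends an empty line and a bare `not-at-zone-apex.` line to `$zonefile.signed` and setup carries on. Since the script runs under `set -e`, failing inside awk would surface that immediately: `END { if (r == "") exit 1; print r; print "not-at-zone-apex." r; }`. The signer's own output is sent to `/dev/null` on the line above, so this is the only place such a problem would become visible.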


@@ -1,76 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS3
options {
query-source address 10.53.0.7;
notify-source 10.53.0.7;
transfer-source 10.53.0.7;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.7; };
listen-on-v6 { none; };
recursion no;
notify yes;
dnssec-validation yes;
minimal-responses yes;
};
zone "." {
type hint;
file "../../_common/root.hint";
};
zone "nsec3.example" {
type secondary;
primaries { 10.53.0.3; };
file "nsec3.example.bk";
};
zone "optout.example" {
type secondary;
primaries { 10.53.0.3; };
file "optout.example.bk";
};
zone "nsec3-unknown.example" {
type secondary;
primaries { 10.53.0.3; };
file "nsec3-unknown.example.bk";
};
zone "optout-unknown.example" {
type secondary;
primaries { 10.53.0.3; };
file "optout-unknown.example.bk";
};
zone "multiple.example" {
type secondary;
primaries { 10.53.0.3; };
file "multiple.example.bk";
};
zone "nosoa.secure.example" {
type primary;
file "nosoa.secure.example.db";
};
zone "split-rrsig" {
type primary;
file "split-rrsig.db.signed";
allow-update { any; };
};
include "trusted.conf";


@@ -1,44 +0,0 @@
#!/bin/sh -e
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. ../../conf.sh
set -e
echo_i "ns7/sign.sh"
zone=split-rrsig
infile=split-rrsig.db.in
zonefile=split-rrsig.db
k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$k1.key" "$k2.key" >"$zonefile"
# The awk script below achieves two goals:
#
# - it puts one of the two RRSIG(SOA) records at the end of the zone file, so
# that these two records (forming a single RRset) are not placed immediately
# next to each other; the test then checks if RRSIG RRsets split this way are
# correctly added to resigning heaps,
#
# - it places a copy of one of the RRSIG(SOA) records somewhere else than at the
# zone apex; the test then checks whether such signatures are automatically
# removed from the zone after it is loaded.
"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" >/dev/null 2>&1
awk 'BEGIN { r = ""; }
$4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; }
{ print }
END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" >"$zonefile.signed"


@@ -11,21 +11,27 @@
* information regarding copyright ownership.
*/
// NS8
// NS9
{% set forward_badkey = forward_badkey | default(False) %}
options {
query-source address 10.53.0.8;
notify-source 10.53.0.8;
transfer-source 10.53.0.8;
query-source address 10.53.0.9;
notify-source 10.53.0.9;
transfer-source 10.53.0.9;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.8; };
listen-on { 10.53.0.9; };
listen-on-v6 { none; };
recursion yes;
dnssec-validation yes;
minimal-responses no;
disable-algorithms "disabled.managed." { @DISABLED_ALGORITHM@; };
disable-algorithms "disabled.trusted." { @DISABLED_ALGORITHM@; };
forward only;
{% if forward_badkey %}
forwarders { 10.53.0.5; };
{% else %}
forwarders { 10.53.0.4; };
{% endif %}
servfail-ttl 0;
};
key rndc_key {
@@ -34,14 +40,8 @@ key rndc_key {
};
controls {
inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../_common/root.hint";
};
include "managed.conf";
include "trusted.conf";
include "trusted-localkey.conf";
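Review bot: The two `forwarders` branches selected by `forward_badkey` differ only in an address, and the file does not say what distinguishes 10.53.0.5 from 10.53.0.4. Going by the test README, ns5 holds an incorrect trust anchor and ns4 the correct one. A comment on each branch would make the intent readable here, e.g. `// ns5: broken trust anchor, forwarder answers SERVFAIL` and `// ns4: correctly configured validator`.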


@@ -16,19 +16,6 @@
set -e
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named1.conf.in ns4/named.conf
copy_setports ns5/named1.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
copy_setports ns8/named.conf.in ns8/named.conf
copy_setports ns9/named.conf.in ns9/named.conf
(
cd ns1
$SHELL sign.sh
@@ -39,11 +26,6 @@ copy_setports ns9/named.conf.in ns9/named.conf
} >>../ns3/bogus.example.db.signed
)
(
cd ns3
cp -f siginterval1.conf siginterval.conf
)
(
cd ns5
$SHELL sign.sh


@@ -0,0 +1,89 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
from dns import flags
import pytest
import isctest
from isctest.util import param
pytestmark = pytest.mark.extra_artifacts(
[
"*/K*",
"*/dsset-*",
"*/*.bk",
"*/*.conf",
"*/*.db",
"*/*.id",
"*/*.jnl",
"*/*.jbk",
"*/*.key",
"*/*.signed",
"*/settime.out.*",
"ans*/ans.run",
"*/trusted.keys",
"*/*.bad",
"*/*.next",
"*/*.stripped",
"*/*.tmp",
"*/*.stage?",
"*/*.patched",
"*/*.lower",
"*/*.upper",
"*/*.unsplit",
]
)
@pytest.mark.parametrize(
"check, qname, qtype",
[
param("validation", "example.", "SOA"),
param("negative-validation", "example.", "PTR"),
param("insecurity-proof", "a.insecure.example.", "A"),
],
)
def test_misconfigured_ta_servfail(check, qname, qtype):
isctest.log.info(f"check that {check} fails")
msg = isctest.query.create(qname, qtype)
res = isctest.query.tcp(msg, "10.53.0.5")
isctest.check.servfail(res)
@pytest.mark.parametrize(
"check, qname, qtype, rcode_func",
[
param("positive-answer", "example.", "SOA", isctest.check.noerror),
param("negative-answer", "q.example.", "SOA", isctest.check.nxdomain),
param("bogus-answer", "a.bogus.example.", "SOA", isctest.check.noerror),
param("insecurity-proof", "a.insecure.example.", "SOA", isctest.check.noerror),
param(
"negative-insecurity-proof",
"q.insecure.example.",
"SOA",
isctest.check.nxdomain,
),
],
)
def test_misconfigured_ta_with_cd(check, qname, qtype, rcode_func):
isctest.log.info(f"check {check} with CD=1")
msg = isctest.query.create(qname, qtype)
msg.flags |= flags.CD
res = isctest.query.tcp(msg, "10.53.0.5")
rcode_func(res)
isctest.check.noadflag(res)
isctest.log.debug("compare the response from a correctly configured server")
res2 = isctest.query.tcp(msg, "10.53.0.4")
isctest.check.noadflag(res2)
isctest.check.same_answer(res, res2)
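Review bot: Neither test says why 10.53.0.5 is expected to fail validation or why 10.53.0.4 is the reference; the bare addresses are the only hint. A docstring on `test_misconfigured_ta_servfail` such as `"""ns5 has a wrong trust anchor for the root, so every validated lookup must SERVFAIL."""` and one on `test_misconfigured_ta_with_cd` such as `"""With CD=1 ns5 skips validation: answers match ns4 and never carry AD."""` would state the property being protected. The ns5/ns4 roles are taken from the test README, so confirm they still hold after this conversion.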


@@ -0,0 +1,42 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
from dns import flags
import pytest
import isctest
@pytest.fixture(scope="module", autouse=True)
def reconfigure(ns5, ns9, templates):
templates.render("ns5/named.conf", {"broken_key": True})
ns5.reconfigure(log=False)
templates.render("ns9/named.conf", {"forward_badkey": True})
ns9.reconfigure(log=False)
def test_broken_forwarding(ns9):
# check forwarder CD behavior (forward server with bad trust anchor)
# confirm invalid trust anchor produces SERVFAIL in resolver
msg = isctest.query.create("a.secure.example.", "A")
res = isctest.query.tcp(msg, "10.53.0.5")
isctest.check.servfail(res)
# check that lookup involving forwarder succeeds and SERVFAIL was received
with ns9.watch_log_from_here() as watcher:
msg = isctest.query.create("a.secure.example.", "SOA")
res = isctest.query.tcp(msg, "10.53.0.9")
isctest.check.noerror(res)
assert (res.flags & flags.AD) != 0
watcher.wait_for_line("status: SERVFAIL")
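Review bot: The assertion `assert (res.flags & flags.AD) != 0` is the security-relevant check in `test_broken_forwarding`, but the comment above it only says that the lookup succeeds. Presumably ns9 validates the answer itself after querying the forwarder with CD=1, which is why AD is expected even though ns5 cannot validate. A comment saying so, e.g. `# ns9 must validate on its own: AD is set although the forwarder (ns5) has a bad trust anchor`, would make a regression here easier to read. The module-scoped `reconfigure` fixture also leaves ns5 and ns9 in the broken configuration, which is fine only if each test module gets its own server instances, so that is worth confirming.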
