diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index c8d060161b..4f97c62106 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -1430,6 +1430,18 @@ if [ -x "$DIG" ]; then
grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
+
+ n=$((n + 1))
+ echo_i "check dig's +nocrypto flag ($n)"
+ ret=0
+ dig_with_opts +dnssec +norec +nocrypto DNSKEY . @10.53.0.1 >dig.out.dnskey.test$n || ret=1
+ grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.test$n >/dev/null || ret=1
+ grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.test$n >/dev/null || ret=1
+ dig_with_opts +norec +nocrypto DS example \
+ @10.53.0.1 >dig.out.ds.test$n || ret=1
+ grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.test$n >/dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
else
echo_i "$DIG is needed, so skipping these dig tests"
fi
diff --git a/bin/tests/system/dnssec/README b/bin/tests/system/dnssec/README
index fcaa3b6c80..c72442c61b 100644
--- a/bin/tests/system/dnssec/README
+++ b/bin/tests/system/dnssec/README
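Review bot: The new +nocrypto checks only assert that one DNSKEY line carries `[key id = …]` and one RRSIG line carries `[omitted]`, so a regression that still prints raw key or signature material on any other line of dig.out.dnskey.test$n would pass unnoticed; add a negative check after the two greps, e.g. `grep -E "(DNSKEY|RRSIG)[[:space:]]" dig.out.dnskey.test$n | grep -Ev "\[(omitted|key id = [1-9][0-9]*)\]" >/dev/null && ret=1`. The DS check on the last grep also pins the digest type to `[12]` while the DNSKEY check takes its algorithm from `$DEFAULT_ALGORITHM_NUMBER`; if the test signer's DS digest default ever changes this grep fails with no hint why, so `[0-9]+` or a matching variable would be more robust. Neither dig invocation has its `status:` line checked, unlike the test immediately above. The enclosing `if [ -x "$DIG" ]` block starts before the hunk.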
@@ -19,14 +19,11 @@ ns4 is a caching-only server, configured with the correct trusted key for the root. ns5 is a caching-only server, configured with the an incorrect trusted -key for the root. It is used for testing failure cases. +key for the root, or with unsupported and disabled algorithms. It is used +for testing failure cases. -ns6 is an caching and authoritative server used for testing unusual -server behaviors such as disabled DNSSEC algorithms. - -ns7 is used for checking non-cacheable answers. - -ns8 is a caching-only server, configured with unsupported and disabled -algorithms. It is used for testing failure cases. +ns6 is a caching and authoritative server used for testing unusual +server behaviors such as disabled DNSSEC algorithms and non-cacheable +responses. It runs with -T nonearest, -T nosoa, and -T tat=3. ns9 is a forwarding-only server. diff --git a/bin/tests/system/dnssec/dnssec_update_test.pl b/bin/tests/system/dnssec/dnssec_update_test.pl deleted file mode 100644 index a06c563e3c..0000000000 --- a/bin/tests/system/dnssec/dnssec_update_test.pl +++ /dev/null 
@@ -1,99 +0,0 @@
-#!/usr/bin/perl
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-#
-# DNSSEC Dynamic update test suite.
-#
-# Usage:
-#
-# perl update_test.pl [-s server] [-p port] zone
-#
-# The server defaults to 127.0.0.1.
-# The port defaults to 53.
-#
-# Installation notes:
-#
-# This program uses the Net::DNS::Resolver module.
-# You can install it by saying
-#
-# perl -MCPAN -e "install Net::DNS"
-#
-
-use Getopt::Std;
-use Net::DNS;
-use Net::DNS::Update;
-use Net::DNS::Resolver;
-
-$opt_s = "127.0.0.1";
-$opt_p = 53;
-
-getopt('s:p:');
-
-$res = new Net::DNS::Resolver;
-$res->nameservers($opt_s);
-$res->port($opt_p);
-$res->defnames(0); # Do not append default domain.
-
-@ARGV == 1 or die
- "usage: perl update_test.pl [-s server] [-p port] zone\n";
-
-$zone = shift @ARGV;
-
-my $failures = 0;
-
-sub assert {
- my ($cond, $explanation) = @_;
- if (!$cond) {
- print "Test Failed: $explanation ***\n";
- $failures++
- }
-}
-
-sub test {
- my ($expected, @records) = @_;
-
- my $update = new Net::DNS::Update("$zone");
-
- foreach $rec (@records) {
- $update->push(@$rec);
- }
-
- $reply = $res->send($update);
-
- # Did it work?
- if (defined $reply) {
- my $rcode = $reply->header->rcode;
- assert($rcode eq $expected, "expected $expected, got $rcode");
- } else {
- print "Update failed: ", $res->errorstring, "\n";
- }
-}
-
-sub section {
- my ($msg) = @_;
- print "$msg\n";
-}
-
-section("Add a name");
-test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.49")]);
-
-section("Delete the name");
-test("NOERROR", ["update", rr_del("a.$zone")]);
-
-if ($failures) {
- print "$failures update tests failed.\n";
-} else {
- print "All update tests successful.\n";
-}
-
-exit $failures;
diff --git a/bin/tests/system/dnssec/ns1/named.conf.in b/bin/tests/system/dnssec/ns1/named.conf.j2
similarity index 100%
rename from bin/tests/system/dnssec/ns1/named.conf.in
rename to bin/tests/system/dnssec/ns1/named.conf.j2
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 90286fb3e6..02c9e18320 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -22,7 +22,6 @@ zonefile=root.db
(cd ../ns2 && $SHELL sign.sh)
(cd ../ns6 && $SHELL sign.sh)
-(cd ../ns7 && $SHELL sign.sh)
echo_i "ns1/sign.sh"
@@ -45,13 +44,12 @@ cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
-# Configure the resolving server with a staitc key.
+# Configure the resolving server with a static key.
keyfile_to_static_ds "$ksk" >trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
cp trusted.conf ../ns6/trusted.conf
-cp trusted.conf ../ns7/trusted.conf
cp trusted.conf ../ns9/trusted.conf
keyfile_to_static_keys "$ksk" >trusted.keys
@@ -70,4 +68,4 @@ keyfile_to_key_id "$ksk" >managed.key.id
# Also generate a broken trusted-keys file for the dnssec test.
#
broken=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" .)
-keyfile_to_static_ds "$broken" >../ns4/broken.conf
+keyfile_to_static_ds "$broken" >../ns5/broken.conf
diff --git a/bin/tests/system/dnssec/ns2/cds-update.secure.db.in b/bin/tests/system/dnssec/ns2/cds-update.secure.db.in deleted file mode 100644 index aa3aaabfaf..0000000000 --- a/bin/tests/system/dnssec/ns2/cds-update.secure.db.in +++ /dev/null @@ -1,14 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -@ SOA ns2.example. . 1 3600 1200 86400 1200 -@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cds.secure.db.in b/bin/tests/system/dnssec/ns2/cds.secure.db.in deleted file mode 100644 index aa3aaabfaf..0000000000 --- a/bin/tests/system/dnssec/ns2/cds.secure.db.in +++ /dev/null @@ -1,14 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -@ SOA ns2.example. . 1 3600 1200 86400 1200 -@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/child.nsec3.example.db b/bin/tests/system/dnssec/ns2/child.nsec3.example.db deleted file mode 100644 index 8fc3bc837e..0000000000 --- a/bin/tests/system/dnssec/ns2/child.nsec3.example.db +++ /dev/null 
@@ -1,20 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2006081400 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) -@ IN NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/child.optout.example.db b/bin/tests/system/dnssec/ns2/child.optout.example.db deleted file mode 100644 index 8fc3bc837e..0000000000 --- a/bin/tests/system/dnssec/ns2/child.optout.example.db +++ /dev/null @@ -1,20 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2006081400 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) -@ IN NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/dst.example.db.in b/bin/tests/system/dnssec/ns2/dst.example.db.in deleted file mode 100644 index 0039484964..0000000000 --- a/bin/tests/system/dnssec/ns2/dst.example.db.in +++ /dev/null 
@@ -1,21 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns2.example. -a A 10.0.0.1 diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in index 1efb1755b4..47c2eb7f0e 100644 --- a/bin/tests/system/dnssec/ns2/example.db.in +++ b/bin/tests/system/dnssec/ns2/example.db.in @@ -12,10 +12,10 @@ $TTL 300 ; 5 minutes @ IN SOA mname1. . ( 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) ) NS ns2 NS ns3 @@ -30,8 +30,8 @@ d A 10.0.0.4 foo TXT "testing" foo A 10.0.1.0 -bad-cname CNAME a -bad-dname DNAME @ +bad-cname CNAME a +bad-dname DNAME @ ; Used for testing CNAME queries cname1 CNAME cname1-target 
@@ -52,150 +52,153 @@ secure NS ns3.secure
ns3.secure A 10.53.0.3
; An insecure subdomain
-insecure NS ns.insecure
-ns.insecure A 10.53.0.3
+insecure NS ns3.insecure
+ns3.insecure A 10.53.0.3
-; A second insecure subdomain
-insecure2 NS ns.insecure2
-ns.insecure2 A 10.53.0.3
+; A subdomain with an extra DNSKEY in the wrong place
+extrakey NS ns3.extrakey
+ns3.extrakey A 10.53.0.3
; A secure subdomain we're going to inject bogus data into
-bogus NS ns.bogus
-ns.bogus A 10.53.0.3
+bogus NS ns3.bogus
+ns3.bogus A 10.53.0.3
; A subdomain with a corrupt DS
-badds NS ns.badds
-ns.badds A 10.53.0.3
+badds NS ns3.badds
+ns3.badds A 10.53.0.3
; A subdomain with a corrupt DS, but locally trusted by the forwarder
-localkey NS ns.localkey
-ns.localkey A 10.53.0.3
+localkey NS ns3.localkey
+ns3.localkey A 10.53.0.3
; A dynamic secure subdomain
-dynamic NS dynamic
-dynamic A 10.53.0.3
+dynamic NS ns3.dynamic
+ns3.dynamic A 10.53.0.3
; A subdomain with expired signatures
-expired NS ns.expired
-ns.expired A 10.53.0.3
+expired NS ns3.expired
+ns3.expired A 10.53.0.3
; A rfc2535 signed zone w/ CNAME
rfc2535 NS ns.rfc2535
-ns.rfc2535 A 10.53.0.3
+ns.rfc2535 A 10.53.0.2
z A 10.0.0.26
-keyless NS ns.keyless
-ns.keyless A 10.53.0.3
+keyless NS ns3.keyless
+ns3.keyless A 10.53.0.3
-nsec3 NS ns.nsec3
-ns.nsec3 A 10.53.0.3
+nsec3 NS ns3.nsec3
+ns3.nsec3 A 10.53.0.3
-optout NS ns.optout
-ns.optout A 10.53.0.3
+optout NS ns3.optout
+ns3.optout A 10.53.0.3
-nsec3-unknown NS ns.nsec3-unknown
-ns.nsec3-unknown A 10.53.0.3
+nsec3-unknown NS ns3.nsec3-unknown
+ns3.nsec3-unknown A 10.53.0.3
-optout-unknown NS ns.optout-unknown
-ns.optout-unknown A 10.53.0.3
+optout-unknown NS ns3.optout-unknown
+ns3.optout-unknown A 10.53.0.3
-dnskey-unknown NS ns.dnskey-unknown
-ns.dnskey-unknown A 10.53.0.3
+dnskey-unknown NS ns3.dnskey-unknown
+ns3.dnskey-unknown A 10.53.0.3
-dnskey-unsupported NS ns.dnskey-unsupported
-ns.dnskey-unsupported A 10.53.0.3
+dnskey-unsupported NS ns3.dnskey-unsupported
+ns3.dnskey-unsupported A 10.53.0.3
-ds-unsupported NS ns.ds-unsupported
-ns.ds-unsupported A 10.53.0.3
+dnskey-unsupported-2 NS ns3.dnskey-unsupported
+ns3.dnskey-unsupported-2 A 10.53.0.3
-digest-alg-unsupported NS ns.digest-alg-unsupported
-ns.digest-alg-unsupported A 10.53.0.3
+ds-unsupported NS ns3.ds-unsupported
+ns3.ds-unsupported A 10.53.0.3
-dnskey-nsec3-unknown NS ns.dnskey-nsec3-unknown
-ns.dnskey-nsec3-unknown A 10.53.0.3
+digest-alg-unsupported NS ns3.digest-alg-unsupported
+ns3.digest-alg-unsupported A 10.53.0.3
-multiple NS ns.multiple
-ns.multiple A 10.53.0.3
+dnskey-nsec3-unknown NS ns3.dnskey-nsec3-unknown
+ns3.dnskey-nsec3-unknown A 10.53.0.3
+
+multiple NS ns3.multiple
+ns3.multiple A 10.53.0.3
*.wild A 10.0.0.27
-rsasha256 NS ns.rsasha256
-ns.rsasha256 A 10.53.0.3
+rsasha256 NS ns3.rsasha256
+ns3.rsasha256 A 10.53.0.3
-rsasha512 NS ns.rsasha512
-ns.rsasha512 A 10.53.0.3
+rsasha512 NS ns3.rsasha512
+ns3.rsasha512 A 10.53.0.3
-kskonly NS ns.kskonly
-ns.kskonly A 10.53.0.3
+kskonly NS ns3.kskonly
+ns3.kskonly A 10.53.0.3
-update-nsec3 NS ns.update-nsec3
-ns.update-nsec3 A 10.53.0.3
+update-nsec3 NS ns3.update-nsec3
+ns3.update-nsec3 A 10.53.0.3
-auto-nsec NS ns.auto-nsec
-ns.auto-nsec A 10.53.0.3
+auto-nsec NS ns3.auto-nsec
+ns3.auto-nsec A 10.53.0.3
-auto-nsec3 NS ns.auto-nsec3
-ns.auto-nsec3 A 10.53.0.3
+auto-nsec3 NS ns3.auto-nsec3
+ns3.auto-nsec3 A 10.53.0.3
below-cname CNAME some.where.else.
-insecure.below-cname NS ns.insecure.below-cname
-ns.insecure.below-cname A 10.53.0.3
+insecure.below-cname NS ns3.insecure.below-cname
+ns3.insecure.below-cname A 10.53.0.3
-secure.below-cname NS ns.secure.below-cname
-ns.secure.below-cname A 10.53.0.3
+secure.below-cname NS ns3.secure.below-cname
+ns3.secure.below-cname A 10.53.0.3
-ttlpatch NS ns.ttlpatch
-ns.ttlpatch A 10.53.0.3
+ttlpatch NS ns3.ttlpatch
+ns3.ttlpatch A 10.53.0.3
-split-dnssec NS ns.split-dnssec
-ns.split-dnssec A 10.53.0.3
+split-dnssec NS ns3.split-dnssec
+ns3.split-dnssec A 10.53.0.3
-split-smart NS ns.split-smart
-ns.split-smart A 10.53.0.3
+split-smart NS ns3.split-smart
+ns3.split-smart A 10.53.0.3
-upper NS ns.upper
-ns.upper A 10.53.0.3
+upper NS ns3.upper
+ns3.upper A 10.53.0.3
-LOWER NS NS.LOWER
-NS.LOWER A 10.53.0.3
+LOWER NS NS3.LOWER
+NS3.LOWER A 10.53.0.3
-expiring NS ns.expiring
-ns.expiring A 10.53.0.3
+expiring NS ns3.expiring
+ns3.expiring A 10.53.0.3
-future NS ns.future
-ns.future A 10.53.0.3
+future NS ns3.future
+ns3.future A 10.53.0.3
-managed-future NS ns.managed-future
-ns.managed-future A 10.53.0.3
+managed-future NS ns3.managed-future
+ns3.managed-future A 10.53.0.3
-revkey NS ns.revkey
-ns.revkey A 10.53.0.3
+revkey NS ns3.revkey
+ns3.revkey A 10.53.0.3
-rsasha1 NS ns.rsasha1
-ns.rsasha1 A 10.53.0.3
+rsasha1 NS ns3.rsasha1
+ns3.rsasha1 A 10.53.0.3
-rsasha1-1024 NS ns.rsasha1-1024
-ns.rsasha1-1024 A 10.53.0.3
+rsasha1-1024 NS ns3.rsasha1-1024
+ns3.rsasha1-1024 A 10.53.0.3
dname-at-apex-nsec3 NS ns3
-rsasha256oid NS ns.rsasha256oid
-ns.rsasha256oid A 10.53.0.3
+rsasha256oid NS ns3.rsasha256oid
+ns3.rsasha256oid A 10.53.0.3
-rsasha512oid NS ns.rsasha512oid
-ns.rsasha512oid A 10.53.0.3
+rsasha512oid NS ns3.rsasha512oid
+ns3.rsasha512oid A 10.53.0.3
-unknownoid NS ns.unknownoid
-ns.unknownoid A 10.53.0.3
+unknownoid NS ns3.unknownoid
+ns3.unknownoid A 10.53.0.3
-extradsoid NS ns.extradsoid
-ns.extradsoid A 10.53.0.3
+extradsoid NS ns3.extradsoid
+ns3.extradsoid A
10.53.0.3
-extradsunknownoid NS ns.extradsunknownoid
-ns.extradsunknownoid A 10.53.0.3
+extradsunknownoid NS ns3.extradsunknownoid
+ns3.extradsunknownoid A 10.53.0.3
-extended-ds-unknown-oid NS ns.extended-ds-unknown-oid
-ns.extended-ds-unknown-oid A 10.53.0.3
+extended-ds-unknown-oid NS ns3.extended-ds-unknown-oid
+ns3.extended-ds-unknown-oid A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns2/lazy-ksk.db.in b/bin/tests/system/dnssec/ns2/lazy-ksk.db.in
deleted file mode 100644
index 1527e07c6e..0000000000
--- a/bin/tests/system/dnssec/ns2/lazy-ksk.db.in
+++ /dev/null
@@ -1,27 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 30 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 30 ; minimum (1 hour)
- )
- NS ns2
-ns2 A 10.53.0.2
-ns3 A 10.53.0.3
-
-a A 10.0.0.1
-*.a A 10.0.0.3
-b A 10.0.0.2
-d A 10.0.0.4
diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.j2
similarity index 97%
rename from bin/tests/system/dnssec/ns2/named.conf.in
rename to bin/tests/system/dnssec/ns2/named.conf.j2
index 3b31574579..093aba3120 100644
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.j2
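Review bot: In the new `dnskey-unsupported-2` delegation the NS target is `ns3.dnskey-unsupported`, but the glue added directly below it is `ns3.dnskey-unsupported-2 A 10.53.0.3`, so the two names do not match: the delegation resolves through the sibling zone's glue and the `-2` A record is never used. This looks like a copy-paste slip; the pair should presumably read `dnskey-unsupported-2 NS ns3.dnskey-unsupported-2` / `ns3.dnskey-unsupported-2 A 10.53.0.3`, matching every other delegation in the hunk. The `rfc2535` delegation is also the only one left on an `ns.` name (now pointing at 10.53.0.2) while everything else was renamed to `ns3.`; if that is deliberate because ns2 now serves it, a short comment on the line would keep the next renaming pass from "fixing" it.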
@@ -185,16 +185,11 @@ zone "cdnskey-auto.secure" {
zone "updatecheck-kskonly.secure" {
type primary;
- file "updatecheck-kskonly.secure.db.signed";
+ file "updatecheck-kskonly.secure.db";
dnssec-policy kskonly;
allow-update { any; };
};
-zone "corp" {
- type primary;
- file "corp.db";
-};
-
zone "hours-vs-days" {
type primary;
file "hours-vs-days.db.signed";
diff --git a/bin/tests/system/dnssec/ns2/private.secure.example.db.in b/bin/tests/system/dnssec/ns2/private.secure.example.db.in
deleted file mode 100644
index 94042ae40a..0000000000
--- a/bin/tests/system/dnssec/ns2/private.secure.example.db.in
+++ /dev/null
@@ -1,28 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.2
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-private2secure-nxdomain CNAME r.example.
-*.wild CNAME s.example.
diff --git a/bin/tests/system/dnssec/ns2/rfc2335.example.db b/bin/tests/system/dnssec/ns2/rfc2335.example.db.in
similarity index 100%
rename from bin/tests/system/dnssec/ns2/rfc2335.example.db
rename to bin/tests/system/dnssec/ns2/rfc2335.example.db.in
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 2658fd10b3..e3f18af15e 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -29,6 +29,31 @@ done
cp "../ns3/dsset-target.peer-ns-spoof." .
+# Set up some unsigned zones:
+# insecure
+zone=insecure.secure.
+infile=template.db.in
+zonefile=insecure.secure.example.db
+cp $infile $zonefile
+
+# delegated child of an nsec3 zone
+zone=child.nsec3.secure.
+infile=template.db.in
+zonefile=child.nsec3.secure.example.db
+cp $infile $zonefile
+
+# delegated child of an optout zone
+zone=child.nsec3.secure.
+infile=template.db.in
+zonefile=child.nsec3.secure.example.db
+cp $infile $zonefile
+
+# zone pre-signed with RFC2335 signatures
+zone=rfc2335.example.
+infile=rfc2335.example.db.in
+zonefile=rfc2335.example.db
+cp $infile $zonefile
+
+# Sign the "trusted." and "managed." zones.
zone=managed.
infile=key.db.in
@@ -143,7 +168,7 @@ cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
# Sign the badparam secure file
zone=badparam.
-infile=badparam.db.in
+infile=template.db.in
zonefile=badparam.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
@@ -211,7 +236,7 @@ cat "$key1.key" "$key2.key" >>"$zonefile"
"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" >/dev/null 2>&1
zone=cds.secure
-infile=cds.secure.db.in
+infile=template.db.in
zonefile=cds.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -220,7 +245,7 @@ cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cds-x.secure
-infile=cds.secure.db.in
+infile=template.db.in
zonefile=cds-x.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
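Review bot: The "delegated child of an optout zone" block is a verbatim copy of the nsec3 block above it — it assigns `zone=child.nsec3.secure.` and `zonefile=child.nsec3.secure.example.db` a second time, so no optout child zone file is ever produced and the nsec3 one is merely overwritten with identical content. It should presumably read `zone=child.optout.secure.` / `zonefile=child.optout.secure.example.db`, but the intended names need confirming against the zone statements in ns2/named.conf.j2, since the files deleted by this diff were named child.nsec3.example.db and child.optout.example.db. In all four new blocks `zone=` is assigned but never used, and `cp $infile $zonefile` is unquoted where the rest of the file writes `"$infile"` and `"$zonefile"`. The `rfc2335.example.` name here also does not match the `rfc2535` delegation in ns2/example.db.in; that spelling predates this commit, but the new "RFC2335 signatures" comment carries it forward.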
@@ -230,7 +255,7 @@ cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" >"$zonefile"
"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cds-update.secure
-infile=cds-update.secure.db.in
+infile=template.db.in
zonefile=cds-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -239,7 +264,7 @@ cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
keyfile_to_key_id "$key1" >cds-update.secure.id
zone=cds-auto.secure
-infile=cds-auto.secure.db.in
+infile=template.db.in
zonefile=cds-auto.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -247,7 +272,7 @@ $SETTIME -P sync now "$key1" >/dev/null
cat "$infile" >"$zonefile.signed"
zone=cdnskey.secure
-infile=cdnskey.secure.db.in
+infile=template.db.in
zonefile=cdnskey.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -256,7 +281,7 @@ cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cdnskey-x.secure
-infile=cdnskey.secure.db.in
+infile=template.db.in
zonefile=cdnskey-x.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
@@ -266,7 +291,7 @@ cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" >"$zonefile"
"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cdnskey-update.secure
-infile=cdnskey-update.secure.db.in
+infile=template.db.in
zonefile=cdnskey-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -275,7 +300,7 @@ cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
keyfile_to_key_id "$key1" >cdnskey-update.secure.id
zone=cdnskey-auto.secure
-infile=cdnskey-auto.secure.db.in
+infile=template.db.in
zonefile=cdnskey-auto.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -283,7 +308,7 @@ $SETTIME -P sync now "$key1" >/dev/null
cat "$infile" >"$zonefile.signed"
zone=updatecheck-kskonly.secure
-infile=template.secure.db.in
+infile=template.db.in
zonefile=${zone}.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -297,7 +322,6 @@ $SETTIME -s -g OMNIPRESENT -k OMNIPR|ESENT now -r OMNIPRESENT now -d RUMOURED now
$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -z OMNIPRESENT now $key2 >settime.out.$zone.zsk 2>&1
# Don't sign, let dnssec-policy maintain do it.
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
-mv $zonefile "$zonefile.signed"
zone=hours-vs-days
infile=hours-vs-days.db.in
@@ -322,7 +346,7 @@ cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
# A zone with a secure chain of trust of two KSKs, only one KSK is not signing.
#
zone=lazy-ksk
-infile=lazy-ksk.db.in
+infile=template.db.in
zonefile=lazy-ksk.db
ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
diff --git a/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in b/bin/tests/system/dnssec/ns2/template.db.in
similarity index 79%
rename from bin/tests/system/dnssec/ns2/cds-auto.secure.db.in
rename to bin/tests/system/dnssec/ns2/template.db.in
index aa3aaabfaf..a84b75b618 100644
--- a/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in
+++ b/bin/tests/system/dnssec/ns2/template.db.in
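Review bot: Pointing lazy-ksk at `template.db.in` changes the zone's timing data, not just its record set: the lazy-ksk.db.in deleted in this diff used `$TTL 30` and an SOA minimum of 30, whereas template.db.in (renamed from cds-auto.secure.db.in) has `$TTL 300` and SOA `1 3600 1200 86400 1200`, and it also drops the `ns3 A 10.53.0.3` glue the old file carried. If the lazy-ksk checks wait for records or signatures to age out within a short window, the tenfold TTL increase may make them time out or pass vacuously; either keep a dedicated input file for this zone or state in the commit message why the TTL no longer matters. The other `infile=template.db.in` substitutions in this and the preceding hunks replace files that had `$TTL 3600` (cds.secure, cds-update.secure, template.secure are visible here) with a 300-second template, which goes the other way and looks harmless.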
@@ -9,6 +9,13 @@
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
-$TTL 3600
+$TTL 300 ; 5 minutes
@ SOA ns2.example. . 1 3600 1200 86400 1200
-@ NS ns2.example.
+@ NS ns2
+ns2 A 10.53.0.2
+
+a A 10.0.0.1
+*.a A 10.0.0.3
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns2/template.secure.db.in b/bin/tests/system/dnssec/ns2/template.secure.db.in
deleted file mode 100644
index aa3aaabfaf..0000000000
--- a/bin/tests/system/dnssec/ns2/template.secure.db.in
+++ /dev/null
@@ -1,14 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 3600
-@ SOA ns2.example. . 1 3600 1200 86400 1200
-@ NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in b/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in
deleted file mode 100644
index a7792fd3b8..0000000000
--- a/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in
+++ /dev/null
@@ -1,40 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a - -private NS ns.private -ns.private A 10.53.0.2 - -insecure NS ns.insecure -ns.insecure A 10.53.0.2 - -nosoa NS ns.nosoa -ns.nosoa A 10.53.0.7 - -normalthenrrsig A 10.0.0.28 -rrsigonly A 10.0.0.29 diff --git a/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in deleted file mode 100644 index a7792fd3b8..0000000000 --- a/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in +++ /dev/null 
@@ -1,40 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a - -private NS ns.private -ns.private A 10.53.0.2 - -insecure NS ns.insecure -ns.insecure A 10.53.0.2 - -nosoa NS ns.nosoa -ns.nosoa A 10.53.0.7 - -normalthenrrsig A 10.0.0.28 -rrsigonly A 10.0.0.29 diff --git a/bin/tests/system/dnssec/ns3/digest-alg-unsupported.example.db.in b/bin/tests/system/dnssec/ns3/digest-alg-unsupported.example.db.in deleted file mode 100644 index 94fa465980..0000000000 --- a/bin/tests/system/dnssec/ns3/digest-alg-unsupported.example.db.in +++ /dev/null @@ -1,22 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 -a A 10.0.0.1 
diff --git a/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in deleted file mode 100644 index f37dd750ce..0000000000 --- a/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in +++ /dev/null @@ -1,29 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a A 10.0.0.3 -*.e A 10.0.0.6 -child NS ns2.example. diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in deleted file mode 100644 index f37dd750ce..0000000000 --- a/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in +++ /dev/null 
@@ -1,29 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a A 10.0.0.3
-*.e A 10.0.0.6
-child NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
deleted file mode 100644
index f37dd750ce..0000000000
--- a/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
+++ /dev/null
@@ -1,29 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a A 10.0.0.3
-*.e A 10.0.0.6
-child NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/ds-unsupported.example.db.in b/bin/tests/system/dnssec/ns3/ds-unsupported.example.db.in
deleted file mode 100644
index 94fa465980..0000000000
--- a/bin/tests/system/dnssec/ns3/ds-unsupported.example.db.in
+++ /dev/null
@@ -1,22 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-a A 10.0.0.1
diff --git a/bin/tests/system/dnssec/ns3/dynamic.example.db.in b/bin/tests/system/dnssec/ns3/dynamic.example.db.in
deleted file mode 100644
index babf54c2a5..0000000000
--- a/bin/tests/system/dnssec/ns3/dynamic.example.db.in
+++ /dev/null
@@ -1,25 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-; This has the NS and glue at the apex because testing RT #2399
-; requires we have only one name in the zone at a certain point
-; during the test.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
-@ NS @
-@ A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns3/expired.example.db.in b/bin/tests/system/dnssec/ns3/expired.example.db.in
deleted file mode 100644
index b7706d3c9f..0000000000
--- a/bin/tests/system/dnssec/ns3/expired.example.db.in
+++ /dev/null
@@ -1,44 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
- MX 10 mx
-ns A 10.53.0.3
-mx A 10.0.0.30
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
-
-private NS ns.private
-ns.private A 10.53.0.2
-
-insecure NS ns.insecure
-ns.insecure A 10.53.0.2
-
-nosoa NS ns.nosoa
-ns.nosoa A 10.53.0.7
-
-normalthenrrsig A 10.0.0.28
-rrsigonly A 10.0.0.29
-
-
diff --git a/bin/tests/system/dnssec/ns3/expiring.example.db.in b/bin/tests/system/dnssec/ns3/expiring.example.db.in
deleted file mode 100644
index 8acf7b121e..0000000000
--- a/bin/tests/system/dnssec/ns3/expiring.example.db.in
+++ /dev/null
@@ -1,40 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
- MX 10 mx
-ns A 10.53.0.3
-mx A 10.0.0.30
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a A 10.0.0.3
-*.wild A 10.0.0.6
-child NS ns2.example.
-insecure NS ns.insecure
-ns.insecure A 10.53.0.3
-secure NS ns.secure
-ns.secure A 10.53.0.3
-nsec3 NS ns.nsec3
-ns.nsec3 A 10.53.0.3
-optout NS ns.optout
-ns.optout A 10.53.0.3
-02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
diff --git a/bin/tests/system/dnssec/ns3/extended-ds-unknown-oid.example.db.in b/bin/tests/system/dnssec/ns3/extended-ds-unknown-oid.example.db.in
deleted file mode 100644
index f6c4fabdd3..0000000000
--- a/bin/tests/system/dnssec/ns3/extended-ds-unknown-oid.example.db.in
+++ /dev/null
@@ -1,28 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2009102722 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/extradsoid.example.db.in b/bin/tests/system/dnssec/ns3/extradsoid.example.db.in
deleted file mode 100644
index f6c4fabdd3..0000000000
--- a/bin/tests/system/dnssec/ns3/extradsoid.example.db.in
+++ /dev/null
@@ -1,28 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2009102722 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/extradsunknownoid.example.db.in b/bin/tests/system/dnssec/ns3/extradsunknownoid.example.db.in
deleted file mode 100644
index f6c4fabdd3..0000000000
--- a/bin/tests/system/dnssec/ns3/extradsunknownoid.example.db.in
+++ /dev/null
@@ -1,28 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2009102722 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/insecure2.example.db b/bin/tests/system/dnssec/ns3/extrakey.example.db.in
similarity index 96%
rename from bin/tests/system/dnssec/ns3/insecure2.example.db
rename to bin/tests/system/dnssec/ns3/extrakey.example.db.in
index 76e3f47f21..c1d17da9b8 100644
--- a/bin/tests/system/dnssec/ns3/insecure2.example.db
+++ b/bin/tests/system/dnssec/ns3/extrakey.example.db.in
@@ -17,8 +17,8 @@ $TTL 300 ; 5 minutes 1814400 ; expire (3 weeks) 3600 ; minimum (1 hour) ) - NS ns -ns A 10.53.0.3 + NS ns3 +ns3 A 10.53.0.3 a A 10.0.0.1 b A 10.0.0.2
diff --git a/bin/tests/system/dnssec/ns3/future.example.db.in b/bin/tests/system/dnssec/ns3/future.example.db.in
deleted file mode 100644
index 20c19c5216..0000000000
--- a/bin/tests/system/dnssec/ns3/future.example.db.in
+++ /dev/null
@@ -1,40 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a A 10.0.0.3
-*.wild A 10.0.0.6
-insecure NS ns.insecure
-ns.insecure A 10.53.0.3
-secure NS ns.secure
-ns.secure A 10.53.0.3
-nsec3 NS ns.nsec3
-ns.nsec3 A 10.53.0.3
-optout NS ns.optout
-ns.optout A 10.53.0.3
-child NS ns2.example.
-insecure.empty NS ns.insecure.empty
-ns.insecure.empty A 10.53.0.3
-foo.*.empty-wild NS ns
diff --git a/bin/tests/system/dnssec/ns3/inline.example.db b/bin/tests/system/dnssec/ns3/inline.example.db
deleted file mode 100644
index 14971bd7a6..0000000000
--- a/bin/tests/system/dnssec/ns3/inline.example.db
+++ /dev/null
@@ -1,26 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db b/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db
deleted file mode 100644
index 14971bd7a6..0000000000
--- a/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db
+++ /dev/null
@@ -1,26 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/insecure.example.db b/bin/tests/system/dnssec/ns3/insecure.example.db
deleted file mode 100644
index 76e3f47f21..0000000000
--- a/bin/tests/system/dnssec/ns3/insecure.example.db
+++ /dev/null
@@ -1,27 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-x DNSKEY 258 3 5 Cg==
-z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db b/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db
deleted file mode 100644
index 14971bd7a6..0000000000
--- a/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db
+++ /dev/null
@@ -1,26 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/insecure.optout.example.db b/bin/tests/system/dnssec/ns3/insecure.optout.example.db
deleted file mode 100644
index 14971bd7a6..0000000000
--- a/bin/tests/system/dnssec/ns3/insecure.optout.example.db
+++ /dev/null
@@ -1,26 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/kskonly.example.db.in b/bin/tests/system/dnssec/ns3/kskonly.example.db.in
deleted file mode 100644
index 0b11a00b00..0000000000
--- a/bin/tests/system/dnssec/ns3/kskonly.example.db.in
+++ /dev/null
@@ -1,26 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2009102722 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/lower.example.db.in b/bin/tests/system/dnssec/ns3/lower.example.db.in
deleted file mode 100644
index a04793e312..0000000000
--- a/bin/tests/system/dnssec/ns3/lower.example.db.in
+++ /dev/null
@@ -1,21 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA MNAME1. . (
- 2012042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
-@ NS NS
-NS A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns3/managed-future.example.db.in b/bin/tests/system/dnssec/ns3/managed-future.example.db.in
deleted file mode 100644
index 20c19c5216..0000000000
--- a/bin/tests/system/dnssec/ns3/managed-future.example.db.in
+++ /dev/null
@@ -1,40 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a A 10.0.0.3
-*.wild A 10.0.0.6
-insecure NS ns.insecure
-ns.insecure A 10.53.0.3
-secure NS ns.secure
-ns.secure A 10.53.0.3
-nsec3 NS ns.nsec3
-ns.nsec3 A 10.53.0.3
-optout NS ns.optout
-ns.optout A 10.53.0.3
-child NS ns2.example.
-insecure.empty NS ns.insecure.empty
-ns.insecure.empty A 10.53.0.3
-foo.*.empty-wild NS ns
diff --git a/bin/tests/system/dnssec/ns3/multiple.example.db.in b/bin/tests/system/dnssec/ns3/multiple.example.db.in
deleted file mode 100644
index f37dd750ce..0000000000
--- a/bin/tests/system/dnssec/ns3/multiple.example.db.in
+++ /dev/null
@@ -1,29 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a A 10.0.0.3
-*.e A 10.0.0.6
-child NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.j2
similarity index 95%
rename from bin/tests/system/dnssec/ns3/named.conf.in
rename to bin/tests/system/dnssec/ns3/named.conf.j2
index a9a1b207bf..6c9e18976c 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.j2
@@ -13,6 +13,8 @@ // NS3 +{% set long_sigs = long_sigs | default(False) %} + options { query-source address 10.53.0.3; notify-source 10.53.0.3;
@@ -121,9 +123,9 @@ zone "insecure.example" { allow-update { any; }; }; -zone "insecure2.example" { +zone "extrakey.example" { type primary; - file "insecure2.example.db"; + file "extrakey.example.db"; allow-update { any; }; };
@@ -464,28 +466,27 @@ zone "extended-ds-unknown-oid.example" { file "extended-ds-unknown-oid.example.db.signed"; }; -dnssec-policy "siginterval1" { +dnssec-policy "siginterval" { keys { ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; }; - signatures-validity 1d; - signatures-refresh 21h; + {% if long_sigs %} + signatures-validity 35d; + signatures-refresh 28d; + {% else %} + signatures-validity 1d; + signatures-refresh 21h; + {% endif %} signatures-validity-dnskey 90d; }; -dnssec-policy "siginterval2" { - keys { - ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - }; - - signatures-validity 35d; - signatures-refresh 28d; - signatures-validity-dnskey 90d; +zone "siginterval.example" { + type primary; + allow-update { any; }; + dnssec-policy siginterval; + file "siginterval.example.db"; }; -include "siginterval.conf"; - include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns3/nosign.example.db.in b/bin/tests/system/dnssec/ns3/nosign.example.db.in
deleted file mode 100644
index 2be8a2833a..0000000000
--- a/bin/tests/system/dnssec/ns3/nosign.example.db.in
+++ /dev/null
@@ -1,23 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
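Review bot: The `{% if long_sigs %}` branch selection relies on Jinja truthiness, so `default(False)` (set in this file's first hunk) only covers the undefined case; if the harness ever renders with a non-empty string such as `"false"` or `"0"`, the 35d/28d policy would be chosen silently. If the variable is passed as a string anywhere, a stricter test like `{% if long_sigs is sameas true %}` would make the switch unambiguous; this is inferred, since the rendering side is not in this diff. Separately, neither the `set` line nor the conditional explains what the two variants exercise, so a template comment above the `{% if long_sigs %}` line is warranted, e.g. `{# long_sigs: selected per test run; the 35d/28d variant exercises signature refresh with long-lived RRSIGs, the 1d/21h variant the default short interval #}`. The new `zone "siginterval.example"` block also replaces `include "siginterval.conf"`, which is worth a one-line comment so readers of the rendered named.conf know the policy choice now comes from the template rather than a generated include.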
diff --git a/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in b/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in
deleted file mode 100644
index f37dd750ce..0000000000
--- a/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in
+++ /dev/null
@@ -1,29 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a A 10.0.0.3
-*.e A 10.0.0.6
-child NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/nsec3.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.example.db.in
index 55b38776da..f326e0b15a 100644
--- a/bin/tests/system/dnssec/ns3/nsec3.example.db.in
+++ b/bin/tests/system/dnssec/ns3/nsec3.example.db.in
@@ -17,8 +17,8 @@ $TTL 300 ; 5 minutes 1814400 ; expire (3 weeks) 3600 ; minimum (1 hour) ) - NS ns -ns A 10.53.0.3 + NS ns3 +ns3 A 10.53.0.3 a A 10.0.0.1 b A 10.0.0.2
@@ -31,8 +31,8 @@ insecure NS ns.insecure
 ns.insecure A 10.53.0.3
 secure NS ns.secure
 ns.secure A 10.53.0.3
-nsec3 NS ns.nsec3
-ns.nsec3 A 10.53.0.3
+nsec3 NS ns3.nsec3
+ns3.nsec3 A 10.53.0.3
 optout NS ns.optout
 ns.optout A 10.53.0.3
 02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
diff --git a/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in
deleted file mode 100644
index 15fe621fd0..0000000000
--- a/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in
+++ /dev/null
@@ -1,35 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
-
-private NS ns.private
-ns.private A 10.53.0.2
-
-insecure NS ns.insecure
-ns.insecure A 10.53.0.2
-
diff --git a/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in
deleted file mode 100644
index 15fe621fd0..0000000000
--- a/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in
+++ /dev/null
@@ -1,35 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
-
-private NS ns.private
-ns.private A 10.53.0.2
-
-insecure NS ns.insecure
-ns.insecure A 10.53.0.2
-
diff --git a/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in b/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in
deleted file mode 100644
index f37dd750ce..0000000000
--- a/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in
+++ /dev/null
@@ -1,29 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a A 10.0.0.3
-*.e A 10.0.0.6
-child NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/optout.example.db.in b/bin/tests/system/dnssec/ns3/optout.example.db.in
index 20c19c5216..b1bcefa65f 100644
--- a/bin/tests/system/dnssec/ns3/optout.example.db.in
+++ b/bin/tests/system/dnssec/ns3/optout.example.db.in
@@ -17,8 +17,8 @@ $TTL 300 ; 5 minutes 1814400 ; expire (3 weeks) 3600 ; minimum (1 hour) ) - NS ns -ns A 10.53.0.3 + NS ns3 +ns3 A 10.53.0.3 a A 10.0.0.1 b A 10.0.0.2
@@ -26,14 +26,14 @@ d A 10.0.0.4
 z A 10.0.0.26
 a.a.a.a A 10.0.0.3
 *.wild A 10.0.0.6
-insecure NS ns.insecure
-ns.insecure A 10.53.0.3
-secure NS ns.secure
-ns.secure A 10.53.0.3
-nsec3 NS ns.nsec3
-ns.nsec3 A 10.53.0.3
-optout NS ns.optout
-ns.optout A 10.53.0.3
+insecure NS ns3.insecure
+ns3.insecure A 10.53.0.3
+secure NS ns3.secure
+ns3.secure A 10.53.0.3
+nsec3 NS ns3.nsec3
+ns3.nsec3 A 10.53.0.3
+optout NS ns3.optout
+ns3.optout A 10.53.0.3
 child NS ns2.example.
 insecure.empty NS ns.insecure.empty
 ns.insecure.empty A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in
deleted file mode 100644
index 15fe621fd0..0000000000
--- a/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in
+++ /dev/null
@@ -1,35 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
-
-private NS ns.private
-ns.private A 10.53.0.2
-
-insecure NS ns.insecure
-ns.insecure A 10.53.0.2
-
diff --git a/bin/tests/system/dnssec/ns3/optout.optout.example.db.in b/bin/tests/system/dnssec/ns3/optout.optout.example.db.in
deleted file mode 100644
index 15fe621fd0..0000000000
--- a/bin/tests/system/dnssec/ns3/optout.optout.example.db.in
+++ /dev/null
@@ -1,35 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
-
-private NS ns.private
-ns.private A 10.53.0.2
-
-insecure NS ns.insecure
-ns.insecure A 10.53.0.2
-
diff --git a/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in b/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in
deleted file mode 100644
index 14971bd7a6..0000000000
--- a/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in
+++ /dev/null
@@ -1,26 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db b/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db
deleted file mode 100644
index d51672c03c..0000000000
--- a/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db
+++ /dev/null
@@ -1,63 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -; File written on Tue Jan 11 18:07:57 2022 -; dnssec_signzone version 9.17.21 -rsasha1-1024.example. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600 -rsasha1-1024.example. 300 IN RRSIG SOA 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. kM6ztqAaLkxcRxYWrw2oe3qofzoIRjDv/tLD/A5edreqzzwj7H6Ihm0s JHfzqVOWBTwYzX0XgD0PXCqMdkXP7QlcWGYK7uCWnisayZIwNCdkywPC sS2ky1d0eK1A7kJ9nEH/eOgLba5uFZcAo8+9dD/6o6Rt1jTeTQkL4RHI UC8= -; resign=20900129082204 -rsasha1-1024.example. 300 IN NS ns.rsasha1-1024.example. -rsasha1-1024.example. 300 IN RRSIG NS 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. jxbsZlgK4B6IkCrZuNDVv/EIqgCU8pTOyWEt2DqvzRI8AeL3I+U9Nbcz 9gmQRaNEtffLVR/sfht6v1ms4AFJKd0xLSZj9ywsZKCmG12UxfNIoZ49 4d1ono8hGYU8xr1Qh1BU2HwgGY1JF4OyO28cgrkT2F9dAvG8MSMEW5Sg 9A8= -; resign=20900129082204 -rsasha1-1024.example. 300 IN NSEC a.rsasha1-1024.example. NS SOA RRSIG NSEC DNSKEY -rsasha1-1024.example. 300 IN RRSIG NSEC 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. AfEX9beXrft4d1moQD1VP3Em9cMgJmx2EYBKMlW5e5XFNk2Z5Wj1N//3 sBuUPNppxUilUEydqH5psVw7IMhrz8Q1+bhABNV7cPm1EOuq0NuQJ2LN JNlTnjfaRT6IAtY7d+NOCO2eKlDzMC/q8t2oaB+iHhgO7yc5+fxMGyQ/ PVc= -; resign=20900129082204 -rsasha1-1024.example. 300 IN DNSKEY 256 3 5 AwEAAaYD3SqsLtFHSfDhA8HhNKQJOToRptRmFhsYbqre+lq/BLpLQNkA 7Kq+chsUhOe+8OHMfkNXfr3XFyuUA3rBg15kq57NZ5gLzkHyeGqB9Ths M5pdwDCqPjJKP43W2+EXXHWsg5P94yldWcvMx1v80vrxGvUimfiQSznE hok/6oqR -rsasha1-1024.example. 
300 IN DNSKEY 257 3 5 AwEAAeEe/ohrvXtDqYgrz5Q1WAKRstnnH0xi/4Mne49PLO56TcVPf6sg xpv/SaHSlQGJnVbQBLebPemKDAC1vVOUqdTDxHJbLuO28brIWMzf0pc1 5G2RNtrQf44E4yaibSROhyBmWoerUHTPGJw6BGDI4fb/CVWujFQ1ieBy WC0p1NWH -rsasha1-1024.example. 300 IN RRSIG DNSKEY 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. nBLPJfoZe4G3wOe17bBSMooRZHe523pjdaTAK2PmXEa8exXH+OWCHh7f Jnh/SI89Hp9a2ru1Skze3FcUcTj/SlwtEuWpxOs9B1R29P1xVPCwkAfb xsmtmE6u5+oeLGrt88zA/kpjx6t0sFbU7A8/qxlpuoH+hdAu1jI2tlP4 d30= -rsasha1-1024.example. 300 IN RRSIG DNSKEY 5 2 300 20900129082204 20220111060757 1151 rsasha1-1024.example. 0oNrcBsFySVjBT60SX3m7cKIPmuCOUH0ZFucrmEVXJLGpNOXe37aXbnC Iz+NHcaaeZQP/w4aYSTyQvZs6Vl5Tufeic3SWalzTGv0f01mIIk24v1a h4ePUB8w0b0+/qq89zl6Ccr2/PgTaLvjuSGYcgX15cigqPRcKQNYCwO1 Vsk= -; resign=20900129082204 -z.rsasha1-1024.example. 300 IN A 10.0.0.26 -z.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. Zf/ynA7APXpNjcMPusIjRan0/ITLmeeY7GJfhCLeD3lEjnAd7dWRl7sC N5sBzUG78Mtgm39Ov/Kj2EwQjFcwcMUmppan3NzS+1YtYuZqlN9iAW+b UUfv8UQUHvM3x/hW4kNCPd2PHIzV2uedIp7VG3Lz72FvjHxECbI7g79V 18c= -; resign=20900129082204 -z.rsasha1-1024.example. 300 IN NSEC rsasha1-1024.example. A RRSIG NSEC -z.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. FPlYMJ41r79tkhIkDTX9/uVtcKXfHa+5oXb8fdo7/2CugjBfp5uihn57 3gMmY7Mi2aVsW64hRkehPJr+sTUOk5+ILhO2Qhjdrm2DpHgeSK29BTQr Okn9ruvpLhRFHwI/DllnKvBOyCmKSzJZE7PDOrqouGclNue07IXz+K2R bME= -; resign=20900129082204 -b.rsasha1-1024.example. 300 IN A 10.0.0.2 -b.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. gQmhCIwai57iscF2s5CJ5DbSy0Z9TiOWYGeFeZITxQ/koFOOjyuZXAZn 6f7mTUcFPhNm4AT/PJAs/L/tzcE16pcVwwDnHszdY28XwEU6OqaXUB3E T/Qu4Sh0BWet9U6JcSSqLG5317qJxqSGfnIJOXMucYi3MH3W8uSpapr+ 4Qk= -; resign=20900129082204 -b.rsasha1-1024.example. 300 IN NSEC d.rsasha1-1024.example. A RRSIG NSEC -b.rsasha1-1024.example. 
300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. Do6VghMEcHk35Q7fI2VrrQBYhChT4pnw791qUFhHZeol5fIKtEnrlviA RN2fbEY+7OrQQXo7Ywxo7nTD9sYsFgOwGKqKJ+yLNPcr++0csbkgt5rU ch1Lv+t7jOUuUX8IzgjOoCH5j9eoU5QtGkEBxf6z0nvlsLJaTWwTqvbr 7aU= -; resign=20900129082204 -a.rsasha1-1024.example. 300 IN A 10.0.0.1 -a.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. CaPXSTPLNeQ4MyRylYP/Ztb6kRT9/QdgpTnZxUHCjSdWEBXsrkEr55/z dBSQ8zGGOfCxlOkmgH/UrR7JmHTQrIqsb/iVq+6D0mfvNJDyNpT92bo8 r+C62/9NXLlkS5zcpyNG8Ls66EQ7dcFa6SxwdxF1qaoeBjJvkrGUMnzP UFo= -; resign=20900129082204 -a.rsasha1-1024.example. 300 IN NSEC b.rsasha1-1024.example. A RRSIG NSEC -a.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. DJlfCVMSPZ6KUIUhWUBt7LOCB8vBbxOFaR4PoHs/fLpGBWrQj46sjLKO W/TImquBg3ygYTOIyWEzVb177HryRmx65AKnfGLbzaTdTgHzcELwg88t EYFT4ODalqTn68o2RfWtNl95FNqJR/kguxxzFVgpN4zfGKXdhTWAA4JW zG0= -; resign=20900129082204 -a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN A 10.0.0.27 -a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN RRSIG A 5 13 300 20900129082204 20220111060757 22290 rsasha1-1024.example. PVFCHIXgDCZOHsTsr3G9wMnPPmiY4CfOXC3b1ZF2qEDqloIT+YX5oKKE uiT6fCBteS6Cq8XTXdezXjqTqxrdY4qMMOBDnIZhf8eOxjFzMEUKKZuH 9c5rt8u35TihuIdKv9OPXdWuTJ4dVSEZjNNxvh3VoMW6XFagYmu3f8Gr 0rg= -; resign=20900129082204 -a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN NSEC ns.rsasha1-1024.example. A RRSIG NSEC -a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN RRSIG NSEC 5 13 300 20900129082204 20220111060757 22290 rsasha1-1024.example. VOOEksRwMWNO2ESMrcMyPFAHuXyYgeLVODy46DwDx8PTli3/UwOH1e3l qd3Poh2K/OFP2v8TuzkXXnPW48Lg90haHtG9yLr5UUNoKntmBC9PFeqt P/qdOBiHszvcyyjJ4gabEX2gn+o/sL/klQV4m3mB4Vf5sg2dfX8Qyuw6 nDQ= -; resign=20900129082204 -d.rsasha1-1024.example. 300 IN A 10.0.0.4 -d.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. 
XcxbM4wA+yTOAwPePwRIg6E58HuMr5qIkdghNn/R5ck1JdirLbMB/Wpp Si+5a4q9F02Bs8uZv2YXtXRIa32i1/L6OPeU3RFQfvkpHbQNTvPtsuAL bmFGB/zdR6XQpqC6G+ip9qY+mk2hXwCZZ24NW90O9qYlE8Rp145/dIVM DPo= -; resign=20900129082204 -d.rsasha1-1024.example. 300 IN NSEC a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. A RRSIG NSEC -d.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. fmBjPGTNWOXAs51XO1fIRCKAbf9TLTV04TmlgLm50oOouEXsXpwKo6tb MbCGI2f+u986mtzLW4gWY+rcAPrMCndu5BPIYPk/Ngd6zqylWJzAfKyg PIqO0lf6jg0J3FfP39fw9bf+xB+AI1PWBrVZ55LotBYgIBZYhQ1LKPZ2 iyU= -; resign=20900129082204 -ns.rsasha1-1024.example. 300 IN A 10.53.0.3 -ns.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. beHl0WxLgPYkzKs/tdQnphXDzHx6FqdQRlVtJIYHGoWmWe4X6JWg4ENB a0xPeOGFQPBMgNuKbwyjAVmX0B3Su4LiBM7GcmfJbd4YRNCa4hQvhDpG o5A54Pxo2Qdo9Cffhzva5z4iO+DNnmBsfKGPna4sO2lRNfIxXlxCTbnE zps= -; resign=20900129082204 -ns.rsasha1-1024.example. 300 IN NSEC z.rsasha1-1024.example. A RRSIG NSEC -ns.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. aZTImJ5QFufIQEIuX+5ZYVW2Yq4ctxeX9zm9yrQaUODvVRm3X3WjncrU hkgDaW3a/j8RRG0cdAnzSWCzIMz0Yv4kWxrxCEJyIgmVUQ3fzxzpGwMF ZwCtNb9aWmImcAugTnjocn5+iCiyTEVipZmTASEyN0Bgp5Q4oFChnzIj kjk= -; resign=20900129082204 diff --git a/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db.in b/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db.in index b2e7e21e20..d4009dc97e 100644 --- a/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db.in +++ b/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db.in 
@@ -9,19 +9,55 @@ ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +; File written on Sat Jul 5 14:07:41 2025 +; dnssec-signzone version 9.21.10-dev +rsasha1-1024.example. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600 +rsasha1-1024.example. 300 IN RRSIG SOA 5 2 300 20930723222148 20250705200741 58758 rsasha1-1024.example. PJOZW7DeXBMB3VJ3RGFHbq5sWGc8zas7y8BKaEz4rWmScEfJrmt5ZGtm XPuQ08roCQjirb6ltLGMBorOZ5PrKkF998FhihCzUjJm9FSAVu3VW0FH 0AHGRuoErR7goE8kp3mQtqDjQfKN3RYisffzXC8K8WDb9AXNo6tdPl6d efA= +; resign=20930723222148 +rsasha1-1024.example. 300 IN NS ns3.rsasha1-1024.example. +rsasha1-1024.example. 300 IN RRSIG NS 5 2 300 20930723222148 20250705200741 58758 rsasha1-1024.example. 7bxj7Z1i+Yfn9GzJg7eYbx46KPQOybj/aqhJUDp4ajlYKHrHHtlhHiez DfDj5RlgLGdAzRQPBs51L9KWWl+S6+MPujeVOIT+8SLWbkAWiaY2xLl4 YvZOFFelI1msoBPsXHt28OZz395Iun0VRTnOYAVR/M8lFAwhwYKxnK6S pD8= +; resign=20930723222148 +rsasha1-1024.example. 300 IN NSEC a.rsasha1-1024.example. NS SOA RRSIG NSEC DNSKEY +rsasha1-1024.example. 300 IN RRSIG NSEC 5 2 300 20930723222148 20250705200741 58758 rsasha1-1024.example. ranydIBWyrsp6gvreVGLy8jlHnQh6fL36grp1Rqp6OBNsSn+WegQP5uQ alksR/mDvSAFAeCEX6jJ+GbZan9SUYpkrqbyZtrX1+xKnbbu12ogx/lc Egph/QTXsD6iFBXRB7psiqV1mJx2PjmSHEsDN6zxbOvCrSBSoUQZOkeJ ePc= +; resign=20930723222148 +rsasha1-1024.example. 300 IN DNSKEY 256 3 5 AwEAAfrnP/8ng5St8Ok9VOJ4QWrOIfAp1pzT0quT8+Else7jAOI55qAB qcWOOMfkgF3AGfmD/OkTo17fq4HeoULrnOw8mTPjbQFowrnPRWpClj3N lRUVfYpVaKOzy3WnUSiqtegktKMaZgvBz5BgAeJOkG6IpHCqYab5135K JplSUlBz +rsasha1-1024.example. 
300 IN DNSKEY 257 3 5 AwEAAfF0adqZOjSh1ADpmABpTwEAD/cWy/+9R42G+DqZK/8pkxfvC6N9 b9zWsa9LhyBge97aq7LyzlKO4HJvYK7su16y3ZeEQUplrwIwD6OPoffu X7vjNA+O7vikjdSN6sXI/x7eKwU+ZQbLyCao4COGy+Xl8VowWmIGJ3DZ wEhwOd+t +rsasha1-1024.example. 300 IN RRSIG DNSKEY 5 2 300 20930723222148 20250705200741 29488 rsasha1-1024.example. qGZmNE1DZMvZ/OwZXuRtebtpIIE3pzYUQngQD9VUHyA9D1cLuElyevgl /pjOh5Vpt0nid1Y0HrLrXYe6xRsT8a+hhp+5ybUqjOpusBDkj/LYnlev y27Nor/GcHNy03R+B/Piu+1T3UA+dxvYc+YJrmmx7XU5tMpqFyV4C4if IyU= +rsasha1-1024.example. 300 IN RRSIG DNSKEY 5 2 300 20930723222148 20250705200741 58758 rsasha1-1024.example. eMnV0gdwLW5SY+gL5CsTilyz3qN9YJBnD/EgaK4xXxnV8hoTXB/QgtAP +/jylOSIMqCT+VA9UlV2q2WyQd3n2ycdAaXIrZhMJDo/ErXcNrfi4h2G aKLVr/NiX6VlNhyNgbYgz0dM6CjcMbFQSr43hFJ4oWbOrEAS5a708/6t uUU= +; resign=20930723222148 +a.rsasha1-1024.example. 300 IN A 10.0.0.1 +a.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. 41BzMHFHRo79n2jipZYetBEeJ2tb/HD2wj28I++yPLmVbn2IUnA0qOQV ypYQmAjhIKgDD+KHq0SB+WbPnVj6buV7WZ8mlknFDNxmMc6erdStBwsO shtL5kNUv33QTsyRGtreCnEjjWSSMzC63sdBXyjN5+ZWVqxKIFKGwMJZ uwg= +; resign=20930723222148 +a.rsasha1-1024.example. 300 IN NSEC b.rsasha1-1024.example. A RRSIG NSEC +a.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. KXNm/3ISKA9TJqFUAgrFVVwrRqIMZ9IhaLALTD8nZl5guNfq1NUnjKQW kbM24C2b9Wb3ID+lIlz8NygSdVyGpUsxvyn3s72wxRHyAQjWSgXMsxHH K7OlPMWKOKEaa27uGjbXkcITPstqveaZNdCdNba7hrjiBuETsLBRQoyi pO8= +; resign=20930723222148 +b.rsasha1-1024.example. 300 IN A 10.0.0.2 +b.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. sFXNp9u1KLmGALRtBygUQa4jNug25BWHJlBjKiaIQHal4YN2wpNMBfP5 8pwAfTJHpMZmnIfTQKpYHFYI+AZ0VUh8KRjkUfZYtgviu6BqPshuhNVa hKYpSzpUDCjjg29oYPC36sIZSnZDbhbRYLzERXMVB/tLujDgjoGD4z3b dzM= +; resign=20930723222148 +b.rsasha1-1024.example. 300 IN NSEC a.b.rsasha1-1024.example. A RRSIG NSEC +b.rsasha1-1024.example. 
300 IN RRSIG NSEC 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. mz7zYeNU967NoqNLTbi9ggh+jG8c4AQK8nfkP6f09EuH76BcU9T/BzKI lLPws1PYmBeT+WXmcwuFyDxPlSntO/xlU/t5wMGOjMwHWRPaFiaAx3H9 PZj9JC4UDfEKOB/2icS9HQrBqzsPlzYVWrdqkAgm4ErVl4DNU0zUhv6y Xpk= +; resign=20930723222148 +a.b.rsasha1-1024.example. 300 IN A 10.0.0.1 +a.b.rsasha1-1024.example. 300 IN RRSIG A 5 4 300 20930723222148 20250705200741 58758 rsasha1-1024.example. e4R1G9oEo5I2kPqVsbUYBgP0Bv5Eyp9BTesgKqAJ0q9NfZGtjh/03kCr A8CPw7mwL3qLEVo/oupkzpLj/gt5Zszdlmu7Bw81cJfV+x5cPyLjXJty Z9+T9KZIFa/tqW8FFF3/owEecTjcPjJs/mrlNy7lbp1kLXBIk6S7yt+c dpo= +; resign=20930723222148 +a.b.rsasha1-1024.example. 300 IN NSEC d.rsasha1-1024.example. A RRSIG NSEC +a.b.rsasha1-1024.example. 300 IN RRSIG NSEC 5 4 300 20930723222148 20250705200741 58758 rsasha1-1024.example. Y3N3uY1kIyY9WlgWF8ZQ9gmo3Xi74G+UF195ljexwkjlU7LOX7TuaJpJ PyaqASJBGNF6aLbcwR89rItxJknSdNk4oqvQiwykZ0e02MXb/zPeqqkG +y9jS9M+ygKjMcyY+qHVgjy5UaldUqOV/bjg7cq2Z2FsCjkD+lCmGzfl pd4= +; resign=20930723222148 +d.rsasha1-1024.example. 300 IN A 10.0.0.4 +d.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. 1jqKrIB7M9la2A8cRVdy92TV19elq3pGvu19DGz77sbn3HYrb3lF+zSl O2g+75RxuwzN8yoGe5P6/EfaZviOPNBV5s5e+xKHQwAxE0RCdnLUcuE9 8PAuNBogBvhrDzZJQh0p1ap4vyuxCEH3jDYua9Ul7VMy8UmGcBO0BuaS f+A= +; resign=20930723222148 +d.rsasha1-1024.example. 300 IN NSEC ns3.rsasha1-1024.example. A RRSIG NSEC +d.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. JA2sayAAdp9pCtOSsv66hD6LlgA8IFC2gzVSIjYVnz5vevoXHcok7HTi UbaaWoE0UaCI5DrMTSc9x6IOMe0OTC4PLPl3dntnaiOZJfe1Fr97zyme jaMzqd61Tla/dGM58KUKKSL30hj/5o5DwW7ppdHKIW0sq3YXufnDOCgx TT8= +; resign=20930723222148 +ns3.rsasha1-1024.example. 300 IN A 10.53.0.3 +ns3.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. 
NTFkNDGrOnrz1BvHEgqq3I02y+unDlUmkd2RM5pFz4wMWlZm7b2sPFsi kGH8AwE7U5RBR4Pi6YLS7im+GKXRKEChYbHy7QU2XyvGueQ0AK8jLN3+ daSr0vK5RGSDihl3lWELQPGF4/qrYYVQI8itrewvYWA2EKmPjgJAtjKV DO4= +; resign=20930723222148 +ns3.rsasha1-1024.example. 300 IN NSEC z.rsasha1-1024.example. A RRSIG NSEC +ns3.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. Dx7nC3ZCVV+BTR06WOG6vh9mt81aQijpKH7N03GopNejfbEN3dtGR2n4 cEnc/rofcy0HaDiRGKptrxYNDez6g9awh73p9FDQgE/gnnOJ1WAOIyVi XE4OHSwxfRRdYNV5oDY5Dsl9/ZNuewwc22hfEHTALKDv5ncOeGlk4r/U cds= +; resign=20930723222148 +z.rsasha1-1024.example. 300 IN A 10.0.0.26 +z.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. RO5OYSdypaZuuB+cYQLfj9nZ6PgCpd3iSOZETdY0/RYcH31dX/mDWa/s ODefiUOcyZNJYbJmcZXbOboBQOsHSB2+SsYwc6hfkKiACvB564/6u/5v hujJJQqEpJfuGEaGfJtQHjPgXQoa33juX7k+4zOQJFAs0z4loIb5s9d2 Gyw= +; resign=20930723222148 +z.rsasha1-1024.example. 300 IN NSEC rsasha1-1024.example. A RRSIG NSEC +z.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. hLdkoNjYFvJ0xYYOp2D0mqoZntJ8M0crDboQ5CGQ5fZD3eIFWG/uWqky 9tt6udqkqrVv7cniTlyoD1GQqBpx4FR9P5qgMXDQ5EvZ7WncjfVg2IFV PYZAqV1iFiQXackDd3jipKGFgx8NKvfl/jr1tdNR+5LqxHFM51zb7Hak J08= +; resign=20930723222148 diff --git a/bin/tests/system/dnssec/ns3/rsasha1.example.db b/bin/tests/system/dnssec/ns3/rsasha1.example.db deleted file mode 100644 index 2d16e503d4..0000000000 --- a/bin/tests/system/dnssec/ns3/rsasha1.example.db +++ /dev/null 
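Review bot: Nothing in the new rsasha1-1024.example.db.in header explains why this zone is now committed as dnssec-signzone output (algorithm 5 RRSIGs, key ids 58758 and 29488, inception 20250705200741, expiration 20930723222148) in place of the unsigned template the hunk removes; the `.db.in` name will lead a maintainer to expect the setup step to sign it. Add a comment after the copyright block such as `; Pre-signed zone: RSASHA1 (algorithm 5) signing is unavailable where the crypto provider disables SHA-1, so the signed RRsets are checked in and must not be re-signed during setup; regenerate only with key pairs 58758 (signs all RRsets, apparently the ZSK) and 29488 (signs only DNSKEY, apparently the KSK).` — I cannot see setup.sh, so confirm the stated reason before committing it. Note that the zone data also changed under cover of the re-signing: the apex NS now targets `ns3` instead of `ns`, the `a.a.a.a.a.a.a.a.a.a.e` name was dropped and `a.b` was added, so any test that queries the removed name will now get a signed NXDOMAIN rather than the answer it expects. The private keys for 58758/29488 are not in this diff; if they are not kept elsewhere in the test tree the zone can never be re-signed after a content change, and the comment should say so.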
@@ -1,63 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -; File written on Tue Jan 4 17:29:34 2022 -; dnssec_signzone version 9.17.20 -rsasha1.example. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600 -rsasha1.example. 300 IN RRSIG SOA 5 2 300 20900122074341 20220104052934 30286 rsasha1.example. wg8k4y/Cs/+u2QfUnBURhD4isSFTzCofpdhMzVJEUfBqu1DBVO+FECQ4 U80NCg9iksxm7xsWAZiQx6Rzvh1rUqEA7OhCy7XiPuz+jR1TYHXJhRMu t9gu7aCdTkcXYCMtppd49/2vT+WPKB98QIKD6wgl4LFFhwbUCoXavin4 babUiJrJeAnuxmIeD5HtM5a+++p0F8QemdP5FkX3WCRBHNFGnoVYJjc7 PZ+L8ZpKElah47XzJwAYWDr34TwqU9llCOcXlXYKBqDKO9fEtJJ1hyk9 Sf4fGOdzZD9Pj4Zz83UlHumeZPfIC1N0xVBYvGPu8LU41WZ4BgZfKSoS UIpbPQ== -; resign=20900122074341 -rsasha1.example. 300 IN NS ns.rsasha1.example. -rsasha1.example. 300 IN RRSIG NS 5 2 300 20900122074341 20220104052934 30286 rsasha1.example. VqOKkNo7CRH2uquL/46cIVoIPvFYT2WrpwpG6ienlJoLF/mZn0ReoMaK G29R8Q0tklalk14CGShiD409lXDRynyHgmLGIFjkXMd6aNRQOdD1O+7C wEhAj4/FEz+qpk/xRGMslxCCF1P7DxpX5ZPI9DuPVVvTRk4131CALaFQ EPblDzEgd7JeoO0tKnPjpzXLdr86NDeDVZXonimjEhQNrvrrurQ5/u2F x7jVmovN47Z06+XCbleC2ag8ZazNkYfU8GlFvkozZMGZtnpja1/SllNJ ZdURisd3JFMw/xsZd1v2MspKYcZePTfzyk/keXSJ0AlO7TA1X2sjiFOo 1fhSnQ== -; resign=20900122074341 -rsasha1.example. 300 IN NSEC a.rsasha1.example. NS SOA RRSIG NSEC DNSKEY -rsasha1.example. 300 IN RRSIG NSEC 5 2 300 20900122074341 20220104052934 30286 rsasha1.example. 
U7SEGuJ95CKk6+sWNCNHfPuvjJ2KChhutImWmSTc9lgb3uSfptzwbYnP UZ3xG0IqkayRJhBSizLb5kntvBZbcz4pEWZ+o7ZJdiBHcCARj82OJaLF d147VB3XJa6rIi+o/Zm8SIbxU7gugqRds7KfSTxAIjHzLpCcu12hlgfc Qso1LYiVeU5GVnmfuNJQL7QvS3BQuTylTI1+HQpiY6W8Bzev/TcbhoDJ Ywp4hvgF4VGCvrO2glSO4VycLjluawKSlrNaLbAtWIYYUSPbvtktM8tQ GBqOij4l7eMCTGRCoExWEnr+CzWAauoemhLDh27Bq6VNjD5iIvjzt3Ym uGDQUg== -; resign=20900122074341 -rsasha1.example. 300 IN DNSKEY 256 3 5 AwEAAe31msH3kL5cIQ6C1vTnB8GvbFDm0t/j5XWnLonaKDSUoHtKLlRq pBPuwlORRUZxRSs7VDAaKE0YGky/YklSCqvo8gBD4dkNjWD/6XGkmtEq DOL8XCz1KO+djs7WLCuCyGIkG282+sntuZJj4IMd+ZDW1urCwaP94t3u W9N+PgrSacK9Ff1bwLR9KIgkRFpJ+JxPeaFYnVEyB4ZaZ8DgPWYNJ+aC awL0nATybC8asPeCGvft3lSS99z55IMfkpjF1rwHIVybqhiukRighazQ ljjVQdlXj3YxFgD0fpscJ6yN0QXdseagxiT4PahnwaHYHUhgGm+HB1zA pA49L9dg2RE= -rsasha1.example. 300 IN DNSKEY 257 3 5 AwEAAcQdnpcda8XlNxllEGbWy9EGkD5TtHEbxThaB9c6ZNQPTf3gJw0A LpIZ787sepWND7vPcq6Qb/xZEmC6ER5OfaYbDznUh8q5NaaTbSwv0tng gE8KPwtvlgH+4eUmOcEkGrfR9G6J9S8JTT5bUWKTUbprxE65/8xcY33S cEeOpi34DLR9GLNvPLTSLuWQcYrq1YZFHbivQ45oFD9PvWPJWOoAN68N T28e0ZV8QHuXqW0IEheeW+AEemywupdaxun6Cvvolfz2EMYFnYX8YycE 0qUoDC4W9w3xB4nOllWQfJzgQkSTr/I4XCgepFunBeuAHZhCoQHPt9fK IfPUYxQzaa8= -rsasha1.example. 300 IN RRSIG DNSKEY 5 2 300 20900122074341 20220104052934 30286 rsasha1.example. tODh3LiRuG/ao3ZtJSLBPCy74pkfHXMPRUgFP7MhNR3X6gq75daTVHLi ApTesgAXPAbHI404ps/8M2Z84dkMKBhRDdp1e9OwR8IB4Iw0IOGp2rV7 oZSYNzgnlwRfQ2G75G3xbCjiQhY0H+7IlSiys3sAaI67plvI3nDC3C/r zyDKiY90pK31e+q72SSK+1t/MlsRm0nAYHyUZGLuBMoXYHwonLImeH9Q jwy+cXLwhzOfPfm97ailNifEk38+P+H+Yq35Cp1ezpMzxAi67AcY83sR XB7RVRCf/4uUErh5rYcl6EcnHFh1xA9oSHsaPQbd39PO2fNanyvdPH+p b0ey0A== -rsasha1.example. 300 IN RRSIG DNSKEY 5 2 300 20900122074341 20220104052934 9662 rsasha1.example. 
Ksyrf1lseBMSQGyPWrSve/X09Nb1CWB//Yvjw9HAEBwna9wseI6cH6mi B1G2JyFmTFzxGgVmf0wB+oec2w7nt5/uUJbyVfLQvCs9RXBGEpKAwhVf GKIwcSF1VTyVfx+PYPHvCpeN01Qm3C/5pJ28dkT65Hry2a7f39kk/8YZ 4zVM1nYaTsBUQdQWvR5UlSm0S3SUMBc2MIEUGUFBhtBJ10W8VkIfNzma ONjMHthu8vLAfwuBYX8zzJIVB31XvnxZDa4LSM4PesyPZ+KVR27o5dlL gQS62u3PWJDgEhUNFIa8A+5kDENC24p7DSfG+Aipe3upefBpBAW3VEdN A/nwQQ== -; resign=20900122074341 -b.rsasha1.example. 300 IN A 10.0.0.2 -b.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. ivXu+xAyZThIsY2T1c1wczdeeIG/37z+nO9sbUOzcUyf4+T9lX+6rU0D gxQTxHVdcsw3ge/C+dU2qcrs3EHHW4JcpT1yZMbXcyo+w5ocj5oHGYD2 L3iKLCEZrzdkIwmY4GXNyTznk0X5GKuaP7P6PeNrwWEBficB6xLSiLm7 tsswVcc4XyHa+zKBbxevIt2bKvRUfruyztgENZXJ5125Kx1Ee70Hwvgw bNc2J7lqpJw5c5O8yUaXq5gsxcaLBuONbQ4ANL5PtFQJJY7B5GhqlRTy gVrThJsoZj66pfa8gK92yn8uRG6sFpAbtPrTMQaReiExOhCUdBZRBmA+ RWUTKQ== -; resign=20900122074341 -b.rsasha1.example. 300 IN NSEC d.rsasha1.example. A RRSIG NSEC -b.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. hHtS5Bev1RkOJhsz4QnWJzzn/BBRLJil1l1RCbX+nbVbPE93l/2aDi12 jgctWKIfAiVfdFn93uno11+7Lq+bJaiMvaozJ+f7XWMAPsITOlKGNtiw l9kqZJExugH3q0RC1W0xxnb6HlIbwYGn6refUexaZKjgBsUg302pY7bh 6z4WuPakuxAqsaI6KLxLAlm7CWmdXvpFMCc1dnIVDplxOAvEINTrEesY sffjfmRbP3YAXC6/xvu0WVlikgklJjjiRqdeiSqPLGlnb79OAF5whHSL nYvWscX00/f+SOiniFoAFH2KeSb7VdJ2jvpTaqWjrYxxvwuZMsKNzwRI 4pnH/w== -; resign=20900122074341 -a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. 300 IN A 10.0.0.27 -a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. 300 IN RRSIG A 5 13 300 20900122074341 20220104052934 30286 rsasha1.example. 
BQT+sZ6SJUbGDJ0eG6WBM19+UoBGZEie96E7EXaeS4It3M+EaMkIWIGD hp0MwiC0yW8u0zWjlA57t3yRpVhvCic8kl4SPs5tOmDXyy5RRJ7YOHNx 3PCuAbkoTfoLt5ReVtGcs5LTz+lmPUKZw/dwols5x8v1PIC2O/Ud6Yep TE9Qeymj1/C3GxxLVPLxXQhirkhT6LfMmFH6fNwec6U7bVRyMo3twcvK TDxkEZu5qA0+6bSrLC/xdyZYE38RQOlicmmGfYAIkDWKDdDXYbfBeJq6 zP8aFvdqOckDBvXQcnP9Cq+IvQX1noO90ePYf5AzNxAEQFJ4S1LUm/0q mQqNLA== -; resign=20900122074341 -a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. 300 IN NSEC ns.rsasha1.example. A RRSIG NSEC -a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. 300 IN RRSIG NSEC 5 13 300 20900122074341 20220104052934 30286 rsasha1.example. jvJup/Pg4BpAjh+eLMKEYFkpK/iOVt3QggGL7CRMxzxkYYMJNPwXqdAt 5MovIAFjFKBQm0RDe8/tqav/zdOZrDTyRZ2Zsh9qOp7hlOhy4oqQF+4n Wqg3x8v9gSgrzSAsiJAhb3fbbfdAb3Esc1R0Ec/RcLYEUXiD1eLTG0cB qtVmX3McwXTmu0OGpn0Dsg8CTSuQnrvo24bvsah5SEL1/NVkPtEE7KDT Q8orR7LNM0EeIL1CHxT5dqCAo5MvUm9L8GL/YIOZgtifD/uL23T0ej4j 0JYN7EYoDyFT0fyGeBoS2jkCZTsQZivfnkE5J4Ch1nAU5bUmSeX1eZHK nvce9Q== -; resign=20900122074341 -d.rsasha1.example. 300 IN A 10.0.0.4 -d.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. 1mZnG0HsIygSfEue9vMlqWpIQ59EmrktvFrGBzNUEDQDjsoGHv+syMFi A8BtRPkrHZzGaYTqy4L8ZL6V5vZPN1icETNVebx7teBTNFIwlvubdKoQ Zg/37W8gW6U1PN4khQlfX7W5XMFifF4qfCfI3XhkPgKacVaucHQhvGth ZzgCbhCQBVMooRb+v+nzknin0qpIWm7pVPh94BaajxQJ0mNwVQ8hjdJP jy16PH4z/aQ6oPjPKMbnMwTQOdWVUKsZtEkBGcAjJWLFmUJYpR5PPdRB /VsEtjexNKZtDwn0/QUIqUi4GcSp0ISTDBTNDjImJhWVJUoFh6S6zuRW tPYZGA== -; resign=20900122074341 -d.rsasha1.example. 300 IN NSEC a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. A RRSIG NSEC -d.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. 
oWJRAhXbXUA84Nc56NyMocBq93bn3k4uGeqv+XL2L5l6yjxQYxKzjqq1 O5m72K6GiIjoIeun5TxJlEI7/o1EivTxdGYVP4Fsb//Wrv422QcHwS27 xNsFhLMFQglBCOaZzj1v3G2nXRRjP8x81ysg048THlhH5Jm7cW3aUmuS P6kXebWVwIc2nywLHVr/U4dCT2sHOk2gkUuaj8p6rMLVYwj/5dBRijVl Wm131ZeimetxrrRVxXtOfof7W4pqx3bpYRqb/Exdh035Hen+QesxRYTA zcxY7CywJY59afc9/abQBWGkPLfF7rgfJjPIc3MpJlP4SPf0SV4bTNUU nptZ/A== -; resign=20900122074341 -ns.rsasha1.example. 300 IN A 10.53.0.3 -ns.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. ONQph6nkFWSS6dqe/agbVnbjwTtA8ZZATpTCqoRJp2QoEgIjZ/0Yh7Fl Axz4PnpMYsEoie0IZ0/g+xTH7nXYphZzzzgedK8WK0vdTW3Pspyoiek/ tWjiGshqq1atHgi+jjRiuhnEvkaX0UDipMCQvI7oFHMOJxmnwZBCNWMc kBu9vbqtr/+HM4y+jGywg5l2XVkmHC5RZv1CoYc5PhfvV4zMI2RCb/Km i5eNCrUZefRfAq4fK9M67Jh/WnfRWfnHZKZN3O0yiRdnKOh2tOQP3X46 fIuNldCeg1PPnkbs4R+ekqJYhpEydNuWKEoKw2ZgeIrmbcRqepD6y3SZ UP/TAw== -; resign=20900122074341 -ns.rsasha1.example. 300 IN NSEC z.rsasha1.example. A RRSIG NSEC -ns.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. s7P7k9FDJrO1JhUVjgVUDQXNXfNOJrYVt44OoD45e7w4Q7QkyeZe+6z1 Arj9tW1bI9nIVNo63DT51bsJmj4vPf4SuJgHO05ElkLFSvHn17qMdw8Q Kpx8MQa7plAISqzl9hJip0exMuV+1IHujO9VGE42CxKl0q6l2b/x3+Il afx47bcEePkdhHXyhOSdrtxFTayzjMd/7uSy6p1jFSEVrheejQ/r44t3 9uxEc4EYfiP+HVfnjJ178j2Xa4dZyi3ljhJjaH5oleiy5c2Y5kXRIuXH OcIQ2axO7LT/yupRcBPlo7ulwI9iEVd2Q2gueMqaJ9YEWlcoOSFu1H75 7IRAbA== -; resign=20900122074341 -z.rsasha1.example. 300 IN A 10.0.0.26 -z.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. nuqG+ILECKKCQockETu4yLRKZzv9qjXJpfD0/yw5Cw7nSrZFvAjpkQR2 f+xmzbcxP4xiYqs1I+nz8cnHs6NNkJA8vcmk9dnzRu78X0x8MFFV0Yha jQKK/cSzhEhys7GMYv3Jz6lKfmFOAoq1et9PaQT6w8zQD8Q5vBzKrvZm pg+QzZvvgToZfj4e5J7nrhnyOVo7Jec5l/aBCGJbgRMDxjyyC0ufOjnm POvsTZk+wM3+wuN6zYwDpproPiH/6vC/yPlDHeh6kDt971dMsdvRv+kS KAzPyN8rweptJ/HRprb9x6zcAJOrK0T1sJ+EhMbYMgC/py6aAn+T7G5D FGY1tg== -; resign=20900122074341 -z.rsasha1.example. 300 IN NSEC rsasha1.example. 
A RRSIG NSEC -z.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. Wj5DkrGppeMFn8bWLUMfFPCzDAO2HeabbEIMaAHBH/g0hdn+2PPkQc8D D6WCSc4q5gyGNRSXj2Kik2TojD9n/5WuwDAA3W2AOso+4d616lSy9pyj x+e4WZ6y6tAYRRIGIVTdDEOxrZ8KspclWk7H6OAAPIYvgZeYjox21qXN BknpIifVoaYUoxi3e81k25erm/Xww4uU2SMQgvq3sBrs0YGANembfxas BRVmSmBykpugHgS1/Fl19Hp40y/JTBzqOLrHgPgHO4aH89dgta0WlMhb 8uCUOjHNjcR+KO3KUpKDZkH8IuJHWWFd0TabdV0KBhpInQh6Yorhpjg7 qNBbgA== -; resign=20900122074341 -a.rsasha1.example. 300 IN A 10.0.0.1 -a.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. eJyAqMArSagK54kSFvJxE5qYXFSDYxj6Vt8l4gi58BQigO7p5v0BUWcS icToRx3a9+rSdhnBuGbOWGNlrKFfCKrLmqYrlI9GFSAFLAFj7DETSKDJ X5dQ0KnpyGL3SneQsDWAvAof0y9B17dnBHQMSjeVqqQLjYEnq3ZIdT3c b6emCGMhcbfIAOYWt7t9nk/J2tsTsdoKtTCHP1SHjn5sE++BPXOce49X gFnNMD+pOcoLH8Z07RcTQ8IeNIa9hO8UaypyicaHQ2F0JtsiL1pqREXf QsBeLC12Gbi0rxJX3gdj0LXsmSerVl6BgaNjPTp3840WKrW3nTG/8Lre bxgkow== -; resign=20900122074341 -a.rsasha1.example. 300 IN NSEC b.rsasha1.example. A RRSIG NSEC -a.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. 6fZ5/GXrFAc9lEspMNlPa40F8O/tGq1oaSZXVstwLH124TNWxRK+i8eT H77Kq80vZkDus8rkLr4fiLP3ApXVBffCRHZWecGrYaPGDbQXALQEktld NhmLr9Nf30Jq7KvVV9Qf4daPC7ZwkB8EsikJxjpQ/paHlU/Pua7ZonnH /x9HHRJBLWb/PPQWEc++8SSjA79+HZVbB8rBwXyxHO1tFBCbBpK/JNwu KpRqNp/mwxPpSaJGZIuhHlzfbLsS4WoXjdG+fob4RqsPPwrf/uAAzKM2 dHVuqZ1erH3ryb4JdRo+MhqD0+vC/7+eNccEXraBsE5xGw4M62Se37WC kyQDQA== -; resign=20900122074341 diff --git a/bin/tests/system/dnssec/ns3/rsasha1.example.db.in b/bin/tests/system/dnssec/ns3/rsasha1.example.db.in index b2e7e21e20..f358bf1248 100644 --- a/bin/tests/system/dnssec/ns3/rsasha1.example.db.in +++ b/bin/tests/system/dnssec/ns3/rsasha1.example.db.in 
@@ -9,19 +9,55 @@ ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +; File written on Sat Jul 5 14:07:24 2025 +; dnssec-signzone version 9.21.10-dev +rsasha1.example. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600 +rsasha1.example. 300 IN RRSIG SOA 5 2 300 20930723222131 20250705200724 56181 rsasha1.example. HD26wOumxWQ/epo0958sjThZr0yfTMHnIn5hC2ZdOia9uuBBnHR0kPyS ++zd/Q9lFb6MRzkfLEHGexv2fXIHnWcCLp93gYvMm/HWf0/MhUzhabzO YJfcDKRT3PUEgDvuE0tiHEGWHYAb0iXQi1cjpZhvw6yikAQ2o3UUn3e2 QTQ0JO7EnG4wNxPnr92VPcTLTqajczCz63cvCvJpkaUCjAFyTKvCpgyl /eRKagX0UA8lv+DmOwFCTG0p1JeIQMQoW7xZELEWb9mAR/o1VmcJnYT3 Awi35hTj9XhM+bPCK4qqOkq6JNMSnOA4Xxg1baTEqjrFJZmEG+iyImoL 5d1DLQ== +; resign=20930723222131 +rsasha1.example. 300 IN NS ns3.rsasha1.example. +rsasha1.example. 300 IN RRSIG NS 5 2 300 20930723222131 20250705200724 56181 rsasha1.example. KAZovbd0Urp3LIrLsCV7UldT5ze4fYG8iaXWpyrw7/JmZIZOWA3X4rgF hlhxes8xD73qrV96dWuNZmTMs+mp665bAbX78sjfZZdmWGWrpPzse6G3 YEm6EGSOWjrsb/kOmKPiRTaVUhTanAjJC17rhixEYRBrvekpnDx/3PjX HnJRR8a75DXVrhm47u4/hHD7cS2hOfZj4xqNyWOlpNIaH7ZWPzO34SR9 iuPReF4Q06NG741TdAfsl3h9YeCfZWBH1DQ7jwrq5hRGPTtZmq7OTyMm dH0ovRF6ntYYbU0aOanS4l7sjEVwr+AkrFG8Pu9Ipey5Tlgn3bx40cAn 5TDkfg== +; resign=20930723222131 +rsasha1.example. 300 IN NSEC a.rsasha1.example. NS SOA RRSIG NSEC DNSKEY +rsasha1.example. 300 IN RRSIG NSEC 5 2 300 20930723222131 20250705200724 56181 rsasha1.example. 
DIhZ8/JkklG9nAC0CB98mmOVnXy7KS+CbG4vC8OrnOSi8nyyHuNC2Zt7 p2taM2KshEJ3piXUsICLbQDpHwrbbRx5RbctaLQz5S3lhx+0j3TNZWaT 2kWP5jMyhNDxaNn35xh7yTamDEKC20Bk5YyN76YClEkwqAr9ksj/FUNY RYIG9+4jjOt962Vj/5e0pgK+1ZbM3lF8WvJAh44YgWD9U4D1nBmyrkTq gBwJUbCvEmyoCxOQfSQhTwaAqKQ3IalnC2hfHfYQsEwpbVwfvt4LGEy+ b0vNnBGHKriM2T/p59vtblWirsxDc8QNpYmtOvjVket4nvzBuA7eqUFt /QijRQ== +; resign=20930723222131 +rsasha1.example. 300 IN DNSKEY 256 3 5 AwEAAYnqt4hwxo/oi63pCLz4EQaUyQU1viMhQ6EVnIXKdPdymJ51tKuh qJ+uT1MxcMwH97b/2CtqTtbI4MP7ksxDWh7JE4R2kzdKrtb1darcvSiy Ewh73TG+1wvt1f7ZC8Hw2TdiU+mLL3vFBfmnUN1Q0xSULKckdlOwH9I/ 20xeS6mz8tYxOC/N9N3AH8gPF4pxoEHkX2XpzdmBSKlgD4Sp1Iqqnebg U/JK2JK2SUZr2ZmCeSMmAmPCt5rT6B6hN8XQkhqPLG3vygqsoLbGngVV nBXFpziMi3VyQ48yvjnNTpzrkfNo/3vrRyrLpBw9I8ZtZNOrypwayBdu fgbfk7veeqk= +rsasha1.example. 300 IN DNSKEY 257 3 5 AwEAAcWJul/er9Gsevi3PxbuJV2iGlbCC1WF1PZ9dluBKZFFCRbl45Mt D32nMBjpr0TkwVRVoTa2tNYdPIo/GrS6EZfUzM6coA3IEK68j0tgqz9b S8fJAaBYMTWlcvho/o9aEZjcnVW3c6IwjxAqUq+4wdokgjV64s+RBPZF 1zRbJz8ONINHmxvKHBzZzVa2Cq7FaHoQpF0NVrHhEuic8IXrW5F9Djah 0svAdethvpfpwVIsthfkv8/E4CfLDFymSe93g4mwMgcIBCZs1ikk1tbG 2oTrUjFui+iXJWIAoKZ8PqfBAWnxckTt1FJCg2cNrxtWAo1WncJdX3py hK7TjQ+DIKc= +rsasha1.example. 300 IN RRSIG DNSKEY 5 2 300 20930723222131 20250705200724 55127 rsasha1.example. qrWtbMhGFKeRoXgphkmpTQJxI04Cl/hmtE81YuB9Em7F/cNAu7yFi0O4 ZDmm8qRyV4a7itK0Ce/WzFBrCp3CuyJ9MG3hyvJDtIoLTHtCL0QeMwDA j9V68ajgTBNYC1ZwhbDTiD53EJDjplU2U6lCB0zxzJkEE4wPdkotddjG Q6LOy0qSej4raIoOwptaTIkRXa0fAYXz696A2S8bDq74Z9Bw6qcYoj0X EwqFnngFS2Wf4scpeoplR/psRP6n345inw8duF+XieGdt8XSaBw3Qf/E h0eReXQcA/GFpRj4Rvevj+vN1LSBnuwZMd5aC3+xHYf99jAzPYdglScc Rv19qw== +rsasha1.example. 300 IN RRSIG DNSKEY 5 2 300 20930723222131 20250705200724 56181 rsasha1.example. 
hvncQdiu+zpcYQRPG19nmbpPPCCGFAT5s4dITGslA5/V764XGvuowX24 CuZMMTefS1KkR79GzRYuTOw/T+vbinMZcU1KvSWaSNsKwYUIsP6cYZXG DX8ug0X+eijggV2bm+43yGjjNKe00e+Aoj8xHNDJhyy+qbKOHUp87Fbc mAKwpq35gEeuBt13PaJxkuQZVxAe88F9TXwhmaUOrlGrj+5XASJR6Cz0 DmlW4p26X//Uvs44bbyDN/hxF1rGOu/D470Q4Lkhsu9B3wtG3vPoNwSv BaMoFU717YJ3a2li7mean6IXIvyCmS1YQk+EvNfcpiW9yPWHjB/0kycH 37HSDw== +; resign=20930723222131 +a.rsasha1.example. 300 IN A 10.0.0.1 +a.rsasha1.example. 300 IN RRSIG A 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. V0TqYXv83i25Ir50MPgxnWrdhhE1nIMCpAca7e7FKUrLkGlsypFzbTX+ 5hBHaYENXYr+Risr7B4ZdV0LQk4aXfmKqvPLqU0nYfsh/g86bq9wklaU R3QywkOEJqOfirpTWz/wybAE1ELasFncx/VaPrYQ8Zqw6H/Vb1yVSJWs ZqnfDFbZ7mYfEF4wgfc4St3UzjpuoDwfAhbwWg91t85UbYs0SvgYpgbS QLNL+/ltG0hLKNsIzp/aYQQ3IOeeiofDCDOZSl9k3KAezJofJUy3YRBb YVpbe89h6Gb6m4/kO17rLrwQLg7I90ctPgdqQSCKk8x0WzK3N1gfhxxM fcFnsw== +; resign=20930723222131 +a.rsasha1.example. 300 IN NSEC b.rsasha1.example. A RRSIG NSEC +a.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. MxKko8nlw+QysAsrOjR7UtXgHsEsvsDMji/riMT0PbSEDMPJv22hQHbs hDhBD7xNygGZ6bSIX6gXd2uBVfUePzmXCk5tBraXywZ173SvFy/cMJu/ Q9FAFkPKvyEAhswiYUnrXWnujyNmDUK8JFrjI7TSLzQ6mXh4+PO+7b4E GpRCyhArL0Ov1iDipA1CpxCGfLJNaY+kvA+8VPcxob78Ly7cv81kwafY oV635DUp6D4tqSYgPMgwJyOuiek9D7bZJIHPiH/59jWZ0Ik9TNC4EVNF 1Fy4VjdMAFGnW9KIAUWMfSIxImzbh7V17H3H4C96LMNZIWJJG9zxOtMf r6fS2Q== +; resign=20930723222131 +b.rsasha1.example. 300 IN A 10.0.0.2 +b.rsasha1.example. 300 IN RRSIG A 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. dM6MhQGCqyBNdEbr0YMS/+sUjNDrdkkBcKhrtZ271WDx07838oY9XbpZ v+cKtLuhk69Gm0xErN32k+Qaa+LhqP1YPdqmnyAEycUJXUE7HsH6E9Fz 8AKp/BDQshb209++d3JQxlbch9sqodpIRkxYIkTVJfBt6vsAstYwZHCF I8+PbjTn2zNkBZz0rmj5+AxDDNfnRmcPOoXVJXKNkasQgagSWr1bieb8 15CMDnk/PJhFpHdJ5NiQck8Y9bUMaz8mPBJpFeJwwssY3jCe2qb96IaJ e+XLRpJntHpZvBy3DpO0jA2WHf9WkS1/4toVh4ePHc+FgJBEUXJyPqXc OzjGog== +; resign=20930723222131 +b.rsasha1.example. 300 IN NSEC a.b.rsasha1.example. 
A RRSIG NSEC +b.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. VV6Z1mhegfATU+mN9gEqrL9oJNpPeZY+Ld7p9kp4oBL+omWo5c/DQ1LR xFUUA6mp1fm81vQwxkxqSwfixABF40lX82ooKQZkgOMKEDvsfkZR4dE5 bN5Dp0JUQTH9fuEX4mo9jrto0gPVKuI0PihHzNfgo8aBFIiXZA86D3/w phVgC+x/o/kZ5Keau01kY8DRxK8Fb1dU3FMjJB8gQFpPwv2wde8yxYgn HUql7sSkmFpQO9heh9+lPqQTwThaiM+PnYY7D96O/28Y4FTfS3D/RCnS Xb4gGM//gkbTmXPlFsaYqYeBdFJbkh0cI4YZxk4ynVXsWL1D0Nb2FqqS XnjBAQ== +; resign=20930723222131 +a.b.rsasha1.example. 300 IN A 10.0.0.1 +a.b.rsasha1.example. 300 IN RRSIG A 5 4 300 20930723222131 20250705200724 56181 rsasha1.example. Ctc9dyCVDi7ptbp/g2H5NmCmPSGhYTKcES2bCXz6xnByyISpjyrJjG9X 71RVB1ZfF9FIiaHu97K96zmYB0GsvhHiYx+WV0En3gYhzWEze3IoCrYf wxYkYwhYeaqRksl4utpDlzURUsxlqGbKw0XFT8vV8lm9nAg7E0hI10Bj VAVvc2Wuf3niV+GE0t2wXa17ccPeL78B7ab59extwCKG/gYLm8gJ547u 9kAdnw2Hi7FWBSXSoM02PESZLcN+GEWJ9Jc6O/m2aGSryer6W4UV8HLF TtN72HJvog1ky3RArlkUwvuwD2w8eiVHARN85t0hnykVT25K0q1dwIR+ d3B2Mw== +; resign=20930723222131 +a.b.rsasha1.example. 300 IN NSEC d.rsasha1.example. A RRSIG NSEC +a.b.rsasha1.example. 300 IN RRSIG NSEC 5 4 300 20930723222131 20250705200724 56181 rsasha1.example. U48IEvy4W8MhJaTxZvemh31MxAU6Xwn5K2MCJhu9MenDRWQqrmPSBKfo nIMSp+a1Wcjsu9UQgBDzoOTuNWKCSI5H2YwhGQsIpCYpIiK/j8X4DCqm cIS0ipTipTbLGPBHfgvwA1KFJhtMi0FOaqe9OXODZFJ3vCz5J/uvmG4H O8PADlUX1clFR4iipLhCa4bvfojUGMM401oDIIxaQLpsrbm1iOqjTvrm glnDQFvFvO3+3J4wLRuVDtV5Z21AhzLIgIXwhh1P4zI4B5aELHB8rrec W6CWkbb6WdZ/rHIiMspe03dby7aW5qbP5pwXwhiycqCqkIvlQAGaxphj 1Hcd3g== +; resign=20930723222131 +d.rsasha1.example. 300 IN A 10.0.0.4 +d.rsasha1.example. 300 IN RRSIG A 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. 
fMn2pTXdK3X+l5cwvP/Lk+luqWhC12mxkvK2GNScLGWG6xq9PZzzLUPU mAiEvzUnFPswZzKDgN99OORpPRJXNN7c0S3qqejBhEpz1kkDM1zTaFdY yGwzuNn9I5O6O+//adYkFZu/qCD90ggVA71KSUQVkHfdWt0WiqUdZExY sRbxDf36moVaJ+PtWnnvbXPcdlALouSv3msyf3FwIrfQcr9PpV9bE+rZ jKN+sab4n1/YkSBdFyTht2MSUzxKyfn+TgxCzBdGeSk00JNzyKBlDau8 ebmR7oYLQcAhj43v4u+wPbuilDw4tyhxcgrRMr5ZnjG7XzaivcoLpZMA umrQLw== +; resign=20930723222131 +d.rsasha1.example. 300 IN NSEC ns3.rsasha1.example. A RRSIG NSEC +d.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. G+FZFvRZm4GXf/zfkLH7gWKuTxIhZ3rO/iP9e4Xg2Dcz9Jt/yCIXVkr4 I7bbBOnE8NGS43E55NILYS3aA7llzJtutENqBw9TRW3EcqFlYsFUBUeK T/FCV3zEYlEPeiO82jK7l+1CpiVeVvbX3pLYDrME/lbYeu8KUYsj/fBa Iq5S8mnWD7ZzR7KiSBQU97bn0YAi9pyhA4t3YqrR1MClf3/lpzLq5Rv9 YSzW+7O/jpvCGUotr3bgOpZWtZ0v5QxKdf8Anx6KHgH9n6ZdbareopeO y8mKVk0FmtuYZefMm/0n8uU0aYrwf38bpLMQMcqrT9gVaAPullFC9D/R Z670cw== +; resign=20930723222131 +ns3.rsasha1.example. 300 IN A 10.53.0.3 +ns3.rsasha1.example. 300 IN RRSIG A 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. V/B0gi6v54YeufttfGwEVEy8+UivueXqqb2BOj+U4wMpFcunT71Y5Sqf iTs5uH42EkyKbBrz+wXyx4ar4VNSp0ONA3oPx0rZTFA6FV18L7BkYPtW Mh2Fs2qxc4XdGUgHqt4K3LT4ond7a2hek0aBA7EWc0hggs2YflE60766 zmjK/OWaUinG/bZqM1KaaMMlporXaGp9yDyvs6ikgI0YKaQd5GtOK5XC xEJPsIovvyvChXPP/OFPnqOjcXS7zZtxey4krqFUe3Ttbb7sQGrAqv2f 59cB7TO5O/uMZ+iy4Q4sih1FPuDYoBCVT/9LzyOp7glyHyvq4Emp9QkA zlYGKg== +; resign=20930723222131 +ns3.rsasha1.example. 300 IN NSEC z.rsasha1.example. A RRSIG NSEC +ns3.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. NpqZAR5fkDzDzqBYzeKD+FbAtMWHj0rcKsJloAsO4bNqAH5575v07oAz CtqIU8QD55zSya6glTWXOImUtPZia7KQAq84k85UmEnI7idDezpO5g5a gwDb8p6/L8a5YFL0i7QmjVjxGxWha7E2dDma3fDIICaF/sMqixE6Qi06 NBXvVwbPYsI27tXEDugigEEoO6mmwUxih8O0ifOjy9rVh8zA7UTT0NtI ZavRYz5grUZ6Otrqf6q1d27PaGxRvBjltmXBZTSmQvHVexkjPlrLcIIN LygvWnYIZfY8csF+5gOlYN6jR6eTnMgjy0Xf4kitUjXAI4apeBe1/nRO P3HlQw== +; resign=20930723222131 +z.rsasha1.example. 
300 IN A 10.0.0.26 +z.rsasha1.example. 300 IN RRSIG A 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. K8Cz5MTHdD6loMbfXOSCuwTwsuwGUmqmI7BlKhRULTk5RZRDrXPfiBQa Hr2umtzrnclgm+LSpuFrRPoQOWaJ1cAXzpM8bF+WvL8UKasIxBD5rxzW en/QvmfpgQQH/LwUW+MnsIMuDxs8P5GQ4267crMPfZ7kwaA69FIz/TCJ B0mt5bw/6I7MABqxD3YfZ69uxh04WtjhHFGTBV9CUhsvB1IXgSU7udKg 2+ZTJJqRf4+6hy3ztJFy28HRcBHPkdcJ1AR++pPb8PTFTIUdBqzZQ8h7 kFYQP6jOP34rw8HuvNB6El5scCr7emhMt0yuEdA4+hbQc8UUU7qo1z4C l/gj+A== +; resign=20930723222131 +z.rsasha1.example. 300 IN NSEC rsasha1.example. A RRSIG NSEC +z.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. eJ35f6tSE8yUMR+z+vnJwdg8eAS/VM2e0oVaGLD5JBwboocJW45IaRv0 DIbq62NBt+BHSv2LZlKXaZwA+rNGmcDXqhlscTMYoqIu2AItNBRJaQwj 3aF3AySSOADG1obymVM+HLVO12kifQTJBSPHUcpuvtBtnz1o4POaBFAa icCJf33cNirEDIYWGTmc2MejhrvfU/uuy3YIHUFYkAiX6WISva9pmNiJ pPq+5zRUZpsFISHc0W6coUuwgyQlVLmziTVesfgxSER0rp0BJ/B7M14+ xvWPSoHHhSU0fR8DkzUWJA6hbEpgB7sLNDL4NPnaUDiZGdTXCGzXbnum Ttcm8Q== +; resign=20930723222131 diff --git a/bin/tests/system/dnssec/ns3/rsasha256.example.db.in b/bin/tests/system/dnssec/ns3/rsasha256.example.db.in deleted file mode 100644 index f6c4fabdd3..0000000000 --- a/bin/tests/system/dnssec/ns3/rsasha256.example.db.in +++ /dev/null 
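Review bot: The RRSIGs in this hunk are valid from 20250705200724 to 20930723222131 — the expiration sits roughly 2^31 seconds after inception, which looks like a deliberate "effectively never expires" choice — yet neither that window nor the reason the zone is pre-signed is recorded anywhere a maintainer would look; the `; File written on ...` line is tool output, not an explanation. Add a short comment after the copyright block, e.g. `; Pre-signed with dnssec-signzone (RSASHA1; 55127 signs DNSKEY only, 56181 signs all RRsets), valid 2025-07-05 to 2093-07-23; the test relies on the host clock being inside this window and setup must not re-sign this zone.` — the KSK/ZSK roles are inferred from which key id signs which RRset, so confirm them. The same content drift as in the other RSASHA1 zone applies here: NS moved from `ns` to `ns3`, the `a.a.a.a.a.a.a.a.a.a.e` name is gone and `a.b` was added, so tests that relied on the old names need checking. If the private key files for 55127/56181 are not committed alongside, state that in the comment so nobody attempts to regenerate the signatures.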
@@ -1,28 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2009102722 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/rsasha256oid.example.db.in b/bin/tests/system/dnssec/ns3/rsasha256oid.example.db.in
deleted file mode 100644
index f6c4fabdd3..0000000000
--- a/bin/tests/system/dnssec/ns3/rsasha256oid.example.db.in
+++ /dev/null
@@ -1,28 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2009102722 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/rsasha512.example.db.in b/bin/tests/system/dnssec/ns3/rsasha512.example.db.in
deleted file mode 100644
index f6c4fabdd3..0000000000
--- a/bin/tests/system/dnssec/ns3/rsasha512.example.db.in
+++ /dev/null
@@ -1,28 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2009102722 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/rsasha512oid.example.db.in b/bin/tests/system/dnssec/ns3/rsasha512oid.example.db.in
deleted file mode 100644
index f6c4fabdd3..0000000000
--- a/bin/tests/system/dnssec/ns3/rsasha512oid.example.db.in
+++ /dev/null
@@ -1,28 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2009102722 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in b/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in
deleted file mode 100644
index 14971bd7a6..0000000000
--- a/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in
+++ /dev/null
@@ -1,26 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in
index 9aebd98007..decb1eb3f0 100644
--- a/bin/tests/system/dnssec/ns3/secure.example.db.in
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
@@ -38,8 +38,8 @@ ns.private A 10.53.0.2
 insecure NS ns2.insecure
 ns2.insecure A 10.53.0.2
-nosoa NS ns.nosoa
-ns.nosoa A 10.53.0.7
+nosoa NS ns6.nosoa
+ns6.nosoa A 10.53.0.6
 normalthenrrsig A 10.0.0.28
 rrsigonly A 10.0.0.29
diff --git a/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in
deleted file mode 100644
index 15fe621fd0..0000000000
--- a/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in
+++ /dev/null
@@ -1,35 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
-
-private NS ns.private
-ns.private A 10.53.0.2
-
-insecure NS ns.insecure
-ns.insecure A 10.53.0.2
-
diff --git a/bin/tests/system/dnssec/ns3/secure.optout.example.db.in b/bin/tests/system/dnssec/ns3/secure.optout.example.db.in
deleted file mode 100644
index 15fe621fd0..0000000000
--- a/bin/tests/system/dnssec/ns3/secure.optout.example.db.in
+++ /dev/null
@@ -1,35 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
-
-private NS ns.private
-ns.private A 10.53.0.2
-
-insecure NS ns.insecure
-ns.insecure A 10.53.0.2
-
diff --git a/bin/tests/system/dnssec/ns3/siginterval.example.db.in b/bin/tests/system/dnssec/ns3/siginterval.example.db.in
deleted file mode 100644
index ec6603a91f..0000000000
--- a/bin/tests/system/dnssec/ns3/siginterval.example.db.in
+++ /dev/null
@@ -1,21 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2012042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
-@ NS ns
-ns A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns3/siginterval1.conf b/bin/tests/system/dnssec/ns3/siginterval1.conf
deleted file mode 100644
index 1d82f680d1..0000000000
--- a/bin/tests/system/dnssec/ns3/siginterval1.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-zone "siginterval.example" {
- type primary;
- allow-update { any; };
- dnssec-policy siginterval1;
- file "siginterval.example.db";
-};
diff --git a/bin/tests/system/dnssec/ns3/siginterval2.conf b/bin/tests/system/dnssec/ns3/siginterval2.conf
deleted file mode 100644
index fa9c6267fe..0000000000
--- a/bin/tests/system/dnssec/ns3/siginterval2.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-zone "siginterval.example" {
- type primary;
- allow-update { any; };
- dnssec-policy siginterval2;
- file "siginterval.example.db";
-};
diff --git a/bin/tests/system/dnssec/ns3/sign-rsasha1-1024.sh b/bin/tests/system/dnssec/ns3/sign-rsasha1-1024.sh
index 20e4bc52dd..981d4af52b 100644
--- a/bin/tests/system/dnssec/ns3/sign-rsasha1-1024.sh
+++ b/bin/tests/system/dnssec/ns3/sign-rsasha1-1024.sh
@@ -20,8 +20,8 @@ zone=rsasha1-1024.example
 k1=$("$KEYGEN" -a rsasha1 -b 1024 $zone)
 k2=$("$KEYGEN" -a rsasha1 -b 1024 -f KSK $zone)
-cat $zone.db.in $k1.key $k2.key >$zone.tmp
-# use maximum expirey period (-e 2^31-1-3600)
+cat template.db.in $k1.key $k2.key >$zone.tmp
+# use maximum expiry period (-e 2^31-1-3600)
 # use output format full for easy extraction of KSK (-O full)
 "$SIGNER" -e +2147480047 -o $zone -f $zone.db -O full $zone.tmp
 rm -f $k1.key $k1.private $k2.key $k2.private $zone.tmp
diff --git a/bin/tests/system/dnssec/ns3/sign-rsasha1.sh b/bin/tests/system/dnssec/ns3/sign-rsasha1.sh
index c62f3fe660..ce2afa254f 100644
--- a/bin/tests/system/dnssec/ns3/sign-rsasha1.sh
+++ b/bin/tests/system/dnssec/ns3/sign-rsasha1.sh
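Review bot: The new `cat template.db.in $k1.key $k2.key >$zone.tmp` line leaves `$k1`, `$k2` and `$zone` unquoted, while ns3/sign.sh quotes every such expansion (`cat "$infile" "$keyname.key" >"$zonefile"`); the values here cannot contain whitespace, so this is a style point rather than a defect, but matching the sibling script would read `cat template.db.in "$k1.key" "$k2.key" >"$zone.tmp"`. The same applies to the identical line in the sign-rsasha1.sh hunk that follows, and to the two added `cp $infile $zonefile` lines at the end of the sign.sh changes, which in that file's own style would be `cp "$infile" "$zonefile"`.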
@@ -20,8 +20,8 @@ zone=rsasha1.example
 k1=$("$KEYGEN" -a rsasha1 $zone)
 k2=$("$KEYGEN" -a rsasha1 -f KSK $zone)
-cat $zone.db.in $k1.key $k2.key >$zone.tmp
-# use maximum expirey period (-e 2^31-1-3600)
+cat template.db.in $k1.key $k2.key >$zone.tmp
+# use maximum expiry period (-e 2^31-1-3600)
 # use output format full for easy extraction of KSK (-O full)
-"$SIGNER" +2147480047 -o $zone -f $zone.db -O full $zone.tmp
+"$SIGNER" -e +2147480047 -o $zone -f $zone.db -O full $zone.tmp
 rm -f $k1.key $k1.private $k2.key $k2.private $zone.tmp
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 8cf46a2f06..b7ec530e3c 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -53,7 +53,7 @@ for tld in managed trusted; do
 "$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
 awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed
- # Make trusted-keys and managed keys conf sections for ns8.
+ # Make trusted-keys and managed keys conf sections for ns5/many_anchors.
 mv ${keyname4}.key ${keyname4}.tmp
 awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp >${keyname4}.key
@@ -67,16 +67,24 @@ for tld in managed trusted; do
 case $tld in
 "managed")
- keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/managed.conf
+ keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns5/many-managed.conf
 ;;
 "trusted")
- keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/trusted.conf
+ keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns5/many-trusted.conf
 ;;
 esac
 done
 echo_i "ns3/sign.sh: example zones"
+# first set up some insecure zones:
+cp template.db.in insecure.example.db
+cp template.db.in insecure.below-cname.example.db
+cp template.db.in insecure.nsec3.example.db
+cp template.db.in insecure.optout.example.db
+cp extrakey.example.db.in extrakey.example.db
+
+# now the signed zones:
 zone=secure.example.
 infile=secure.example.db.in
 zonefile=secure.example.db
@@ -92,7 +100,7 @@ cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
 mv "$zonefile".tmp "$zonefile".signed
 zone=bogus.example.
-infile=bogus.example.db.in
+infile=template.db.in
 zonefile=bogus.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -102,7 +110,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
 "$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
 zone=dynamic.example.
-infile=dynamic.example.db.in
+infile=template.db.in
 zonefile=dynamic.example.db
 keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -113,7 +121,7 @@ cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
 "$SIGNER" -o "$zone" "$zonefile" >/dev/null
 zone=keyless.example.
-infile=generic.example.db.in
+infile=template.db.in
 zonefile=keyless.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -134,7 +142,7 @@ rm -f "$zonefiletmp"
 # NSEC3/NSEC test zone
 #
 zone=secure.nsec3.example.
-infile=secure.nsec3.example.db.in
+infile=template.db.in
 zonefile=secure.nsec3.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -147,7 +155,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
 # NSEC3/NSEC3 test zone
 #
 zone=nsec3.nsec3.example.
-infile=nsec3.nsec3.example.db.in
+infile=template.db.in
 zonefile=nsec3.nsec3.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -160,7 +168,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
 # OPTOUT/NSEC3 test zone
 #
 zone=optout.nsec3.example.
-infile=optout.nsec3.example.db.in
+infile=template.db.in
 zonefile=optout.nsec3.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -186,7 +194,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
 # OPTOUT/NSEC test zone
 #
 zone=secure.optout.example.
-infile=secure.optout.example.db.in
+infile=template.db.in
 zonefile=secure.optout.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -199,7 +207,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
 # OPTOUT/NSEC3 test zone
 #
 zone=nsec3.optout.example.
-infile=nsec3.optout.example.db.in
+infile=template.db.in
 zonefile=nsec3.optout.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -212,7 +220,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
 # OPTOUT/OPTOUT test zone
 #
 zone=optout.optout.example.
-infile=optout.optout.example.db.in
+infile=template.db.in
 zonefile=optout.optout.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -238,7 +246,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
 # A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
 #
 zone=nsec3-unknown.example.
-infile=nsec3-unknown.example.db.in
+infile=template.db.in
 zonefile=nsec3-unknown.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
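Review bot: Pointing `infile` for secure.nsec3.example at the shared template.db.in (and, in the later sign.sh hunks, doing the same for secure.optout, split-dnssec, split-smart and update-nsec3) drops records that only the removed per-zone files carried: the deleted secure.nsec3/secure.optout files had `private` and `insecure` delegations to 10.53.0.2, split-dnssec/split-smart had `*.wild`, `child NS ns2.example.`, the `secure`/`nsec3`/`optout` delegations and the `02HC3EM7BDD011A0GMS3HKKJT2IF5VP8` owner, and update-nsec3 had `nosoa`, `normalthenrrsig` and `rrsigonly`. Only the tail of template.db.in is visible in this diff, so some of these may have been folded into it; if they were not, tests that query those names (wildcard synthesis, delegations inside NSEC3/opt-out zones) would now exercise a different answer from a correctly signed zone and may no longer cover what they were written for. A one-line comment above the first `infile=template.db.in` naming the record set every template-built zone is expected to share, e.g. `# template.db.in carries: ns3, a, a.b, b, d, z (plus whatever the template adds below)` would make the intended coverage explicit.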
@@ -251,7 +259,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
 # A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
 #
 zone=optout-unknown.example.
-infile=optout-unknown.example.db.in
+infile=template.db.in
 zonefile=optout-unknown.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -265,7 +273,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
 # Algorithm 7 is replaced by 100 in the zone and dsset.
 #
 zone=dnskey-unknown.example
-infile=dnskey-unknown.example.db.in
+infile=template.db.in
 zonefile=dnskey-unknown.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -284,7 +292,7 @@ $DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
 # Algorithm 7 is replaced by 255 in the zone and dsset.
 #
 zone=dnskey-unsupported.example
-infile=dnskey-unsupported.example.db.in
+infile=template.db.in
 zonefile=dnskey-unsupported.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -303,7 +311,7 @@ $DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
 # digest for another DNSKEY
 #
 zone=digest-alg-unsupported.example.
-infile=digest-alg-unsupported.example.db.in
+infile=template.db.in
 zonefile=digest-alg-unsupported.example.db
 cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "cnameandkey.$zone")
@@ -324,10 +332,10 @@ $DSFROMKEY -2 -A -f ${zonefile}.signed "$zone" | tail -1 >>"$DSFILE"
 #
 # A zone which is fine by itself (supported algorithm) but that is used
-# to mimic unsupported DS digest (see ns8).
+# to mimic unsupported DS digest (see ns5/many_anchors).
 #
 zone=ds-unsupported.example.
-infile=ds-unsupported.example.db.in
+infile=template.db.in
 zonefile=ds-unsupported.example.db
 cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "cnameandkey.$zone")
@@ -345,13 +353,13 @@ mv "$zonefile".tmp "$zonefile".signed
 # Different from above because this key is not intended for signing.
 #
 zone=dnskey-unsupported-2.example
-infile=dnskey-unsupported-2.example.db.in
+infile=template.db.in
 zonefile=dnskey-unsupported-2.example.db
 ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile"
+cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key.in >"$zonefile"
 "$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" >/dev/null
@@ -360,7 +368,7 @@ cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile"
 # Algorithm 7 is replaced by 100 in the zone and dsset.
 #
 zone=dnskey-nsec3-unknown.example
-infile=dnskey-nsec3-unknown.example.db.in
+infile=template.db.in
 zonefile=dnskey-nsec3-unknown.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -378,7 +386,7 @@ $DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
 # A multiple parameter nsec3 zone.
 #
 zone=multiple.example.
-infile=multiple.example.db.in
+infile=template.db.in
 zonefile=multiple.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -386,23 +394,23 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$keyname.key" >"$zonefile"
 "$SIGNER" -z -O full -o "$zone" "$zonefile" >/dev/null
-awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed >NSEC
+awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed >NSEC.db
 "$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" >/dev/null
-awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >NSEC3
+awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >NSEC3.db
 "$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" >/dev/null
-awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
+awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3.db
 "$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" >/dev/null
-awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
+awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3.db
 "$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" >/dev/null
-awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
+awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3.db
 "$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" >/dev/null
-cat NSEC NSEC3 >>"$zonefile".signed
+cat NSEC.db NSEC3.db >>"$zonefile".signed
 #
 # A RSASHA256 zone.
 #
 zone=rsasha256.example.
-infile=rsasha256.example.db.in
+infile=template.db.in
 zonefile=rsasha256.example.db
 keyname=$("$KEYGEN" -q -a RSASHA256 "$zone")
@@ -415,7 +423,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
 # A RSASHA512 zone.
 #
 zone=rsasha512.example.
-infile=rsasha512.example.db.in
+infile=template.db.in
 zonefile=rsasha512.example.db
 keyname=$("$KEYGEN" -q -a RSASHA512 "$zone")
@@ -428,7 +436,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
 # A RSASHA256OID zone.
 #
 zone=rsasha256oid.example.
-infile=rsasha256oid.example.db.in
+infile=template.db.in
 zonefile=rsasha256oid.example.db
 keyname=$("$KEYGEN" -q -a RSASHA256OID "$zone")
@@ -441,7 +449,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
 # A RSASHA512OID zone.
 #
 zone=rsasha512oid.example.
-infile=rsasha512oid.example.db.in
+infile=template.db.in
 zonefile=rsasha512oid.example.db
 keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
@@ -456,7 +464,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
 # 1.2.840.113549.1.1.14
 #
 zone=unknownoid.example
-infile=unknownoid.example.db.in
+infile=template.db.in
 zonefile=unknownoid.example.db
 keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
@@ -481,7 +489,7 @@ sed "s/\(2[0-9]* 2[0-9]*\) [1-9][0-9]* unknownoid.example./\1 ${tag} unknownoid.
 # A PRIVATEOID zone with a extra DS record for a non-existent DNSKEY.
 #
 zone=extradsoid.example.
-infile=extradsoid.example.db.in
+infile=template.db.in
 zonefile=extradsoid.example.db
 keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
@@ -502,7 +510,7 @@ keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
 # the DNSKEY RRset with using this unknown OID.
 #
 zone=extradsunknownoid.example
-infile=extradsunknownoid.example.db.in
+infile=template.db.in
 zonefile=extradsunknownoid.example.db
 keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
@@ -536,7 +544,7 @@ sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"$keyname.key" | "$DSFROMKEY" -2A -f - "$zon
 # match the DNSKEY RRset with using this unknown OID.
 #
 zone=extended-ds-unknown-oid.example
-infile=extended-ds-unknown-oid.example.db.in
+infile=template.db.in
 zonefile=extended-ds-unknown-oid.example.db
 keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
@@ -568,7 +576,7 @@ fi
 # A zone with the DNSKEY set only signed by the KSK
 #
 zone=kskonly.example.
-infile=kskonly.example.db.in
+infile=template.db.in
 zonefile=kskonly.example.db
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
@@ -580,7 +588,7 @@ cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
 # A zone with the expired signatures
 #
 zone=expired.example.
-infile=expired.example.db.in
+infile=template.db.in
 zonefile=expired.example.db
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
@@ -593,7 +601,7 @@ rm -f "$kskname.*" "$zskname.*"
 # A NSEC3 signed zone that will have a DNSKEY added to it via UPDATE.
 #
 zone=update-nsec3.example.
-infile=update-nsec3.example.db.in
+infile=template.db.in
 zonefile=update-nsec3.example.db
 kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
@@ -606,7 +614,7 @@ cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
 # extra keys not in the initial signed zone.
 #
 zone=auto-nsec.example.
-infile=auto-nsec.example.db.in
+infile=template.db.in
 zonefile=auto-nsec.example.db
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
@@ -621,7 +629,7 @@ cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
 # extra keys not in the initial signed zone.
 #
 zone=auto-nsec3.example.
-infile=auto-nsec3.example.db.in
+infile=template.db.in
 zonefile=auto-nsec3.example.db
 kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
@@ -635,7 +643,7 @@ cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
 # Secure below cname test zone.
 #
 zone=secure.below-cname.example.
-infile=secure.below-cname.example.db.in
+infile=template.db.in
 zonefile=secure.below-cname.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$keyname.key" >"$zonefile"
@@ -645,7 +653,7 @@ cat "$infile" "$keyname.key" >"$zonefile"
 # Patched TTL test zone.
 #
 zone=ttlpatch.example.
-infile=ttlpatch.example.db.in
+infile=template.db.in
 zonefile=ttlpatch.example.db
 signedfile=ttlpatch.example.db.signed
 patchedfile=ttlpatch.example.db.patched
@@ -661,7 +669,7 @@ $CHECKZONE -D -s full "$zone" $signedfile 2>/dev/null \
 # Separate DNSSEC records.
 #
 zone=split-dnssec.example.
-infile=split-dnssec.example.db.in
+infile=template.db.in
 zonefile=split-dnssec.example.db
 signedfile=split-dnssec.example.db.signed
@@ -675,7 +683,7 @@ echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
 # Separate DNSSEC records smart signing.
 #
 zone=split-smart.example.
-infile=split-smart.example.db.in
+infile=template.db.in
 zonefile=split-smart.example.db
 signedfile=split-smart.example.db.signed
@@ -690,7 +698,7 @@ echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
 # Zone with signatures about to expire, but no private key to replace them
 #
 zone="expiring.example."
-infile="expiring.example.db.in"
+infile="template.db.in"
 zonefile="expiring.example.db"
 signedfile="expiring.example.db.signed"
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -704,15 +712,15 @@ mv -f "${kskname}.private" "${kskname}.private.moved"
 # A zone where the signer's name has been forced to uppercase.
 #
 zone="upper.example."
-infile="upper.example.db.in"
+infile="template.db.in"
 zonefile="upper.example.db"
 lower="upper.example.db.lower"
 signedfile="upper.example.db.signed"
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
 cp "$infile" "$zonefile"
-"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" >/dev/null
-$CHECKZONE -D upper.example $lower 2>/dev/null \
+"$SIGNER" -P -S -o "$zone" -f "$lower" "$zonefile" >/dev/null
+$CHECKZONE -D upper.example "$lower" 2>/dev/null \
 | sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' >$signedfile
 #
@@ -720,18 +728,19 @@ $CHECKZONE -D upper.example $lower 2>/dev/null \
 # upper case.
 #
 zone="LOWER.EXAMPLE."
-infile="lower.example.db.in"
+infile="template.db.in"
 zonefile="lower.example.db"
 signedfile="lower.example.db.signed"
+sed -e 's/ns3/NS3/' -e 's/mname1/MNAME1/' "$infile" >"$zonefile"
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
-cp "$infile" "$zonefile"
 "$SIGNER" -P -S -o "$zone" "$zonefile" >/dev/null
 #
 # An inline signing zone
 #
 zone=inline.example.
+cp template.db.in inline.example.db
 kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
 zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -739,7 +748,7 @@ zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 # A zone which will change its signatures-validity
 #
 zone=siginterval.example
-infile=siginterval.example.db.in
+infile=template.db.in
 zonefile=siginterval.example.db
 kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
 zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -747,10 +756,9 @@ cp "$infile" "$zonefile"
 #
 # A zone with a bad DS in the parent
-# (sourced from bogus.example.db.in)
 #
 zone=badds.example.
-infile=bogus.example.db.in
+infile=template.db.in
 zonefile=badds.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -764,7 +772,7 @@ sed -e 's/bogus/badds/g' dsset-badds.example.
 # Same as badds, but locally trusted by the forwarder
 #
 zone=localkey.example.
-infile=bogus.example.db.in
+infile=template.db.in
 zonefile=localkey.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -779,7 +787,7 @@ keyfile_to_static_keys $keyname >../ns9/trusted-localkey.conf
 # A zone with future signatures.
 #
 zone=future.example
-infile=future.example.db.in
+infile=template.db.in
 zonefile=future.example.db
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -791,7 +799,7 @@ cp -f "$kskname.key" trusted-future.key
 # A zone with future signatures.
 #
 zone=managed-future.example
-infile=managed-future.example.db.in
+infile=template.db.in
 zonefile=managed-future.example.db
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
@@ -802,7 +810,7 @@ cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
 # A zone with a revoked key
 #
 zone=revkey.example.
-infile=generic.example.db.in
+infile=template.db.in
 zonefile=revkey.example.db
 ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone")
@@ -848,12 +856,16 @@ cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
 # We only need to generate the dsset.
 #
 zone=rsasha1.example
+infile=rsasha1.example.db.in
 zonefile=rsasha1.example.db
+cp $infile $zonefile
 awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" \
 | $DSFROMKEY -f - "$zone" >"dsset-${zone}."
 zone=rsasha1-1024.example
+infile=rsasha1-1024.example.db.in
 zonefile=rsasha1-1024.example.db
+cp $infile $zonefile
 awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" \
 | $DSFROMKEY -f - "$zone" >"dsset-${zone}."
diff --git a/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in b/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in
deleted file mode 100644
index 55b38776da..0000000000
--- a/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in
+++ /dev/null
@@ -1,38 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a A 10.0.0.3
-*.wild A 10.0.0.6
-child NS ns2.example.
-insecure NS ns.insecure
-ns.insecure A 10.53.0.3
-secure NS ns.secure
-ns.secure A 10.53.0.3
-nsec3 NS ns.nsec3
-ns.nsec3 A 10.53.0.3
-optout NS ns.optout
-ns.optout A 10.53.0.3
-02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
diff --git a/bin/tests/system/dnssec/ns3/split-smart.example.db.in b/bin/tests/system/dnssec/ns3/split-smart.example.db.in
deleted file mode 100644
index 55b38776da..0000000000
--- a/bin/tests/system/dnssec/ns3/split-smart.example.db.in
+++ /dev/null
@@ -1,38 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a A 10.0.0.3
-*.wild A 10.0.0.6
-child NS ns2.example.
-insecure NS ns.insecure
-ns.insecure A 10.53.0.3
-secure NS ns.secure
-ns.secure A 10.53.0.3
-nsec3 NS ns.nsec3
-ns.nsec3 A 10.53.0.3
-optout NS ns.optout
-ns.optout A 10.53.0.3
-02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
diff --git a/bin/tests/system/dnssec/ns2/insecure.secure.example.db b/bin/tests/system/dnssec/ns3/template.db.in
similarity index 93%
rename from bin/tests/system/dnssec/ns2/insecure.secure.example.db
rename to bin/tests/system/dnssec/ns3/template.db.in
index 62862f5305..f603e448ff 100644
--- a/bin/tests/system/dnssec/ns2/insecure.secure.example.db
+++ b/bin/tests/system/dnssec/ns3/template.db.in
@@ -17,10 +17,11 @@ $TTL 300 ; 5 minutes
 1814400 ; expire (3 weeks)
 3600 ; minimum (1 hour)
 )
- NS ns2
-ns2 A 10.53.0.2
+ NS ns3
+ns3 A 10.53.0.3
 a A 10.0.0.1
+a.b A 10.0.0.1
 b A 10.0.0.2
 d A 10.0.0.4
 z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in b/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in
deleted file mode 100644
index 14971bd7a6..0000000000
--- a/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in
+++ /dev/null
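Review bot: The added `a.b A 10.0.0.1` in template.db.in now lands in every zone that ns3/sign.sh builds from the template, so it changes the NSEC/NSEC3 chain and the closest encloser for names under `a` in all of them, not only in whichever test needed the record. Nothing in the hunk says why it is there; a trailing comment on the record, e.g. `a.b A 10.0.0.1 ; required by <test name, TODO(review): fill in>`, would stop a later cleanup of the shared template from dropping it. The rename from ns2/insecure.secure.example.db also means any ns2 configuration that still references that path would need a matching update, which this diff does not show either way.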
@@ -1,26 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/unknownoid.example.db.in b/bin/tests/system/dnssec/ns3/unknownoid.example.db.in deleted file mode 100644 index f6c4fabdd3..0000000000 --- a/bin/tests/system/dnssec/ns3/unknownoid.example.db.in +++ /dev/null @@ -1,28 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2009102722 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a diff --git a/bin/tests/system/dnssec/ns3/unsupported-algorithm.key b/bin/tests/system/dnssec/ns3/unsupported-algorithm.key.in similarity index 100% rename from bin/tests/system/dnssec/ns3/unsupported-algorithm.key rename to bin/tests/system/dnssec/ns3/unsupported-algorithm.key.in 
diff --git a/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in deleted file mode 100644 index a7792fd3b8..0000000000 --- a/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in +++ /dev/null @@ -1,40 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a - -private NS ns.private -ns.private A 10.53.0.2 - -insecure NS ns.insecure -ns.insecure A 10.53.0.2 - -nosoa NS ns.nosoa -ns.nosoa A 10.53.0.7 - -normalthenrrsig A 10.0.0.28 -rrsigonly A 10.0.0.29 diff --git a/bin/tests/system/dnssec/ns3/upper.example.db.in b/bin/tests/system/dnssec/ns3/upper.example.db.in deleted file mode 100644 index ec6603a91f..0000000000 --- a/bin/tests/system/dnssec/ns3/upper.example.db.in +++ /dev/null 
@@ -1,21 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2012042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) -@ NS ns -ns A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns4/named.conf.j2 b/bin/tests/system/dnssec/ns4/named.conf.j2 new file mode 100644 index 0000000000..9a67908bde --- /dev/null +++ b/bin/tests/system/dnssec/ns4/named.conf.j2 
@@ -0,0 +1,119 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS11 + + +{% set managed_key = managed_key | default(False) %} +{% set accept_expired = accept_expired | default(False) %} +{% set multi_view = multi_view | default(False) %} + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion yes; + minimal-responses no; + + {% if accept_expired %} + dnssec-accept-expired yes; + {% endif %} + + {% if managed_key %} + dnssec-validation auto; + bindkeys-file "managed.conf"; + {% else %} + # Note: We only reference the bind.keys file here to + # confirm that it is *not* being used. It contains the + # real root key, and we're using a local toy root zone for + # the tests, so it wouldn't work. But dnssec-validation + # is set to "yes" not "auto", so that won't matter. + dnssec-validation yes; + bindkeys-file "../../../../../bind.keys"; + {% endif %} + + disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; + disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; + disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; + disable-algorithms "badalg.secure.example." 
{ ECDSAP256SHA256; }; +}; + +{% if not managed_key %} +include "trusted.conf"; +{% endif %} + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +{% if multi_view %} + view rec { + match-recursive-only yes; + recursion yes; + dnssec-accept-expired yes; + minimal-responses no; + dnssec-validation yes; + + include "trusted.conf"; + + zone "." { + type hint; + file "../../_common/root.hint"; + }; + + zone secure.example { + type static-stub; + server-addresses { 10.53.0.4; }; + }; + + zone insecure.secure.example { + type static-stub; + server-addresses { 10.53.0.4; }; + }; + }; + + view auth { + recursion no; + allow-recursion { none; }; + dnssec-validation no; + + zone "." { + type hint; + file "../../_common/root.hint"; + }; + + zone secure.example { + type secondary; + primaries { 10.53.0.3; }; + }; + + zone insecure.secure.example { + type secondary; + primaries { 10.53.0.2; }; + }; + }; +{% else %} + zone "." { + type hint; + file "../../_common/root.hint"; + }; +{% endif %} diff --git a/bin/tests/system/dnssec/ns4/named1.conf.in b/bin/tests/system/dnssec/ns4/named1.conf.in deleted file mode 100644 index e9264c169f..0000000000 --- a/bin/tests/system/dnssec/ns4/named1.conf.in +++ /dev/null 
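Review bot: The header comment reads `// NS11` although this template is for the 10.53.0.4 server (the deleted named1.conf.in it replaces was headed `// NS4`); change it to `// NS4` so the file is not mistaken for another server's config. The `nta-lifetime 12s; nta-recheck 9s; validate-except { corp; };` options and the `corp` static-stub zone from the deleted named1.conf.in have no counterpart in this template; presumably they now live in a separate test fixture, but if the NTA tests still run against ns4 they are lost, so this is worth confirming. In the `multi_view` branch the `rec` view hardcodes `dnssec-accept-expired yes;` independently of the `accept_expired` flag; a one-line comment such as `{# rec view always accepts expired signatures, regardless of accept_expired #}` would stop the next reader from assuming the flag was forgotten.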
@@ -1,64 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS4 - -options { - query-source address 10.53.0.4; - notify-source 10.53.0.4; - transfer-source 10.53.0.4; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.4; }; - listen-on-v6 { none; }; - recursion yes; - dnssec-validation yes; - minimal-responses no; - - nta-lifetime 12s; - nta-recheck 9s; - validate-except { corp; }; - - disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; - disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; - disable-ds-digests "ds-unsupported.example." {"SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; - disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; }; - - # Note: We only reference the bind.keys file here to confirm that it - # is *not* being used. It contains the real root key, and we're - # using a local toy root zone for the tests, so it wouldn't work. - # But since dnssec-validation is set to "yes" not "auto", that - # won't matter. - bindkeys-file "../../../../../bind.keys"; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -zone "." { - type hint; - file "../../_common/root.hint"; -}; - -zone "corp" { - type static-stub; - server-addresses { 10.53.0.2; }; -}; - -include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns4/named2.conf.in b/bin/tests/system/dnssec/ns4/named2.conf.in deleted file mode 100644 index bf82385f71..0000000000 
--- a/bin/tests/system/dnssec/ns4/named2.conf.in +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS4 - -options { - query-source address 10.53.0.4; - notify-source 10.53.0.4; - transfer-source 10.53.0.4; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.4; }; - listen-on-v6 { none; }; - recursion yes; - dnssec-validation auto; - bindkeys-file "managed.conf"; - minimal-responses no; - disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; - disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; - disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; - disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; }; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -zone "." { - type hint; - file "../../_common/root.hint"; -}; diff --git a/bin/tests/system/dnssec/ns4/named3.conf.in b/bin/tests/system/dnssec/ns4/named3.conf.in deleted file mode 100644 index d6a44c799d..0000000000 --- a/bin/tests/system/dnssec/ns4/named3.conf.in +++ /dev/null 
@@ -1,49 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS4 - -options { - query-source address 10.53.0.4; - notify-source 10.53.0.4; - transfer-source 10.53.0.4; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.4; }; - listen-on-v6 { none; }; - recursion yes; - dnssec-validation auto; - bindkeys-file "managed.conf"; - dnssec-accept-expired yes; - minimal-responses no; - servfail-ttl 0; - - disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; - disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";}; - disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; - disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; }; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -zone "." { - type hint; - file "../../_common/root.hint"; -}; diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in deleted file mode 100644 index 34f59b498a..0000000000 --- a/bin/tests/system/dnssec/ns4/named4.conf.in +++ /dev/null 
@@ -1,87 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS4 - -options { - query-source address 10.53.0.4; - notify-source 10.53.0.4; - transfer-source 10.53.0.4; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.4; }; - listen-on-v6 { none; }; - disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; - disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; - disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; - disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; }; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -key auth { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -include "trusted.conf"; - -view rec { - match-recursive-only yes; - recursion yes; - dnssec-validation yes; - dnssec-accept-expired yes; - minimal-responses no; - - zone "." { - type hint; - file "../../_common/root.hint"; - }; - - zone secure.example { - type static-stub; - server-addresses { 10.53.0.4; }; - }; - - zone insecure.secure.example { - type static-stub; - server-addresses { 10.53.0.4; }; - }; -}; - -view auth { - recursion no; - allow-recursion { none; }; - - zone "." { - type hint; - file "../../_common/root.hint"; - }; - - zone secure.example { - type secondary; - primaries { 10.53.0.3; }; - }; - - zone insecure.secure.example { - type secondary; - primaries { 10.53.0.2; }; - }; -}; 
diff --git a/bin/tests/system/dnssec/ns5/named.conf.j2 b/bin/tests/system/dnssec/ns5/named.conf.j2 new file mode 100644 index 0000000000..a0332d9d6f --- /dev/null +++ b/bin/tests/system/dnssec/ns5/named.conf.j2 
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+{% set revoked_key = revoked_key | default(False) %}
+{% set broken_key = broken_key | default(False) %}
+{% set many_anchors = many_anchors | default(False) %}
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; 127.0.0.1; };
+ listen-on-v6 { none; };
+ recursion yes;
+ minimal-responses no;
+ servfail-ttl 0;
+
+{% if many_anchors %}
+ dnssec-validation yes;
+ disable-algorithms "disabled.managed." { @DISABLED_ALGORITHM@; };
+ disable-algorithms "disabled.trusted." { @DISABLED_ALGORITHM@; };
+{% endif %}
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+{% if revoked_key %}
+ view root {
+ match-destinations { 127.0.0.1; };
+ dnssec-validation no;
+
+ zone "." {
+ type primary;
+ file "root.db.signed";
+ };
+ };
+
+ view other {
+ dnssec-validation yes;
+ include "revoked.conf";
+
+ zone "." {
+ type static-stub;
+ server-addresses { 127.0.0.1; };
+ };
+ };
+{% elif broken_key %}
+ zone "." {
+ type hint;
+ file "../../_common/root.hint";
+ };
+
+ include "broken.conf";
+{% elif many_anchors %}
+ zone "." {
+ type hint;
+ file "../../_common/root.hint";
+ };
+
+ include "many-managed.conf";
+ include "many-trusted.conf";
+{% else %}
+ zone "." {
+ type hint;
+ file "../../_common/root.hint";
+ };
+
+ include "trusted.conf";
+{% endif %}
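Review bot: Only the `many_anchors` branch sets `dnssec-validation yes;` in `options`; the `broken_key` and default (`trusted.conf`) branches leave it unset, so whether those instances validate against just the included anchor or also against named's compiled-in root key depends on the server default rather than on this template. If the intent is the same for every variant, put `dnssec-validation yes;` unconditionally in `options` and drop the per-branch copy (the `revoked_key` branch's per-view settings would still take precedence). The `listen-on { 10.53.0.5; 127.0.0.1; };` line appears to exist only so the `revoked_key` root view can answer on loopback; a comment such as `{# 127.0.0.1 serves the locally signed root for the revoked_key view #}` would explain why this server alone listens on loopback.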
diff --git a/bin/tests/system/dnssec/ns6/named.args b/bin/tests/system/dnssec/ns6/named.args deleted file mode 100644 index 04d5d1b50e..0000000000 --- a/bin/tests/system/dnssec/ns6/named.args +++ /dev/null @@ -1 +0,0 @@ --m record -c named.conf -d 99 -D dnssec-ns6 -g -T maxcachesize=2097152 -T nonearest -T tat=1 diff --git a/bin/tests/system/dnssec/ns6/named.conf.in b/bin/tests/system/dnssec/ns6/named.conf.j2 similarity index 83% rename from bin/tests/system/dnssec/ns6/named.conf.in rename to bin/tests/system/dnssec/ns6/named.conf.j2 index 2818b7958c..c3c0da6e44 100644 --- a/bin/tests/system/dnssec/ns6/named.conf.in +++ b/bin/tests/system/dnssec/ns6/named.conf.j2 @@ -37,4 +37,15 @@ zone "optout-tld" { file "optout-tld.db.signed"; }; +zone "nosoa.secure.example" { + type primary; + file "nosoa.secure.example.db"; +}; + +zone "split-rrsig" { + type primary; + file "split-rrsig.db.signed"; + allow-update { any; }; +}; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns6/named.nonearest b/bin/tests/system/dnssec/ns6/named.nonearest new file mode 100644 index 0000000000..ba4c4eb3ab --- /dev/null +++ b/bin/tests/system/dnssec/ns6/named.nonearest @@ -0,0 +1,12 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. + +Add -T nonearest. diff --git a/bin/tests/system/dnssec/ns7/named.nosoa b/bin/tests/system/dnssec/ns6/named.nosoa similarity index 100% rename from bin/tests/system/dnssec/ns7/named.nosoa rename to bin/tests/system/dnssec/ns6/named.nosoa diff --git a/bin/tests/system/dnssec/ns6/named.tat=1 b/bin/tests/system/dnssec/ns6/named.tat=1 new file mode 100644 index 0000000000..c5c93e9991 --- /dev/null 
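Review bot: The deleted `named.args` also passed `-T maxcachesize=2097152` (plus `-m record`, `-d 99`, `-g`), but the marker files added or moved here (`named.nonearest`, `named.nosoa`, `named.tat=1`) only carry `-T nonearest`, `-T nosoa` and `-T tat=1`, so the 2 MiB cache limit has no visible counterpart; presumably the test runner supplies the generic flags, but if the cache limit was load-bearing for a test on this server it is now lost and should be confirmed. The new `split-rrsig` zone keeps `allow-update { any; };` from the ns7 config it was moved from; a short comment such as `// open to updates on purpose: the split-rrsig test sends dynamic updates to this zone` would justify the unrestricted ACL to a reader who does not know the test.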
+++ b/bin/tests/system/dnssec/ns6/named.tat=1 @@ -0,0 +1,12 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. + +Add -T tat=1. diff --git a/bin/tests/system/dnssec/ns7/nosoa.secure.example.db b/bin/tests/system/dnssec/ns6/nosoa.secure.example.db.in similarity index 93% rename from bin/tests/system/dnssec/ns7/nosoa.secure.example.db rename to bin/tests/system/dnssec/ns6/nosoa.secure.example.db.in index d3c98783ea..85044d4168 100644 --- a/bin/tests/system/dnssec/ns7/nosoa.secure.example.db +++ b/bin/tests/system/dnssec/ns6/nosoa.secure.example.db.in @@ -17,6 +17,6 @@ $TTL 300 ; 5 minutes 1814400 ; expire (3 weeks) 3600 ; minimum (1 hour) ) -@ IN NS ns -ns IN A 10.53.0.7 +@ IN NS ns6 +ns6 IN A 10.53.0.6 a IN A 1.2.3.4 diff --git a/bin/tests/system/dnssec/ns6/sign.sh b/bin/tests/system/dnssec/ns6/sign.sh index 103baf257e..f2e231f235 100644 --- a/bin/tests/system/dnssec/ns6/sign.sh +++ b/bin/tests/system/dnssec/ns6/sign.sh @@ -18,6 +18,13 @@ set -e echo_i "ns6/sign.sh" +# set up unsigned zone first +zone=nosoa.secure.example. +infile=nosoa.secure.example.db.in +zonefile=nosoa.secure.example.db +cp "$infile" "$zonefile" + +# now sign the others zone=optout-tld infile=optout-tld.db.in zonefile=optout-tld.db 
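Review bot: `zone=nosoa.secure.example.` in the new "set up unsigned zone first" block is assigned but never read — `zone=optout-tld` overwrites it four lines later — so it is dead code that looks as if the zone participates in signing. Either drop that assignment or reduce the block to `cp nosoa.secure.example.db.in nosoa.secure.example.db` under a comment such as `# nosoa.secure.example is served unsigned; copy it as-is`. The optout-tld block that this hunk opens continues outside the hunk.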
@@ -27,3 +34,28 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$keyname.key" >"$zonefile" "$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null 2>&1 + +zone=split-rrsig +infile=split-rrsig.db.in +zonefile=split-rrsig.db + +k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") + +cat "$infile" "$k1.key" "$k2.key" >"$zonefile" + +# The awk script below achieves two goals: +# +# - it puts one of the two RRSIG(SOA) records at the end of the zone file, so +# that these two records (forming a single RRset) are not placed immediately +# next to each other; the test then checks if RRSIG RRsets split this way are +# correctly added to resigning heaps, +# +# - it places a copy of one of the RRSIG(SOA) records somewhere else than at the +# zone apex; the test then checks whether such signatures are automatically +# removed from the zone after it is loaded. +"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" >/dev/null 2>&1 +awk 'BEGIN { r = ""; } + $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; } + { print } + END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" >"$zonefile.signed" diff --git a/bin/tests/system/dnssec/ns7/split-rrsig.db.in b/bin/tests/system/dnssec/ns6/split-rrsig.db.in similarity index 100% rename from bin/tests/system/dnssec/ns7/split-rrsig.db.in rename to bin/tests/system/dnssec/ns6/split-rrsig.db.in diff --git a/bin/tests/system/dnssec/ns7/named.conf.in b/bin/tests/system/dnssec/ns7/named.conf.in deleted file mode 100644 index b35284664b..0000000000 --- a/bin/tests/system/dnssec/ns7/named.conf.in +++ /dev/null 
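Review bot: The `"$SIGNER" ... >/dev/null 2>&1` line discards the signer's diagnostics, so when it fails the script (running under `set -e`) aborts with no indication of what went wrong and the awk step never runs; redirecting stderr to a file, e.g. `2>signer.split-rrsig.err`, or simply dropping `2>&1`, keeps the failure visible. The `-e now-3600 -s now-7200` timing creates signatures that are already expired, which is unusual enough to deserve a one-line comment next to the command stating why (the long comment above explains only the awk rearrangement). The awk field tests `$4 == "RRSIG" && $5 == "SOA"` depend on the `-O full` output layout, which is worth noting in that same comment so nobody drops `-O full` later.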
@@ -1,76 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS3 - -options { - query-source address 10.53.0.7; - notify-source 10.53.0.7; - transfer-source 10.53.0.7; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.7; }; - listen-on-v6 { none; }; - recursion no; - notify yes; - dnssec-validation yes; - minimal-responses yes; -}; - -zone "." { - type hint; - file "../../_common/root.hint"; -}; - -zone "nsec3.example" { - type secondary; - primaries { 10.53.0.3; }; - file "nsec3.example.bk"; -}; - -zone "optout.example" { - type secondary; - primaries { 10.53.0.3; }; - file "optout.example.bk"; -}; - -zone "nsec3-unknown.example" { - type secondary; - primaries { 10.53.0.3; }; - file "nsec3-unknown.example.bk"; -}; - -zone "optout-unknown.example" { - type secondary; - primaries { 10.53.0.3; }; - file "optout-unknown.example.bk"; -}; - -zone "multiple.example" { - type secondary; - primaries { 10.53.0.3; }; - file "multiple.example.bk"; -}; - -zone "nosoa.secure.example" { - type primary; - file "nosoa.secure.example.db"; -}; - -zone "split-rrsig" { - type primary; - file "split-rrsig.db.signed"; - allow-update { any; }; -}; - -include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh deleted file mode 100644 index 7aaceadbb9..0000000000 --- a/bin/tests/system/dnssec/ns7/sign.sh +++ /dev/null 
@@ -1,44 +0,0 @@ -#!/bin/sh -e - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -# shellcheck source=conf.sh -. ../../conf.sh - -set -e - -echo_i "ns7/sign.sh" - -zone=split-rrsig -infile=split-rrsig.db.in -zonefile=split-rrsig.db - -k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") - -cat "$infile" "$k1.key" "$k2.key" >"$zonefile" - -# The awk script below achieves two goals: -# -# - it puts one of the two RRSIG(SOA) records at the end of the zone file, so -# that these two records (forming a single RRset) are not placed immediately -# next to each other; the test then checks if RRSIG RRsets split this way are -# correctly added to resigning heaps, -# -# - it places a copy of one of the RRSIG(SOA) records somewhere else than at the -# zone apex; the test then checks whether such signatures are automatically -# removed from the zone after it is loaded. -"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" >/dev/null 2>&1 -awk 'BEGIN { r = ""; } - $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; } - { print } - END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" >"$zonefile.signed" diff --git a/bin/tests/system/dnssec/ns8/named.conf.in b/bin/tests/system/dnssec/ns9/named.conf.j2 similarity index 60% rename from bin/tests/system/dnssec/ns8/named.conf.in rename to bin/tests/system/dnssec/ns9/named.conf.j2 index 2590de1890..2a335b5a9f 100644 --- a/bin/tests/system/dnssec/ns8/named.conf.in +++ b/bin/tests/system/dnssec/ns9/named.conf.j2 
@@ -11,21 +11,27 @@ * information regarding copyright ownership. */ -// NS8 +// NS9 + +{% set forward_badkey = forward_badkey | default(False) %} options { - query-source address 10.53.0.8; - notify-source 10.53.0.8; - transfer-source 10.53.0.8; + query-source address 10.53.0.9; + notify-source 10.53.0.9; + transfer-source 10.53.0.9; port @PORT@; pid-file "named.pid"; - listen-on { 10.53.0.8; }; + listen-on { 10.53.0.9; }; listen-on-v6 { none; }; recursion yes; dnssec-validation yes; - minimal-responses no; - disable-algorithms "disabled.managed." { @DISABLED_ALGORITHM@; }; - disable-algorithms "disabled.trusted." { @DISABLED_ALGORITHM@; }; + forward only; +{% if forward_badkey %} + forwarders { 10.53.0.5; }; +{% else %} + forwarders { 10.53.0.4; }; +{% endif %} + servfail-ttl 0; }; key rndc_key { @@ -34,14 +40,8 @@ key rndc_key { }; controls { - inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; + inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; -zone "." { - type hint; - file "../../_common/root.hint"; -}; - -include "managed.conf"; include "trusted.conf"; - +include "trusted-localkey.conf"; diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh index dc53ea83e2..7c895667fc 100644 --- a/bin/tests/system/dnssec/setup.sh +++ b/bin/tests/system/dnssec/setup.sh @@ -16,19 +16,6 @@ set -e -copy_setports ns1/named.conf.in ns1/named.conf -copy_setports ns2/named.conf.in ns2/named.conf -copy_setports ns3/named.conf.in ns3/named.conf - -copy_setports ns4/named1.conf.in ns4/named.conf -copy_setports ns5/named1.conf.in ns5/named.conf - -copy_setports ns6/named.conf.in ns6/named.conf -copy_setports ns7/named.conf.in ns7/named.conf -copy_setports ns8/named.conf.in ns8/named.conf - -copy_setports ns9/named.conf.in ns9/named.conf - ( cd ns1 $SHELL sign.sh 
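Review bot: `{% if forward_badkey %}` switches the sole forwarder to 10.53.0.5 without saying what distinguishes it from 10.53.0.4, and with `forward only;` and the root hint zone removed there is no fallback if that forwarder does not answer, so the intent should be stated in the template. A comment such as `{# forward_badkey: forward to ns5 (validator with a bad root anchor) instead of ns4 #}` would do; I infer ns5's role from the other templates in this change, so confirm the wording. The two trust-anchor includes, `trusted.conf` and the new `trusted-localkey.conf`, likewise lack a note on why this forwarder needs an additional local-key anchor.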
@@ -39,11 +26,6 @@ copy_setports ns9/named.conf.in ns9/named.conf } >>../ns3/bogus.example.db.signed ) -( - cd ns3 - cp -f siginterval1.conf siginterval.conf -) - ( cd ns5 $SHELL sign.sh diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh deleted file mode 100644 index 60a3959ab2..0000000000 --- a/bin/tests/system/dnssec/tests.sh +++ /dev/null 
@@ -1,4885 +0,0 @@ -#!/bin/sh - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -set -e - -# shellcheck source=conf.sh -. ../conf.sh - -status=0 -n=1 - -rm -f dig.out.* - -dig_with_opts() { - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" -} - -dig_with_additionalopts() { - "$DIG" +noall +additional +dnssec -p "$PORT" "$@" -} - -dig_with_answeropts() { - "$DIG" +noall +answer +dnssec -p "$PORT" "$@" -} - -delv_with_opts() { - "$DELV" -a ns1/trusted.conf -p "$PORT" "$@" -} - -rndccmd() { - "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" -} - -# TODO: Move loadkeys_on to conf.sh.common -dnssec_loadkeys_on() { - nsidx=$1 - zone=$2 - nextpart ns${nsidx}/named.run >/dev/null - rndccmd 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i - wait_for_log 20 "next key event" ns${nsidx}/named.run || return 1 -} - -# convert private-type records to readable form -showprivate() { - echo "-- $* --" - dig_with_opts +nodnssec +short "@$2" -t type65534 "$1" >dig.out.$1.test$n - cut -f3 -d' ' dig.out.ns4.test$n || ret=1 -grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ns\\.insecure\\.example\\..*A.10\\.53\\.0\\.3" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -# Check the example. domain - -echo_i "checking that zone transfer worked ($n)" -for i in 1 2 3 4 5 6 7 8 9; do - ret=0 - dig_with_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 - dig_with_opts a.example. 
@10.53.0.3 a >dig.out.ns3.test$n || ret=1
- $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n >/dev/null || ret=1
- [ "$ret" -eq 0 ] && break
- sleep 1
-done
-digcomp dig.out.ns2.test$n dig.out.ns3.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-# test AD bit:
-# - dig +adflag asks for authentication (ad in response)
-echo_i "checking AD bit asking for validation ($n)"
-ret=0
-dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-# test AD bit:
-# - dig +noadflag
-echo_i "checking that AD is not set without +adflag or +dnssec ($n)"
-ret=0
-dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking for AD in authoritative answer ($n)"
-ret=0
-dig_with_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking positive validation NSEC ($n)"
-ret=0
-dig_with_opts +noauth a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking recovery from spoofed server addresses ($n)"
-ret=0
-# prime cache with spoofed address records
-dig_with_opts +cd target.peer-ns-spoof @10.53.0.4 a >dig.out.prime.ns4.test$n || ret=1
-grep "status: SERVFAIL" dig.out.prime.ns4.test$n >/dev/null || ret=1
-rndccmd 10.53.0.4 dumpdb | sed 's/^/ns4 /' | cat_i
-mv ns4/named_dump.db ns4/named_dump.db.test$n >/dev/null || ret=1
-grep "10.53.0.100" ns4/named_dump.db.test$n || ret=1
-# reload server with properly signed zone
-cp ns2/peer.peer-ns-spoof.db.next ns2/peer.peer-ns-spoof.db.signed
-nextpart ns2/named.run >/dev/null
-rndccmd 10.53.0.2 reload peer.peer-ns-spoof | sed 's/^/ns2 /' | cat_i
-wait_for_log 5 "zone peer.peer-ns-spoof/IN: loaded serial 2000042408" ns2/named.run || ret=1
-dig_with_opts +noauth test.target.peer-ns-spoof @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags: qr rd ra ad;" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking recovery from stripped DNSKEY RRSIG ($n)"
-ret=0
-# prime cache with DNSKEY without RRSIGs
-dig_with_opts +noauth +cd dnskey-rrsigs-stripped. @10.53.0.4 dnskey >dig.out.prime.ns4.test$n || ret=1
-grep ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1" dig.out.prime.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1
-grep "RRSIG.DNSKEY" dig.out.prime.ns4.test$n >/dev/null && ret=1
-# reload server with properly signed zone
-cp ns2/dnskey-rrsigs-stripped.db.next ns2/dnskey-rrsigs-stripped.db.signed
-nextpart ns2/named.run >/dev/null
-rndccmd 10.53.0.2 reload dnskey-rrsigs-stripped | sed 's/^/ns2 /' | cat_i
-wait_for_log 5 "zone dnskey-rrsigs-stripped/IN: loaded serial 2000042408" ns2/named.run || ret=1
-dig_with_opts +noauth b.dnskey-rrsigs-stripped. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth b.dnskey-rrsigs-stripped. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking recovery from stripped DS RRSIG ($n)"
-ret=0
-# prime cache with DS without RRSIGs
-dig_with_opts +noauth +cd child.ds-rrsigs-stripped. @10.53.0.4 ds >dig.out.prime.ns4.test$n || ret=1
-grep ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.prime.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1
-grep "RRSIG.DS" dig.out.prime.ns4.test$n >/dev/null && ret=1
-# reload server with properly signed zone
-cp ns2/ds-rrsigs-stripped.db.next ns2/ds-rrsigs-stripped.db.signed
-nextpart ns2/named.run >/dev/null
-rndccmd 10.53.0.2 reload ds-rrsigs-stripped | sed 's/^/ns2 /' | cat_i
-wait_for_log 5 "zone ds-rrsigs-stripped/IN: loaded serial 2000042408" ns2/named.run || ret=1
-dig_with_opts +noauth b.child.ds-rrsigs-stripped. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth b.child.ds-rrsigs-stripped. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that 'example/DS' from the referral was used in previous validation ($n)"
-ret=0
-grep "query 'example/DS/IN' approved" ns1/named.run >/dev/null && ret=1
-grep "fetch: example/DS" ns4/named.run >/dev/null && ret=1
-grep "validating example/DS: starting" ns4/named.run >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking positive validation NSEC using dns_client ($n)"
- delv_with_opts @10.53.0.4 a a.example >delv.out$n || ret=1
- grep "a.example..*10.0.0.1" delv.out$n >/dev/null || ret=1
- grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-
- ret=0
- echo_i "checking positive validation NSEC using dns_client (trusted-keys) ($n)"
- "$DELV" -a ns1/trusted.keys -p "$PORT" @10.53.0.4 a a.example >delv.out$n || ret=1
- grep "a.example..*10.0.0.1" delv.out$n >/dev/null || ret=1
- grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking positive validation NSEC3 ($n)"
-ret=0
-dig_with_opts +noauth a.nsec3.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.nsec3.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking positive validation NSEC3 using dns_client ($n)"
- delv_with_opts @10.53.0.4 a a.nsec3.example >delv.out$n || ret=1
- grep "a.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1
- grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking positive validation OPTOUT ($n)"
-ret=0
-dig_with_opts +noauth a.optout.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.optout.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-SP="[[:space:]]+"
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking positive validation OPTOUT using dns_client ($n)"
- delv_with_opts @10.53.0.4 a a.optout.example >delv.out$n || ret=1
- grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""A""$SP""10.0.0.1" delv.out$n || ret=1
- grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""RRSIG""$SP""A""$SP""$DEFAULT_ALGORITHM_NUMBER""$SP""3""$SP""300" delv.out$n || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking positive wildcard validation NSEC ($n)"
-ret=0
-dig_with_opts a.wild.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts a.wild.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n
-stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n
-digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
-grep "\\*\\.wild\\.example\\..*RRSIG NSEC" dig.out.ns4.test$n >/dev/null || ret=1
-grep "\\*\\.wild\\.example\\..*NSEC z\\.example" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking positive wildcard validation NSEC using dns_client ($n)"
- delv_with_opts @10.53.0.4 a a.wild.example >delv.out$n || ret=1
- grep "a.wild.example..*10.0.0.27" delv.out$n >/dev/null || ret=1
- grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking positive wildcard answer NSEC3 ($n)"
-ret=0
-dig_with_opts a.wild.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-grep "AUTHORITY: 4," dig.out.ns3.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking positive wildcard answer NSEC3 ($n)"
-ret=0
-dig_with_opts a.wild.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-grep "AUTHORITY: 4," dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking positive wildcard validation NSEC3 ($n)"
-ret=0
-dig_with_opts a.wild.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts a.wild.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n
-stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n
-digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)"
- delv_with_opts @10.53.0.4 a a.wild.nsec3.example >delv.out$n || ret=1
- grep -E "a.wild.nsec3.example..*10.0.0.6" delv.out$n >/dev/null || ret=1
- grep -E "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking positive wildcard validation OPTOUT ($n)"
-ret=0
-dig_with_opts a.wild.optout.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts a.wild.optout.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n
-stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n
-digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)"
- delv_with_opts @10.53.0.4 a a.wild.optout.example >delv.out$n || ret=1
- grep "a.wild.optout.example..*10.0.0.6" delv.out$n >/dev/null || ret=1
- grep "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking negative validation NXDOMAIN NSEC ($n)"
-ret=0
-dig_with_opts +noauth q.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth q.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)"
- delv_with_opts @10.53.0.4 a q.example >delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking RRSIG covered type in negative cache entry ($n)"
-ret=0
-rndc_dumpdb ns4
-grep -F '; example. RRSIG NSEC ...' ns4/named_dump.db.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking negative validation NXDOMAIN NSEC3 ($n)"
-ret=0
-dig_with_opts +noauth q.nsec3.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth q.nsec3.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)"
- delv_with_opts @10.53.0.4 a q.nsec3.example >delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking negative validation NXDOMAIN OPTOUT ($n)"
-ret=0
-dig_with_opts +noauth q.optout.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth q.optout.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)"
- delv_with_opts @10.53.0.4 a q.optout.example >delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking negative validation NODATA NSEC ($n)"
-ret=0
-dig_with_opts +noauth a.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth a.example. @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)"
- delv_with_opts @10.53.0.4 txt a.example >delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking negative validation NODATA NSEC3 ($n)"
-ret=0
-dig_with_opts +noauth a.nsec3.example. \
- @10.53.0.3 txt >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.nsec3.example. \
- @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)"
- delv_with_opts @10.53.0.4 txt a.nsec3.example >delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking negative validation NODATA OPTOUT ($n)"
-ret=0
-dig_with_opts +noauth a.optout.example. \
- @10.53.0.3 txt >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.optout.example. \
- @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)"
- delv_with_opts @10.53.0.4 txt a.optout.example >delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking negative wildcard validation NSEC ($n)"
-ret=0
-dig_with_opts b.wild.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1
-dig_with_opts b.wild.example. @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking negative wildcard validation NSEC using dns_client ($n)"
- delv_with_opts @10.53.0.4 txt b.wild.example >delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking negative wildcard validation NSEC3 ($n)"
-ret=0
-dig_with_opts b.wild.nsec3.example. @10.53.0.3 txt >dig.out.ns3.test$n || ret=1
-dig_with_opts b.wild.nsec3.example. @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)"
- delv_with_opts @10.53.0.4 txt b.wild.nsec3.example >delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking negative wildcard validation OPTOUT ($n)"
-ret=0
-dig_with_opts b.wild.optout.example. \
- @10.53.0.3 txt >dig.out.ns3.test$n || ret=1
-dig_with_opts b.wild.optout.example. \
- @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)"
- delv_with_opts @10.53.0.4 txt b.optout.nsec3.example >delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-# Check the insecure.example domain
-
-echo_i "checking 1-server insecurity proof NSEC ($n)"
-ret=0
-dig_with_opts +noauth a.insecure.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.insecure.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)"
- delv_with_opts @10.53.0.4 a a.insecure.example >delv.out$n || ret=1
- grep "a.insecure.example..*10.0.0.1" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking 1-server insecurity proof NSEC3 ($n)"
-ret=0
-dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)"
- delv_with_opts @10.53.0.4 a a.insecure.nsec3.example >delv.out$n || ret=1
- grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking 1-server insecurity proof OPTOUT ($n)"
-ret=0
-dig_with_opts +noauth a.insecure.optout.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.insecure.optout.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)"
- delv_with_opts @10.53.0.4 a a.insecure.optout.example >delv.out$n || ret=1
- grep "a.insecure.optout.example..*10.0.0.1" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking 1-server negative insecurity proof NSEC ($n)"
-ret=0
-dig_with_opts q.insecure.example. a @10.53.0.3 \
- >dig.out.ns3.test$n || ret=1
-dig_with_opts q.insecure.example. a @10.53.0.4 \
- >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)"
- delv_with_opts @10.53.0.4 a q.insecure.example >delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking 1-server negative insecurity proof NSEC3 ($n)"
-ret=0
-dig_with_opts q.insecure.nsec3.example. a @10.53.0.3 \
- >dig.out.ns3.test$n || ret=1
-dig_with_opts q.insecure.nsec3.example. a @10.53.0.4 \
- >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)"
- delv_with_opts @10.53.0.4 a q.insecure.nsec3.example >delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking 1-server negative insecurity proof OPTOUT ($n)"
-ret=0
-dig_with_opts q.insecure.optout.example. a @10.53.0.3 \
- >dig.out.ns3.test$n || ret=1
-dig_with_opts q.insecure.optout.example. a @10.53.0.4 \
- >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)"
- delv_with_opts @10.53.0.4 a q.insecure.optout.example >delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking 1-server negative insecurity proof with SOA hack NSEC ($n)"
-ret=0
-dig_with_opts r.insecure.example. soa @10.53.0.3 \
- >dig.out.ns3.test$n || ret=1
-dig_with_opts r.insecure.example. soa @10.53.0.4 \
- >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)"
-ret=0
-dig_with_opts r.insecure.nsec3.example. soa @10.53.0.3 \
- >dig.out.ns3.test$n || ret=1
-dig_with_opts r.insecure.nsec3.example. soa @10.53.0.4 \
- >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)"
-ret=0
-dig_with_opts r.insecure.optout.example. soa @10.53.0.3 \
- >dig.out.ns3.test$n || ret=1
-dig_with_opts r.insecure.optout.example. soa @10.53.0.4 \
- >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-# Check the secure.example domain
-
-echo_i "checking multi-stage positive validation NSEC/NSEC ($n)"
-ret=0
-dig_with_opts +noauth a.secure.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.secure.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking mixed-case positive validation ($n)"
-ret=0
-for type in a txt aaaa loc; do
- dig_with_opts +noauth mixedcase.secure.example. \
- @10.53.0.3 $type >dig.out.$type.ns3.test$n || ret=1
- dig_with_opts +noauth mixedcase.secure.example. \
- @10.53.0.4 $type >dig.out.$type.ns4.test$n || ret=1
- digcomp --lc dig.out.$type.ns3.test$n dig.out.$type.ns4.test$n || ret=1
- grep "status: NOERROR" dig.out.$type.ns4.test$n >/dev/null || ret=1
- grep "flags:.*ad.*QUERY" dig.out.$type.ns4.test$n >/dev/null || ret=1
-done
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
-ret=0
-dig_with_opts +noauth a.nsec3.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.nsec3.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)"
-ret=0
-dig_with_opts +noauth a.optout.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.optout.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)"
-ret=0
-dig_with_opts +noauth a.secure.nsec3.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.secure.nsec3.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)"
-ret=0
-dig_with_opts +noauth a.nsec3.nsec3.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.nsec3.nsec3.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)"
-ret=0
-dig_with_opts +noauth a.optout.nsec3.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.optout.nsec3.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)"
-ret=0
-dig_with_opts +noauth a.secure.optout.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.secure.optout.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
-ret=0
-dig_with_opts +noauth a.nsec3.optout.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.nsec3.optout.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
-ret=0
-dig_with_opts +noauth a.optout.optout.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.optout.optout.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking empty NODATA OPTOUT ($n)"
-ret=0
-dig_with_opts +noauth empty.optout.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth empty.optout.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking positive validation with private algorithm works ($n)"
-ret=0
-dig_with_opts +noauth a.rsasha256oid.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.rsasha256oid.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking positive validation NSEC3 using dns_client ($n)"
- delv_with_opts @10.53.0.4 a a.nsec3.example >delv.out$n || ret=1
- grep "a.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1
- grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking positive validation with unknown private algorithm works ($n)"
-ret=0
-dig_with_opts +noauth a.unknownoid.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.unknownoid.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking positive validation with extra ds for private algorithm ($n)"
-ret=0
-dig_with_opts +noauth a.extradsoid.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.extradsoid.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking positive validation with extra ds for unknown private algorithm fails ($n)"
-ret=0
-dig_with_opts +noauth a.extradsunknownoid.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.extradsunknownoid.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
-grep "status: SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
-grep 'No DNSKEY for extradsunknownoid.example/DS with PRIVATEOID algorithm, tag [1-9][0-9]*$' ns4/named.run >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if $FEATURETEST --extended-ds-digest; then
- echo_i "checking positive validation with extra ds using extended digest type for unknown private algorithm succeeds ($n)"
- ret=0
- dig_with_opts +noauth a.extended-ds-unknown-oid.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
- dig_with_opts +noauth a.extended-ds-unknown-oid.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
- digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
- grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-# Check the bogus domain
-
-echo_i "checking failed validation ($n)"
-ret=0
-dig_with_opts a.bogus.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking failed validation using dns_client ($n)"
- delv_with_opts +cd @10.53.0.4 a a.bogus.example >delv.out$n 2>&1 || ret=1
- grep "resolution failed: RRSIG failed to verify" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-# Try validating with a bad trusted key.
-# This should fail.
-
-echo_i "checking that validation fails with a misconfigured trusted key ($n)"
-ret=0
-dig_with_opts example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1
-grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that negative validation fails with a misconfigured trusted key ($n)"
-ret=0
-dig_with_opts example. ptr @10.53.0.5 >dig.out.ns5.test$n || ret=1
-grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that insecurity proofs fail with a misconfigured trusted key ($n)"
-ret=0
-dig_with_opts a.insecure.example. a @10.53.0.5 >dig.out.ns5.test$n || ret=1
-grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that validation fails when key record is missing ($n)"
-ret=0
-dig_with_opts a.b.keyless.example. a @10.53.0.4 >dig.out.ns4.test$n || ret=1
-grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking that validation fails when key record is missing using dns_client ($n)"
- delv_with_opts +cd @10.53.0.4 a a.b.keyless.example >delv.out$n 2>&1 || ret=1
- grep "resolution failed: insecurity proof failed" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "checking that validation succeeds when a revoked key is encountered ($n)"
-ret=0
-dig_with_opts revkey.example soa @10.53.0.4 >dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags: .* ad" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-if [ -x "${DELV}" ]; then
- ret=0
- echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)"
- delv_with_opts +cd @10.53.0.4 soa revkey.example >delv.out$n 2>&1 || ret=1
- grep "fully validated" delv.out$n >/dev/null || ret=1
- n=$((n + 1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-fi
-
-echo_i "Checking that a bad CNAME signature is caught after a +CD query ($n)"
-ret=0
-#prime
-dig_with_opts +cd bad-cname.example. @10.53.0.4 >dig.out.ns4.prime$n || ret=1
-#check: requery with +CD. pending data should be returned even if it's bogus
-expect="a.example.
-10.0.0.1"
-ans=$(dig_with_opts +cd +nodnssec +short bad-cname.example. @10.53.0.4) || ret=1
-test "$ans" = "$expect" || ret=1
-test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'"
-#check: requery without +CD. bogus cached data should be rejected.
-dig_with_opts +nodnssec bad-cname.example. 
@10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "Checking that a bad DNAME signature is caught after a +CD query ($n)" -ret=0 -#prime -dig_with_opts +cd a.bad-dname.example. @10.53.0.4 >dig.out.ns4.prime$n || ret=1 -#check: requery with +CD. pending data should be returned even if it's bogus -expect="example. -a.example. -10.0.0.1" -ans=$(dig_with_opts +cd +nodnssec +short a.bad-dname.example. @10.53.0.4) || ret=1 -test "$ans" = "$expect" || ret=1 -test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'" -#check: requery without +CD. bogus cached data should be rejected. -dig_with_opts +nodnssec a.bad-dname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Check the insecure.secure.example domain (insecurity proof) - -echo_i "checking 2-server insecurity proof ($n)" -ret=0 -dig_with_opts +noauth a.insecure.secure.example. @10.53.0.2 a \ - >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth a.insecure.secure.example. @10.53.0.4 a \ - >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Check a negative response in insecure.secure.example - -echo_i "checking 2-server insecurity proof with a negative answer ($n)" -ret=0 -dig_with_opts q.insecure.secure.example. @10.53.0.2 a >dig.out.ns2.test$n \ - || ret=1 -dig_with_opts q.insecure.secure.example. 
@10.53.0.4 a >dig.out.ns4.test$n \ - || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking 2-server insecurity proof with a negative answer and SOA hack ($n)" -ret=0 -dig_with_opts r.insecure.secure.example. @10.53.0.2 soa >dig.out.ns2.test$n \ - || ret=1 -dig_with_opts r.insecure.secure.example. @10.53.0.4 soa >dig.out.ns4.test$n \ - || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Check that the query for a security root is successful and has ad set - -echo_i "checking security root query ($n)" -ret=0 -dig_with_opts . @10.53.0.4 key >dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Check that the setting the cd bit works - -echo_i "checking cd bit on a positive answer ($n)" -ret=0 -dig_with_opts +noauth example. soa @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -dig_with_opts +noauth +cdflag example. 
soa @10.53.0.5 \ - >dig.out.ns5.test$n || ret=1 -digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking cd bit on a negative answer ($n)" -ret=0 -dig_with_opts q.example. soa @10.53.0.4 >dig.out.ns4.test$n || ret=1 -dig_with_opts +cdflag q.example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1 -digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking insecurity proof works using negative cache ($n)" -ret=0 -rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_opts +cd @10.53.0.4 insecure.example. ds >dig.out.ns4.test$n.1 || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do - dig_with_opts @10.53.0.4 nonexistent.insecure.example. >dig.out.ns4.test$n.2 || ret=1 - if grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null; then - break - fi - sleep 1 -done -grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Should work with FIPS mode as we are only validating -echo_i "checking positive validation RSASHA1 NSEC ($n)" -ret=0 -if $FEATURETEST --rsasha1; then - dig_with_opts +noauth a.rsasha1.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 - dig_with_opts +noauth a.rsasha1.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 - digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -else - echo_i "skip: RSASHA1 not supported by OS" -fi -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Should work with FIPS mode as we are only validating -echo_i "checking positive validation RSASHA1 (1024 bits) NSEC ($n)" -ret=0 -if $FEATURETEST --rsasha1; then - dig_with_opts +noauth a.rsasha1-1024.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 - dig_with_opts +noauth a.rsasha1-1024.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 - digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -else - echo_i "skip: RSASHA1 not supported by OS" -fi -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive validation RSASHA256 NSEC ($n)" -ret=0 -dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.rsasha256.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive validation RSASHA512 NSEC ($n)" -ret=0 -dig_with_opts +noauth a.rsasha512.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.rsasha512.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive validation with KSK-only DNSKEY signature ($n)" -ret=0 -dig_with_opts +noauth a.kskonly.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.kskonly.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking cd bit on a query that should fail ($n)" -ret=0 -dig_with_opts a.bogus.example. soa @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -dig_with_opts +cdflag a.bogus.example. soa @10.53.0.5 \ - >dig.out.ns5.test$n || ret=1 -digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking cd bit on an insecurity proof ($n)" -ret=0 -dig_with_opts +noauth a.insecure.example. soa @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -dig_with_opts +noauth +cdflag a.insecure.example. soa @10.53.0.5 \ - >dig.out.ns5.test$n || ret=1 -digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - these are looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking cd bit on a negative insecurity proof ($n)" -ret=0 -dig_with_opts q.insecure.example. a @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -dig_with_opts +cdflag q.insecure.example. 
a @10.53.0.5 \ - >dig.out.ns5.test$n || ret=1 -digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - these are looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that validation of an ANY query works ($n)" -ret=0 -dig_with_opts +noauth foo.example. any @10.53.0.2 >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth foo.example. any @10.53.0.4 >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# 2 records in the zone, 1 NXT, 3 SIGs -grep "ANSWER: 6" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that validation of a query returning a CNAME works ($n)" -ret=0 -dig_with_opts +noauth cname1.example. txt @10.53.0.2 \ - >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth cname1.example. txt @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# the CNAME & its sig, the TXT and its SIG -grep "ANSWER: 4" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that validation of a query returning a DNAME works ($n)" -ret=0 -dig_with_opts +noauth foo.dname1.example. txt @10.53.0.2 \ - >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth foo.dname1.example. txt @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# The DNAME & its sig, the TXT and its SIG, and the synthesized CNAME. 
-# It would be nice to test that the CNAME is being synthesized by the -# recursive server and not cached, but I don't know how. -grep "ANSWER: 5" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that validation of an ANY query returning a CNAME works ($n)" -ret=0 -dig_with_opts +noauth cname2.example. any @10.53.0.2 \ - >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth cname2.example. any @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# The CNAME, NXT, and their SIGs -grep "ANSWER: 4" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that validation of an ANY query returning a DNAME works ($n)" -ret=0 -dig_with_opts +noauth foo.dname2.example. any @10.53.0.2 \ - >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth foo.dname2.example. any @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that lookups succeed after disabling an algorithm ($n)" -ret=0 -dig_with_opts +noauth example. SOA @10.53.0.2 \ - >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth example. SOA @10.53.0.6 \ - >dig.out.ns6.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns6.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking a non-cachable NODATA works ($n)" -ret=0 -dig_with_opts +noauth a.nosoa.secure.example. 
txt @10.53.0.7 \ - >dig.out.ns7.test$n || ret=1 -grep "AUTHORITY: 0" dig.out.ns7.test$n >/dev/null || ret=1 -dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking a non-cachable NXDOMAIN works ($n)" -ret=0 -dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.7 \ - >dig.out.ns7.test$n || ret=1 -grep "AUTHORITY: 0" dig.out.ns7.test$n >/dev/null || ret=1 -dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that we can load a rfc2535 signed zone ($n)" -ret=0 -dig_with_opts rfc2535.example. SOA @10.53.0.2 \ - >dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that we can transfer a rfc2535 signed zone ($n)" -ret=0 -dig_with_opts rfc2535.example. SOA @10.53.0.3 \ - >dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "basic dnssec-signzone checks:" -echo_ic "two DNSKEYs ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test1.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "two DNSKEYs, DNSKEY RRset only by KSK ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -s now-1mo -e now+2d -P -x -f signed.zone -O full -o example.com. 
test1.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "two DNSKEYs, DNSKEY RRset only by KSK, private key missing ($n)" -ret=0 -( - cd signer/general || exit 1 - cp signed.zone signed.expect - grep "example\.com\..*3600.*IN.*RRSIG.*DNSKEY.*10.*2.*3600.*28633.*example\.com\." signed.expect >dnskey.expect || exit 1 - mv Kexample.com.+010+28633.private Kexample.com.+010+28633.offline - $SIGNER -P -x -f signed.zone -O full -o example.com. signed.zone >signer.out.$n - mv Kexample.com.+010+28633.offline Kexample.com.+010+28633.private - grep "$(cat dnskey.expect)" signed.zone >/dev/null || exit 1 -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "one non-KSK DNSKEY ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test2.zone >signer.out.$n - test -f signed.zone -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "one KSK DNSKEY ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test3.zone >signer.out.$n - test -f signed.zone -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "three DNSKEY ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test4.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "three DNSKEY, one private key missing ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. 
test5.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "four DNSKEY ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test6.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "two DNSKEY, both private keys missing ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test7.zone >signer.out.$n - test -f signed.zone -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "two DNSKEY, one private key missing ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test8.zone >signer.out.$n - test -f signed.zone -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "check that 'dnssec-signzone -F' works with allowed algorithm ($n)" -ret=0 -if $FEATURETEST --fips-provider; then - ( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -F -f signed.zone -o example.com. test1.zone >signer.out.$n - test -f signed.zone - ) || ret=1 -else - echo_i "skipped no FIPS provider available" -fi -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "check that 'dnssec-signzone -F' failed with disallowed algorithm ($n)" -ret=0 -if ! $FEATURETEST --fips-provider; then - echo_i "skipped no FIPS provider available" -elif [ $RSASHA1_SUPPORTED = 0 ]; then - echo_i "skipped: RSASHA1 is not supported" -else - ( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -F -f signed.zone -o example.com. 
test11.zone >signer.out.$n 2>&1 && exit 1 - grep -F -e "fatal: No signing keys specified or found" \ - -e "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n >/dev/null - ) || ret=1 -fi -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "revoked KSK ID collides with ZSK ($n)" -ret=0 -# signing should fail, but should not coredump -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -S -f signed.zone -o . test12.zone >signer.out.$n -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -f signed.zone -3 - -H 51 -o example.com. test9.zone >signer.out.$n - test -f signed.zone -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "check that dnssec-signzone -J loads journal files ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $MAKEJOURNAL example.com. test9.zone test10.zone test9.zone.jnl - $SIGNER -f signed.zone -o example.com. -J test9.zone.jnl test9.zone >signer.out.$n - grep -q extra signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "check that dnssec-signzone accepts maximum NSEC3 iterations ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -f signed.zone -3 - -H 50 -o example.com. test9.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -get_default_algorithm_key_ids_from_sigs() { - zone=$1 - - awk -v alg=$DEFAULT_ALGORITHM_NUMBER ' - NF < 8 { next } - $(NF-5) != "RRSIG" { next } - $(NF-3) != alg { next } - $NF != "(" { next } - { - getline; - print $3; - } - ' signer/$zone.db.signed | sort -u -} - -# Test dnssec-signzone ZSK prepublish smooth rollover. 
-echo_i "check dnssec-signzone doesn't sign with prepublished zsk ($n)" -ret=0 -zone=prepub -# Generate keys. -ksk=$("$KEYGEN" -K signer -f KSK -q -a $DEFAULT_ALGORITHM "$zone") -zsk1=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone") -zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone") -zskid1=$(keyfile_to_key_id "$zsk1") -zskid2=$(keyfile_to_key_id "$zsk2") -( - cd signer || exit 1 - # Set times such that the current set of keys are introduced 60 days ago and - # start signing now. The successor key is prepublished now and will be active - # next day. - $SETTIME -P now-60d -A now $ksk >/dev/null - $SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 >/dev/null - $SETTIME -S $zsk1 -i 1h $zsk2.key >/dev/null - $SETTIME -P now -A now+1d $zsk2.key >/dev/null - # Sign the zone with initial keys and prepublish successor. The zone signatures - # are valid for 30 days and the DNSKEY signature is valid for 60 days. - cp -f $zone.db.in $zone.db - $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null - echo "\$INCLUDE \"$zone.db.signed\"" >>$zone.db -) -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed: missing signatures from key $zskid1" -status=$((status + ret)) - -echo_i "check dnssec-signzone retains signatures of predecessor zsk ($n)" -ret=0 -zone=prepub -( - cd signer || exit 1 - # Roll the ZSK. The predecessor is inactive from now on and the successor is - # activated. The zone signatures are valid for 30 days and the DNSKEY - # signature is valid for 60 days. Because of the predecessor/successor - # relationship, the signatures of the predecessor are retained and no new - # signatures with the successor should be generated. 
- $SETTIME -A now-30d -I now -D now+30d $zsk1 >/dev/null - $SETTIME -A now $zsk2 >/dev/null - $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null -) -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check dnssec-signzone swaps zone signatures after interval ($n)" -ret=0 -zone=prepub -( - cd signer || exit 1 - # After some time the signatures should be replaced. When signing, set the - # interval to 30 days plus one second, meaning all predecessor signatures - # are within the refresh interval and should be replaced with successor - # signatures. - $SETTIME -A now-50d -I now-20d -D now+10d $zsk1 >/dev/null - $SETTIME -A now-20d $zsk2 >/dev/null - $SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db >/dev/null -) -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)" -ret=0 -zone=example -# If dnssec-keygen fails, the test script will exit immediately. Prevent that -# from happening, and also trigger a test failure if dnssec-keygen unexpectedly -# succeeds, by using "&& ret=1". 
-$KEYGEN -a 255 $zone >dnssectools.out.test$n 2>&1 && ret=1 -grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a DS record cannot be generated for a key using an unsupported algorithm ($n)" -ret=0 -zone=example -# Fake an unsupported algorithm key -unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp -mv ${unsupportedkey}.tmp ${unsupportedkey}.key -# If dnssec-dsfromkey fails, the test script will exit immediately. Prevent -# that from happening, and also trigger a test failure if dnssec-dsfromkey -# unexpectedly succeeds, by using "&& ret=1". -$DSFROMKEY ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1 -grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)" -ret=0 -ret=0 -cat signer/example.db.in "${unsupportedkey}.key" >signer/example.db -# If dnssec-signzone fails, the test script will exit immediately. Prevent that -# from happening, and also trigger a test failure if dnssec-signzone -# unexpectedly succeeds, by using "&& ret=1". 
-$SIGNER -o example signer/example.db ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1 -grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that we can sign a zone with out-of-zone records ($n)" -ret=0 -zone=example -key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) -key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) -( - cd signer || exit 1 - cat example.db.in "$key1.key" "$key2.key" >example.db - $SIGNER -o example -f example.db example.db >/dev/null -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)" -ret=0 -zone=example -key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) -key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) -( - cd signer || exit 1 - cat example.db.in "$key1.key" "$key2.key" >example.db - $SIGNER -3 - -H 10 -o example -f example.db example.db >/dev/null - awk '/^IQF9LQTLK/ { - printf("%s", $0); - while (!index($0, ")")) { - if (getline <= 0) - break; - printf (" %s", $0); - } - printf("\n"); - }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out - - grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 
0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)" -ret=0 -zone=example -key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) -key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) -( - cd signer || exit 1 - cat example.db.in "$key1.key" "$key2.key" >example3.db - echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >>example3.db - $SIGNER -3 - -A -H 10 -o example -f example3.db example3.db >/dev/null - awk '/^IQF9LQTLK/ { - printf("%s", $0); - while (!index($0, ")")) { - if (getline <= 0) - break; - printf (" %s", $0); - } - printf("\n"); - }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out - - grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)" -ret=0 -zone=example -key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) -key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) -( - cd signer || exit 1 - cat example.db.in "$key1.key" "$key2.key" >example.db - $SIGNER -o example -f example.db.before example.db >/dev/null - sed 's/60.IN.SOA./50 IN SOA /' example.db.before >example.db.changed - $SIGNER -o example -f example.db.after example.db.changed >/dev/null -) -grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)" -ret=0 -zone=example -key1=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) -key2=$($KEYGEN -K 
signer -q -a $DEFAULT_ALGORITHM $zone) -keyid2=$(keyfile_to_key_id "$key2") -key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) -keyid3=$(keyfile_to_key_id "$key3") -( - cd signer || exit 1 - cat example.db.in "$key1.key" "$key2.key" >example.db - $SIGNER -D -o example example.db >/dev/null - - # now switch out key2 for key3 and resign the zone - cat example.db.in "$key1.key" "$key3.key" >example.db - echo "\$INCLUDE \"example.db.signed\"" >>example.db - $SIGNER -D -o example example.db >/dev/null -) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -RD -o example example.db >/dev/null -) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone keeps valid signatures from inactive keys ($n)" -ret=0 -zone=example -( - cd signer || exit 1 - cp -f example.db.in example.db - $SIGNER -SD -o example example.db >/dev/null - echo "\$INCLUDE \"example.db.signed\"" >>example.db - # now retire key2 and resign the zone - $SETTIME -I now "$key2" >/dev/null 2>&1 - $SIGNER -SD -o example example.db >/dev/null -) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -SDQ -o example example.db 
>/dev/null -) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone retains unexpired signatures ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -Sxt -o example example.db >signer.out.1 - $SIGNER -Sxt -o example -f example.db.signed example.db.signed >signer.out.2 -) || ret=1 -gen1=$(awk '/generated/ {print $3}' signer/signer.out.1) -retain1=$(awk '/retained/ {print $3}' signer/signer.out.1) -gen2=$(awk '/generated/ {print $3}' signer/signer.out.2) -retain2=$(awk '/retained/ {print $3}' signer/signer.out.2) -drop2=$(awk '/dropped/ {print $3}' signer/signer.out.2) -[ "$retain2" -eq $((gen1 + retain1)) ] || ret=1 -[ "$gen2" -eq 0 ] || ret=1 -[ "$drop2" -eq 0 ] || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)" -ret=0 -( - cd signer || exit 1 - # remove NSEC-only keys - rm -f Kexample.+005* - cp -f example.db.in example2.db - cat <>example2.db -sub1.example. IN A 10.53.0.1 -ns.sub2.example. IN A 10.53.0.2 -EOF - echo "\$INCLUDE \"example2.db.signed\"" >>example2.db - touch example2.db.signed - $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null -) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 -( - cd signer || exit 1 - cp -f example.db.in example2.db - cat <>example2.db -sub1.example. IN NS sub1.example. -sub1.example. IN A 10.53.0.1 -sub2.example. IN NS ns.sub2.example. -ns.sub2.example. 
IN A 10.53.0.2 -EOF - echo "\$INCLUDE \"example2.db.signed\"" >>example2.db - $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null -) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)" -ret=0 -( - cd signer || exit 1 - rm -f example2.db.signed - cp -f example.db.in example2.db - cat <>example2.db -sub1.example. IN A 10.53.0.1 -ns.sub2.example. IN A 10.53.0.2 -EOF - echo "\$INCLUDE \"example2.db.signed\"" >>example2.db - touch example2.db.signed - $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null -) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 -( - cd signer || exit 1 - cp -f example.db.in example2.db - cat <>example2.db -sub1.example. IN NS sub1.example. -sub1.example. IN A 10.53.0.1 -sub2.example. IN NS ns.sub2.example. -ns.sub2.example. 
IN A 10.53.0.2 -EOF - echo "\$INCLUDE \"example2.db.signed\"" >>example2.db - $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null -) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone output format ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -O full -f - -Sxt -o example example.db >signer.out.3 2>/dev/null - $SIGNER -O text -f - -Sxt -o example example.db >signer.out.4 2>/dev/null - $SIGNER -O raw -f signer.out.5 -Sxt -o example example.db >/dev/null - $SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db >/dev/null - $SIGNER -O raw -f - -Sxt -o example example.db >signer.out.7 2>/dev/null -) || ret=1 -awk 'BEGIN { found = 0; } - $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 11) exit(1); } - END { if (!found) exit(1); }' signer/signer.out.3 || ret=1 -awk 'BEGIN { found = 0; } - $1 == "example." 
&& $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 7) exit(1); } - END { if (!found) exit(1); }' signer/signer.out.4 || ret=1 -israw1 signer/signer.out.5 || ret=1 -israw0 signer/signer.out.6 || ret=1 -israw1 signer/signer.out.7 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking TTLs are capped by dnssec-signzone -M ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db >/dev/null -) || ret=1 -awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -N date ($n)" -ret=0 -( - cd signer || exit 1 - TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db >/dev/null -) || ret=1 -# shellcheck disable=SC2016 -now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];') -serial=$(awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9) -[ "$now" -eq "$serial" ] || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G ($n)" -ret=0 -( - cd signer || exit 1 - $SETTIME -P ds now -P sync now "$key1" >/dev/null - $SIGNER -G "cdnskey,cds:sha384" -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (default) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test 
$(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (empty) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "" -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (no CDNSKEY) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cds:sha-256,cds:sha384" -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (no CDS) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cdnskey" -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (suppress duplicates) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G 
"cdnskey,cds:sha256,cds:sha256,cdnskey" -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (bad argument) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cdnskey,foobar" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 - grep "digest must specify cds:algorithm ('foobar')" signer.err.$n >/dev/null || ret=1 -) -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (bad digest - name) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cdnskey,cds:foobar" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 - grep "bad digest 'cds:foobar'" signer.err.$n >/dev/null || ret=1 -) -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (bad digest - number) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cdnskey,cds:256" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 - grep "bad digest 'cds:256': out of range" signer.err.$n >/dev/null || ret=1 -) -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (unsupported digest - name) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cdnskey,cds:gost" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 - grep "unsupported digest 'cds:gost'" signer.err.$n >/dev/null || ret=1 -) -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (unsupported digest - number) ($n)" 
-ret=0 -( - cd signer || exit 1 - $SIGNER -G "cdnskey,cds:200" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 - grep "unsupported digest 'cds:200'" signer.err.$n >/dev/null || ret=1 -) -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking validated data are not cached longer than originalttl ($n)" -ret=0 -dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -grep "3600.IN" dig.out.ns3.test$n >/dev/null || ret=1 -grep "300.IN" dig.out.ns3.test$n >/dev/null && ret=1 -grep "300.IN" dig.out.ns4.test$n >/dev/null || ret=1 -grep "3600.IN" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Test that "rndc secroots" is able to dump trusted keys -echo_i "checking rndc secroots ($n)" -ret=0 -keyid=$(cat ns1/managed.key.id) -rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i -cp ns4/named.secroots named.secroots.test$n -check_secroots_layout named.secroots.test$n || ret=1 -linecount=$(grep -c "./$DEFAULT_ALGORITHM/$keyid ; static" named.secroots.test$n || true) -[ "$linecount" -eq 1 ] || ret=1 -linecount=$(wc /dev/null || ret=1 -ans=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.4 rrsig) || ret=1 -expect=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep -E '^(A|NSEC)') || ret=1 -test "$ans" = "$expect" || ret=1 -# also check that RA is set -dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 rrsig >dig.out.ns4.test$n || ret=1 -grep "flags:.*ra.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Check direct query for RRSIG: If it's not cached with other records, -# it should result in an empty response. 
-echo_i "checking RRSIG query not in cache ($n)" -ret=0 -ans=$(dig_with_opts +short rrsigonly.secure.example. @10.53.0.4 rrsig) || ret=1 -test -z "$ans" || ret=1 -# also check that RA is cleared -dig_with_opts rrsigonly.secure.example. @10.53.0.4 rrsig >dig.out.ns4.test$n || ret=1 -grep "flags:.*ra.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# -# RT21868 regression test. -# -echo_i "checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters ($n)" -ret=0 -dig_with_opts non-exist.badparam. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# -# RT22007 regression test. -# -echo_i "checking optout NSEC3 referral with only insecure delegations ($n)" -ret=0 -dig_with_opts +norec delegation.single-nsec3. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)" -ret=0 -dig_with_opts +norec nonexist.single-nsec3. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" - -status=$((status + ret)) -echo_i "checking optout NSEC3 nodata with only insecure delegations ($n)" -ret=0 -dig_with_opts +norec single-nsec3. 
@10.53.0.2 a >dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a zone finishing the transition from $ALTERNATIVE_ALGORITHM to $DEFAULT_ALGORITHM validates secure ($n)" -ret=0 -dig_with_opts ns algroll. @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking validate-except in an insecure local domain ($n)" -ret=0 -dig_with_opts ns www.corp @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive and negative validation with negative trust anchors ($n)" -ret=0 - -# -# check correct initial behavior -# -dig_with_opts a.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.1 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.1 >/dev/null || ret=1 -dig_with_opts badds.example. soa @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null || ret=1 -dig_with_opts a.secure.example. 
a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null || ret=1 - -if [ "$ret" -ne 0 ]; then echo_i "failed - checking initial state"; fi -status=$((status + ret)) -ret=0 - -# -# add negative trust anchors -# -rndccmd 10.53.0.4 nta -f -l 20s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i -# reconfig should maintain NTAs -rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 -lines=$(wc -l &1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta fakenode.secure.example 2>&1 | sed 's/^/ns4 /' | cat_i -# reload should maintain NTAs -rndc_reload ns4 10.53.0.4 -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.2 -lines=$(wc -l dig.out.ns4.test$n.4 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.4 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 >/dev/null && ret=1 -dig_with_opts badds.example. soa @10.53.0.4 >dig.out.ns4.test$n.5 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.5 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.5 >/dev/null && ret=1 -dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.6 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.6 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.6 >/dev/null && ret=1 -dig_with_opts a.fakenode.secure.example. 
a @10.53.0.4 >dig.out.ns4.test$n.7 || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.7 >/dev/null && ret=1 -echo_i "dumping secroots" -rndccmd 10.53.0.4 secroots | sed 's/^/ns4 /' | cat_i -cp ns4/named.secroots named.secroots.test$n -check_secroots_layout named.secroots.test$n || ret=1 -grep "bogus.example: expiry" named.secroots.test$n >/dev/null || ret=1 -grep "badds.example: expiry" named.secroots.test$n >/dev/null || ret=1 -grep "secure.example: expiry" named.secroots.test$n >/dev/null || ret=1 -grep "fakenode.secure.example: expiry" named.secroots.test$n >/dev/null || ret=1 - -if [ "$ret" -ne 0 ]; then echo_i "failed - with NTA's in place failed"; fi -status=$((status + ret)) -ret=0 - -echo_i "waiting for NTA rechecks/expirations" - -# -# secure.example and badds.example used default nta-duration -# (configured as 12s in ns4/named1.conf), but nta recheck interval -# is configured to 9s, so at t=10 the NTAs for secure.example and -# fakenode.secure.example should both be lifted, but badds.example -# should still be going. -# -# shellcheck disable=SC2016 -$PERL -e 'my $delay = '"$start"' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' -dig_with_opts b.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.8 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.8 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.8 >/dev/null || ret=1 -dig_with_opts b.fakenode.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.9 || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.9 >/dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n.9 >/dev/null || ret=1 -dig_with_opts badds.example. 
soa @10.53.0.4 >dig.out.ns4.test$n.10 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.10 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.10 >/dev/null && ret=1 - -if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to recheck"; fi -status=$((status + ret)) -ret=0 - -# -# bogus.example was set to expire in 20s, so at t=13 -# it should still be NTA'd, but badds.example used the default -# lifetime of 12s, so it should revert to SERVFAIL now. -# -# shellcheck disable=SC2016 -$PERL -e 'my $delay = '"$start"' + 13 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' -# check nta table -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n._11 -lines=$(grep -c " expiry " rndc.out.ns4.test$n._11 || true) -[ "$lines" -le 2 ] || ret=1 -grep "bogus.example/_default: expiry" rndc.out.ns4.test$n._11 >/dev/null || ret=1 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n._11 >/dev/null && ret=1 -dig_with_opts b.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.11 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.11 >/dev/null && ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.12 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.12 >/dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.12 >/dev/null && ret=1 -dig_with_opts c.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.13 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.13 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.13 >/dev/null || ret=1 - -if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to lifetime"; fi -status=$((status + ret)) -ret=0 - -# -# at t=21, all the NTAs should have expired. -# -# shellcheck disable=SC2016 -$PERL -e 'my $delay = '"$start"' + 21 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' -# check correct behavior after bogus.example expiry -dig_with_opts d.secure.example. 
a @10.53.0.4 >dig.out.ns4.test$n.14 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.14 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.14 >/dev/null || ret=1 -dig_with_opts c.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.15 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.15 >/dev/null || ret=1 -# check nta table has been cleaned up now -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 -lines=$(grep -c " expiry " rndc.out.ns4.test$n.3 || true) -[ "$lines" -eq 0 ] || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed - checking that all nta's have been lifted"; fi -status=$((status + ret)) -ret=0 - -echo_i "testing NTA removals ($n)" -rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n.1 >/dev/null || ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.1 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.1 >/dev/null && ret=1 -grep "^a.badds.example." dig.out.ns4.test$n.1 >/dev/null || ret=1 -rndccmd 10.53.0.4 nta -remove badds.example >rndc.out.ns4.test$n.2 -grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 >/dev/null || ret=1 -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n.3 >/dev/null && ret=1 -dig_with_opts a.badds.example. 
a @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null || ret=1 -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) -ret=0 - -echo_i "remove non-existent NTA three times" -rndccmd 10.53.0.4 nta -r foo >rndc.out.ns4.test$n.4 2>&1 -rndccmd 10.53.0.4 nta -remove foo >rndc.out.ns4.test$n.5 2>&1 -rndccmd 10.53.0.4 nta -r foo >rndc.out.ns4.test$n.6 2>&1 -grep "not found" rndc.out.ns4.test$n.6 >/dev/null || ret=1 -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) -ret=0 - -n=$((n + 1)) -echo_i "testing NTA with bogus lifetimes ($n)" -echo_i "check with no nta lifetime specified" -rndccmd 10.53.0.4 nta -l "" foo >rndc.out.ns4.test$n.1 2>&1 || true -grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.1 >/dev/null || ret=1 -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) -ret=0 - -echo_i "check with bad nta lifetime" -rndccmd 10.53.0.4 nta -l garbage foo >rndc.out.ns4.test$n.2 2>&1 || true -grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 >/dev/null || ret=1 -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) -ret=0 - -echo_i "check with too long nta lifetime" -rndccmd 10.53.0.4 nta -l 7d1h foo >rndc.out.ns4.test$n.3 2>&1 || true -grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 >/dev/null || ret=1 -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) -ret=0 - -# -# check NTA persistence across restarts -# -n=$((n + 1)) -echo_i "testing NTA persistence across restarts ($n)" -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 -lines=$(grep -c " expiry " rndc.out.ns4.test$n.1 || true) -[ "$lines" -eq 0 ] || ret=1 -rndccmd 10.53.0.4 nta -f -l 30s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -f -l 10s badds.example 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.2 -lines=$(grep -c " expiry " rndc.out.ns4.test$n.2 || true) -[ "$lines" -eq 2 ] || ret=1 -# shellcheck disable=SC2016 -start=$($PERL -e 'print time()."\n";') 
- -if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: adding NTA's failed"; fi -status=$((status + ret)) -ret=0 - -echo_i "killing ns4 with SIGTERM" -kill -TERM "$(cat ns4/named.pid)" -rm -f ns4/named.pid - -# -# ns4 has now shutdown. wait until t=14 when badds.example's NTA -# (lifetime=10s) would have expired, and then restart ns4. -# -echo_i "waiting till 14s have passed since NTAs were added before restarting ns4" -# shellcheck disable=SC2016 -$PERL -e 'my $delay = '"$start"' + 14 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' - -if - start_server --noclean --restart --port "$PORT" ns4 -then - echo_i "restarted server ns4" -else - echo_i "could not restart server ns4" - exit 1 -fi - -echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" -sleep 4 - -# -# ns4 should be back up now. The NTA for bogus.example should still be -# valid, whereas badds.example should not have been added during named -# startup (as it had already expired), the fact that it's ignored should -# be logged. -# -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 -lines=$(wc -l /dev/null || ret=1 -dig_with_opts b.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.4 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.4 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 >/dev/null && ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.5 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.5 >/dev/null || ret=1 -grep "ignoring expired NTA at badds.example" ns4/named.run >/dev/null || ret=1 - -# cleanup -rndccmd 10.53.0.4 nta -remove bogus.example >rndc.out.ns4.test$n.6 - -if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: restoring NTA failed"; fi -status=$((status + ret)) -ret=0 - -# -# check "regular" attribute in NTA file works as expected at named -# startup. 
-# -n=$((n + 1)) -echo_i "testing loading regular attribute from NTA file ($n)" -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 >/dev/null || ret=1 - -echo_i "killing ns4 with SIGTERM" -kill -TERM "$(cat ns4/named.pid)" -rm -f ns4/named.pid - -echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown" -sleep 4 - -# -# ns4 has now shutdown. add NTA for secure.example. directly into the -# _default.nta file with the regular attribute and some future timestamp. -# -future="$(($(date +%Y) + 20))0101010000" -echo "secure.example. regular $future" >ns4/_default.nta -# shellcheck disable=SC2016 -start=$($PERL -e 'print time()."\n";') - -if - start_server --noclean --restart --port "$PORT" ns4 -then - echo_i "restarted server ns4" -else - echo_i "could not restart server ns4" - exit 1 -fi - -# nta-recheck is configured as 9s, so at t=12 the NTAs for -# secure.example. should be lifted as it is not a forced NTA. -echo_i "waiting till 12s have passed after ns4 was restarted" -# shellcheck disable=SC2016 -$PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' - -# secure.example. should now return an AD=1 answer (still validates) as -# the NTA has been lifted. -dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null || ret=1 - -# cleanup -rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.4 2>/dev/null - -if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading regular NTAs failed"; fi -status=$((status + ret)) -ret=0 - -# -# check "forced" attribute in NTA file works as expected at named -# startup. 
-# -n=$((n + 1)) -echo_i "testing loading forced attribute from NTA file ($n)" -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 >/dev/null || ret=1 - -echo_i "killing ns4 with SIGTERM" -kill -TERM "$(cat ns4/named.pid)" -rm -f named.pid - -echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown" -sleep 4 - -# -# ns4 has now shutdown. add NTA for secure.example. directly into the -# _default.nta file with the forced attribute and some future timestamp. -# -echo "secure.example. forced $future" >ns4/_default.nta -start=$($PERL -e 'print time()."\n";') - -if - start_server --noclean --restart --port "$PORT" ns4 -then - echo_i "restarted server ns4" -else - echo_i "could not restart server ns4" - exit 1 -fi - -# nta-recheck is configured as 9s, but even at t=12 the NTAs for -# secure.example. should not be lifted as it is a forced NTA. -echo_i "waiting till 12s have passed after ns4 was restarted" -# shellcheck disable=SC2016 -$PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' - -# secure.example. should now return an AD=0 answer (non-authenticated) -# as the NTA is still there. -dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null && ret=1 - -# cleanup -rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.4 2>/dev/null - -if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading forced NTAs failed"; fi -status=$((status + ret)) -ret=0 - -# -# check that NTA lifetime read from file is clamped to 1 week. 
-# -n=$((n + 1)) -echo_i "testing loading out of bounds lifetime from NTA file ($n)" - -echo_i "killing ns4 with SIGTERM" -kill -TERM "$(cat ns4/named.pid)" -rm -f ns4/named.pid - -echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown" -sleep 4 - -# -# ns4 has now shutdown. add NTA for secure.example. directly into the -# _default.nta file with a lifetime well into the future. -# -echo "secure.example. forced $future" >ns4/_default.nta -added=$($PERL -e 'print time()."\n";') - -if - start_server --noclean --restart --port "$PORT" ns4 -then - echo_i "restarted server ns4" -else - echo_i "could not restart server ns4" - exit 1 -fi - -echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" -sleep 4 - -# dump the NTA to a file (omit validate-except entries) -echo_i "testing 'rndc nta -d' with NTA" -rndccmd 10.53.0.4 nta -d | grep -v ": permanent" >rndc.out.ns4.test$n.1 2>/dev/null -# "corp" is configured as a validate-except domain and thus should be -# removed by the grep -v above. only "secure.example" should appear in -# the dump. -lines=$(wc -l /dev/null || ret=1 -ts=$(awk '{print $3" "$4}' rndc.out.ns4.test$n.2 -echo "ts_with_zone=$ts_with_zone" >>rndc.out.ns4.test$n.2 -echo "added=$added" >>rndc.out.ns4.test$n.2 -if $PERL -e 'use Time::Piece; use Time::Seconds;' 2>/dev/null; then - # ntadiff.pl computes $ts_with_zone - ($added + 1week) - d=$($PERL ./ntadiff.pl "$ts_with_zone" "$added") - echo "d=$d" >>rndc.out.ns4.test$n.2 - # diff from $added(now) + 1week to the clamped NTA lifetime should be - # less than a few seconds (handle daylight saving changes by adding 3600). - [ "$d" -lt 3610 ] || ret=1 -else - echo_i "skipped ntadiff test; install PERL module Time::Piece" -fi - -echo_i "testing 'rndc nta' lifetime clamping" -rndccmd 10.53.0.4 nta -d | grep ": permanent" >rndc.out.ns4.test$n.1 2>/dev/null -# "corp" is configured as a validate-except domain and thus should be -# the only entry in the dump. 
-lines=$(wc -l /dev/null || ret=1 - -# cleanup -rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.3 2>/dev/null - -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "testing 'rndc nta -d' displays validate-except entries" -rndccmd 10.53.0.4 nta -d | grep ": permanent" >rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l /dev/null || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "checking that NTAs work with 'forward only;' to a validating resolver ($n)" -ret=0 -# Sanity check behavior without an NTA in place. -dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.1 || ret=1 -grep "SERVFAIL" dig.out.ns9.test$n.1 >/dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns9.test$n.1 >/dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.1 >/dev/null && ret=1 -# Add an NTA, expecting that to cause resolution to succeed. -rndccmd 10.53.0.9 nta badds.example >rndc.out.ns9.test$n.1 2>&1 || ret=1 -dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.2 || ret=1 -grep "NOERROR" dig.out.ns9.test$n.2 >/dev/null || ret=1 -grep "ANSWER: 2" dig.out.ns9.test$n.2 >/dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.2 >/dev/null && ret=1 -# Remove the NTA, expecting that to cause resolution to fail again. -rndccmd 10.53.0.9 nta -remove badds.example >rndc.out.ns9.test$n.2 2>&1 || ret=1 -dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.3 || ret=1 -grep "SERVFAIL" dig.out.ns9.test$n.3 >/dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns9.test$n.3 >/dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.3 >/dev/null && ret=1 -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "completed NTA tests" - -# Run a minimal update test if possible. This is really just -# a regression test for RT #2399; more tests should be added. 
-
-if $PERL -e 'use Net::DNS;' 2>/dev/null; then
- echo_i "running DNSSEC update test"
- ret=0
- {
- output=$($PERL dnssec_update_test.pl -s 10.53.0.3 -p "$PORT" dynamic.example.)
- rc=$?
- } || true
- test "$rc" -eq 0 || ret=1
- echo "$output" | cat_i
- [ $ret -eq 1 ] && status=1
-else
- echo_i "The DNSSEC update test requires the Net::DNS library." >&2
-fi
-
-n=$((n + 1))
-echo_i "checking managed key maintenance has not started yet ($n)"
-ret=0
-[ -f "ns4/managed-keys.bind.jnl" ] && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-# Reconfigure caching server to use "dnssec-validation auto", and repeat
-# some of the DNSSEC validation tests to ensure that it works correctly.
-# Also setup a placeholder managed-keys zone to check if named can process it
-# correctly.
-echo_i "switching to automatic root key configuration"
-cp ns4/managed-keys.bind.in ns4/managed-keys.bind
-copy_setports ns4/named2.conf.in ns4/named.conf
-rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
-sleep 5
-
-echo_i "checking managed key maintenance timer has now started ($n)"
-ret=0
-[ -f "ns4/managed-keys.bind.jnl" ] || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking positive validation NSEC ($n)"
-ret=0
-dig_with_opts +noauth a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking positive validation NSEC3 ($n)"
-ret=0
-dig_with_opts +noauth a.nsec3.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.nsec3.example. 
\
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking positive validation OPTOUT ($n)"
-ret=0
-dig_with_opts +noauth a.optout.example. \
- @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.optout.example. \
- @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking negative validation ($n)"
-ret=0
-dig_with_opts +noauth q.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth q.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that root DS queries validate ($n)"
-ret=0
-dig_with_opts +noauth . @10.53.0.1 ds >dig.out.ns1.test$n || ret=1
-dig_with_opts +noauth . 
@10.53.0.4 ds >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns1.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that DS at a RFC 1918 empty zone lookup succeeds ($n)"
-ret=0
-dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.4 >dig.out.ns6.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
-grep "status: NOERROR" dig.out.ns6.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)"
-ret=0
-dig_with_opts +noauth expired.example. +dnssec @10.53.0.3 soa >dig.out.ns3.test$n || ret=1
-grep "RRSIG.SOA" dig.out.ns3.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-
-status=$((status + ret))
-echo_i "checking expired signatures do not validate ($n)"
-ret=0
-dig_with_opts +noauth expired.example. +dnssec @10.53.0.4 soa >dig.out.ns4.test$n || ret=1
-grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-grep "expired.example/.*: RRSIG has expired" ns4/named.run >/dev/null || ret=1
-grep "; EDE: 7 (Signature Expired): (expired.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-status=$((status + ret))
-echo_i "checking signatures in the future do not validate ($n)"
-ret=0
-dig_with_opts +noauth future.example. 
+dnssec @10.53.0.4 soa >dig.out.ns4.test$n || ret=1
-grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-grep "future.example/.*: RRSIG validity period has not begun" ns4/named.run >/dev/null || ret=1
-grep "; EDE: 8 (Signature Not Yet Valid): (future.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)"
-ret=0
-(
- kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example)
- (
- echo zone update-nsec3.example
- echo server 10.53.0.3 "$PORT"
- grep DNSKEY "${kskname}.key" | sed -e 's/^/update add /' -e 's/IN/300 IN/'
- echo send
- ) | $NSUPDATE
-)
-dig_with_opts +dnssec a update-nsec3.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1
-grep "NSEC3 1 0 0 - .*" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that the NSEC record is properly generated when DNSKEY are added by dnssec-policy ($n)"
-ret=0
-dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1
-grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added by dnssec-policy ($n)"
-ret=0
-dig_with_opts +dnssec a auto-nsec3.example. 
@10.53.0.4 >dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1
-grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that signing records have been marked as complete ($n)"
-ret=0
-checkprivate dynamic.example 10.53.0.3 || ret=1
-checkprivate auto-nsec3.example 10.53.0.3 || ret=1
-checkprivate expiring.example 10.53.0.3 || ret=1
-checkprivate auto-nsec.example 10.53.0.3 || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that 'rndc signing' without arguments is handled ($n)"
-ret=0
-rndccmd 10.53.0.3 signing >/dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that 'rndc signing -list' without zone is handled ($n)"
-ret=0
-rndccmd 10.53.0.3 signing -list >/dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that 'rndc signing -clear' without additional arguments is handled ($n)"
-ret=0
-rndccmd 10.53.0.3 signing -clear >/dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that 'rndc signing -clear all' without zone is handled ($n)"
-ret=0
-rndccmd 10.53.0.3 signing -clear all >/dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check rndc signing -list output ($n)"
-ret=0
-{ rndccmd 10.53.0.3 signing -list dynamic.example >signing.out.dynamic.example; } 2>&1
-grep -q "No signing records found" signing.out.dynamic.example || {
- ret=1
- sed 's/^/ns3 /' 
signing.out.dynamic.example | cat_i
-}
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that a insecure zone beneath a cname resolves ($n)"
-ret=0
-dig_with_opts soa insecure.below-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that a secure zone beneath a cname resolves ($n)"
-ret=0
-dig_with_opts soa secure.below-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-my_dig() {
- "$DIG" +noadd +nosea +nostat +noquest +nocomm +nocmd -p "$PORT" @10.53.0.4 "$@"
-}
-
-echo_i "checking DNSKEY query with no data still gets put in cache ($n)"
-ret=0
-firstVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }')
-sleep 1
-secondVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }')
-if [ "${firstVal:-0}" -eq "${secondVal:-0}" ]; then
- sleep 1
- thirdVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }')
- if [ "${firstVal:-0}" -eq "${thirdVal:-0}" ]; then
- echo_i "cannot confirm query answer still in cache"
- ret=1
- fi
-fi
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that a split dnssec dnssec-signzone work ($n)"
-ret=0
-dig_with_opts soa split-dnssec.example. 
@10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that a smart split dnssec dnssec-signzone work ($n)" -ret=0 -dig_with_opts soa split-smart.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check dnssec-dsfromkey from stdin ($n)" -ret=0 -dig_with_opts dnskey algroll. @10.53.0.2 \ - | $DSFROMKEY -f - algroll. >dig.out.ns2.test$n || ret=1 -NF=$(awk '{print NF}' dig.out.ns2.test$n | sort -u) -[ "${NF}" = 7 ] || ret=1 -# make canonical -awk '{ - for (i=1;i<7;i++) printf("%s ", $i); - for (i=7;i<=NF;i++) printf("%s", $i); - printf("\n"); -}' canonical1.$n || ret=1 -awk '{ - for (i=1;i<7;i++) printf("%s ", $i); - for (i=7;i<=NF;i++) printf("%s", $i); - printf("\n"); -}' canonical2.$n || ret=1 -diff -b canonical1.$n canonical2.$n >/dev/null 2>&1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Intentionally strip ".key" from keyfile name to ensure the error message -# includes it anyway to avoid confusion (RT #21731) -echo_i "check dnssec-dsfromkey error message when keyfile is not found ($n)" -ret=0 -key=$($KEYGEN -a $DEFAULT_ALGORITHM -q example.) 
|| ret=1 -mv "$key.key" "$key" -$DSFROMKEY "$key" >dsfromkey.out.$n 2>&1 && ret=1 -grep "$key.key: file not found" dsfromkey.out.$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check dnssec-dsfromkey with revoked key ($n)" -ret=0 -dig_with_opts revkey.example dnskey @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "DNSKEY.256 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # ZSK -grep "DNSKEY.385 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # revoked KSK -grep "DNSKEY.257 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # KSK -test $(awk '$4 == "DNSKEY" { print }' dig.out.ns4.test$n | wc -l) -eq 3 || ret=1 -$DSFROMKEY -f dig.out.ns4.test$n revkey.example. >dsfromkey.out.test$n || ret=1 -test $(wc -l dig.out.ns3.test$n 2>&1 -# there must be a signature here -[ -s dig.out.ns3.test$n ] || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing legacy upper case signer name validation ($n)" -ret=0 -$DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa upper.example @10.53.0.4 \ - >dig.out.ns4.test$n 2>&1 || ret=1 -grep "flags:.* ad;" dig.out.ns4.test$n >/dev/null || ret=1 -grep "RRSIG.*SOA.* UPPER\\.EXAMPLE\\. " dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing that we lower case signer name ($n)" -ret=0 -$DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa LOWER.EXAMPLE @10.53.0.4 \ - >dig.out.ns4.test$n 2>&1 || ret=1 -grep "flags:.* ad;" dig.out.ns4.test$n >/dev/null || ret=1 -grep "RRSIG.*SOA.* lower\\.example\\. 
" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing TTL is capped at RRSIG expiry time ($n)" -ret=0 -rndccmd 10.53.0.3 freeze expiring.example 2>&1 | sed 's/^/ns3 /' | cat_i -( - cd ns3 || exit 1 - for file in K*.moved; do - mv "$file" "$(basename "$file" .moved)" - done - $SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db >/dev/null -) || ret=1 -rndc_reload ns3 10.53.0.3 expiring.example - -rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_answeropts +cd expiring.example soa @10.53.0.4 >dig.out.ns4.1.$n -dig_with_answeropts expiring.example soa @10.53.0.4 >dig.out.ns4.2.$n -ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) -ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) -for ttl in ${ttls:-0}; do - [ "${ttl}" -eq 300 ] || ret=1 -done -for ttl in ${ttls2:-0}; do - [ "${ttl}" -le 60 ] || ret=1 -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (NS) ($n)" -ret=0 -rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -sleep 1 -dig_with_additionalopts +cd expiring.example ns @10.53.0.4 >dig.out.ns4.1.$n -dig_with_additionalopts expiring.example ns @10.53.0.4 >dig.out.ns4.2.$n -ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) -ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) -for ttl in ${ttls:-300}; do - [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 -done -for ttl in ${ttls2:-0}; do - [ "$ttl" -le 60 ] || ret=1 -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (MX) ($n)" -ret=0 -rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -sleep 1 -dig_with_additionalopts +cd expiring.example mx @10.53.0.4 >dig.out.ns4.1.$n -dig_with_additionalopts expiring.example mx @10.53.0.4 
>dig.out.ns4.2.$n
-ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
-ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
-for ttl in ${ttls:-300}; do
- [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
-done
-for ttl in ${ttls2:-0}; do
- [ "$ttl" -le 60 ] || ret=1
-done
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-copy_setports ns4/named3.conf.in ns4/named.conf
-rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
-sleep 3
-
-echo_i "testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)"
-ret=0
-rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
-dig_with_answeropts +cd expiring.example soa @10.53.0.4 >dig.out.ns4.1.$n
-dig_with_answeropts expiring.example soa @10.53.0.4 >dig.out.ns4.2.$n
-ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
-ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
-for ttl in ${ttls:-0}; do
- [ "$ttl" -eq 300 ] || ret=1
-done
-for ttl in ${ttls2:-0}; do
- [ "$ttl" -eq 120 ] || ret=1
-done
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)"
-ret=0
-dig_with_answeropts +cd expired.example soa @10.53.0.4 >dig.out.ns4.1.$n
-dig_with_answeropts expired.example soa @10.53.0.4 >dig.out.ns4.2.$n
-ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
-ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
-for ttl in ${ttls:-0}; do
- [ "$ttl" -eq 300 ] || ret=1
-done
-for ttl in ${ttls2:-0}; do
- [ "$ttl" -eq 120 ] || ret=1
-done
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)"
-ret=0
-rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
-dig_with_additionalopts +cd expiring.example mx @10.53.0.4 >dig.out.ns4.1.$n
-dig_with_additionalopts expiring.example mx @10.53.0.4 >dig.out.ns4.2.$n
-ttls=$(awk '$1 != ";;" 
{print $2}' dig.out.ns4.1.$n)
-ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
-for ttl in ${ttls:-300}; do
- [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
-done
-for ttl in ${ttls2:-0}; do
- [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1
-done
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "testing DNSKEY lookup via CNAME ($n)"
-ret=0
-dig_with_opts +noauth cnameandkey.secure.example. \
- @10.53.0.3 dnskey >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth cnameandkey.secure.example. \
- @10.53.0.4 dnskey >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "CNAME" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "testing KEY lookup at CNAME (present) ($n)"
-ret=0
-dig_with_opts +noauth cnameandkey.secure.example. \
- @10.53.0.3 key >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth cnameandkey.secure.example. \
- @10.53.0.4 key >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "CNAME" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "testing KEY lookup at CNAME (not present) ($n)"
-ret=0
-dig_with_opts +noauth cnamenokey.secure.example. \
- @10.53.0.3 key >dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth cnamenokey.secure.example. \
- @10.53.0.4 key >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "CNAME" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "testing DNSKEY lookup via DNAME ($n)"
-ret=0
-dig_with_opts a.dnameandkey.secure.example. 
\
- @10.53.0.3 dnskey >dig.out.ns3.test$n || ret=1
-dig_with_opts a.dnameandkey.secure.example. \
- @10.53.0.4 dnskey >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "CNAME" dig.out.ns4.test$n >/dev/null || ret=1
-grep "DNAME" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "testing KEY lookup via DNAME ($n)"
-ret=0
-dig_with_opts b.dnameandkey.secure.example. \
- @10.53.0.3 key >dig.out.ns3.test$n || ret=1
-dig_with_opts b.dnameandkey.secure.example. \
- @10.53.0.4 key >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "DNAME" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that named doesn't loop when all private keys are not available ($n)"
-ret=0
-lines=$(grep -c "reading private key file expiring.example" ns3/named.run || true)
-test "${lines:-1000}" -lt 15 || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check against against missing nearest provable proof ($n)"
-dig_with_opts +norec b.c.d.optout-tld. \
- @10.53.0.6 ds >dig.out.ds.ns6.test$n || ret=1
-nsec3=$(grep -c "IN.NSEC3" dig.out.ds.ns6.test$n || true)
-[ "$nsec3" -eq 2 ] || ret=1
-dig_with_opts +norec b.c.d.optout-tld. \
- @10.53.0.6 A >dig.out.ns6.test$n || ret=1
-nsec3=$(grep -c "IN.NSEC3" dig.out.ns6.test$n || true)
-[ "$nsec3" -eq 1 ] || ret=1
-dig_with_opts optout-tld. \
- @10.53.0.4 SOA >dig.out.soa.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n >/dev/null || ret=1
-dig_with_opts b.c.d.optout-tld. 
\
- @10.53.0.4 A >dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that key id are logged when dumping the cache ($n)"
-ret=0
-rndc_dumpdb ns4
-grep "; key id = " ns4/named_dump.db.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check KEYDATA records are printed in human readable form in key zone ($n)"
-# force the managed-keys zone to be written out
-rndccmd 10.53.0.4 managed-keys sync 2>&1 | sed 's/^/ns4 /' | cat_i
-for i in 1 2 3 4 5 6 7 8 9; do
- ret=0
- if test -f ns4/managed-keys.bind; then
- grep KEYDATA ns4/managed-keys.bind >/dev/null \
- && grep "next refresh:" ns4/managed-keys.bind >/dev/null \
- && break
- fi
- ret=1
- sleep 1
-done
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check dig's +nocrypto flag ($n)"
-ret=0
-dig_with_opts +norec +nocrypto DNSKEY . 
\
- @10.53.0.1 >dig.out.dnskey.ns1.test$n || ret=1
-grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.ns1.test$n >/dev/null || ret=1
-grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.ns1.test$n >/dev/null || ret=1
-dig_with_opts +norec +nocrypto DS example \
- @10.53.0.1 >dig.out.ds.ns1.test$n || ret=1
-grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.ns1.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that increasing the signatures-validity resigning triggers re-signing ($n)"
-ret=0
-before=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA)
-cp ns3/siginterval2.conf ns3/siginterval.conf
-rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
-i=10
-while [ "$i" -ge 0 ]; do
- after=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA)
- test "$before" != "$after" && break
- sleep 1
- i=$((i - 1))
-done
-n=$((n + 1))
-if test "$before" = "$after"; then
- echo_i "failed"
- ret=1
-fi
-status=$((status + ret))
-
-if [ -x "$PYTHON" ]; then
- echo_i "check signatures-validity-dnskey sets longer expiry for DNSKEY ($n)"
- ret=0
- rndccmd 10.53.0.3 sign siginterval.example 2>&1 | sed 's/^/ns3 /' | cat_i
- # convert expiry date to a comma-separated list of integers python can
- # use as input to date(). strip leading 0s in months and days so
- # python3 will recognize them as integers. 
- $DIG +dnssec +short -p "$PORT" @10.53.0.3 soa siginterval.example >dig.out.soa.test$n || ret=1 - soaexpire=$(awk '$1 ~ /SOA/ { print $5 }' dig.out.soa.test$n \ - | sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' \ - | sed 's/ 0/ /g') - $DIG +dnssec +short -p "$PORT" @10.53.0.3 dnskey siginterval.example >dig.out.dnskey.test$n || ret=1 - dnskeyexpire=$(awk '$1 ~ /DNSKEY/ { print $5; exit 0 }' dig.out.dnskey.test$n \ - | sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' \ - | sed 's/ 0/ /g') - $PYTHON >python.out.$n <&1 | sed 's/^/ns4 /' | cat_i -sleep 3 - -echo_i "check insecure delegation between static-stub zones ($n)" -ret=0 -dig_with_opts ns insecure.secure.example \ - @10.53.0.4 >dig.out.ns4.1.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.1.test$n >/dev/null && ret=1 -dig_with_opts ns secure.example \ - @10.53.0.4 >dig.out.ns4.2.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.2.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check the acceptance of seconds as inception and expiration times ($n)" -ret=0 -in="NSEC 8 0 86400 1390003200 1389394800 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i+UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2rOo=" - -exp="NSEC 8 0 86400 20140118000000 20140110230000 33655 . 
NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i +UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2 rOo="
-
-out=$(echo "IN RRSIG $in" | $RRCHECKER -p | sed 's/^IN.RRSIG.//')
-[ "$out" = "$exp" ] || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check the correct resigning time is reported in zonestatus ($n)"
-ret=0
-rndccmd 10.53.0.3 \
- zonestatus secure.example >rndc.out.ns3.test$n
-# next resign node: secure.example/DNSKEY
-qname=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,/.*,,')
-qtype=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,.*/,,')
-# next resign time: Thu, 24 Apr 2014 10:38:16 GMT
-time=$(awk 'BEGIN { m["Jan"] = "01"; m["Feb"] = "02"; m["Mar"] = "03";
- m["Apr"] = "04"; m["May"] = "05"; m["Jun"] = "06";
- m["Jul"] = "07"; m["Aug"] = "08"; m["Sep"] = "09";
- m["Oct"] = "10"; m["Nov"] = "11"; m["Dec"] = "12";}
- /next resign time:/ { printf "%d%s%02d%s\n", $7, m[$6], $5, $8 }' rndc.out.ns3.test$n | sed 's/://g')
-dig_with_opts +noall +answer "$qname" "$qtype" @10.53.0.3 >dig.out.test$n
-expire=$(awk '$4 == "RRSIG" { print $9 }' dig.out.test$n)
-inception=$(awk '$4 == "RRSIG" { print $10 }' dig.out.test$n)
-$PERL -e 'exit(0) if ("'"$time"'" lt "'"$expire"'" && "'"$time"'" gt "'"$inception"'"); exit(1);' || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that split rrsigs are handled ($n)"
-ret=0
-dig_with_opts split-rrsig soa @10.53.0.7 >dig.out.test$n || ret=1
-awk 'BEGIN { ok=0; } $4 == "SOA" { if ($7 > 1) ok=1; } END { if (!ok) exit(1); }' dig.out.test$n || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that not-at-zone-apex RRSIG(SOA) RRsets are removed from the zone after load ($n)"
-ret=0
-dig_with_opts split-rrsig AXFR @10.53.0.7 >dig.out.test$n || ret=1
-grep -q 
"not-at-zone-apex.*RRSIG.*SOA" dig.out.test$n && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)" -ret=0 -alg=1 -until test $alg -eq 258; do - zone="keygen-$alg." - case $alg in - 2) # Diffie Helman - alg=$((alg + 1)) - continue - ;; - 157 | 160 | 161 | 162 | 163 | 164 | 165) # private - non standard - alg=$((alg + 1)) - continue - ;; - 1 | 5 | 7 | 8 | 10) # RSA algorithms - key1=$($KEYGEN -a "$alg" -b "2048" "$zone" 2>"keygen-$alg.err" || true) - ;; - 15 | 16) - key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true) - ;; - 256) - key1=$($KEYGEN -a "RSASHA256OID" "$zone" 2>"keygen-$alg.err" || true) - ;; - 257) - key1=$($KEYGEN -a "RSASHA512OID" "$zone" 2>"keygen-$alg.err" || true) - ;; - *) - key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true) - ;; - esac - if grep "unknown algorithm" "keygen-$alg.err" >/dev/null; then - alg=$((alg + 1)) - continue - fi - if grep "unsupported algorithm" "keygen-$alg.err" >/dev/null; then - alg=$((alg + 1)) - continue - fi - if test -z "$key1"; then - echo_i "'$KEYGEN -a $alg': failed" - cat "keygen-$alg.err" - ret=1 - alg=$((alg + 1)) - continue - fi - $SETTIME -I now+4d "$key1.private" >/dev/null - key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2>/dev/null) - test -f "$key2.key" -a -f "$key2.private" || { - ret=1 - echo_i "'dnssec-keygen -S' failed for algorithm: $alg" - } - alg=$((alg + 1)) -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that 'dnssec-keygen -F' disables rsasha1 ($n)" -ret=0 -if $FEATURETEST --have-fips-mode; then - echo_i "skipped: already in FIPS mode" -elif ! 
$FEATURETEST --fips-provider; then
- echo_i "skipped no FIPS provider available"
-elif [ $RSASHA1_SUPPORTED = 0 ]; then
- echo_i "skipped: RSASHA1 is not supported"
-else
- $KEYGEN -F -a rsasha1 example.fips 2>keygen.err$n || true
- grep -i "unsupported algorithm: RSASHA1" "keygen.err$n" >/dev/null || ret=1
-fi
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that 'dnssec-keygen -F' disables nsec3rsasha1 ($n)"
-ret=0
-if $FEATURETEST --have-fips-mode; then
- echo_i "skipped: already in FIPS mode"
-elif ! $FEATURETEST --fips-provider; then
- echo_i "skipped: cannot switch to FIPS mode"
-elif [ $RSASHA1_SUPPORTED = 0 ]; then
- echo_i "skipped: RSASHA1 is not supported"
-else
- $KEYGEN -F -a nsec3rsasha1 example.fips 2>keygen.err$n || true
- grep -i "unsupported algorithm: NSEC3RSASHA1" "keygen.err$n" >/dev/null || ret=1
-fi
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that CDS records are signed using KSK by dnssec-signzone ($n)"
-ret=0
-dig_with_opts +noall +answer @10.53.0.2 cds cds.secure >dig.out.test$n
-lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 2 || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that CDS records are not signed using ZSK by dnssec-signzone -x ($n)"
-ret=0
-dig_with_opts +noall +answer @10.53.0.2 cds cds-x.secure >dig.out.test$n
-lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 2 || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that positive unknown NSEC3 hash algorithm does validate ($n)"
-ret=0
-dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example SOA >dig.out.ns3.test$n
-dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example SOA >dig.out.ns4.test$n
-grep "status: NOERROR," dig.out.ns3.test$n 
>/dev/null || ret=1
-grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that CDS records are signed using KSK by with dnssec-policy ($n)"
-ret=0
-dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure >dig.out.test$n
-lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 1 || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that a CDS deletion record is accepted ($n)"
-ret=0
-(
- echo zone cds-update.secure
- echo server 10.53.0.2 "$PORT"
- echo update delete cds-update.secure CDS
- echo update add cds-update.secure 0 CDS 0 0 0 00
- echo send
-) | $NSUPDATE >nsupdate.out.test$n 2>&1
-dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n
-lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
-test "${lines:-10}" -eq 1 || ret=1
-lines=$(awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 1 || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that CDS records are signed only using KSK when added by nsupdate ($n)"
-ret=0
-keyid=$(cat ns2/cds-update.secure.id)
-(
- echo zone cds-update.secure
- echo server 10.53.0.2 "$PORT"
- echo update delete cds-update.secure CDS
- echo send
- dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \
- | grep "DNSKEY.257" \
- | $DSFROMKEY -12 -C -f - -T 1 cds-update.secure \
- | sed "s/^/update add /"
- echo send
-) | $NSUPDATE
-dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n
-lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 1 || ret=1
-lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && 
$5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that CDS deletion records are signed only using KSK when added by nsupdate ($n)" -ret=0 -keyid=$(cat ns2/cds-update.secure.id) -( - echo zone cds-update.secure - echo server 10.53.0.2 "$PORT" - echo update delete cds-update.secure CDS - echo update add cds-update.secure 0 CDS 0 0 0 00 - echo send -) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)" -ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example SOA >dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example SOA >dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that a non matching CDS record is accepted with a matching CDS record ($n)" -ret=0 -( - echo zone cds-update.secure - echo 
server 10.53.0.2 "$PORT" - echo update delete cds-update.secure CDS - echo send - dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \ - | grep "DNSKEY.257" \ - | $DSFROMKEY -12 -C -f - -T 1 cds-update.secure \ - | sed "s/^/update add /" - dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \ - | grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' \ - | $DSFROMKEY -12 -C -A -f - -T 1 cds-update.secure \ - | sed "s/^/update add /" - echo send -) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 4 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that negative unknown NSEC3 hash algorithm does not validate ($n)" -ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example A >dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example A >dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: SERVFAIL," dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that CDNSKEY records are signed using KSK by dnssec-signzone ($n)" -ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that CDNSKEY records are not signed using ZSK by dnssec-signzone -x ($n)" -ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-x.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 
-n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate ($n)" -ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example A >dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example A >dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: SERVFAIL," dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that CDNSKEY records are signed using KSK by with dnssec-auto ($n)" -ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that unknown DNSKEY algorithm validates as insecure ($n)" -ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unknown.example A >dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unknown.example A >dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that unsupported DNSKEY algorithm validates as insecure ($n)" -ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.example A >dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A >dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 -grep "; EDE: 1 (Unsupported DNSKEY 
Algorithm): (255 dnskey-unsupported.example/SOA)" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking EDE code 2 for unsupported DS digest ($n)" -ret=0 -dig_with_opts @10.53.0.4 a.ds-unsupported.example >dig.out.ns4.test$n || ret=1 -grep "; EDE: 2 (Unsupported DS Digest Type): (SHA-256 ds-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking EDE code 1 for bad alg mnemonic ($n)" -ret=0 -dig_with_opts @10.53.0.4 badalg.secure.example >dig.out.ns4.test$n || ret=1 -grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (ECDSAP256SHA256 badalg.secure.example/NSEC)" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking both EDE code 1 and 2 for unsupported digest on one DNSKEY and alg on the other ($n)" -ret=0 -dig_with_opts @10.53.0.4 a.digest-alg-unsupported.example >dig.out.ns4.test$n || ret=1 -grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (ECDSAP384SHA384 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1 -grep "; EDE: 2 (Unsupported DS Digest Type): (SHA-384 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)" -ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY >dig.out.test$n -grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 -grep 
"dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Check that a query for a domain that has a KSK that is not actively signing -# the DNSKEY RRset. This should not result in a broken trust chain if there is -# another KSK that is signing the DNSKEY RRset. -echo_i "checking that a secure chain with one active and one inactive KSK validates as secure ($n)" -ret=0 -dig_with_opts @10.53.0.4 a.lazy-ksk A >dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# TODO: test case for GL #1689. -# If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5) -# we could write a test that signs a zone with supported and unsupported -# algorithm, apply a fixed rrset order such that the unsupported algorithm -# precedes the supported one in the DNSKEY RRset, and verify the result still -# validates succesfully. 
- -echo_i "check that a CDNSKEY deletion record is accepted ($n)" -ret=0 -( - echo zone cdnskey-update.secure - echo server 10.53.0.2 "$PORT" - echo update delete cdnskey-update.secure CDNSKEY - echo update add cdnskey-update.secure 0 CDNSKEY 0 3 0 AA== - echo send -) | $NSUPDATE >nsupdate.out.test$n 2>&1 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n -lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "${lines:-10}" -eq 1 || ret=1 -lines=$(awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' dig.out.test$n | wc -l) -test "${lines:-10}" -eq 1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure ($n)" -ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-nsec3-unknown.example A >dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-nsec3-unknown.example A >dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that CDNSKEY records are signed using KSK only when added by nsupdate ($n)" -ret=0 -keyid=$(cat ns2/cdnskey-update.secure.id) -( - echo zone cdnskey-update.secure - echo server 10.53.0.2 "$PORT" - echo update delete cdnskey-update.secure CDNSKEY - dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \ - | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' - echo send -) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk -v id="${keyid}" '$4 == 
"RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking initialization with a revoked managed key ($n)" -ret=0 -copy_setports ns5/named2.conf.in ns5/named.conf -rndccmd 10.53.0.5 reconfig 2>&1 | sed 's/^/ns5 /' | cat_i -sleep 3 -dig_with_opts +dnssec @10.53.0.5 SOA . >dig.out.ns5.test$n -grep "status: SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)" -ret=0 -( - echo zone cdnskey-update.secure - echo server 10.53.0.2 "$PORT" - echo update delete cdnskey-update.secure CDNSKEY - dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \ - | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' - dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \ - | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p' - echo send -) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)" -ret=0 -# generate signed zone with MX and AAAA records at apex. 
-( - cd signer || exit 1 - $KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove >/dev/null - $KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove >/dev/null - echo >remove.db.signed - $SIGNER -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n -) -grep "RRSIG MX" signer/remove.db.signed >/dev/null || { - ret=1 - cp signer/remove.db.signed signer/remove.db.signed.pre$n -} -# re-generate signed zone without MX and AAAA records at apex. -( - cd signer || exit 1 - $SIGNER -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n -) -grep "RRSIG MX" signer/remove.db.signed >/dev/null && { - ret=1 - cp signer/remove.db.signed signer/remove.db.signed.post$n -} -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 ($n)" -ret=0 -# generate signed zone with MX and AAAA records at apex. -( - cd signer || exit 1 - echo >remove.db.signed - $SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n -) -grep "RRSIG MX" signer/remove.db.signed >/dev/null || { - ret=1 - cp signer/remove.db.signed signer/remove.db.signed.pre$n -} -# re-generate signed zone without MX and AAAA records at apex. -( - cd signer || exit 1 - $SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n -) -grep "RRSIG MX" signer/remove.db.signed >/dev/null && { - ret=1 - cp signer/remove.db.signed signer/remove.db.signed.post$n -} -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that a named managed zone that was signed 'in-the-future' is re-signed when loaded ($n)" -ret=0 -dig_with_opts managed-future.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that trust-anchor-telemetry queries are logged ($n)" -ret=0 -grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns6/named.run >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that _ta-XXXX trust-anchor-telemetry queries are logged ($n)" -ret=0 -grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that _ta-AAAA trust-anchor-telemetry are not sent when disabled ($n)" -ret=0 -grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)" -ret=0 -dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 >dig.out.ns1.test$n || ret=1 -grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)" -ret=0 -dig_with_opts . 
dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 >dig.out.ns1.test$n || ret=1 -grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run >/dev/null || ret=1 -grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run >/dev/null && ret=1 -stop_server ns1 || ret=1 -nextpart ns1/named.run >/dev/null -start_server --noclean --restart --port ${PORT} ns1 || ret=1 -n=$(($n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "waiting for root server to finish reloading ($n)" -ret=0 -wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 -n=$(($n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that the view is logged in messages from the validator when using views ($n)" -ret=0 -grep "view rec: *validat" ns4/named.run >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)" -ret=0 -dig_with_opts txt dname-at-apex-nsec3.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 -grep "RRSIG.NSEC3 $DEFAULT_ALGORITHM_NUMBER 3 600" dig.out.ns3.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that DNSKEY and other occluded data are excluded from the delegating bitmap ($n)" -ret=0 -dig_with_opts axfr occluded.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 -grep "^delegation.occluded.example..*NSEC.*NS KEY DS RRSIG NSEC$" dig.out.ns3.test$n >/dev/null || ret=1 -grep "^delegation.occluded.example..*DNSKEY.*" dig.out.ns3.test$n >/dev/null || ret=1 -grep "^delegation.occluded.example..*AAAA.*" dig.out.ns3.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking DNSSEC records are occluded from ANY in an insecure zone ($n)" -ret=0 -dig_with_opts any x.insecure.example. 
@10.53.0.3 >dig.out.ns3.1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.1.test$n >/dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns3.1.test$n >/dev/null || ret=1 -dig_with_opts any z.secure.example. @10.53.0.3 >dig.out.ns3.2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.2.test$n >/dev/null || ret=1 -# A+RRSIG, NSEC+RRSIG -grep "ANSWER: 4," dig.out.ns3.2.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# -# DNSSEC tests related to unsupported, disabled and revoked trust anchors. -# - -# This nameserver (ns8) is loaded with a bunch of trust anchors. Some of -# them are good (enabled.managed, enabled.trusted, secure.managed, -# secure.trusted), and some of them are bad (disabled.managed, -# revoked.managed, unsupported.managed, disabled.trusted, revoked.trusted, -# unsupported.trusted). Make sure that the bad trust anchors are ignored. -# This is tested by looking for the corresponding lines in the logfile. -echo_i "checking that keys with unsupported algorithms and disabled algorithms are ignored ($n)" -ret=0 -grep -q "ignoring static-key for 'disabled\.trusted\.': algorithm is disabled" ns8/named.run || ret=1 -grep -q "ignoring static-key for 'unsupported\.trusted\.': algorithm is unsupported" ns8/named.run || ret=1 -grep -q "ignoring static-key for 'revoked\.trusted\.': bad key type" ns8/named.run || ret=1 -grep -q "ignoring initial-key for 'disabled\.managed\.': algorithm is disabled" ns8/named.run || ret=1 -grep -q "ignoring initial-key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run || ret=1 -grep -q "ignoring initial-key for 'revoked\.managed\.': bad key type" ns8/named.run || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# The next two tests are fairly normal DNSSEC queries to signed zones with a -# default algorithm. First, a query is made against the server that is -# authoritative for the given zone (ns3). 
Second, a query is made against a -# resolver with trust anchors for the given zone (ns8). Both are expected to -# return an authentic data positive response. -echo_i "checking that a trusted key using a supported algorithm validates as secure ($n)" -ret=0 -dig_with_opts @10.53.0.3 a.secure.trusted A >dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.secure.trusted A >dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 -grep "; EDE: " dig.out.ns8.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a managed key using a supported algorithm validates as secure ($n)" -ret=0 -dig_with_opts @10.53.0.3 a.secure.managed A >dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.secure.managed A >dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 -grep "; EDE: " dig.out.ns8.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# The next two queries ensure that a zone signed with a DNSKEY with an unsupported -# algorithm will yield insecure positive responses. These trust anchors in ns8 are -# ignored and so this domain is treated as insecure. The AD bit should not be set -# in the response. 
-echo_i "checking that a trusted key using an unsupported algorithm validates as insecure ($n)" -ret=0 -dig_with_opts @10.53.0.3 a.unsupported.trusted A >dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.unsupported.trusted A >dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 -grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (255 ns3.unsupported.trusted (cached))" dig.out.ns8.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a managed key using an unsupported algorithm validates as insecure ($n)" -ret=0 -dig_with_opts @10.53.0.3 a.unsupported.managed A >dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.unsupported.managed A >dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 -grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (255 ns3.unsupported.managed (cached))" dig.out.ns8.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# The next two queries ensure that a zone signed with a DNSKEY that the nameserver -# has a disabled algorithm match for will yield insecure positive responses. -# These trust anchors in ns8 are ignored and so this domain is treated as insecure. -# The AD bit should not be set in the response. 
-echo_i "checking that a trusted key using a disabled algorithm validates as insecure ($n)" -ret=0 -dig_with_opts @10.53.0.3 a.disabled.trusted A >dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.disabled.trusted A >dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a managed key using a disabled algorithm validates as insecure ($n)" -ret=0 -dig_with_opts @10.53.0.3 a.disabled.managed A >dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.disabled.managed A >dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# The next two queries ensure that a zone signed with a DNSKEY that the -# nameserver has a disabled algorithm for, but for a different domain, will -# yield secure positive responses. Since "enabled.trusted." and -# "enabled.managed." do not match the "disable-algorithms" option, no -# special rules apply and these zones should validate as secure, with the AD -# bit set. 
-echo_i "checking that a trusted key using an algorithm disabled for another domain validates as secure ($n)" -ret=0 -dig_with_opts @10.53.0.3 a.enabled.trusted A >dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.enabled.trusted A >dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a managed key using an algorithm disabled for another domain validates as secure ($n)" -ret=0 -dig_with_opts @10.53.0.3 a.enabled.managed A >dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.enabled.managed A >dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# A configured revoked trust anchor is ignored and thus the two queries below -# should result in insecure responses, since no trust points for the -# "revoked.trusted." and "revoked.managed." zones are created. 
-echo_i "checking that a trusted key that is revoked validates as insecure ($n)" -ret=0 -dig_with_opts @10.53.0.3 a.revoked.trusted A >dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.revoked.trusted A >dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a managed key that is revoked validates as insecure ($n)" -ret=0 -dig_with_opts @10.53.0.3 a.revoked.managed A >dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.revoked.managed A >dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -### -### Additional checks for when the KSK is offline. -### - -# Save some useful information -zone="updatecheck-kskonly.secure" -KSK=$(cat ns2/${zone}.ksk.key) -ZSK=$(cat ns2/${zone}.zsk.key) -KSK_ID=$(cat ns2/${zone}.ksk.id) -ZSK_ID=$(cat ns2/${zone}.zsk.id) -SECTIONS="+answer +noauthority +noadditional" -echo_i "testing zone $zone KSK=$KSK_ID ZSK=$ZSK_ID" - -# Set key state for KSK. The ZSK rollovers below assume that there is a chain -# of trust established, so we tell named that the DS is in omnipresent state. -$SETTIME -s -d OMNIPRESENT now -K ns2 $KSK >/dev/null - -# Print IDs of keys used for generating RRSIG records for RRsets of type $1 -# found in dig output file $2. -get_keys_which_signed() { - qtype=$1 - output=$2 - # The key ID is the 11th column of the RRSIG record line. - awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print $11}' <"$output" -} - -# Basic checks to make sure everything is fine before the KSK is made offline. 
-for qtype in "DNSKEY" "CDNSKEY" "CDS"; do - echo_i "checking $qtype RRset is signed with KSK only ($n)" - ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n - lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) - test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -done - -echo_i "checking SOA RRset is signed with ZSK only ($n)" -ret=0 -dig_with_opts $SECTIONS @10.53.0.2 soa $zone >dig.out.test$n -lines=$(get_keys_which_signed "SOA" dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -get_keys_which_signed "SOA" dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 -get_keys_which_signed "SOA" dig.out.test$n | grep "^$ZSK_ID$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Roll the ZSK. -zsk2=$("$KEYGEN" -q -P none -A none -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 "$zone") -keyfile_to_key_id "$zsk2" >ns2/$zone.zsk.id2 -ZSK_ID2=$(cat ns2/$zone.zsk.id2) -ret=0 -echo_i "prepublish new ZSK $ZSK_ID2 for $zone ($n)" -rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID $zone 2>&1 | sed 's/^/ns2 /' | cat_i -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -zsk_count_equals() { - expectedzsks=$1 - dig_with_opts @10.53.0.2 DNSKEY $zone >dig.out.test$n - lines=$(cat dig.out.test$n | grep "DNSKEY.*256 3 13" | wc -l) - test "$lines" -eq $expectedzsks || return 1 -} -echo_i "check DNSKEY RRset has successor ZSK $ZSK_ID2 ($n)" -ret=0 -# The expected number of ZSKs is 2. -retry_quiet 5 zsk_count_equals 2 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Make new ZSK active. 
-echo_i "make ZSK $ZSK_ID inactive and make new ZSK $ZSK_ID2 active for zone $zone ($n)" -ret=0 -$SETTIME -s -I now -K ns2 $ZSK >/dev/null -$SETTIME -s -k OMNIPRESENT now -A now -K ns2 $zsk2 >/dev/null -dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Wait for newest ZSK to become active. -echo_i "wait until new ZSK $ZSK_ID2 active and ZSK $ZSK_ID inactive" -for i in 1 2 3 4 5 6 7 8 9 10; do - ret=0 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID2 (ZSK) is now active" ns2/named.run >/dev/null || ret=1 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID (ZSK) is now inactive" ns2/named.run >/dev/null || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Remove the KSK from disk. -echo_i "remove the KSK $KSK_ID for zone $zone from disk" -mv ns2/$KSK.key ns2/$KSK.key.bak -mv ns2/$KSK.private ns2/$KSK.private.bak - -# Update the zone that requires a resign of the SOA RRset. -echo_i "update the zone with $zone IN TXT nsupdate added me" -( - echo zone $zone - echo server 10.53.0.2 "$PORT" - echo update add $zone. 300 in txt "nsupdate added me" - echo send -) | $NSUPDATE - -# Redo the tests now that the zone is updated and the KSK is offline. 
-for qtype in "DNSKEY" "CDNSKEY" "CDS"; do - echo_i "checking $qtype RRset is signed with KSK only, KSK offline ($n)" - ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n - lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) - test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -done - -for qtype in "SOA" "TXT"; do - echo_i "checking $qtype RRset is signed with new ZSK $ZSK_ID2 only, KSK offline ($n)" - ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n - lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) - test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -done - -# Put back the KSK. -echo_i "put back the KSK $KSK_ID for zone $zone from disk" -mv ns2/$KSK.key.bak ns2/$KSK.key -mv ns2/$KSK.private.bak ns2/$KSK.private - -# Roll the ZSK again. 
-zsk3=$("$KEYGEN" -q -P none -A none -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 "$zone") -ret=0 -keyfile_to_key_id "$zsk3" >ns2/$zone.zsk.id3 -ZSK_ID3=$(cat ns2/$zone.zsk.id3) -echo_i "delete old ZSK $ZSK_ID, schedule ZSK $ZSK_ID2 inactive, and pre-publish ZSK $ZSK_ID3 for zone $zone ($n)" -$SETTIME -s -k HIDDEN now -z HIDDEN now -D now -K ns2 $ZSK >/dev/null -$SETTIME -s -k OMNIPRESENT now -z OMNIPRESENT now -K ns2 $zsk2 >/dev/null -dnssec_loadkeys_on 2 $zone || ret=1 -rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID2 $zone 2>&1 | sed 's/^/ns2 /' | cat_i -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Wait for newest ZSK to become published. -echo_i "wait until new ZSK $ZSK_ID3 published" -for i in 1 2 3 4 5 6 7 8 9 10; do - ret=0 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID3 (ZSK) is now published" ns2/named.run >/dev/null || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Remove the KSK from disk. -echo_i "remove the KSK $KSK_ID for zone $zone from disk" -mv ns2/$KSK.key ns2/$KSK.key.bak -mv ns2/$KSK.private ns2/$KSK.private.bak - -# Update the zone that requires a resign of the SOA RRset. -echo_i "update the zone with $zone IN TXT nsupdate added me again" -( - echo zone $zone - echo server 10.53.0.2 "$PORT" - echo update add $zone. 300 in txt "nsupdate added me again" - echo send -) | $NSUPDATE - -# Redo the tests now that the ZSK roll has deleted the old key. 
-for qtype in "DNSKEY" "CDNSKEY" "CDS"; do - echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted ($n)" - ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n - lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) - test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -done - -for qtype in "SOA" "TXT"; do - echo_i "checking $qtype RRset is signed with ZSK $ZSK_ID2 only, old ZSK deleted ($n)" - ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n - lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) - test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -done - -# Put back the KSK. -echo_i "put back the KSK $KSK_ID for zone $zone from disk" -mv ns2/$KSK.key.bak ns2/$KSK.key -mv ns2/$KSK.private.bak ns2/$KSK.private - -# Make the new ZSK (ZSK3) active. -echo_i "make new ZSK $ZSK_ID3 active for zone $zone ($n)" -ret=0 -$SETTIME -s -I now -K ns2 $zsk2 >/dev/null -$SETTIME -s -k OMNIPRESENT now -A now -K ns2 $zsk3 >/dev/null -dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Wait for newest ZSK to become active. 
-echo_i "wait until new ZSK $ZSK_ID3 active and ZSK $ZSK_ID2 inactive" -for i in 1 2 3 4 5 6 7 8 9 10; do - ret=0 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID3 (ZSK) is now active" ns2/named.run >/dev/null || ret=1 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID2 (ZSK) is now inactive" ns2/named.run >/dev/null || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Remove the KSK from disk. -echo_i "remove the KSK $KSK_ID for zone $zone from disk" -mv ns2/$KSK.key ns2/$KSK.key.bak -mv ns2/$KSK.private ns2/$KSK.private.bak - -# Update the zone that requires a resign of the SOA RRset. -echo_i "update the zone with $zone IN TXT nsupdate added me one more time" -( - echo zone $zone - echo server 10.53.0.2 "$PORT" - echo update add $zone. 300 in txt "nsupdate added me one more time" - echo send -) | $NSUPDATE -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Redo the tests one more time. 
-for qtype in "DNSKEY" "CDNSKEY" "CDS"; do - echo_i "checking $qtype RRset is signed with KSK only, new ZSK active ($n)" - ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n - lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) - test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -done - -for qtype in "SOA" "TXT"; do - echo_i "checking $qtype RRset is signed with new ZSK $ZSK_ID3 only, new ZSK active ($n)" - ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n - lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) - test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -done - -echo_i "checking secroots output with multiple views ($n)" -ret=0 -rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i -cp ns4/named.secroots named.secroots.test$n -check_secroots_layout named.secroots.test$n || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking signatures-validity second field hours vs days ($n)" -ret=0 -# zone configured with 'signatures-validity 500d; signatures-refresh 1d' -# 499 days in the future w/ a 20 minute runtime to now allowance -min=$(TZ=UTC $PERL -e 
'@lt=localtime(time() + 499*3600*24 - 20*60); printf "%.4d%0.2d%0.2d%0.2d%0.2d%0.2d\n",$lt[5]+1900,$lt[4]+1,$lt[3],$lt[2],$lt[1],$lt[0];') -dig_with_opts @10.53.0.2 hours-vs-days AXFR >dig.out.ns2.test$n -awk -v min=$min '$4 == "RRSIG" { if ($9 < min) { exit(1); } }' dig.out.ns2.test$n || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking validation succeeds during transition to signed ($n)" -ret=0 -dig_with_opts @10.53.0.4 inprogress A >dig.out.ns4.test$n || ret=1 -grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking excessive NSEC3 iteration warnings in named.run ($n)" -ret=0 -grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 50" ns2/named.run >/dev/null 2>&1 || ret=1 -grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 50" ns3/named.run >/dev/null 2>&1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Check that the validating resolver will fallback to insecure if the answer -# contains NSEC3 records with high iteration count. 
-echo_i "checking fallback to insecure when NSEC3 iterations is too high (nxdomain) ($n)" -ret=0 -dig_with_opts @10.53.0.2 does-not-exist.too-many-iterations >dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 does-not-exist.too-many-iterations >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking fallback to insecure when NSEC3 iterations is too high (nodata) ($n)" -ret=0 -dig_with_opts @10.53.0.2 a.too-many-iterations txt >dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 a.too-many-iterations txt >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard) ($n)" -ret=0 -dig_with_opts @10.53.0.2 wild.a.too-many-iterations >dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 wild.a.too-many-iterations >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep 'wild\.a\.too-many-iterations\..*A.10\.0\.0\.3' dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 2, AUTHORITY: 4" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard nodata) ($n)" -ret=0 
-dig_with_opts @10.53.0.2 type100 wild.a.too-many-iterations >dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 type100 wild.a.too-many-iterations >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Check that a query against a validating resolver succeeds when there is -# a negative cache entry with trust level "pending" for the DS. Prime -# with a +cd DS query to produce the negative cache entry, then send a -# query that uses that entry as part of the validation process. [GL #3279] -echo_i "check that pending negative DS cache entry validates ($n)" -ret=0 -dig_with_opts @10.53.0.4 +cd insecure2.example. ds >dig.out.prime.ns4.test$n || ret=1 -grep "flags: qr rd ra cd;" dig.out.prime.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4, " dig.out.prime.ns4.test$n >/dev/null || ret=1 -dig_with_opts @10.53.0.4 a.insecure2.example. 
a >dig.out.ns4.test$n || ret=1 -grep "ANSWER: 1, AUTHORITY: 1, " dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "check that dnssec-keygen honours key tag ranges ($n)" -ret=0 -zone=settagrange -ksk=$("$KEYGEN" -f KSK -q -a $DEFAULT_ALGORITHM -M 0:32767 "$zone") -zsk=$("$KEYGEN" -q -a $DEFAULT_ALGORITHM -M 32768:65535 "$zone") -kid=$(keyfile_to_key_id "$ksk") -zid=$(keyfile_to_key_id "$zsk") -[ $kid -ge 0 -a $kid -le 32767 ] || ret=1 -[ $zid -ge 32768 -a $zid -le 65535 ] || ret=1 -rksk=$($REVOKE -R $ksk) -rzsk=$($REVOKE -R $zsk) -krid=$(keyfile_to_key_id "$rksk") -zrid=$(keyfile_to_key_id "$rzsk") -[ $krid -ge 0 -a $krid -le 32767 ] || ret=1 -[ $zrid -ge 32768 -a $zrid -le 65535 ] || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "checking NSEC3 nxdomain response closest encloser with 0 ENT ($n)" -ret=0 -dig_with_opts @10.53.0.4 b.b.b.b.b.a.nsec3.example. 
>dig.out.ns4.test$n -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -# closest encloser (a.nsec3.example) -pat1="^6OVDUHTN094ML2PV8AN90U0DPU823GH2\.nsec3\.example\..*NSEC3 1 0 0 - 7AT0S0RIDCJRFF2M5H5AAV22CSFJBUL4 A RRSIG\$" -grep "$pat1" dig.out.ns4.test$n >/dev/null || ret=1 -# no QNAME proof (b.a.nsec3.example / DSPF4R9UKOEPJ9O34E1H4539LSOTL14E) -pat2="^CG2DVCNE20EKU1PDRLMI2L4DGC2FO1H3\.nsec3\.example\..*NSEC3 1 0 0 - EF2S05SGK1IR2K5SKMFIRERGQCLMR18M A RRSIG\$" -grep "$pat2" dig.out.ns4.test$n >/dev/null || ret=1 -# no WILDCARD proof (*.a.nsec3.example / TFGQ60S97BS31IT1EBEDO63ETM0T5JFA) -pat3="^R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q\.nsec3\.example\..*NSEC3 1 0 0 - VH656EQUD4J02OFVSO4GKOK5D02MS1TL NS DS RRSIG\$" -grep "$pat3" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "checking NSEC3 nxdomain response closest encloser with 1 ENTs ($n)" -ret=0 -dig_with_opts @10.53.0.4 b.b.b.b.b.a.a.nsec3.example. 
>dig.out.ns4.test$n -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -# closest encloser (a.a.nsec3.example) -pat1="^NGCJFSOLJUUE27PFNQNJIME4TQ0OU2DH\.nsec3\.example\..*NSEC3 1 0 0 - R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q\$" -grep "$pat1" dig.out.ns4.test$n >/dev/null || ret=1 -# no QNAME proof (b.a.a.nsec3.example / V8I8SAIIVC3HOVMOVENSDRA6ATDCEMJI) -pat2="^R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q\.nsec3\.example\..*NSEC3 1 0 0 - VH656EQUD4J02OFVSO4GKOK5D02MS1TL NS DS RRSIG\$" -grep "$pat2" dig.out.ns4.test$n >/dev/null || ret=1 -# no WILDCARD proof (*.a.a.nsec3.example / V7JNNDJ4NLRIU195FRB7DLUCSLU4LLFM) -pat3="^R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q\.nsec3\.example\..*NSEC3 1 0 0 - VH656EQUD4J02OFVSO4GKOK5D02MS1TL NS DS RRSIG\$" -grep "$pat3" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "checking NSEC3 nxdomain response closest encloser with 2 ENTs ($n)" -ret=0 -dig_with_opts @10.53.0.4 b.b.b.b.b.a.a.a.nsec3.example. 
>dig.out.ns4.test$n -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -# closest encloser (a.a.a.nsec3.example) -pat1="^H7RHPDCHSVVRAND332F878C8AB6IBJQV\.nsec3\.example\..*NSEC3 1 0 0 - K8IG76R2UPQ13IKFO49L7IB9JRVB6QJI\$" -grep "$pat1" dig.out.ns4.test$n >/dev/null || ret=1 -# no QNAME proof (b.a.a.a.nsec3.example / 18Q8D89RM8GGRSSOPFRB05QS6VEGB1P4) -pat2="^VH656EQUD4J02OFVSO4GKOK5D02MS1TL\.nsec3\.example\..*NSEC3 1 0 0 - 1HARMGSKJH0EBU2EI2OJIKTDPIQA6KBI NS DS RRSIG\$" -grep "$pat2" dig.out.ns4.test$n >/dev/null || ret=1 -# no WILDCARD proof (*.a.a.a.nsec3.example / 8113LDMSEFPUAG4VGFF1C8KLOUT4Q6PH) -pat3="^7AT0S0RIDCJRFF2M5H5AAV22CSFJBUL4\.nsec3\.example\..*NSEC3 1 0 0 - BEJ5GMQA872JF4DAGQ0R3O5Q7A2O5S9L A RRSIG\$" -grep "$pat3" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "checking that records other than DNSKEY are not signed by a revoked key by dnssec-signzone ($n)" -ret=0 -( - cd signer || exit 0 - key1=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" -f KSK revoke.example) - key2=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" -f KSK revoke.example) - key3=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" revoke.example) - rkey=$(${REVOKE} "$key2") - cat >>revoke.example.db <>revoke.example.db - "${SIGNER}" -o revoke.example revoke.example.db >signer.out.$n -) || ret=1 -keycount=$(grep -c "RRSIG.DNSKEY ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed) -cdscount=$(grep -c "RRSIG.CDS ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed) -soacount=$(grep -c "RRSIG.SOA ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed) -[ $keycount -eq 3 ] || ret=1 -[ $cdscount -eq 2 ] || ret=1 -[ $soacount -eq 1 ] || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "checking validator behavior with mismatching NS ($n)" -ret=0 -rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -$DIG +tcp +cd -p "$PORT" -t ns 
inconsistent @10.53.0.4 >dig.out.ns4.test$n.1 || ret=1 -grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2" dig.out.ns4.test$n.1 >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n.1 >/dev/null && ret=1 -$DIG +tcp +cd +dnssec -p "$PORT" -t ns inconsistent @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 -grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2" dig.out.ns4.test$n.2 >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n.2 >/dev/null && ret=1 -$DIG +tcp +dnssec -p "$PORT" -t ns inconsistent @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 -grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.ns4.test$n.3 >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n.3 >/dev/null || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "checking that a insecure negative response where there is a NSEC without a RRSIG succeeds ($n)" -ret=0 -# check server preconditions -dig_with_opts +notcp @10.53.0.10 nsec-rrsigs-stripped. TXT +dnssec >dig.out.ns10.test$n -grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1 -grep "QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1" dig.out.ns10.test$n >/dev/null || ret=1 -grep "IN.RRSIG.NSEC" dig.out.ns10.test$n >/dev/null && ret=1 -# check resolver succeeds -dig_with_opts @10.53.0.4 nsec-rrsigs-stripped. 
TXT +dnssec >dig.out.ns4.test$n -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1" dig.out.ns4.test$n >/dev/null || ret=1 -grep "IN.RRSIG.NSEC" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "checking validating forwarder behavior with mismatching NS ($n)" -ret=0 -rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -$DIG +tcp +cd -p "$PORT" -t ns inconsistent @10.53.0.9 >dig.out.ns9.test$n.1 || ret=1 -grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.ns9.test$n.1 >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns9.test$n.1 >/dev/null && ret=1 -$DIG +tcp +cd +dnssec -p "$PORT" -t ns inconsistent @10.53.0.9 >dig.out.ns9.test$n.2 || ret=1 -grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.ns9.test$n.2 >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns9.test$n.2 >/dev/null && ret=1 -$DIG +tcp +dnssec -p "$PORT" -t ns inconsistent @10.53.0.9 >dig.out.ns9.test$n.3 || ret=1 -grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.ns9.test$n.3 >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns9.test$n.3 >/dev/null || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "checking forwarder CD behavior (DS mismatch and local trust anchor) ($n)" -ret=0 -rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -# confirm invalid DS produces SERVFAIL in resolver -$DIG +tcp +dnssec -p "$PORT" @10.53.0.4 localkey.example soa >dig.out.ns4.test$n || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 -# check that lookup using forwarder succeeds and that SERVFAIL was received -nextpart ns9/named.run >/dev/null -$DIG +tcp +dnssec -p "$PORT" @10.53.0.9 localkey.example soa >dig.out.ns9.test$n || ret=1 -grep "status: NOERROR" dig.out.ns9.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns9.test$n >/dev/null || ret=1 -nextpart 
ns9/named.run | grep 'status: SERVFAIL' >/dev/null || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -copy_setports ns4/named5.conf.in ns4/named.conf -rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i -sleep 3 - -echo_i "checking forwarder CD behavior (forward server with bad trust anchor) ($n)" -ret=0 -# confirm invalid trust anchor produces SERVFAIL in resolver -$DIG +tcp +dnssec -p "$PORT" @10.53.0.4 a.secure.example >dig.out.ns4.test$n || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 -# check that lookup using forwarder succeeds and that SERVFAIL was received -nextpart ns9/named.run >/dev/null -$DIG +tcp +dnssec -p "$PORT" @10.53.0.9 a.secure.example soa >dig.out.ns9.test$n || ret=1 -grep "status: NOERROR" dig.out.ns9.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns9.test$n >/dev/null || ret=1 -nextpart ns9/named.run | grep 'status: SERVFAIL' >/dev/null || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "exit status: $status" -[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dnssec/tests_badkey.py b/bin/tests/system/dnssec/tests_badkey.py new file mode 100644 index 0000000000..ca80734d4d --- /dev/null +++ b/bin/tests/system/dnssec/tests_badkey.py 
@@ -0,0 +1,89 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from dns import flags
+
+import pytest
+
+import isctest
+from isctest.util import param
+
+
+pytestmark = pytest.mark.extra_artifacts(
+ [
+ "*/K*",
+ "*/dsset-*",
+ "*/*.bk",
+ "*/*.conf",
+ "*/*.db",
+ "*/*.id",
+ "*/*.jnl",
+ "*/*.jbk",
+ "*/*.key",
+ "*/*.signed",
+ "*/settime.out.*",
+ "ans*/ans.run",
+ "*/trusted.keys",
+ "*/*.bad",
+ "*/*.next",
+ "*/*.stripped",
+ "*/*.tmp",
+ "*/*.stage?",
+ "*/*.patched",
+ "*/*.lower",
+ "*/*.upper",
+ "*/*.unsplit",
+ ]
+)
+
+
+@pytest.mark.parametrize(
+ "check, qname, qtype",
+ [
+ param("validation", "example.", "SOA"),
+ param("negative-validation", "example.", "PTR"),
+ param("insecurity-proof", "a.insecure.example.", "A"),
+ ],
+)
+def test_misconfigured_ta_servfail(check, qname, qtype):
+ isctest.log.info(f"check that {check} fails")
+ msg = isctest.query.create(qname, qtype)
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.servfail(res)
+
+
+@pytest.mark.parametrize(
+ "check, qname, qtype, rcode_func",
+ [
+ param("positive-answer", "example.", "SOA", isctest.check.noerror),
+ param("negative-answer", "q.example.", "SOA", isctest.check.nxdomain),
+ param("bogus-answer", "a.bogus.example.", "SOA", isctest.check.noerror),
+ param("insecurity-proof", "a.insecure.example.", "SOA", isctest.check.noerror),
+ param(
+ "negative-insecurity-proof",
+ "q.insecure.example.",
+ "SOA",
+ isctest.check.nxdomain,
+ ),
+ ],
+)
+def test_misconfigured_ta_with_cd(check, qname, qtype, rcode_func):
+ isctest.log.info(f"check {check} with CD=1")
+ msg = isctest.query.create(qname, qtype)
+ msg.flags |= flags.CD
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ rcode_func(res)
+ isctest.check.noadflag(res)
+
+ isctest.log.debug("compare the response from a correctly configured server")
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.noadflag(res2)
+ isctest.check.same_answer(res, res2)
diff --git a/bin/tests/system/dnssec/tests_badkey_broken.py b/bin/tests/system/dnssec/tests_badkey_broken.py
new file mode 100644
index 0000000000..8b27e19110
--- /dev/null
+++ b/bin/tests/system/dnssec/tests_badkey_broken.py
@@ -0,0 +1,42 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from dns import flags
+
+import pytest
+
+import isctest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def reconfigure(ns5, ns9, templates):
+ templates.render("ns5/named.conf", {"broken_key": True})
+ ns5.reconfigure(log=False)
+
+ templates.render("ns9/named.conf", {"forward_badkey": True})
+ ns9.reconfigure(log=False)
+
+
+def test_broken_forwarding(ns9):
+ # check forwarder CD behavior (forward server with bad trust anchor)
+
+ # confirm invalid trust anchor produces SERVFAIL in resolver
+ msg = isctest.query.create("a.secure.example.", "A")
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.servfail(res)
+
+ # check that lookup involving forwarder succeeds and SERVFAIL was received
+ with ns9.watch_log_from_here() as watcher:
+ msg = isctest.query.create("a.secure.example.", "SOA")
+ res = isctest.query.tcp(msg, "10.53.0.9")
+ isctest.check.noerror(res)
+ assert (res.flags & flags.AD) != 0
+ watcher.wait_for_line("status: SERVFAIL")
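Review bot: In `test_misconfigured_ta_with_cd` the reference response `res2` from the correctly configured ns4 is only checked with `noadflag` and `same_answer`, never for its rcode; for the two NXDOMAIN parameter sets both answer sections are empty, so a SERVFAIL from 10.53.0.4 would still compare equal and the test would pass against a broken reference server. Add `rcode_func(res2)` directly after `res2 = isctest.query.tcp(msg, "10.53.0.4")`. Whether `same_answer` also compares the authority section, which is where the NSEC/NSEC3 proofs for the negative cases actually live, is not visible here; if it compares only the answer section, the negative comparisons are vacuous and the authority sections should be compared too.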
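Review bot: The module-scoped `reconfigure` fixture rewrites ns5/named.conf and ns9/named.conf but never restores them, so ns9 stays in `forward_badkey` mode and ns5 in `broken_key` mode for every module that runs later in the same session; tests_badkey_revoked.py re-renders ns5, but nothing visible re-renders ns9. Turning it into a `yield` fixture that renders both templates with the flags cleared and reconfigures again removes the dependence on module ordering (this assumes the templates treat a false flag as the default configuration — confirm). Separately, `assert (res.flags & flags.AD) != 0` is the hand-rolled counterpart of the `isctest.check.noadflag` helper used in tests_badkey.py; if isctest provides the positive check, using it gives a consistent failure message.
```python
@pytest.fixture(scope="module", autouse=True)
def reconfigure(ns5, ns9, templates):
    # … unchanged: render broken_key / forward_badkey and reconfigure …
    yield
    # restore the default configuration so later modules start clean
    templates.render("ns5/named.conf", {"broken_key": False})
    ns5.reconfigure(log=False)
    templates.render("ns9/named.conf", {"forward_badkey": False})
    ns9.reconfigure(log=False)
```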
diff --git a/bin/tests/system/dnssec/tests_badkey_revoked.py b/bin/tests/system/dnssec/tests_badkey_revoked.py
new file mode 100644
index 0000000000..bc9a422dca
--- /dev/null
+++ b/bin/tests/system/dnssec/tests_badkey_revoked.py
@@ -0,0 +1,27 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+import isctest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def reconfigure(ns5, templates):
+ templates.render("ns5/named.conf", {"revoked_key": True})
+ ns5.reconfigure(log=False)
+
+
+def test_revoked_init():
+ # use a revoked key and check for failure when using revoked key
+ msg = isctest.query.create(".", "SOA")
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.servfail(res)
diff --git a/bin/tests/system/dnssec/tests_delv.py b/bin/tests/system/dnssec/tests_delv.py
new file mode 100644
index 0000000000..2e6f2f26c9
--- /dev/null
+++ b/bin/tests/system/dnssec/tests_delv.py
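Review bot: `templates.render("ns5/named.conf", {"revoked_key": True})` passes only the one flag, yet when this module runs after tests_badkey_broken.py ns5 is already in `broken_key` mode, and whether the render resets `broken_key` or carries the previous value over depends on the template, which is not visible here; rendering with `{"broken_key": False, "revoked_key": True}` makes the intended state explicit regardless of module order. `test_revoked_init` also asserts only SERVFAIL, which an unreachable root server would produce just as well; wrapping the query in `ns5.watch_log_from_here()` (the test would need the `ns5` fixture) and waiting for the validator's failure line would tie the failure to the revoked trust anchor — the exact log text has to be confirmed against named's output.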
@@ -0,0 +1,188 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import re
+import subprocess
+
+import pytest
+
+import isctest
+
+
+pytestmark = [
+ pytest.mark.skipif(bool(os.getenv("TSAN_OPTIONS", "")), reason="TSAN"),
+ pytest.mark.extra_artifacts(
+ [
+ "*/K*",
+ "*/dsset-*",
+ "*/*.bk",
+ "*/*.conf",
+ "*/*.db",
+ "*/*.id",
+ "*/*.jnl",
+ "*/*.jbk",
+ "*/*.key",
+ "*/*.signed",
+ "*/settime.out.*",
+ "ans*/ans.run",
+ "*/trusted.keys",
+ "*/*.bad",
+ "*/*.next",
+ "*/*.stripped",
+ "*/*.tmp",
+ "*/*.stage?",
+ "*/*.patched",
+ "*/*.lower",
+ "*/*.upper",
+ "*/*.unsplit",
+ ]
+ ),
+]
+
+
+# helper functions
+def grep_c(regex, data):
+ blob = data.splitlines()
+ results = [x for x in blob if re.search(regex, x)]
+ return len(results)
+
+
+# run delv
+def delv(*args, tkeys=False):
+ delv_cmd = [os.environ.get("DELV")]
+
+ tfile = "ns1/trusted.keys" if tkeys else "ns1/trusted.conf"
+ delv_cmd.extend(["@10.53.0.4", "-a", tfile, "-p", os.environ["PORT"]])
+ delv_cmd.extend(args)
+
+ return (
+ isctest.run.cmd(delv_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+ .stdout.decode("utf-8")
+ .strip()
+ )
+
+
+def test_positive_validation_delv():
+ # check positive validation NSEC
+ response = delv("a", "a.example")
+ assert grep_c("a.example..*10.0.0.1", response)
+ assert grep_c("a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*", response)
+
+ # check positive validation NSEC (trsuted-keys)
+ response = delv("a", "a.example", tkeys=True)
+ assert grep_c("a.example..*10.0.0.1", response)
+ assert grep_c("a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*", response)
+
+ # check positive validation NSEC3
+ response = delv("a", "a.nsec3.example")
+ assert grep_c("a.nsec3.example..*10.0.0.1", response)
+ assert grep_c("a.nsec3.example..*.RRSIG.A [0-9][0-9]* 3 300 .*", response)
+
+ # check positive validation OPTOUT
+ response = delv("a", "a.optout.example")
+ assert grep_c("a.optout.example..*10.0.0.1", response)
+ assert grep_c("a.optout.example..*.RRSIG.A [0-9][0-9]* 3 300 .*", response)
+
+ # check positive wildcard validation NSEC
+ response = delv("a", "a.wild.example")
+ assert grep_c("a.wild.example..*10.0.0.27", response)
+ assert grep_c("a.wild.example..*.RRSIG.A [0-9][0-9]* 2 300 .*", response)
+
+ # check positive wildcard validation NSEC3
+ response = delv("a", "a.wild.nsec3.example")
+ assert grep_c("a.wild.nsec3.example..*10.0.0.6", response)
+ assert grep_c("a.wild.nsec3.example..*.RRSIG.A [0-9][0-9]* 3 300 .*", response)
+
+ # check positive wildcard validation OPTOUT
+ response = delv("a", "a.wild.optout.example")
+ assert grep_c("a.wild.optout.example..*10.0.0.6", response)
+ assert grep_c("a.wild.optout.example..*.RRSIG.A [0-9][0-9]* 3 300 .*", response)
+
+
+def test_negative_validation_delv():
+ # checking negative validation NXDOMAIN NSEC
+ response = delv("a", "q.example")
+ assert grep_c("resolution failed: ncache nxdomain", response)
+
+ # checking negative validation NODATA NSEC
+ response = delv("txt", "a.example")
+ assert grep_c("resolution failed: ncache nxrrset", response)
+
+ # checking negative validation NXDOMAIN NSEC3
+ response = delv("a", "q.nsec3.example")
+ assert grep_c("resolution failed: ncache nxdomain", response)
+
+ # checking negative validation NODATA NSEC3
+ response = delv("txt", "a.nsec3.example")
+ assert grep_c("resolution failed: ncache nxrrset", response)
+
+ # checking negative validation NXDOMAIN OPTOUT
+ response = delv("a", "q.optout.example")
+ assert grep_c("resolution failed: ncache nxdomain", response)
+
+ # checking negative validation NODATA OPTOUT
+ response = delv("txt", "a.optout.example")
+ assert grep_c("resolution failed: ncache nxrrset", response)
+
+ # checking negative wildcard validation NSEC
+ response = delv("txt", "b.wild.example")
+ assert grep_c("resolution failed: ncache nxrrset", response)
+
+ # checking negative wildcard validation NSEC3
+ response = delv("txt", "b.wild.nsec3.example")
+ assert grep_c("resolution failed: ncache nxrrset", response)
+
+ # checking negative wildcard validation OPTOUT
+ response = delv("txt", "b.wild.optout.example")
+ assert grep_c("resolution failed: ncache nxrrset", response)
+
+
+def test_insecure_validation_delv():
+ # check 1-server insecurity proof NSEC
+ response = delv("a", "a.insecure.example")
+ assert grep_c("a.insecure.example..*10.0.0.1", response)
+
+ # check 1-server insecurity proof NSEC3
+ response = delv("a", "a.insecure.nsec3.example")
+ assert grep_c("a.insecure.nsec3.example..*10.0.0.1", response)
+
+ # check 1-server insecurity proof NSEC3
+ response = delv("a", "a.insecure.optout.example")
+ assert grep_c("a.insecure.optout.example..*10.0.0.1", response)
+
+ # check 1-server negative insecurity proof NSEC
+ response = delv("a", "q.insecure.example")
+ assert grep_c("resolution failed: ncache nxdomain", response)
+
+ # check 1-server negative insecurity proof NSEC3
+ response = delv("a", "q.insecure.nsec3.example")
+ assert grep_c("resolution failed: ncache nxdomain", response)
+
+ # check 1-server negative insecurity proof OPTOUT
+ response = delv("a", "q.insecure.optout.example")
+ assert grep_c("resolution failed: ncache nxdomain", response)
+
+
+def test_validation_failure_delv():
+ # check failed validation due to bogus data
+ response = delv("+cd", "a", "a.bogus.example")
+ assert grep_c("resolution failed: RRSIG failed to verify", response)
+
+ # check failed validation due to missing key record
+ response = delv("+cd", "a", "a.b.keyless.example")
+ assert grep_c("resolution failed: insecurity proof failed", response)
+
+
+def test_revoked_key_delv():
+ # check failed validation succeeds when a revoked key is encountered
+ response = delv("+cd", "soa", "revkey.example")
+ assert grep_c("fully validated", response)
diff --git a/bin/tests/system/dnssec/tests_policy.py b/bin/tests/system/dnssec/tests_policy.py
new file mode 100644
index 0000000000..f32406def4
--- /dev/null
+++ b/bin/tests/system/dnssec/tests_policy.py
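Review bot: In `delv()`, `delv_cmd = [os.environ.get("DELV")]` yields `[None]` when the variable is unset, which surfaces later as a TypeError from subprocess rather than a clear failure, while `os.environ["PORT"]` on the next line is strict; use `delv_cmd = [os.environ["DELV"]]` for consistency and a readable error. Two comment fixes in the same hunk: `# check positive validation NSEC (trsuted-keys)` should read `trusted-keys`, and the third block of `test_insecure_validation_delv` queries `a.insecure.optout.example` but is labelled `# check 1-server insecurity proof NSEC3`, which should say `OPTOUT`. The comment in `test_revoked_key_delv`, `# check failed validation succeeds when a revoked key is encountered`, contradicts itself; something like `# check that validation still succeeds when a revoked key is present` matches the `fully validated` assertion, adjusted to whatever revkey.example actually contains, which is not visible here.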
@@ -0,0 +1,115 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from datetime import timedelta
+import time
+
+from dns import rdatatype
+
+import pytest
+
+import isctest
+
+
+pytestmark = pytest.mark.extra_artifacts(
+ [
+ "*/K*",
+ "*/dsset-*",
+ "*/*.bk",
+ "*/*.conf",
+ "*/*.db",
+ "*/*.id",
+ "*/*.jnl",
+ "*/*.jbk",
+ "*/*.key",
+ "*/*.signed",
+ "*/settime.out.*",
+ "ans*/ans.run",
+ "*/trusted.keys",
+ "*/*.bad",
+ "*/*.next",
+ "*/*.stripped",
+ "*/*.tmp",
+ "*/*.stage?",
+ "*/*.patched",
+ "*/*.lower",
+ "*/*.upper",
+ "*/*.unsplit",
+ ]
+)
+
+
+def is_rrsig_soa(rrset):
+ return rrset.rdtype == rdatatype.RRSIG and rrset.covers == rdatatype.SOA
+
+
+def test_signatures_validity(ns3, templates):
+ # check that increasing signatures-validity triggers resigning
+ msg = isctest.query.create("siginterval.example.", "AXFR")
+ res = isctest.query.tcp(msg, "10.53.0.3")
+ before = next(filter(is_rrsig_soa, res.answer))
+
+ templates.render("ns3/named.conf", {"long_sigs": True})
+ with ns3.watch_log_from_here() as watcher:
+ ns3.reconfigure(log=False)
+ watcher.wait_for_line("siginterval.example/IN (signed): sending notifies")
+
+ res = isctest.query.tcp(msg, "10.53.0.3")
+ after = next(filter(is_rrsig_soa, res.answer))
+
+ assert after != before
+
+ ns3.rndc("sign siginterval.example", log=False)
+
+ msg = isctest.query.create("siginterval.example.", "SOA")
+ res = isctest.query.tcp(msg, "10.53.0.3")
+ sexp = res.answer[-1][0].expiration
+
+ msg = isctest.query.create("siginterval.example.", "DNSKEY")
+ res = isctest.query.tcp(msg, "10.53.0.3")
+ kexp = res.answer[-1][0].expiration
+
+ delta = 
timedelta(seconds=kexp - sexp)
+ assert delta > timedelta(days=54)
+
+
+def test_signatures_validity_hours_vs_days():
+ # zone configured with 'signatures-validity 500d; signatures-refresh 1d'
+ msg = isctest.query.create("hours-vs-days.", "AXFR")
+ res = isctest.query.tcp(msg, "10.53.0.2")
+
+ # 499 days in the future w/ a 20 minute runtime to now allowance
+ future = timedelta(days=499) - timedelta(minutes=20)
+ minimum = time.time() + future.total_seconds()
+ for rrset in res.answer:
+ if rrset.rdtype != rdatatype.RRSIG:
+ continue
+ assert rrset[0].expiration >= minimum
+
+
+def test_nsec_chain():
+ # check that NSEC records are properly generated when DNSKEYs
+ # are added by dnssec-policy
+ msg = isctest.query.create("auto-nsec.example", "A")
+ res = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.adflag(res)
+ assert [a for a in res.authority if a.rdtype == rdatatype.NSEC]
+
+
+def test_nsec3_chain():
+ # check that NSEC3 records are properly generated when DNSKEYs
+ # are added by dnssec-policy
+ msg = isctest.query.create("auto-nsec3.example", "A")
+ res = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.adflag(res)
+ assert [a for a in res.authority if a.rdtype == rdatatype.NSEC3]
diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
deleted file mode 100644
index c717eaff8f..0000000000
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ /dev/null 
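Review bot: In test_signatures_validity_hours_vs_days only the first rdata of each RRSIG RRset is examined (`assert rrset[0].expiration >= minimum`), so a zone signed by more than one key would pass even if a second signature in the same RRset had a short expiration; iterate over the RRset instead, `for rr in rrset: assert rr.expiration >= minimum, str(rr)`. The `assert [a for a in res.authority if ...]` checks in test_nsec_chain and test_nsec3_chain would read more directly as `assert any(a.rdtype == rdatatype.NSEC for a in res.authority)`, which also avoids building a throwaway list. In test_signatures_validity the two `next(filter(is_rrsig_soa, ...))` calls raise a bare StopIteration when the AXFR carries no SOA RRSIG; an explicit `assert` with `str(res)` as the message would make that failure diagnosable.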
@@ -1,195 +0,0 @@ -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -import pytest - -pytestmark = pytest.mark.extra_artifacts( - [ - ".hypothesis/examples/*", - "K*", - "canonical*", - "delv.out*", - "dig.out.*", - "dnssectools.out.*", - "dsfromkey.out.*", - "keygen*.err*", - "named.secroots.*", - "nsupdate.out.*", - "python.out.*", - "rndc.out.*", - "signing.out.*", - "*/K*", - "*/dsset-*", - "*/managed.conf", - "*/trusted.conf", - "*/*.bk", - "*/*.jnl", - "*/*.jbk", - "*/*.signed", - "*/*.mkeys*", - "ans*/ans.run", - "ans*/query.log", - "ns1/managed.key.id", - "ns1/root.db", - "ns1/trusted.keys", - "ns2/algroll.db", - "ns2/badparam.db", - "ns2/badparam.db.bad", - "ns2/cdnskey-update.secure.db", - "ns2/cdnskey-update.secure.id", - "ns2/cdnskey-x.secure.db", - "ns2/cdnskey.secure.db", - "ns2/cds-update.secure.db", - "ns2/cds-update.secure.id", - "ns2/cds-x.secure.db", - "ns2/cds.secure.db", - "ns2/dnskey-rrsigs-stripped.db", - "ns2/dnskey-rrsigs-stripped.db.next", - "ns2/dnskey-rrsigs-stripped.db.stripped", - "ns2/child.ds-rrsigs-stripped.db", - "ns2/ds-rrsigs-stripped.db", - "ns2/ds-rrsigs-stripped.db.next", - "ns2/ds-rrsigs-stripped.db.stripped", - "ns2/example.db", - "ns2/in-addr.arpa.db", - "ns2/lazy-ksk.db", - "ns2/managed.db", - "ns2/nsec3chain-test.db", - "ns2/peer-ns-spoof.db", - "ns2/peer.peer-ns-spoof.db", - "ns2/peer.peer-ns-spoof.db.next", - "ns2/peer.peer-ns-spoof.db.stripped", - "ns2/settime.out.updatecheck-kskonly.secure.ksk", - "ns2/settime.out.updatecheck-kskonly.secure.zsk", - "ns2/single-nsec3.db", - "ns2/too-many-iterations.db", - "ns2/inconsistent.db", - "ns2/trusted.db", - 
"ns2/updatecheck-kskonly.secure.ksk.id", - "ns2/updatecheck-kskonly.secure.ksk.key", - "ns2/updatecheck-kskonly.secure.zsk.id", - "ns2/updatecheck-kskonly.secure.zsk.id2", - "ns2/updatecheck-kskonly.secure.zsk.id3", - "ns2/updatecheck-kskonly.secure.zsk.key", - "ns3/NSEC", - "ns3/NSEC3", - "ns3/auto-nsec.example.db", - "ns3/auto-nsec3.example.db", - "ns3/badds.example.db", - "ns3/bogus.example.db", - "ns3/digest-alg-unsupported.example.db", - "ns3/disabled.managed.db", - "ns3/disabled.trusted.db", - "ns3/dname-at-apex-nsec3.example.db", - "ns3/dnskey-nsec3-unknown.example.db", - "ns3/dnskey-nsec3-unknown.example.db.tmp", - "ns3/dnskey-unknown.example.db", - "ns3/dnskey-unknown.example.db.tmp", - "ns3/dnskey-unsupported-2.example.db", - "ns3/dnskey-unsupported.example.db", - "ns3/dnskey-unsupported.example.db.tmp", - "ns3/ds-unsupported.example.db", - "ns3/dynamic.example.db", - "ns3/enabled.managed.db", - "ns3/enabled.trusted.db", - "ns3/example.bk", - "ns3/expired.example.db", - "ns3/expiring.example.db", - "ns3/extended-ds-unknown-oid.example.db", - "ns3/extended-ds-unknown-oid.example.db.stage1", - "ns3/extended-ds-unknown-oid.example.db.stage2", - "ns3/extradsoid.example.db", - "ns3/extradsunknownoid.example.db", - "ns3/extradsunknownoid.example.db.stage1", - "ns3/extradsunknownoid.example.db.stage2", - "ns3/future.example.db", - "ns3/keyless.example.db", - "ns3/kskonly.example.db", - "ns3/localkey.example.db", - "ns3/lower.example.db", - "ns3/managed-future.example.db", - "ns3/multiple.example.db", - "ns3/nsec3-unknown.example.db", - "ns3/nsec3.example.db", - "ns3/nsec3.nsec3.example.db", - "ns3/nsec3.optout.example.db", - "ns3/nsec3chain-test.bk", - "ns3/occluded.example.db", - "ns3/optout-unknown.example.db", - "ns3/optout.example.db", - "ns3/optout.nsec3.example.db", - "ns3/optout.optout.example.db", - "ns3/revkey.example.db", - "ns3/revoked.managed.db", - "ns3/revoked.trusted.db", - "ns3/rfc2335.example.bk", - "ns3/rsasha256.example.db", - 
"ns3/rsasha256oid.example.db", - "ns3/rsasha512.example.db", - "ns3/rsasha512oid.example.db", - "ns3/secure.below-cname.example.db", - "ns3/secure.example.db", - "ns3/secure.managed.db", - "ns3/secure.nsec3.example.db", - "ns3/secure.optout.example.db", - "ns3/secure.trusted.db", - "ns3/siginterval.conf", - "ns3/siginterval.example.db", - "ns3/split-dnssec.example.db", - "ns3/split-smart.example.db", - "ns3/target.peer-ns-spoof.db", - "ns3/trusted-future.key", - "ns3/ttlpatch.example.db", - "ns3/ttlpatch.example.db.patched", - "ns3/unknownoid.example.db", - "ns3/unknownoid.example.db.stage1", - "ns3/unknownoid.example.db.stage2", - "ns3/unsupported.managed.db", - "ns3/unsupported.managed.db.tmp", - "ns3/unsupported.trusted.db", - "ns3/unsupported.trusted.db.tmp", - "ns3/update-nsec3.example.db", - "ns3/update-nsec3.example.db.signed", - "ns3/upper.example.db", - "ns3/upper.example.db.lower", - "ns4/broken.conf", - "ns4/managed.conf", - "ns4/managed-keys.bind", - "ns4/named.secroots", - "ns4/named_dump.db", - "ns4/named_dump.db.*", - "ns5/revoked.conf", - "ns6/optout-tld.db", - "ns7/split-rrsig.db", - "ns7/split-rrsig.db.unsplit", - "ns9/trusted-localkey.conf", - "signer/example.db", - "signer/example.db.after", - "signer/example.db.before", - "signer/example.db.changed", - "signer/example2.db", - "signer/example3.db", - "signer/general/dnskey.expect", - "signer/general/dsset-*", - "signer/general/signed.expect", - "signer/general/signed.zone", - "signer/general/signer.out.*", - "signer/nsec3param.out", - "signer/prepub.db", - "signer/revoke.example.db", - "signer/signer.err.*", - "signer/signer.out.*", - ] -) - - -def test_dnssec(run_tests_sh): - run_tests_sh() diff --git a/bin/tests/system/dnssec/tests_signing.py b/bin/tests/system/dnssec/tests_signing.py new file mode 100644 index 0000000000..2ff3e0e063 --- /dev/null +++ b/bin/tests/system/dnssec/tests_signing.py 
@@ -0,0 +1,635 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from collections import namedtuple +import os +import re +import struct +import time + +from dns import dnssec, name, rdataclass, rdatatype, update + +import pytest + +pytest.importorskip("dns", minversion="2.0.0") +import isctest + + +pytestmark = pytest.mark.extra_artifacts( + [ + "*/K*", + "*/dsset-*", + "*/*.bk", + "*/*.conf", + "*/*.db", + "*/*.id", + "*/*.jnl", + "*/*.jbk", + "*/*.key", + "*/*.signed", + "*/settime.out.*", + "ans*/ans.run", + "*/trusted.keys", + "*/*.bad", + "*/*.next", + "*/*.stripped", + "*/*.tmp", + "*/*.stage?", + "*/*.patched", + "*/*.lower", + "*/*.upper", + "*/*.unsplit", + ] +) + + +# helper functions +def grep_c(regex, filename): + with open(filename, "r", encoding="utf-8") as f: + blob = f.read().splitlines() + results = [x for x in blob if re.search(regex, x)] + return len(results) + + +# run dnssec-keygen +def keygen(*args): + keygen_cmd = [os.environ.get("KEYGEN")] + keygen_cmd.extend(args) + return isctest.run.cmd(keygen_cmd, log_stdout=True).stdout.decode("utf-8").strip() + + +# run dnssec-settime +def settime(*args): + settime_cmd = [os.environ.get("SETTIME")] + settime_cmd.extend(args) + return isctest.run.cmd(settime_cmd, log_stdout=True).stdout.decode("utf-8").strip() + + +@pytest.mark.parametrize( + "domain", + [ + "auto-nsec.example", + "auto-nsec3.example", + ], +) +def test_signing_complete(domain): + PrivateType = namedtuple("PrivateType", ["alg", "key", "rem", "complete"]) + + def convert_private(rdata) -> PrivateType: + length = len(rdata.to_wire()) + assert length in (5, 7) + if 
length == 7: + _, key, rem, complete, alg = struct.unpack(">BHBBH", rdata.to_wire()) + else: + alg, key, rem, complete = struct.unpack(">BHBB", rdata.to_wire()) + return PrivateType(alg, key, rem, complete) + + # query for a private type record, make sure it shows "complete" + def check_complete(): + msg = isctest.query.create(domain, 65534) + res = isctest.query.tcp(msg, "10.53.0.3") + assert res.answer + for rdata in res.answer[0]: + record = convert_private(rdata) + assert record.complete + return True + + isctest.run.retry_with_timeout(check_complete, 10) + + +def test_split_dnssec(): + # check that split-dnssec signing worked (dnssec-signzone -D) + msg = isctest.query.create("split-dnssec.example.", "SOA") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.rr_count_eq(res2.answer, 2) + isctest.check.adflag(res2) + + # check that smart split-dnssec signing worked (dnssec-signzone -DS) + msg = isctest.query.create("split-smart.example.", "SOA") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.rr_count_eq(res2.answer, 2) + isctest.check.adflag(res2) + + +def test_expiring_rrsig(): + # check soon-to-expire RRSIGs without a replacement private + # key aren't deleted. 
this response has to have an RRSIG: + msg = isctest.query.create("expiring.example.", "NS") + res = isctest.query.tcp(msg, "10.53.0.3") + _, sigs = res.answer + assert sigs + + # check that named doesn't loop when private keys are not available + n = grep_c("reading private key file expiring.example", "ns3/named.run") + assert n < 15 + + # check expired signatures stay place when updates are disabled + msg = isctest.query.create("expired.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.3") + _, sigs = res.answer + assert sigs + + +def test_apex_signing(): + # check that DNAME at apex with NSEC3 is correctly signed + msg = isctest.query.create("dname-at-apex-nsec3.example.", "TXT") + res = isctest.query.tcp(msg, "10.53.0.3") + sigs = [str(a) for a in res.authority if a.rdtype == rdatatype.RRSIG] + alg = os.environ.get("DEFAULT_ALGORITHM_NUMBER") + assert any(f"NSEC3 {alg} 3 600" in a for a in sigs) + + +def test_occluded_data(): + # check that DNSKEY and other occluded data are excluded from + # a delegating bitmap + msg = isctest.query.create("occluded.example.", "AXFR") + res = isctest.query.tcp(msg, "10.53.0.3") + + n = "delegation.occluded.example." 
+ delegation = [r for r in res.answer if str(r.name) == n] + assert [r for r in delegation if r.rdtype == rdatatype.DNSKEY], str(delegation) + assert [r for r in delegation if r.rdtype == rdatatype.AAAA], str(delegation) + nsec = [r for r in delegation if r.rdtype == rdatatype.NSEC] + assert nsec, str(delegation) + assert "DNSKEY" not in str(nsec[0]), str(res) + assert "AAAA" not in str(nsec[0]), str(res) + + # check that DNSSEC records are occluded from ANY in an insecure zone + msg = isctest.query.create("x.extrakey.example.", "ANY") + res = isctest.query.tcp(msg, "10.53.0.3") + isctest.check.noerror(res) + isctest.check.empty_answer(res) + msg = isctest.query.create("z.secure.example.", "ANY") + res = isctest.query.tcp(msg, "10.53.0.3") + isctest.check.noerror(res) + isctest.check.rr_count_eq(res.answer, 4) # A+RRSIG, NSEC+RRSIG + + +def test_update_signing(): + # minimal update test: add and delete a single record + up = update.UpdateMessage("dynamic.example.") + up.add("a.dynamic.example.", 300, "A", "73.80.65.49") + res = isctest.query.tcp(up, "10.53.0.3") + isctest.check.noerror(res) + + up = update.UpdateMessage("dynamic.example.") + up.delete("a.dynamic.example.") + res = isctest.query.tcp(up, "10.53.0.3") + isctest.check.noerror(res) + + msg = isctest.query.create("a.dynamic.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res) + isctest.check.adflag(res) + + # check that the NSEC3 record for the apex is properly signed + # when a DNSKEY is added via UPDATE + key = keygen( + "-Kns3", "-q3fk", "-a", os.environ["DEFAULT_ALGORITHM"], "update-nsec3.example." 
+ ) + + with open(f"ns3/{key}.key", "r", encoding="utf-8") as f: + dnskey = f.read().splitlines()[-1] + dnskey = " ".join(dnskey.split()[3:]) + + up = update.UpdateMessage("update-nsec3.example.") + up.add("update-nsec3.example.", 300, "DNSKEY", dnskey) + res = isctest.query.tcp(up, "10.53.0.3") + isctest.check.noerror(res) + + msg = isctest.query.create("update-nsec3.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + nsec3 = [str(a) for a in res.authority if a.rdtype == rdatatype.NSEC3] + assert any("1 0 0 -" in a for a in nsec3) + + +def test_cds_signing(): + # check that CDS records are signed using KSK+ZSK by dnssec-signzone + msg = isctest.query.create("cds.secure.", "CDS") + res = isctest.query.tcp(msg, "10.53.0.2") + cds, sigs = res.answer + assert len(sigs) == 2 + + # check that CDS records are not signed using ZSK by dnssec-signzone -x + msg = isctest.query.create("cds-x.secure.", "CDS") + res = isctest.query.tcp(msg, "10.53.0.2") + cds, sigs = res.answer + assert len(sigs) == 2 # there are two KSKs here + + # check that CDS records are signed using KSK by dnssec-policy + msg = isctest.query.create("cds-auto.secure.", "CDS") + res = isctest.query.tcp(msg, "10.53.0.2") + cds, sigs = res.answer + assert len(sigs) == 1 + + # check that CDS records are signed only using KSK when added by nsupdate + with open("ns2/cds-update.secure.id", encoding="utf-8") as f: + keyid = int(f.read().splitlines()[0]) + up = update.UpdateMessage("cds-update.secure.") + up.delete("cds-update.secure.", "CDS") + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + msg = isctest.query.create("cds-update.secure.", "DNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + isctest.check.noerror(res) + dnskeys, sigs = res.answer + ksk = [a for a in dnskeys if a.flags == 257][0] + ds = dnssec.make_ds("cds-update.secure.", ksk, 2) + up.add("cds-update.secure.", 1, "CDS", str(ds)) + res = 
isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + msg = isctest.query.create("cds-update.secure.", "CDS") + res = isctest.query.tcp(msg, "10.53.0.2") + cds, sig = res.answer + assert len(cds) == 1 + assert len(sig) == 1 + assert sig[0].key_tag == keyid + + # check that CDS deletion records are signed only using KSK when + # added by nsupdate + up = update.UpdateMessage("cds-update.secure.") + up.delete("cds-update.secure.", "CDS") + up.add("cds-update.secure.", 0, "CDS", "0 0 0 00") + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + msg = isctest.query.create("cds-update.secure.", "CDS") + res = isctest.query.tcp(msg, "10.53.0.2") + cds, sig = res.answer + assert len(cds) == 1 + assert "0 0 0 00" in str(cds[0]) + assert len(sig) == 1 + assert sig[0].key_tag == keyid + + # check that a non-matching CDS record is accepted with a + # matching CDS record. first, generate a DNSKEY with different flags: + badksk = type(ksk)( + ksk.rdclass, ksk.rdtype, ksk.flags + 1, ksk.protocol, ksk.algorithm, ksk.key + ) + up = update.UpdateMessage("cds-update.secure.") + badds = dnssec.make_ds("cds-update.secure.", badksk, 2) + up.delete("cds-update.secure.", "CDS") + up.add("cds-update.secure.", 1, "CDS", str(ds)) + up.add("cds-update.secure.", 1, "CDS", str(badds)) + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + msg = isctest.query.create("cds-update.secure.", "CDS") + res = isctest.query.tcp(msg, "10.53.0.2") + cds, sig = res.answer + assert len(cds) == 2 + assert len(sig) == 1 + + +def test_cdnskey_signing(): + # check that CDNSKEY records are signed using KSK+ZSK by dnssec-signzone + msg = isctest.query.create("cdnskey.secure.", "CDNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + cdnskey, sigs = res.answer + assert len(sigs) == 2 + + # check that CDNSKEY records are not signed using ZSK by dnssec-signzone -x + msg = isctest.query.create("cdnskey-x.secure.", "CDNSKEY") + res = isctest.query.tcp(msg, 
"10.53.0.2") + cdnskey, sigs = res.answer + assert len(sigs) == 2 # two KSKs here + + # check that CDNSKEY records are signed using KSK by dnssec-policy + msg = isctest.query.create("cdnskey-auto.secure.", "CDNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + cdnskey, sigs = res.answer + assert len(sigs) == 1 + + # check that CDNSKEY records are signed only using KSK + # when added by nsupdate + with open("ns2/cdnskey-update.secure.id", encoding="utf-8") as f: + keyid = int(f.read().splitlines()[0]) + up = update.UpdateMessage("cdnskey-update.secure.") + up.delete("cdnskey-update.secure.", "CDNSKEY") + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + msg = isctest.query.create("cdnskey-update.secure.", "DNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + isctest.check.noerror(res) + dnskeys, sigs = res.answer + ksk = [a for a in dnskeys if a.flags == 257][0] + up.add("cdnskey-update.secure.", 1, "CDNSKEY", str(ksk)) + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + msg = isctest.query.create("cdnskey-update.secure.", "CDNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + cdnskey, sig = res.answer + assert len(cdnskey) == 1 + assert len(sig) == 1 + assert sig[0].key_tag == keyid + + # check that CDNSKEY deletion records are signed only using KSK when + # added by nsupdate + up = update.UpdateMessage("cdnskey-update.secure.") + up.delete("cdnskey-update.secure.", "CDNSKEY") + up.add("cdnskey-update.secure.", 0, "CDNSKEY", "0 3 0 AA==") + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + msg = isctest.query.create("cdnskey-update.secure.", "CDNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + cdnskey, sig = res.answer + assert len(cdnskey) == 1 + assert "0 3 0 AA==" in str(cdnskey[0]) + assert len(sig) == 1 + assert sig[0].key_tag == keyid + + # check that a non-matching CDNSKEY record is accepted with a + # matching CDNSKEY record. 
first, generate a DNSKEY with different flags: + badksk = type(ksk)( + ksk.rdclass, ksk.rdtype, ksk.flags + 1, ksk.protocol, ksk.algorithm, ksk.key + ) + up = update.UpdateMessage("cdnskey-update.secure.") + up.delete("cdnskey-update.secure.", "CDNSKEY") + up.add("cdnskey-update.secure.", 1, "CDNSKEY", str(ksk)) + up.add("cdnskey-update.secure.", 1, "CDNSKEY", str(badksk)) + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + msg = isctest.query.create("cdnskey-update.secure.", "CDNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + cdnskey, sig = res.answer + assert len(cdnskey) == 2 + assert len(sig) == 1 + + +@pytest.mark.parametrize( + "cmd", + [ + "signing", # without arguments + "signing -list", # without zone + "signing -clear", # without zone + "signing -clear all", # without zone + ], +) +def test_rndc_signing_except(cmd, ns3): + # check that 'rndc signing' errors are handled + with pytest.raises(isctest.rndc.RNDCException): + ns3.rndc(cmd, log=False) + ns3.rndc("status", log=False) + + +def test_rndc_signing_output(ns3): + response = ns3.rndc("signing -list dynamic.example", log=False) + assert "No signing records found" in response + + +def test_zonestatus_signing(ns3): + # check that the correct resigning time is reported in zonestatus. + # zonestatus reports a name/type and expecting resigning time; + # we convert the time to seconds since epoch, look up the RRSIG + # for the name and type, and check that the resigning time is + # after the inception and before the expiration. 
+ + response = ns3.rndc("zonestatus secure.example", log=False) + + # next resign node: secure.example/DNSKEY + nrn = [r for r in response.splitlines() if "next resign node" in r][0] + rdname, rdtype = nrn.split()[3].split("/") + + # next resign time: Thu, 24 Apr 2014 10:38:16 GMT + nrt = [r for r in response.splitlines() if "next resign time" in r][0] + rtime = " ".join(nrt.split()[3:]) + rt = time.strptime(rtime, "%a, %d %b %Y %H:%M:%S %Z") + when = int(time.strftime("%s", rt)) + + msg = isctest.query.create(rdname, rdtype) + res = isctest.query.tcp(msg, "10.53.0.3") + _, sigs = res.answer + assert sigs[0].inception < when + assert when < sigs[0].expiration + + +def test_offline_ksk_signing(ns2): + def getfrom(file): + with open(file, encoding="utf-8") as f: + return f.read().strip() + + def getkeyid(key: str): + m = re.match(r"K.*\+\d*\+(\d*)", key) + return int(m.group(1)) + + def check_signing_keys(types: list[str], expect: list[str], prohibit: list[str]): + for qtype in types: + isctest.log.debug(f"checking signing keys for {qtype}") + msg = isctest.query.create(zone, qtype) + res = isctest.query.tcp(msg, "10.53.0.2") + assert res.answer, str(res) + rrset = res.get_rrset( + res.answer, + name.from_text(f"{zone}."), + rdataclass.IN, + rdatatype.RRSIG, + rdatatype.RdataType.make(qtype), + ) + assert rrset, f"expected RRSIG({qtype}) missing from ANSWER" + str(res) + keys = {rr.key_tag for rr in rrset} + assert len(keys) == 1, str(res) + for exp in expect: + assert exp in keys + for proh in prohibit: + assert proh not in keys + return True + + def check_zskcount(): + msg = isctest.query.create(zone, "DNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + dnskeys, _ = res.answer + zskcount = len([rr for rr in dnskeys if rr.flags == 256]) + assert zskcount == 2, str(res) + return True + + def ksk_remove(): + isctest.log.info("remove the KSK from disk") + os.rename(f"ns2/{KSK}.key", f"ns2/{KSK}.key.bak") + os.rename(f"ns2/{KSK}.private", f"ns2/{KSK}.private.bak") + 
+ def ksk_recover(): + isctest.log.info("put back the KSK") + os.rename(f"ns2/{KSK}.key.bak", f"ns2/{KSK}.key") + os.rename(f"ns2/{KSK}.private.bak", f"ns2/{KSK}.private") + + def loadkeys(): + pattern = re.compile(f"{zone}/IN.*next key event") + with ns2.watch_log_from_here() as watcher: + ns2.rndc(f"loadkeys {zone}", log=False) + watcher.wait_for_line(pattern) + + ksk_only_types = ["DNSKEY", "CDNSKEY", "CDS"] + + zone = "updatecheck-kskonly.secure" + KSK = getfrom(f"ns2/{zone}.ksk.key") + ZSK = getfrom(f"ns2/{zone}.zsk.key") + KSKID = int(getfrom(f"ns2/{zone}.ksk.id")) + ZSKID = int(getfrom(f"ns2/{zone}.zsk.id")) + + # set key state for KSK. the ZSK rollovers below assume that there is a + # chain of trust established, so we tell named that the DS is in + # omnipresent state. + settime("-s", "-d", "OMNIPRESENT", "now", "-Kns2", KSK) + + isctest.log.info("check state before KSK is made offline") + isctest.log.info("make sure certain types are signed with KSK only") + check_signing_keys(ksk_only_types, expect=[KSKID], prohibit=[ZSKID]) + + isctest.log.info("check SOA is signed with ZSK only") + check_signing_keys(["SOA"], expect=[ZSKID], prohibit=[KSKID]) + + isctest.log.info("roll the ZSK") + ZSK2 = keygen( + "-qKns2", + "-Pnone", + "-Anone", + "-a", + os.environ["DEFAULT_ALGORITHM"], + "-b", + os.environ["DEFAULT_BITS"], + zone, + ) + ZSKID2 = getkeyid(ZSK2) + + isctest.log.info("prepublish new ZSK") + ns2.rndc(f"dnssec -rollover -key {ZSKID} {zone}", log=False) + isctest.run.retry_with_timeout(check_zskcount, 5) + + isctest.log.info("make the new ZSK active") + settime("-sKns2", "-Inow", ZSK) + settime("-sKns2", "-Anow", "-k", "OMNIPRESENT", "now", ZSK2) + loadkeys() + + with ns2.watch_log_from_start() as watcher: + watcher.wait_for_line( + [f"{ZSKID2} (ZSK) is now active", f"{ZSKID} (ZSK) is now inactive"] + ) + + ksk_remove() + + isctest.log.info("update the zone, requiring a resign of the SOA RRset") + up = update.UpdateMessage(f"{zone}.") + 
up.add(f"{zone}.", 300, "TXT", "added by UPDATE") + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + isctest.log.info( + "redo the tests now that the zone is updated and the KSK is offline" + ) + isctest.log.info("make sure certain types are signed with KSK only") + check_signing_keys(ksk_only_types, expect=[KSKID], prohibit=[ZSKID, ZSKID2]) + + isctest.log.info("check TXT, SOA are signed with ZSK2 only") + + def check_txt_soa_zsk2(): + return check_signing_keys( + ["TXT", "SOA"], expect=[ZSKID2], prohibit=[KSKID, ZSKID] + ) + + isctest.run.retry_with_timeout(check_txt_soa_zsk2, 5) + + ksk_recover() + + isctest.log.info("roll the ZSK again") + ZSK3 = keygen( + "-qKns2", + "-Pnone", + "-Anone", + "-a", + os.environ["DEFAULT_ALGORITHM"], + "-b", + os.environ["DEFAULT_BITS"], + zone, + ) + ZSKID3 = getkeyid(ZSK3) + + isctest.log.info("delete old ZSK, schedule ZSK2 inactive, pre-publish ZSK3") + settime("-sKns2", "-k", "HIDDEN", "now", "-z", "HIDDEN", "now", "-Dnow", ZSK) + settime("-sKns2", "-k", "OMNIPRESENT", "now", "-z", "OMNIPRESENT", "now", ZSK2) + loadkeys() + ns2.rndc(f"dnssec -rollover -key {ZSKID2} {zone}", log=False) + + with ns2.watch_log_from_start() as watcher: + watcher.wait_for_line(f"{ZSKID3} (ZSK) is now published") + + ksk_remove() + + isctest.log.info("update the zone again, requiring a resign of the SOA RRset") + up = update.UpdateMessage(f"{zone}.") + up.add(f"{zone}.", 300, "TXT", "added by UPDATE again") + up.add(f"{zone}.", 300, "A", "1.2.3.4") + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + isctest.log.info("redo the tests now that the ZSK roll has deleted the old key") + + isctest.log.info("make sure certain types are signed with KSK only") + check_signing_keys(ksk_only_types, expect=[KSKID], prohibit=[ZSKID, ZSKID2, ZSKID3]) + + isctest.log.info("check A, TXT, SOA are signed with ZSK2 only") + + def check_a_txt_soa_zsk2(): + return check_signing_keys( + ["A", "TXT", "SOA"], 
expect=[ZSKID2], prohibit=[KSKID, ZSKID, ZSKID3] + ) + + isctest.run.retry_with_timeout(check_a_txt_soa_zsk2, 5) + + ksk_recover() + + isctest.log.info("make ZSK3 active") + settime("-sKns2", "-Inow", ZSK2) + settime("-sKns2", "-k", "OMNIPRESENT", "now", "-Anow", ZSK3) + loadkeys() + + with ns2.watch_log_from_start() as watcher: + watcher.wait_for_line( + [f"{ZSKID3} (ZSK) is now active", f"{ZSKID2} (ZSK) is now inactive"] + ) + + ksk_remove() + + isctest.log.info("update the zone again, requiring a resign of the SOA RRset") + up = update.UpdateMessage(f"{zone}.") + up.add(f"{zone}.", 300, "TXT", "added by UPDATE one more time") + up.add(f"{zone}.", 300, "A", "4.3.2.1") + up.add(f"{zone}.", 300, "AAAA", "dead::beef") + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + isctest.log.info("redo the tests one last time") + isctest.log.info("make sure certain types are signed with KSK only") + check_signing_keys(ksk_only_types, expect=[KSKID], prohibit=[ZSKID, ZSKID2, ZSKID3]) + + isctest.log.info("check A, TXT, SOA are signed with ZSK2 only") + + def check_aaaa_a_txt_soa_zsk3(): + return check_signing_keys( + ["AAAA", "A", "TXT", "SOA"], + expect=[ZSKID3], + prohibit=[KSKID, ZSKID, ZSKID2], + ) + + isctest.run.retry_with_timeout(check_aaaa_a_txt_soa_zsk3, 5) diff --git a/bin/tests/system/dnssec/tests_tat.py b/bin/tests/system/dnssec/tests_tat.py new file mode 100644 index 0000000000..48e7891ca3 --- /dev/null +++ b/bin/tests/system/dnssec/tests_tat.py 
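Review bot: In test_offline_ksk_signing the three `ksk_remove()` … `ksk_recover()` pairs are not protected by try/finally, so a failing assert or a retry_with_timeout expiry in between leaves the KSK's `.key`/`.private` files renamed to `.bak` under ns2, which may break later tests in the module and the artifact cleanup; wrap each offline section as below (or turn ksk_remove/ksk_recover into a contextlib context manager). Separately, test_zonestatus_signing converts the parsed GMT timestamp with `time.strftime("%s", rt)`, which is a glibc extension and treats the struct_time as local time, so `when` is shifted by the host's UTC offset; `calendar.timegm(rt)` is portable and correct for a GMT string (needs `import calendar`). The keygen and settime helpers use `os.environ.get("KEYGEN")` / `os.environ.get("SETTIME")`, which puts `None` into the argv list when the variable is unset and fails inside subprocess with an unhelpful TypeError; `os.environ["KEYGEN"]` fails with a KeyError naming the variable, matching the `os.environ["DEFAULT_ALGORITHM"]` style used elsewhere in this file.
```python
    ksk_remove()
    try:
        # … unchanged: UPDATE of the zone and the check_signing_keys calls …
        isctest.run.retry_with_timeout(check_txt_soa_zsk2, 5)
    finally:
        ksk_recover()
    # … same try/finally around the other two ksk_remove()/ksk_recover() pairs …
```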
@@ -0,0 +1,88 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import re
+
+from dns import edns
+
+import pytest
+
+import isctest
+
+
+pytestmark = pytest.mark.extra_artifacts(
+ [
+ "*/K*",
+ "*/dsset-*",
+ "*/*.bk",
+ "*/*.conf",
+ "*/*.db",
+ "*/*.id",
+ "*/*.jnl",
+ "*/*.jbk",
+ "*/*.key",
+ "*/*.signed",
+ "*/settime.out.*",
+ "ans*/ans.run",
+ "*/trusted.keys",
+ "*/*.bad",
+ "*/*.next",
+ "*/*.stripped",
+ "*/*.tmp",
+ "*/*.stage?",
+ "*/*.patched",
+ "*/*.lower",
+ "*/*.upper",
+ "*/*.unsplit",
+ ]
+)
+
+
+def test_tat_queries(ns1, ns6):
+ # check that trust-anchor-telemetry queries are logged
+ with ns6.watch_log_from_start() as watcher:
+ watcher.wait_for_line("sending trust-anchor-telemetry query '_ta-")
+
+ # check that _ta-XXXX trust-anchor-telemetry queries are logged
+ with ns1.watch_log_from_start() as watcher:
+ watcher.wait_for_line("trust-anchor-telemetry '_ta-")
+
+ # check that _ta-AAAA trust-anchor-telemetry are not sent when disabled
+ ns1.log.prohibit("sending trust-anchor-telemetry query '_ta")
+
+ # check that KEY-TAG (ednsopt 14) trust-anchor-telemetry queries are
+ # logged. this matches "dig . 
dnskey +ednsopt=KEY-TAG:ffff": + msg = isctest.query.create(".", "DNSKEY") + opt = edns.GenericOption(14, b"\xff\xff") + msg.use_edns(edns=True, options=[opt]) + pattern = re.compile("trust-anchor-telemetry './IN' from .* 65535") + with ns1.watch_log_from_here() as watcher: + res = isctest.query.tcp(msg, "10.53.0.1") + watcher.wait_for_line(pattern) + + # check that multiple KEY-TAG trust-anchor-telemetry options don't + # leak memory, by stopping and restarting the server (a memory leak + # would trigger a core dump). + msg = isctest.query.create(".", "DNSKEY") + opt1 = edns.GenericOption(14, b"\xff\xff") + opt2 = edns.GenericOption(14, b"\xff\xfe") + msg.use_edns(edns=True, options=[opt2, opt1]) + pattern = re.compile("trust-anchor-telemetry './IN' from .* 65534") + with ns1.watch_log_from_here() as watcher: + res = isctest.query.tcp(msg, "10.53.0.1") + isctest.check.noerror(res) + watcher.wait_for_line(pattern) + + ns1.stop() + with ns1.watch_log_from_here() as watcher: + ns1.start(["--noclean", "--restart", "--port", os.environ["PORT"]]) + watcher.wait_for_line("all zones loaded") diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py new file mode 100644 index 0000000000..36c743f6a0 --- /dev/null +++ b/bin/tests/system/dnssec/tests_validation.py 
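Review bot: The first KEY-TAG query in test_tat_queries assigns `res = isctest.query.tcp(msg, "10.53.0.1")` but never checks the response, so a SERVFAIL or REFUSED from ns1 would still pass as long as the telemetry log line shows up; the second KEY-TAG block does call `isctest.check.noerror(res)`, and the first should do the same, `isctest.check.noerror(res)` directly after the query. Both log patterns use `'./IN'` with an unescaped `.`, which is harmless here but `re.escape("./IN")` or `'\\./IN'` would make the match exact rather than any-character. The memory-leak check only waits for "all zones loaded" after the restart; whether a leak actually surfaces as a test failure depends on what `ns1.stop()` does with a core file, which is not visible in this hunk, so a comment naming where that check lives (e.g. `# ns1.stop() is expected to fail the test if a core file is found`) would make the intent verifiable.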
@@ -0,0 +1,1332 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import os +import re +import shutil +import time + +from dns import edns, flags, name, rdataclass, rdatatype + +import pytest + +import isctest +import isctest.mark +from isctest.util import param + + +pytest.importorskip("dns", minversion="2.0.0") +pytestmark = pytest.mark.extra_artifacts( + [ + "*/K*", + "*/dsset-*", + "*/*.bk", + "*/*.conf", + "*/*.db", + "*/*.id", + "*/*.jnl", + "*/*.jbk", + "*/*.key", + "*/*.signed", + "*/settime.out.*", + "ans*/ans.run", + "*/trusted.keys", + "*/*.bad", + "*/*.next", + "*/*.stripped", + "*/*.tmp", + "*/*.stage?", + "*/*.patched", + "*/*.lower", + "*/*.upper", + "*/*.unsplit", + ] +) + + +# helper functions +def grep_q(regex, filename): + with open(filename, "r", encoding="utf-8") as f: + blob = f.read().splitlines() + results = [x for x in blob if re.search(regex, x)] + return len(results) != 0 + + +def getfrom(file): + with open(file, encoding="utf-8") as f: + return f.read().strip() + + +@pytest.mark.requires_zones_loaded("ns2", "ns3") +@pytest.mark.parametrize( + "qname, qtype", + [ + param("a.example.", "A"), + param("rfc2535.example.", "SOA"), + ], +) +def test_load_transfer(qname, qtype): + # check that we can load and transfer zone + msg = isctest.query.create(qname, qtype) + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.3") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res1) + + +def test_insecure_glue(): + # check that for a query against a validating resolver where the + # authoritative zone is unsigned (insecure delegation), 
glue is returned + # in the additional section + msg = isctest.query.create("a.insecure.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.rr_count_eq(res.answer, 1) + isctest.check.rr_count_eq(res.authority, 1) + isctest.check.rr_count_eq(res.additional, 1) + assert str(res.additional[0].name) == "ns3.insecure.example." + addrs = [str(a) for a in res.additional[0]] + assert "10.53.0.3" in addrs + + +def test_adflag(): + # compare auth and recursive answers + msg = isctest.query.create("a.example", "A", dnssec=False) + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + + # check no AD flag in authoritative response + isctest.check.noadflag(res1) + + # check validating resolver sends AD=1 if the client sent AD=1 + isctest.check.adflag(res2) + + # check that AD=0 unless the client sent AD=1 + msg = isctest.query.create("a.example", "A", dnssec=False, ad=False) + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noadflag(res2) + + +def test_secure_root(ns4): + # check that a query for a secure root validates + msg = isctest.query.create(".", "KEY") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + # check that "rndc secroots" dumps the trusted keys + key = int(getfrom("ns1/managed.key.id")) + alg = os.environ["DEFAULT_ALGORITHM"] + expected = f"./{alg}/{key} ; static" + response = ns4.rndc("secroots -", log=False).splitlines() + assert expected in response + assert len(response) == 10 + + +def test_positive_validation_nsec(): + # positive answer + msg = isctest.query.create("a.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # wildcard + msg = isctest.query.create("a.wild.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = 
isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + assert str(res2.authority[0].name) == "*.wild.example." + assert res2.authority[0].rdtype == rdatatype.NSEC + nsecs = [str(a).split(" ", maxsplit=1)[0] for a in res2.authority[0]] + assert "z.example." in nsecs + assert res2.authority[1].rdtype == rdatatype.RRSIG + assert res2.authority[1].covers == rdatatype.NSEC + + # mixed case + for rrtype in ["a", "txt", "aaaa", "loc"]: + msg = isctest.query.create("mixedcase.secure.example", rrtype) + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + +def test_positive_validation_nsec3(): + # positive answer + msg = isctest.query.create("a.nsec3.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + # wildcard + msg = isctest.query.create("a.wild.nsec3.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + isctest.check.rr_count_eq(res2.authority, 4) + + # unknown NSEC3 hash algorithm + msg = isctest.query.create("nsec3-unknown.example", "SOA", dnssec=False) + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + isctest.check.rr_count_eq(res2.answer, 1) + + +def test_positive_validation_optout(): + # positive answer + msg = isctest.query.create("a.optout.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + 
# wildcard + msg = isctest.query.create("a.wild.optout.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # unknown NSEC3 hash algorithm + msg = isctest.query.create("optout-unknown.example", "SOA", dnssec=False) + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + isctest.check.rr_count_eq(res2.answer, 1) + + +def answer_has(r, rdtype): + return bool([r for r in r.answer if r.rdtype == rdtype]) + + +def test_chain_validation(): + # check validation of ANY response + msg = isctest.query.create("foo.example", "ANY") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.rr_count_eq(res2.answer, 6) # 2 records, 1 NSEC, 3 RRSIGs + + # check validation of CNAME response + msg = isctest.query.create("cname1.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.rr_count_eq(res2.answer, 4) # CNAME, TXT, 2 RRSIGs + + # check validation of DNAME response + msg = isctest.query.create("foo.dname1.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.rr_count_eq(res2.answer, 5) # DNAME, TXT, 2 RRSIGs, synth CNAME + + # check validation of CNAME response to ANY query + msg = isctest.query.create("cname2.example", "ANY") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + 
isctest.check.rr_count_eq(res2.answer, 4) # CNAME, NSEC, 2 RRSIGs + + # check validation of DNAME response to ANY query + msg = isctest.query.create("foo.dname2.example", "ANY") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.rr_count_eq(res2.answer, 3) # DNAME, RSRIG, synth CNAME + + # check bad CNAME signature is caught after +CD query + msg = isctest.query.create("bad-cname.example", "A", dnssec=False, cd=True) + # query once with CD to prime the cache + res = isctest.query.tcp(msg, "10.53.0.4") + # query again with CD, bogus pending data should be returned + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + assert "a.example." in str(res.answer[0]) + assert "10.0.0.1" in str(res.answer[1]) + # query again without CD, bogus data should be rejected + msg = isctest.query.create("bad-cname.example", "A", dnssec=False) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.servfail(res) + + # check bad DNAME signature is caught after +CD query + msg = isctest.query.create("a.bad-dname.example", "A", dnssec=False, cd=True) + # query once with CD to prime the cache + res = isctest.query.tcp(msg, "10.53.0.4") + # query again with CD, bogus pending data should be returned + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + assert "example." in str(res.answer[0]) + assert "a.example." 
in str(res.answer[1]) + assert "10.0.0.1" in str(res.answer[2]) + # query again without CD, bogus data should be rejected + msg = isctest.query.create("a.bad-dname.example", "A", dnssec=False) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.servfail(res) + + # check DNSKEY lookup via CNAME + msg = isctest.query.create("cnameandkey.secure.example", "DNSKEY") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + assert answer_has(res2, rdatatype.CNAME) + + # check KEY lookup via CNAME + msg = isctest.query.create("cnameandkey.secure.example", "KEY") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + assert not answer_has(res2, rdatatype.CNAME) + + # check KEY lookup via CNAME (not present) + msg = isctest.query.create("cnamenokey.secure.example", "KEY") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + assert not answer_has(res2, rdatatype.CNAME) + + # check DNSKEY lookup via DNAME + msg = isctest.query.create("a.dnameandkey.secure.example", "DNSKEY") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + assert answer_has(res2, rdatatype.DNAME) + + # check KEY lookup via DNAME + msg = isctest.query.create("a.dnameandkey.secure.example", "KEY") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + assert answer_has(res2, rdatatype.DNAME) + + +@isctest.mark.rsasha1 +def test_signing_algorithms_rsasha1(): + # rsasha1 (should work with FIPS mode we're as only validating) + msg = isctest.query.create("a.rsasha1.example", "A") + 
res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # rsasha1 (1024 bits) NSEC + msg = isctest.query.create("a.rsasha1-1024.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + +def test_signing_algorithms(): + # rsasha256 + msg = isctest.query.create("a.rsasha256.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # rsasha512 + msg = isctest.query.create("a.rsasha512.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # KSK-only DNSKEY + msg = isctest.query.create("a.kskonly.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + +def test_private_algorithms(ns4): + # positive answer, private algorithm + msg = isctest.query.create("a.rsasha256oid.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # positive answer, unknown private algorithm + msg = isctest.query.create("a.unknownoid.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noadflag(res2) + + # positive answer, extra ds for private algorithm + msg = isctest.query.create("a.extradsoid.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # positive anwer, 
extra ds for unknown private algorithm + with ns4.watch_log_from_here() as watcher: + msg = isctest.query.create("a.extradsunknownoid.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res1) + isctest.check.servfail(res2) + watcher.wait_for_line( + "No DNSKEY for extradsunknownoid.example/DS with PRIVATEOID" + ) + + +@isctest.mark.extended_ds_digest +def test_private_algorithms_extended_ds(): + # check positive validation with extra ds using extended digest + # type for unknown private algorithm + msg = isctest.query.create("a.extended-ds-unknown-oid.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + +def test_negative_validation_nsec(): + # nxdomain + msg = isctest.query.create("q.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.adflag(res2) + + # nodata + msg = isctest.query.create("a.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.empty_answer(res2) + isctest.check.adflag(res2) + + # negative wildcard + msg = isctest.query.create("b.wild.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + +def test_negative_validation_nsec3(): + # nxdomain + msg = isctest.query.create("q.nsec3.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.adflag(res2) + + # nodata + msg = 
isctest.query.create("a.nsec3.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.empty_answer(res2) + isctest.check.adflag(res2) + + # negative wildcard + msg = isctest.query.create("b.wild.nsec3.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + # check NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters + msg = isctest.query.create("non-exist.badparam", "A") + res = isctest.query.tcp(msg, "10.53.0.2") + isctest.check.nxdomain(res) + + # check negative unknown NSEC3 hash algorithm does not validate + msg = isctest.query.create("nsec3-unknown.example", "A", dnssec=False) + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res1) + isctest.check.servfail(res2) + + +def test_excessive_nsec3_iterations(): + assert grep_q( + "zone too-many-iterations/IN: excessive NSEC3PARAM iterations", "ns2/named.run" + ) + assert grep_q( + "zone too-many-iterations/IN: excessive NSEC3PARAM iterations", "ns3/named.run" + ) + + # check fallback to insecure with NSEC3 iterations is too high + msg = isctest.query.create("does-not-exist.too-many-iterations", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.noadflag(res2) + isctest.check.rr_count_eq(res2.answer, 0) + isctest.check.rr_count_eq(res2.authority, 8) + + # check fallback to insecure with NSEC3 iterations is too high (nodata) + msg = isctest.query.create("a.too-many-iterations", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.noadflag(res2) + 
isctest.check.rr_count_eq(res2.answer, 0) + isctest.check.rr_count_eq(res2.authority, 4) + + # check fallback to insecure with NSEC3 iterations is too high (wildcard) + msg = isctest.query.create("wild.a.too-many-iterations", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.noadflag(res2) + isctest.check.rr_count_eq(res2.answer, 2) + isctest.check.rr_count_eq(res2.authority, 4) + a, _ = res2.answer + assert str(a.name) == "wild.a.too-many-iterations." + assert str(a[0]) == "10.0.0.3" + + # check fallback to insecure with high NSEC3 iterations (wildcard nodata) + msg = isctest.query.create("wild.a.too-many-iterations", 100) + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.noadflag(res2) + isctest.check.rr_count_eq(res2.authority, 8) + + +def test_auth_nsec3(): + # nxdomain response, closest encloser with 0 empty non-terminals + msg = isctest.query.create("b.b.b.b.b.a.nsec3.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res) + # closest encloser (a.nsec3.example): + rrset = res.get_rrset( + res.authority, + name.from_text("6OVDUHTN094ML2PV8AN90U0DPU823GH2.nsec3.example."), + rdataclass.IN, + rdatatype.NSEC3, + ) + assert rrset, "NSEC3 missing from AUTHORITY: " + str(res) + assert "7AT0S0RIDCJRFF2M5H5AAV22CSFJBUL4" in str(rrset[0]).upper() + # no QNAME (b.a.nsec3.example/DSPF4R9UKOEPJ9O34E1H4539LSOTL14E) + rrset = res.get_rrset( + res.authority, + name.from_text("BEJ5GMQA872JF4DAGQ0R3O5Q7A2O5S9L.nsec3.example."), + rdataclass.IN, + rdatatype.NSEC3, + ) + assert rrset, "expected NSEC3 missing from AUTHORITY: " + str(res) + assert "EF2S05SGK1IR2K5SKMFIRERGQCLMR18M" in str(rrset[0]).upper() + # no WILDCARD (*.a.nsec3.example/TFGQ60S97BS31IT1EBEDO63ETM0T5JFA) + rrset = res.get_rrset( + res.authority, + 
name.from_text("R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q.nsec3.example."), + rdataclass.IN, + rdatatype.NSEC3, + ) + assert rrset, "expected NSEC3 missing from AUTHORITY: " + str(res) + assert "VH656EQUD4J02OFVSO4GKOK5D02MS1TL" in str(rrset[0]).upper() + + # nxdomain response, closest encloser with 1 ENT + msg = isctest.query.create("b.b.b.b.b.a.a.nsec3.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res) + # closest encloser (a.a.nsec3.example): + rrset = res.get_rrset( + res.authority, + name.from_text("NGCJFSOLJUUE27PFNQNJIME4TQ0OU2DH.nsec3.example."), + rdataclass.IN, + rdatatype.NSEC3, + ) + assert rrset, "expected NSEC3 missing from AUTHORITY: " + str(res) + assert "R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q" in str(rrset[0]).upper() + # noqname (b.a.a.nsec3.example): + rrset = res.get_rrset( + res.authority, + name.from_text("R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q.nsec3.example."), + rdataclass.IN, + rdatatype.NSEC3, + ) + assert rrset, "expected NSEC3 missing from AUTHORITY: " + str(res) + assert "VH656EQUD4J02OFVSO4GKOK5D02MS1TL" in str(rrset[0]).upper() + # no wildcard (*.a.a.nsec3.example/V7JNNDJ4NLRIU195FRB7DLUCSLU4LLFM) + # is covered by the noqname proof in this case + + # nxdomain response, closest encloser with 2 ENTs + msg = isctest.query.create("b.b.b.b.b.a.a.a.nsec3.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res) + # closest encloser (a.a.a.nsec3.example): + rrset = res.get_rrset( + res.authority, + name.from_text("H7RHPDCHSVVRAND332F878C8AB6IBJQV.nsec3.example."), + rdataclass.IN, + rdatatype.NSEC3, + ) + assert rrset, "expected NSEC3 missing from AUTHORITY: " + str(res) + assert "K8IG76R2UPQ13IKFO49L7IB9JRVB6QJI" in str(rrset[0]).upper() + # noqname (b.a.a.a.nsec3.example/18Q8D89RM8GGRSSOPFRB05QS6VEGB1P4) + rrset = res.get_rrset( + res.authority, + name.from_text("0T7VH688AEK0612T69V8692OCMJD50M4.nsec3.example."), + rdataclass.IN, + rdatatype.NSEC3, + ) + assert rrset, "expected NSEC3 missing 
from AUTHORITY: " + str(res) + assert "1HARMGSKJH0EBU2EI2OJIKTDPIQA6KBI" in str(rrset[0]).upper() + # no WILDCARD (*.a.a.a.nsec3.example/8113LDMSEFPUAG4VGFF1C8KLOUT4Q6PH) + rrset = res.get_rrset( + res.authority, + name.from_text("7AT0S0RIDCJRFF2M5H5AAV22CSFJBUL4.nsec3.example."), + rdataclass.IN, + rdatatype.NSEC3, + ) + assert rrset, "expected NSEC3 missing from AUTHORITY: " + str(res) + assert "BEJ5GMQA872JF4DAGQ0R3O5Q7A2O5S9L" in str(rrset[0]).upper() + + +def test_negative_validation_optout(): + # nxdomain + msg = isctest.query.create("q.optout.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + + # nodata + msg = isctest.query.create("a.optout.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.empty_answer(res2) + isctest.check.adflag(res2) + + # negative wildcard + msg = isctest.query.create("b.wild.optout.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # empty NODATA + msg = isctest.query.create("empty.optout.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # (rt22007 regression tests:) + # check optout NSEC3 referral with only insecure delegatons + msg = isctest.query.create("delegation.single-nsec3", "A") + res = isctest.query.tcp(msg, "10.53.0.2") + isctest.check.noerror(res) + for rrset in res.authority: + if ( + rrset.rdtype != rdatatype.NSEC3 + or "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" not in rrset.name + ): + continue + assert "1 1 1 - 
3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" in str(rrset[0]) + + # check optout NSEC3 NXDOMAIN with only insecure delegatons + msg = isctest.query.create("nonexist.single-nsec3", "A") + res = isctest.query.tcp(msg, "10.53.0.2") + isctest.check.nxdomain(res) + for rrset in res.authority: + if ( + rrset.rdtype != rdatatype.NSEC3 + or "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" not in rrset.name + ): + continue + assert "1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" in str(rrset[0]) + + # check optout NSEC3 NODATA with only insecure delegatons + msg = isctest.query.create("single-nsec3", "A") + res = isctest.query.tcp(msg, "10.53.0.2") + isctest.check.noerror(res) + for rrset in res.authority: + if ( + rrset.rdtype != rdatatype.NSEC3 + or "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" not in rrset.name + ): + continue + assert "1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" in str(rrset[0]) + + # check negative unknown NSEC3-OPTOUT hash algorithm does not validate + msg = isctest.query.create("optout-unknown.example", "A", dnssec=False) + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res1) + isctest.check.servfail(res2) + + +def test_cache(ns4): + # check that key id's are logged when dumping the cache + ns4.rndc("dumpdb -cache", log=False) + assert grep_q("; key id = ", "ns4/named_dump.db") + + # check for RRSIG covered type in negative cache + assert grep_q("; example. 
RRSIG NSEC ", "ns4/named_dump.db") + + # check validated data are not cached longer than originalttl + msg = isctest.query.create("a.ttlpatch.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.rr_count_eq(res1.answer, 2) + isctest.check.rr_count_eq(res2.answer, 2) + for rrset in res1.answer: + assert 3000 <= rrset.ttl <= 3600 + for rrset in res2.answer: + assert rrset.ttl <= 300 + + # query for a record, then follow it with a query for the + # corresponding RRSIG, check that it's answered from the cache + msg = isctest.query.create("normalthenrrsig.secure.example", "A") + isctest.query.tcp(msg, "10.53.0.4") + + msg = isctest.query.create("normalthenrrsig.secure.example", "RRSIG") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.raflag(res2) + + # check direct query for RRSIG: if it's not cached with other records, + # it should result in an empty response. 
+ msg = isctest.query.create("rrsigonly.secure.example", "RRSIG") + res1 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.empty_answer(res1) + isctest.check.noraflag(res1) + + # check that a DNSKEY query with no data still gets cached + msg = isctest.query.create("insecure.example", "DNSKEY") + res1 = isctest.query.tcp(msg, "10.53.0.4") + time.sleep(1) # give the TTL time to change + res2 = isctest.query.tcp(msg, "10.53.0.4") + if res1.authority[0].ttl == res2.authority[0].ttl: + time.sleep(1) + res2 = isctest.query.tcp(msg, "10.53.0.4") + assert res1.authority[0].ttl != res2.authority[0].ttl + + +def test_insecure_proof_nsec(ns4): + # 1-server positive + msg = isctest.query.create("a.insecure.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # 1-server negative + msg = isctest.query.create("q.insecure.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + + # 1-server negative with SOA hack + msg = isctest.query.create("r.insecure.example", "SOA") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + assert res2.authority[0].rdtype == rdatatype.SOA + assert res2.authority[0].ttl == 0 + + # 2-server positive + msg = isctest.query.create("a.insecure.secure.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # 2-server negative + msg = isctest.query.create("q.insecure.secure.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = 
isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + + # 2-server negative with SOA hack + msg = isctest.query.create("r.insecure.secure.example", "SOA") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + + # insecurity proof using negative cache + ns4.rndc("flush", log=False) + msg = isctest.query.create("insecure.example", "DS", cd=True) + isctest.query.tcp(msg, "10.53.0.4") + + def query_and_check_nxdomain(): + msg = isctest.query.create("nonexistent.insecure.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res) + return True + + isctest.run.retry_with_timeout(query_and_check_nxdomain, 20) + + # check insecure negative response with an unsigned NSEC + # first try the auth server... + msg = isctest.query.create("nsec-rrsigs-stripped", "TXT") + res1 = isctest.query.udp(msg, "10.53.0.10") + isctest.check.noerror(res1) + isctest.check.empty_answer(res1) + isctest.check.rr_count_eq(res1.authority, 2) + isctest.check.rr_count_eq(res1.additional, 0) + # make sure there's no RRSIG(NSEC) + for rrset in res1.authority: + assert rrset.rdtype != rdatatype.RRSIG or rrset.covers != rdatatype.NSEC + # now try the resolver + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.noadflag(res2) + + +def test_insecure_proof_nsec3(): + # 1-server + msg = isctest.query.create("a.insecure.nsec3.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # 1-server negative + msg = isctest.query.create("q.insecure.nsec3.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + 
isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + + # 1-server negative with SOA hack + msg = isctest.query.create("r.insecure.nsec3.example", "SOA") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + assert res2.authority[0].rdtype == rdatatype.SOA + assert res2.authority[0].ttl == 0 + + +def test_insecure_proof_optout(): + # 1-server + msg = isctest.query.create("a.insecure.optout.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # 1-server negative + msg = isctest.query.create("q.insecure.optout.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + + # 1-server negative with SOA hack + msg = isctest.query.create("r.insecure.optout.example", "SOA") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + assert res2.authority[0].rdtype == rdatatype.SOA + assert res2.authority[0].ttl == 0 + + +def test_below_cname(): + # check insecure zone below a cname resolves + msg = isctest.query.create("insecure.below-cname.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.noadflag(res) + isctest.check.rr_count_eq(res.answer, 1) + + # check secure zone below a cname resolves and validates + msg = isctest.query.create("secure.below-cname.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + isctest.check.rr_count_eq(res.answer, 2) + + +@pytest.mark.parametrize( + 
"qname", + [ + "a.secure.example", # NSEC/NSEC + "a.nsec3.example", # NSEC/NSEC3 + "a.optout.example", # NSEC/OPTOUT + "a.secure.nsec3.example", # NSEC3/NSEC + "a.nsec3.nsec3.example", # NSEC3/NSEC3 + "a.optout.nsec3.example", # NSEC3/OPTOUT + "a.secure.optout.example", # OPTOUT/NSEC + "a.nsec3.optout.example", # OPTOUT/NSEC3 + "a.optout.optout.example", # OPTOUT/OPTOUT + ], +) +def test_positive_validation_multistage(qname): + msg = isctest.query.create(qname, "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + +def test_validation_recovery(ns2, ns4): + # check recovery from spoofed server address. + # prime cache with spoofed address records... + msg = isctest.query.create("target.peer-ns-spoof", "A", cd=True) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.servfail(res) + ns4.rndc("dumpdb", log=False) + grep_q("10.53.0.100", "ns4/named_dump.db") + + # then reload server with properly signed zone + shutil.copyfile( + "ns2/peer.peer-ns-spoof.db.next", "ns2/peer.peer-ns-spoof.db.signed" + ) + with ns2.watch_log_from_here() as watcher: + ns2.rndc("reload peer.peer-ns-spoof", log=False) + watcher.wait_for_line("zone peer.peer-ns-spoof/IN: loaded serial 2000042408") + + # and check we can resolve with the correct server address + msg = isctest.query.create("test.target.peer-ns-spoof", "TXT") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res) + isctest.check.adflag(res) + + # check recovery from stripped DNSKEY RRSIG. + # prime cache with spoofed address records... 
+ msg = isctest.query.create("dnskey-rrsigs-stripped", "DNSKEY", cd=True) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.rr_count_eq(res.answer, 2) + + # then reload server with properly signed zone + shutil.copyfile( + "ns2/dnskey-rrsigs-stripped.db.next", "ns2/dnskey-rrsigs-stripped.db.signed" + ) + with ns2.watch_log_from_here() as watcher: + ns2.rndc("reload dnskey-rrsigs-stripped", log=False) + watcher.wait_for_line( + "zone dnskey-rrsigs-stripped/IN: loaded serial 2000042408" + ) + + # and check we can now resolve with the correct server address + msg = isctest.query.create("b.dnskey-rrsigs-stripped", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # check recovery from stripped DS RRSIG. + # prime cache with spoofed address records... + msg = isctest.query.create("child.ds-rrsigs-stripped", "DS", cd=True) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.rr_count_eq(res.answer, 1) + + # then reload server with properly signed zone + shutil.copyfile( + "ns2/ds-rrsigs-stripped.db.next", "ns2/ds-rrsigs-stripped.db.signed" + ) + with ns2.watch_log_from_here() as watcher: + ns2.rndc("reload ds-rrsigs-stripped", log=False) + watcher.wait_for_line("zone ds-rrsigs-stripped/IN: loaded serial 2000042408") + + # and check we can now resolve with the correct server address + msg = isctest.query.create("b.child.ds-rrsigs-stripped", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # check recovery with mismatching NS + ns4.rndc("flush", log=False) + msg = isctest.query.create("inconsistent", "NS", dnssec=False, cd=True) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noadflag(res) + isctest.check.rr_count_eq(res.answer, 1) + 
isctest.check.rr_count_eq(res.additional, 1) + + msg = isctest.query.create("inconsistent", "NS", cd=True) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noadflag(res) + isctest.check.rr_count_eq(res.answer, 1) + isctest.check.rr_count_eq(res.additional, 1) + + msg = isctest.query.create("inconsistent", "NS") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.adflag(res) + isctest.check.rr_count_eq(res.answer, 3) + isctest.check.rr_count_eq(res.additional, 0) + + +def test_failed_validation(): + # bogus zone + msg = isctest.query.create("a.bogus.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.servfail(res) + + # missing key record + msg = isctest.query.create("a.b.keyless.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.servfail(res) + + +def test_revoked_key(): + # validation should succeed if a revoked key is encountered + msg = isctest.query.create("revkey.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + +def test_standby_key(): + # check that a secure chain with one active and one inactive KSK + # validates as secure + msg = isctest.query.create("a.lazy-ksk", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + +def test_transitions(): + # check that a zone finishing transitioning from one algorithm + # to another validates secure + msg = isctest.query.create("algroll", "NS") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + # check that validation yields insecure during transition to signed + msg = isctest.query.create("inprogress", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.noadflag(res) + a, _ = res.answer + assert str(a[0]) == "10.53.0.10" + + +def test_validating_forwarder(ns4, ns9): + # check validating forwarder behavior with mismatching NS + 
ns4.rndc("flush", log=False) + msg = isctest.query.create("inconsistent", "NS", dnssec=False, cd=True) + res = isctest.query.tcp(msg, "10.53.0.9") + isctest.check.noerror(res) + isctest.check.rr_count_eq(res.answer, 1) + isctest.check.rr_count_eq(res.additional, 0) + isctest.check.noadflag(res) + + msg = isctest.query.create("inconsistent", "NS", cd=True) + res = isctest.query.tcp(msg, "10.53.0.9") + isctest.check.rr_count_eq(res.additional, 0) + isctest.check.noadflag(res) + isctest.check.rr_count_eq(res.answer, 1) + isctest.check.rr_count_eq(res.authority, 0) + isctest.check.rr_count_eq(res.additional, 0) + + msg.flags &= ~flags.CD + res = isctest.query.tcp(msg, "10.53.0.9") + isctest.check.rr_count_eq(res.answer, 3) + isctest.check.rr_count_eq(res.authority, 0) + isctest.check.rr_count_eq(res.additional, 0) + isctest.check.adflag(res) + + # check validating forwarder sends CD to validate with a local trust anchor + ns4.rndc("flush", log=False) + msg = isctest.query.create("localkey.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.servfail(res) + + with ns9.watch_log_from_here() as watcher: + res = isctest.query.tcp(msg, "10.53.0.9") + isctest.check.noerror(res) + isctest.check.adflag(res) + watcher.wait_for_line("status: SERVFAIL") + + +def test_expired_signatures(ns4): + # check expired signatures do not validate + msg = isctest.query.create("expired.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.3") + rrsig = res.get_rrset( + res.answer, + name.from_text("expired.example."), + rdataclass.IN, + rdatatype.RRSIG, + rdatatype.SOA, + ) + assert rrsig, "expected RRSIG(SOA) missing from AUTHORITY: " + str(rrsig) + isctest.check.rr_count_eq(res.answer, 2) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.servfail(res) + isctest.check.noadflag(res) + if hasattr(res, "extended_errors"): + assert res.extended_errors()[0].code == edns.EDECode.SIGNATURE_EXPIRED + assert grep_q("expired.example/.*: RRSIG has expired", 
"ns4/named.run") + + # check future signatures do not validate + msg = isctest.query.create("future.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.servfail(res) + isctest.check.noadflag(res) + if hasattr(res, "extended_errors"): + assert res.extended_errors()[0].code == edns.EDECode.SIGNATURE_NOT_YET_VALID + assert grep_q( + "future.example/.*: RRSIG validity period has not begun", "ns4/named.run" + ) + + # check that a dynamic zone with future signatures is re-signed on load + msg = isctest.query.create("managed-future.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.adflag(res) + isctest.check.noerror(res) + + # test TTL is capped at RRSIG expiry time + ns4.rndc("flush", log=False) + msg = isctest.query.create("expiring.example", "SOA", cd=True) + res1 = isctest.query.tcp(msg, "10.53.0.4") + msg = isctest.query.create("expiring.example", "SOA") + res2 = isctest.query.tcp(msg, "10.53.0.4") + for rrset in res1.answer: + assert 240 <= rrset.ttl <= 300 + for rrset in res2.answer: + assert rrset.ttl <= 60 + + # test TTL is capped at RRSIG expiry time in the additional section (NS) + ns4.rndc("flush", log=False) + msg = isctest.query.create("expiring.example", "NS", cd=True) + res1 = isctest.query.tcp(msg, "10.53.0.4") + msg = isctest.query.create("expiring.example", "NS") + res2 = isctest.query.tcp(msg, "10.53.0.4") + for rrset in res1.additional: + assert 240 <= rrset.ttl <= 300 + for rrset in res2.additional: + assert rrset.ttl <= 60 + + # test TTL is capped at RRSIG expiry time in the additional section (MX) + ns4.rndc("flush", log=False) + msg = isctest.query.create("expiring.example", "MX", cd=True) + res1 = isctest.query.tcp(msg, "10.53.0.4") + msg = isctest.query.create("expiring.example", "MX") + res2 = isctest.query.tcp(msg, "10.53.0.4") + for rrset in res1.additional: + assert 240 <= rrset.ttl <= 300 + for rrset in res2.additional: + assert rrset.ttl <= 60 + + +def test_casing(): + # test legacy 
upper-case signer name validation + msg = isctest.query.create("upper.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.adflag(res) + _, sig = res.answer + assert sig.rdtype == rdatatype.RRSIG + assert sig.covers == rdatatype.SOA + assert "UPPER.EXAMPLE." in str(sig[0]) + + # test that we lower-case signer name + msg = isctest.query.create("LOWER.EXAMPLE", "SOA") + res = isctest.query.tcp(msg, "10.53.0.4") + _, sig = res.answer + assert sig.rdtype == rdatatype.RRSIG + assert sig.covers == rdatatype.SOA + assert "lower.example." in str(sig[0]) + + +def test_broken_servers(): + # check that a non-cacheable NODATA works + msg = isctest.query.create("a.nosoa.secure.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.6") + isctest.check.rr_count_eq(res1.authority, 0) + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res2) + + # check that a non-cacheable NXDOMAIN works + msg = isctest.query.create("b.nosoa.secure.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.6") + isctest.check.rr_count_eq(res1.authority, 0) + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res2) + + # check that split RRSIGs are handled + msg = isctest.query.create("split-rrsig", "SOA") + res = isctest.query.tcp(msg, "10.53.0.6") + soa, _ = res.answer + assert soa[0].serial > 1 + + # check that not-at-zone-apex RRSIG(SOA) rrsets are removed + msg = isctest.query.create("split-rrsig", "AXFR") + res = isctest.query.tcp(msg, "10.53.0.6") + + nza = [ + r + for r in res.answer + if str(r.name) == "not-at-zone-apex.split-rrsig." 
+ and r.rdtype == rdatatype.RRSIG + and r.covers == rdatatype.SOA + ] + assert not nza + + # check validation with missing nearest encloser proof + msg = isctest.query.create("b.c.d.optout-tld", "DS") + res = isctest.query.tcp(msg, "10.53.0.6") + nsec3s = [a for a in res.authority if a.rdtype == rdatatype.NSEC3] + assert len(nsec3s) == 2 + + msg = isctest.query.create("b.c.d.optout-tld", "A") + res = isctest.query.tcp(msg, "10.53.0.6") + nsec3s = [a for a in res.authority if a.rdtype == rdatatype.NSEC3] + assert len(nsec3s) == 1 + + res = isctest.query.tcp(msg, "10.53.0.6") + isctest.check.noerror(res) + isctest.check.noadflag(res) + msg = isctest.query.create("optout-tld", "SOA") + res = isctest.query.tcp(msg, "10.53.0.6") + isctest.check.noadflag(res) + + +def test_pending_ds(ns4): + # check that a query against a validating resolver succeeds when there is + # a negative cache entry with trust level "pending" for the DS. prime + # with a +cd DS query to produce the negative cache entry, then send a + # query that uses that entry as part of the validation process. 
+ ns4.rndc("flush", log=False) + msg = isctest.query.create("insecure.example", "DS", cd=True) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.rr_count_eq(res.authority, 4) + msg = isctest.query.create("a.insecure.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.rr_count_eq(res.answer, 1) + isctest.check.rr_count_eq(res.authority, 1) + isctest.check.noadflag(res) + + +def test_unknown_algorithms(): + # check that unknown DNSKEY algorithm validates as insecure + msg = isctest.query.create("dnskey-unknown.example", "A", dnssec=False) + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # check that unsupported DNSKEY algorithms are in the DNSKEY RRsets + msg = isctest.query.create("dnskey-unsupported.example", "DNSKEY") + res = isctest.query.tcp(msg, "10.53.0.3") + isctest.check.noerror(res) + + msg = isctest.query.create("dnskey-unsupported-2.example", "DNSKEY") + res = isctest.query.tcp(msg, "10.53.0.3") + isctest.check.noerror(res) + rrsets = [str(r) for r in res.answer] + assert any("257 3 255" in r for r in rrsets) + + # check that unsupported DNSKEY algorithm validates as insecure + msg = isctest.query.create("dnskey-unsupported.example", "DNSKEY") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.noadflag(res) + if hasattr(res, "extended_errors"): + assert ( + res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM + ) + + # check that DNSKEY with an unsupported reserve key validates + msg = isctest.query.create("dnskey-unsupported-2.example", "DNSKEY") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + # check EDE code 2 for unsupported DS digest algorithm + msg = isctest.query.create("a.ds-unsupported.example", "A") + res = 
isctest.query.tcp(msg, "10.53.0.4") + if hasattr(res, "extended_errors"): + assert res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DS_DIGEST_TYPE + + # check EDE code 1 for bad algorithm mnemonic + msg = isctest.query.create("badalg.secure.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noadflag(res) + if hasattr(res, "extended_errors"): + assert ( + res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM + ) + + # check both EDE code 1 and 2 for unsupported digest on one DNSKEY + # and unsupported algorithm on the other + msg = isctest.query.create("a.digest-alg-unsupported.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noadflag(res) + if hasattr(res, "extended_errors"): + codes = {ede.code for ede in res.extended_errors()} + assert edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM in codes + assert edns.EDECode.UNSUPPORTED_DS_DIGEST_TYPE in codes + + # check that unknown DNSKEY algorithm + unknown NSEC3 hash algorithm + # validates as insecure + msg = isctest.query.create("dnskey-nsec3-unknown.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) diff --git a/bin/tests/system/dnssec/tests_validation_accept_expired.py b/bin/tests/system/dnssec/tests_validation_accept_expired.py new file mode 100644 index 0000000000..43b44d8cff --- /dev/null +++ b/bin/tests/system/dnssec/tests_validation_accept_expired.py 
@@ -0,0 +1,61 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from dns import flags
+
+import pytest
+
+import isctest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def reconfigure(ns4, templates):
+ templates.render("ns4/named.conf", {"accept_expired": True})
+ ns4.reconfigure(log=False)
+
+
+def test_accept_expired(ns4):
+ # test TTL of about-to-expire rrsets with accept-expired
+ ns4.rndc("flush", log=False)
+ msg = isctest.query.create("expiring.example", "SOA")
+ msg.flags |= flags.CD
+ res1 = isctest.query.tcp(msg, "10.53.0.4")
+ msg = isctest.query.create("expiring.example", "SOA")
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ for rrset in res1.answer:
+ assert 240 <= rrset.ttl <= 300
+ for rrset in res2.answer:
+ assert rrset.ttl <= 120
+
+ # test TTL is capped at RRSIG expiry time in the additional section
+ # with accept-expired
+ ns4.rndc("flush", log=False)
+ msg = isctest.query.create("expiring.example", "MX")
+ msg.flags |= flags.CD
+ res1 = isctest.query.tcp(msg, "10.53.0.4")
+ msg = isctest.query.create("expiring.example", "MX")
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ for rrset in res1.additional:
+ assert 240 <= rrset.ttl <= 300
+ for rrset in res2.additional:
+ assert rrset.ttl <= 120
+
+ # test TTL of expired rrsets with accept-expired
+ ns4.rndc("flush", log=False)
+ msg = isctest.query.create("expired.example", "SOA")
+ msg.flags |= flags.CD
+ res1 = isctest.query.tcp(msg, "10.53.0.4")
+ msg = isctest.query.create("expired.example", "SOA")
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ for rrset in res1.additional:
+ assert 240 <= rrset.ttl <= 300
+ for rrset in res2.additional:
+ assert rrset.ttl <= 120
diff --git a/bin/tests/system/dnssec/tests_validation_managed_keys.py b/bin/tests/system/dnssec/tests_validation_managed_keys.py
new file mode 100644
index 0000000000..a72c35ea44
--- /dev/null
+++ b/bin/tests/system/dnssec/tests_validation_managed_keys.py
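Review bot: The last block of test_accept_expired queries expired.example SOA but then iterates res1.additional and res2.additional, whereas the first SOA block checks .answer; for an SOA query the additional section is most likely empty, so both loops would assert nothing and the expired-rrset TTL check passes vacuously. This looks like a copy of the MX block above it. Suggest `for rrset in res1.answer:` and `for rrset in res2.answer:`, preceded by `assert res1.answer and res2.answer` so an empty section fails loudly instead of silently passing. Setting CD via `msg.flags |= flags.CD` also differs from the sibling modules, which pass `cd=True` to isctest.query.create; using the same form here would drop the dns.flags import.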
@@ -0,0 +1,105 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import shutil
+
+import pytest
+
+import isctest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def reconfigure(ns4, templates):
+ assert os.path.exists("ns4/managed-keys.bind.jnl") is False
+ shutil.copyfile("ns4/managed-keys.bind.in", "ns4/managed-keys.bind")
+ templates.render("ns4/named.conf", {"managed_key": True})
+ ns4.reconfigure(log=False)
+
+
+# helper functions
+def getfrom(file):
+ with open(file, encoding="utf-8") as f:
+ return f.read().strip()
+
+
+def test_secure_root_managed(ns4):
+ # check that a query for a secure root validates
+ msg = isctest.query.create(".", "KEY")
+ res = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.adflag(res)
+
+ # check that "rndc secroots" dumps the trusted keys
+ key = int(getfrom("ns1/managed.key.id"))
+ alg = os.environ["DEFAULT_ALGORITHM"]
+ expected = f"./{alg}/{key} ; managed"
+ response = ns4.rndc("secroots -", log=False).splitlines()
+ assert expected in response
+ assert len(response) == 10
+
+
+def test_positive_validation_nsec_managed():
+ msg = isctest.query.create("a.example", "A")
+ res1 = isctest.query.tcp(msg, "10.53.0.2")
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.same_answer(res1, res2)
+ isctest.check.adflag(res2)
+
+
+def test_positive_validation_nsec3_managed():
+ msg = isctest.query.create("a.nsec3.example", "A")
+ res1 = isctest.query.tcp(msg, "10.53.0.3")
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.same_answer(res1, res2)
+ isctest.check.noerror(res2)
+ isctest.check.adflag(res2)
+
+
+def test_positive_validation_optout_managed():
+ msg = isctest.query.create("a.optout.example", "A")
+ res1 = isctest.query.tcp(msg, "10.53.0.3")
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.same_answer(res1, res2)
+ isctest.check.adflag(res2)
+
+
+def test_negative_validation_nsec_managed():
+ # nxdomain
+ msg = isctest.query.create("q.example", "A")
+ res1 = isctest.query.tcp(msg, "10.53.0.2")
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.same_answer(res1, res2)
+ isctest.check.nxdomain(res2)
+ isctest.check.adflag(res2)
+
+
+def test_ds_managed():
+ # check root DS queries validate
+ msg = isctest.query.create(".", "DS")
+ res1 = isctest.query.tcp(msg, "10.53.0.1")
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.same_data(res1, res2)
+ isctest.check.adflag(res2)
+ isctest.check.noerror(res2)
+
+ # check DS queries succeed at RFC 1918 empty zone
+ msg = isctest.query.create("10.in-addr.arpa", "DS")
+ res1 = isctest.query.tcp(msg, "10.53.0.2")
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.same_data(res1, res2)
+ isctest.check.noerror(res2)
+
+
+def test_keydata_storage(ns4):
+ ns4.rndc("managed-keys sync", log=False)
+ with isctest.log.WatchLogFromStart("ns4/managed-keys.bind") as watcher:
+ watcher.wait_for_line(["KEYDATA", "next refresh:"])
diff --git a/bin/tests/system/dnssec/tests_validation_many_anchors.py b/bin/tests/system/dnssec/tests_validation_many_anchors.py
new file mode 100644
index 0000000000..fd6e10eb16
--- /dev/null
+++ b/bin/tests/system/dnssec/tests_validation_many_anchors.py
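Review bot: `assert len(response) == 10` in test_secure_root_managed pins the exact number of lines `rndc secroots -` prints, so any change to that output's framing (an extra header, banner or blank line) fails the test without showing which line was unexpected; test_secure_roots in tests_validation_multiview.py has the same construct with 17. Asserting on the specific lines the dump is expected to contain would be more robust, or at minimum attach the output to the failure as the multiview version does: `assert len(response) == 10, response`. The `getfrom()` helper is also duplicated verbatim in tests_validation_multiview.py and would fit better in the shared isctest helpers. The fixture asserts that ns4/managed-keys.bind.jnl is absent but, from what is visible here, nothing removes the copied managed-keys.bind afterwards, so a second run in the same directory presumably relies on the outer test harness cleaning up.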
@@ -0,0 +1,136 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from dns import edns
+import pytest
+
+import isctest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def reconfigure(ns5, templates):
+ templates.render("ns5/named.conf", {"many_anchors": True})
+ with ns5.watch_log_from_here() as watcher:
+ ns5.reconfigure(log=False)
+ watcher.wait_for_line(
+ [
+ "ignoring static-key for 'disabled.trusted.': algorithm is disabled",
+ "ignoring static-key for 'disabled.managed.': algorithm is disabled",
+ "ignoring static-key for 'unsupported.trusted.': algorithm is unsupported",
+ "ignoring static-key for 'unsupported.managed.': algorithm is unsupported",
+ "ignoring static-key for 'unsupported.managed.': algorithm is unsupported",
+ "ignoring static-key for 'revoked.trusted.': bad key type",
+ "ignoring static-key for 'revoked.managed.': bad key type",
+ ]
+ )
+
+
+def test_trust_anchors():
+ # DNSSEC tests related to unsupported, disabled and revoked trust anchors.
+ #
+ # This nameserver is loaded with a bunch of trust anchors.
+ # Some of them are good (enabled.managed, enabled.trusted,
+ # secure.managed, secure.trusted), and some of them are bad
+ # (disabled.managed, revoked.managed, unsupported.managed,
+ # disabled.trusted, revoked.trusted, unsupported.trusted). Make sure
+ # that the bad trust anchors are ignored. This is tested by looking
+ # for the corresponding lines in the logfile.
+
+ # check that a key with supported algorithm validates as secure
+ msg = isctest.query.create("a.secure.trusted", "A")
+ res1 = isctest.query.tcp(msg, "10.53.0.3")
+ res2 = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res1)
+ isctest.check.noerror(res2)
+ isctest.check.adflag(res2)
+ if hasattr(res2, "extended_errors"):
+ assert not res2.extended_errors()
+
+ msg = isctest.query.create("a.secure.managed", "A")
+ res1 = isctest.query.tcp(msg, "10.53.0.3")
+ res2 = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res1)
+ isctest.check.noerror(res2)
+ isctest.check.adflag(res2)
+ if hasattr(res2, "extended_errors"):
+ assert not res2.extended_errors()
+
+ # check that an unsupported signing algorithm yields insecure
+ msg = isctest.query.create("a.unsupported.trusted", "A")
+ res1 = isctest.query.tcp(msg, "10.53.0.3")
+ res2 = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res1)
+ if hasattr(res2, "extended_errors"):
+ assert (
+ res2.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
+ )
+ isctest.check.noerror(res2)
+ isctest.check.noadflag(res2)
+
+ msg = isctest.query.create("a.unsupported.managed", "A")
+ res1 = isctest.query.tcp(msg, "10.53.0.3")
+ res2 = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res1)
+ if hasattr(res2, "extended_errors"):
+ assert (
+ res2.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
+ )
+ isctest.check.noerror(res2)
+ isctest.check.noadflag(res2)
+
+ # check that a disabled signing algorithm yields insecure
+ msg = isctest.query.create("a.disabled.trusted", "A")
+ res1 = isctest.query.tcp(msg, "10.53.0.3")
+ res2 = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res1)
+ isctest.check.noerror(res2)
+ isctest.check.noadflag(res2)
+
+ msg = isctest.query.create("a.disabled.managed", "A")
+ res1 = isctest.query.tcp(msg, "10.53.0.3")
+ res2 = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res1)
+ isctest.check.noerror(res2)
+ isctest.check.noadflag(res2)
+
+ # check that zone signed with an algorithm that's disabled for
+ # some other domain, but not for this one, validates as secure.
+ # "enabled.trusted." and "enabled.managed." do not match the
+ # "disable-algorithms" option, so no special rules apply. (static)
+ msg = isctest.query.create("a.enabled.trusted", "A")
+ res1 = isctest.query.tcp(msg, "10.53.0.3")
+ res2 = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res1)
+ isctest.check.noerror(res2)
+ isctest.check.adflag(res2)
+
+ msg = isctest.query.create("a.enabled.managed", "A")
+ res1 = isctest.query.tcp(msg, "10.53.0.3")
+ res2 = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res1)
+ isctest.check.noerror(res2)
+ isctest.check.adflag(res2)
+
+ # a revoked trust anchor is ignored when configured; check that
+ # this yields insecure.
+ msg = isctest.query.create("a.revoked.trusted", "A")
+ res1 = isctest.query.tcp(msg, "10.53.0.3")
+ res2 = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res1)
+ isctest.check.noerror(res2)
+ isctest.check.noadflag(res2)
+
+ msg = isctest.query.create("a.revoked.managed", "A")
+ res1 = isctest.query.tcp(msg, "10.53.0.3")
+ res2 = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res1)
+ isctest.check.noerror(res2)
+ isctest.check.noadflag(res2)
diff --git a/bin/tests/system/dnssec/tests_validation_multiview.py b/bin/tests/system/dnssec/tests_validation_multiview.py
new file mode 100644
index 0000000000..a1edf64be0
--- /dev/null
+++ b/bin/tests/system/dnssec/tests_validation_multiview.py
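Review bot: The expected-line list in the reconfigure fixture contains `"ignoring static-key for 'unsupported.managed.': algorithm is unsupported"` twice, while every other anchor appears once. If wait_for_line requires each listed line to be seen, the duplicate only passes when that message really is logged twice, which may be intended (two keys configured for that name) but is not explained anywhere; if it is a copy-paste slip the fixture will hang until timeout. Either drop the duplicate or annotate it, e.g. `# logged twice: <reason to be confirmed, see ns5/named.conf template>`. Separately, the block comment at the top of test_trust_anchors describes the whole module's setup and would read better as the function's docstring, and the `extended_errors()[0]` checks assume the unsupported-algorithm EDE is always the first option; a membership check over `{ede.code for ede in res2.extended_errors()}` as used in tests_validation.py would not depend on ordering.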
@@ -0,0 +1,61 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import re
+
+import pytest
+
+import isctest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def reconfigure(ns4, templates):
+ templates.render("ns4/named.conf", {"multi_view": True})
+ ns4.reconfigure(log=False)
+
+
+def getfrom(file):
+ with open(file, encoding="utf-8") as f:
+ return f.read().strip()
+
+
+def test_staticstub_delegations():
+ # check insecure delegation between static-stub zones
+ def docheck():
+ msg = isctest.query.create("insecure.secure.example", "NS")
+ res = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.noerror(res)
+ msg = isctest.query.create("secure.example", "NS")
+ res = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.noerror(res)
+ return True
+
+ isctest.run.retry_with_timeout(docheck, 5)
+
+
+def test_validator_logging(ns4):
+ # check that validator logging includes the view name with multiple views
+ pattern = re.compile("view rec: *validat")
+ with ns4.watch_log_from_start() as watcher:
+ msg = isctest.query.create("secure.example", "NS")
+ isctest.query.tcp(msg, "10.53.0.4")
+ watcher.wait_for_line(pattern)
+
+
+def test_secure_roots(ns4):
+ # check that "rndc secroots" dumps the trusted keys with multiple views
+ key = int(getfrom("ns1/managed.key.id"))
+ alg = os.environ["DEFAULT_ALGORITHM"]
+ expected = f"./{alg}/{key} ; static"
+ response = ns4.rndc("secroots -", log=False).splitlines()
+ assert expected in response, response
+ assert len(response) == 17
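Review bot: The module-scoped autouse reconfigure fixture renders ns4/named.conf with `{"multi_view": True}` and reconfigures, but nothing restores the previous configuration when the module finishes; tests_validation_accept_expired.py and tests_validation_managed_keys.py render the same file with other flags, so ns4's state after any of these modules depends on module execution order and on each render resetting every flag the others set. Presumably the template does reset them, but turning each fixture into a yield fixture that re-renders the default configuration after `yield` would make the modules self-contained and safe to run in isolation. A one-line comment on the fixture naming what view layout `multi_view` selects would also help, since the expected line count of 17 in test_secure_roots is only meaningful against that layout.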
diff --git a/bin/tests/system/dnssectools/algroll.dnskey b/bin/tests/system/dnssectools/algroll.dnskey
new file mode 100644
index 0000000000..a249180bb9
--- /dev/null
+++ b/bin/tests/system/dnssectools/algroll.dnskey
@@ -0,0 +1,30 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12263 +;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1 +;; WARNING: recursion requested but not available + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags: do; udp: 1232 +; COOKIE: d70bfeeee608e7490100000068630120672a49b90d12287f (good) +;; QUESTION SECTION: +;algroll. IN DNSKEY + +;; ANSWER SECTION: +algroll. 30 IN DNSKEY 257 3 13 8ZsRCWjcBidh4U5O2xldz97ZODaXz9FzeNxQVcpf2bOlKE6QOSEgkvuG IYNnOuHwekp4wpC4x8aqEsULsO1p4w== +algroll. 30 IN DNSKEY 256 3 13 w6cJYtYydN0OL+N64KM75NtWtl+KUzPCqGD9TE9vO+cCtb5qILojunGr jjxT3LzGVjgwhyLReJwVJkIDMWvHXw== +algroll. 30 IN RRSIG DNSKEY 8 1 30 20250730202512 20250630202512 47525 algroll. vDuABgFYmjaw9ehT+lb4KDDnOiFu/Ts3LqAFLLRDU9CpPGIY0eH5c00P seEpRaapEF8N55t8/MRQpMxWaQCd67ERenUn3DFuSDACYoftyAdXsFvi 56giRNDziVhWJXKaQDQ/DIfLJ3W7F8BFSVZCFKq5Gv4MiS92+uvdQUkl 7cIgmJEWpcZ7PQB55r0vQizBP8rXrpcMXMtsojTFXQjF0uomW7/o1RIv KOQTcUnqfT1X4nRkQghhJQNJMftVrjVRkxPu+zq2AST+s2XQD9DBntA3 LFd1Yy1+X3OypjY9ZuD6Y5tC+5e1+IEY2CG/fbrqywMo/4pQ3DZ4ZbWC KATW1g== +algroll. 30 IN RRSIG DNSKEY 8 1 30 20250730202512 20250630202512 60676 algroll. fMZaKG2IwwFMoglH5UxZBVjtT0XGwGokdmO+mA6EJxnBBpKXwhBpv24r Mn61ZXN+pmpn4yUDIsMc1Mb6Irwnak7REfsVO/CKmhNmx/hjmoC2y6B5 +xkoUxCDml8hn/nAFftNVpaFq//1UcPyaXvvALN73hgyuE/Cnrl8DTLL kXfqPzHi7sbEgJf2Fkk0crc+gb4E+Wdrz3D354ogRZ2sguvnOfBZvzA/ uQ5UqKtVx2/44C/nW9Wbnkdi+Z1RuRKJOOoJBHIE0f1dTYnbyUOEMEIW AOAUzoKStDnNom0aWfDs6CGQmPcc9vHp2j63D+h2PkfzmyvHI2K3T9ep HbDCMw== +algroll. 
30 IN RRSIG DNSKEY 13 1 30 20250730202512 20250630202512 13162 algroll. otMMLO7OiYbMvZsYDKBzJrJKsN5E5WCfQLP2KWo5/V0c88U/PJHY9kEa ysChyPRLDM5VN5WnRzzPxgT/KMnqWw== +algroll. 30 IN RRSIG DNSKEY 13 1 30 20250730202512 20250630202512 54661 algroll. nHj9WTm112HMVGpcg3BsBb4s12R3pLl/mVYnz8snFDBuLrRS0dERMQSp PuNmd3D9WDbLyFBClrjzG+BDHBSILQ== + diff --git a/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in b/bin/tests/system/dnssectools/dsset-algroll. similarity index 81% rename from bin/tests/system/dnssec/ns2/cdnskey.secure.db.in rename to bin/tests/system/dnssectools/dsset-algroll. index aa3aaabfaf..f5480969bf 100644 --- a/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in +++ b/bin/tests/system/dnssectools/dsset-algroll. @@ -9,6 +9,4 @@ ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. -$TTL 3600 -@ SOA ns2.example. . 1 3600 1200 86400 1200 -@ NS ns2.example. +algroll. IN DS 54661 13 2 56CE829B928999965B985F77B8725A553B87FDB4B5241AAA1B306959 5621764F diff --git a/bin/tests/system/dnssectools/revkey.dnskey b/bin/tests/system/dnssectools/revkey.dnskey new file mode 100644 index 0000000000..36f660a8b5 --- /dev/null +++ b/bin/tests/system/dnssectools/revkey.dnskey 
@@ -0,0 +1,29 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51808 +;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1 + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags: do; udp: 1232 +; COOKIE: e2c7e750ed266cde0100000068630121f863ce122f5ef67e (good) +;; QUESTION SECTION: +;revkey.example. IN DNSKEY + +;; ANSWER SECTION: +revkey.example. 300 IN DNSKEY 385 3 13 8dtsAwGIpEVKQMxW/Oyf+aoUU6keQ3+q7jeKcXc1GZf9O/wb5a93ghI9 mnmJSMKNPOXUZlz8XuwNu0kuIU/f+g== +revkey.example. 300 IN DNSKEY 256 3 13 E+r2vT9F+V/dV2RALkjYSFyZGSv2FMjzNSgscold+M6tT7HRlWU5dOSF BhJfHF1AwyzWjsn2AjdhU15VZQxb7g== +revkey.example. 300 IN DNSKEY 257 3 13 utSQOEBp4zNV8AnNC+aEU+Pf+zXcutD863bKWhWQRVB/+yBUmtS/q26H ke68j35nLAywm+7/OS+x7Iryhlnh/w== +revkey.example. 300 IN RRSIG DNSKEY 13 2 300 20250730202509 20250630202509 25492 revkey.example. p+D2U3RHcdklSeehdbPP1aoZSRYD0rjbQW1cR8PqygCFaWX3M88D5aKS m8L2t6kl5w6ks529zWkpZWsBSj2Vnw== +revkey.example. 300 IN RRSIG DNSKEY 13 2 300 20250730202509 20250630202509 54617 revkey.example. fCB4AYrdcceLW5MeDpGim5ItqGOCyw0/M1WYNsbj5D0G4P7lACRISJng plg/H3n1EZUN69H7suKcYo/fn+VT0Q== +revkey.example. 300 IN RRSIG DNSKEY 13 2 300 20250730202509 20250630202509 57467 revkey.example. lZLA4ik9SoF4+nyQlBoA/Haj8OO/sBpYQ3e597StgSKX2Cq3apfXGcB2 jLIu0raNQ6OjqI2WtwHhKauPlJZloA== + diff --git a/bin/tests/system/dnssectools/signer/example.db.in b/bin/tests/system/dnssectools/signer/example.db.in new file mode 100644 index 0000000000..3ab6aa2fc5 --- /dev/null +++ b/bin/tests/system/dnssectools/signer/example.db.in 
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+example. 60 IN SOA example. . 0 0 0 0 0
+example. 60 IN NS example.
+example. 60 IN A 1.2.3.4
+; out of zone record
+out-of-zone. 60 IN A 1.2.3.4
diff --git a/bin/tests/system/dnssectools/signer/general/K.+013+23640.key b/bin/tests/system/dnssectools/signer/general/K.+013+23640.key
new file mode 100644
index 0000000000..df4ff32c11
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/K.+013+23640.key
@@ -0,0 +1,6 @@
+; This is a key-signing key, keyid 23640, for .
+; Created: 20250310185208 (Mon Mar 10 18:52:08 2025)
+; Publish: 20250310185208 (Mon Mar 10 18:52:08 2025)
+; Activate: 20250310185208 (Mon Mar 10 18:52:08 2025)
+; Revoke: 20250310185208 (Mon Mar 10 18:52:08 2025)
+. IN DNSKEY 257 3 13 uKwpRtMH+9iuUk/Xj6LciIP5ZckaBtXaUqxUxzJYexXjvxGZGX4470Jv hq2NCI3HBZQNaCCP/h9sluhIzRGPTA==
diff --git a/bin/tests/system/dnssectools/signer/general/K.+013+23640.private b/bin/tests/system/dnssectools/signer/general/K.+013+23640.private
new file mode 100644
index 0000000000..36f932fd3c
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/K.+013+23640.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: m5udfGNSijISQ8Tfp4kx09O1em4PErLUw/mCj3SKmqw=
+Created: 20250310185208
+Publish: 20250310185208
+Activate: 20250310185208
+Revoke: 20250310185208
diff --git a/bin/tests/system/dnssectools/signer/general/K.+013+23768.key b/bin/tests/system/dnssectools/signer/general/K.+013+23768.key
new file mode 100644
index 0000000000..85e460a5bc
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/K.+013+23768.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 23768, for . +; Created: 20250310185208 (Mon Mar 10 18:52:08 2025) +; Publish: 20250310185208 (Mon Mar 10 18:52:08 2025) +; Activate: 20250310185208 (Mon Mar 10 18:52:08 2025) +. IN DNSKEY 256 3 13 TFelYtTRBWeA9A307vvuWIcaNwW4txW4RgSELtsi46ZQs24ncRxmxtFf uJuPyVXePNiE4HNI9CIowGUsn5WuBw== diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.key new file mode 100644 index 0000000000..104face02c --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 19857, for example.com. +; Created: 20220902075244 (Fri Sep 2 17:52:44 2022) +; Publish: 20220902075244 (Fri Sep 2 17:52:44 2022) +; Activate: 20220902075244 (Fri Sep 2 17:52:44 2022) +example.com. IN DNSKEY 256 3 5 AwEAAaUr14RTAa2dr/JPoMv5QM32IbLMNUZFPAM9M2Zm6Ef9S3/UsRk9 W+P08Dx5Xte/PMuZK8ejWUyou37LowmVbahkP2kcS7Z552btsLnGK2+5 me5Y/GgnodhMVN7phkEQNPRKSUQQyLdQC6Ltzt0JVp48q4PmgCta22et rgq1YEoj2E8Po53bn5eQXCUsnkBFhkql9/17Ls2ckWNBkHWiItMDaWk7 qkM4ZJu7C/jq3ybBjn0bi4Svlt7PNiuuo3h5WaJYJHXd2M7PIN14rUDE cas/b+iy4eF7VC3CRUgt1spFinW/G4wSro55e6phstc3I1BE6B+pC4pq eGlAfQqWWcs= diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.private new file mode 100644 index 0000000000..91171b032b --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 5 (RSASHA1) +Modulus: pSvXhFMBrZ2v8k+gy/lAzfYhssw1RkU8Az0zZmboR/1Lf9SxGT1b4/TwPHle1788y5krx6NZTKi7fsujCZVtqGQ/aRxLtnnnZu2wucYrb7mZ7lj8aCeh2ExU3umGQRA09EpJRBDIt1ALou3O3QlWnjyrg+aAK1rbZ62uCrVgSiPYTw+jndufl5BcJSyeQEWGSqX3/XsuzZyRY0GQdaIi0wNpaTuqQzhkm7sL+OrfJsGOfRuLhK+W3s82K66jeHlZolgkdd3Yzs8g3XitQMRxqz9v6LLh4XtULcJFSC3WykWKdb8bjBKujnl7qmGy1zcjUEToH6kLimp4aUB9CpZZyw== +PublicExponent: AQAB +PrivateExponent: HzQaIgCAd6krnS5X5VDwYjiWgy26/syDmuUL+dOFHFyIz9yBnJAP9Q/H9tTDCyUwuhH0yGFetHHIAhs8cMoPDlnp9NSIpS+AfNx4n5AFkrTQlMuw24hpNfCts/MQDuid6GzETJyTHrZ7jEs64l0qRPiXOnLoUch3XK3eDF3ZlAfFkoPBFA5KIbiK8dcCahUmV4WReyE80X2N2dUloE8vLzy/j7yY2z1/HjhAu74S264wQMxNmJ0MsHeu78y7n8SKEJxncbgAciCNoamiQFiBGYYrs72B6BGHc19fhD5G7ldjpXukes9bHJSgj5ohseRJ27hkK7sKnqzOx/5Se6F5EQ== +Prime1: vNcFqw4Gu/gsEcte00YXSGGkOWlsEAOEARMy+l7yYVC9GMR41YuINydu42Bj+D/Qq1ifYk9ok26VnXsJ6GFWK9DdFFtSElCzq1Crb7/7yuRR86cM9UBr3045g9tvlH6sL+yeH1ESr8vNZtmlytDifw2Xp2kg0xoJnlnV0ZXphOk= +Prime2: 3+nmSodd/lDzVvn3uGMKux2B1mI2iApKM6bbwMwrzobN5bFkLkW1y1PuOYJytX1Sm39ecLCPYEmSf56kCitAquj7B98sblg05Y1QKvTTyX4uUsKFx3YAjvgp+acuI0Rq5J5GeSFCvdttgqAWdvvjoI8ic44K3sT1XTexaoLByJM= +Exponent1: jUmr2gHSlAzonB+3QQfuH5++iZ4Q1iJrP4qn15/2ZU1NThyh89REBFAirUjPQ0wryieyiJG1Qqm4k20dSpqZKItK/hIdY8qxwvnGawQPVgxiLJTOIykiDJ+wdLFX2Ji2J903qWK1QoaPleY+H3MOI9V9pCoJ/yg6DhpU2kz5vRE= +Exponent2: 04rLQ0Y4ivg3rchjPRR1Iupxq/UFx+jQyZOusaszB99bztGU8BJz+jDFNBgF/2jzDm1678Qe8L0RZvidye2rHs0VvQ4fj/BNqUGkp7C+FfLcGNwmP5dAV9Ik9fP4JuGQi4Ts16uQvoX8JBjSoH7BQwN3bOyZYHV7yiG/v/zgz3k= +Coefficient: l8vCrMMiS8eWYQNM/SPa4/swn1/EZtcgPcBqMa3zia+9rOJ4/mzRcQTKz6B7c7Z9BVoTzMWGlgd94PTDeLN9fbTNmRs/8JwwgzJ8FeJeisvZquvarFtq2PdVVZQSxTwt7N6DUMVcA8Vbdq+uGjJghs22/sJ23MS3key+PUHtwFI= +Created: 20220902075244 +Publish: 20220902075244 +Activate: 20220902075244 
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.key new file mode 100644 index 0000000000..717d65f256 --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 45884, for example.com. +; Created: 20220902075336 (Fri Sep 2 17:53:36 2022) +; Publish: 20220902075336 (Fri Sep 2 17:53:36 2022) +; Activate: 20220902075336 (Fri Sep 2 17:53:36 2022) +example.com. IN DNSKEY 257 3 5 AwEAAZ6aTwNhgMDJ8AObT38LEX4nZe0CFXKkFv8fzBhEJEWgJRplhEhx laqGc47NoXChBiz5qdX2qAC0zi4CRydmV8TdG9shpED9kapIl7KVM3wj +irX36R9TpFT7Otmvsh7/RbRfpKz4I0pCC01hRHyj7EodMC4j3LMF9sc GWNmiOTQI1PTxbvIEDeDfoTUDMFzvOwVmH1Bq+SzA9Ikm2VADZO4vIIO J/07lWT+LDQ/g1qiCNaSDyNhGfNVf8xYvmB8OXomGFLqDuSpUkwdL5kB 2gGmnUbIH+Pn+pcN9fxVniKH3mzYEGCxIspePbhvwDfB30gTmE8uaFMa 7McouGKW3Ps= diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.private new file mode 100644 index 0000000000..891c6c3831 --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 5 (RSASHA1) +Modulus: nppPA2GAwMnwA5tPfwsRfidl7QIVcqQW/x/MGEQkRaAlGmWESHGVqoZzjs2hcKEGLPmp1faoALTOLgJHJ2ZXxN0b2yGkQP2RqkiXspUzfCP6KtffpH1OkVPs62a+yHv9FtF+krPgjSkILTWFEfKPsSh0wLiPcswX2xwZY2aI5NAjU9PFu8gQN4N+hNQMwXO87BWYfUGr5LMD0iSbZUANk7i8gg4n/TuVZP4sND+DWqII1pIPI2EZ81V/zFi+YHw5eiYYUuoO5KlSTB0vmQHaAaadRsgf4+f6lw31/FWeIofebNgQYLEiyl49uG/AN8HfSBOYTy5oUxrsxyi4Ypbc+w== +PublicExponent: AQAB +PrivateExponent: SSWu0kbaPFAGH4u2NsgSicW+5vfCj4xpRMHT/c8TkX8CDbILN+QW3D5FNnPVBJ5nPD/rGdC3/BdnTeXkDiJP0W4Ohlp2KDkqQMhZGlZgl9z56F+GeBUIstLrnkfVLp6sg6UcBKnsIv5tFHiuBjCCH/kiG64jDpVdXUMQ3HyyHyC67sB1gIqpZdhQxFliVIaebwXHlv4uWi31DxTUj0mmutmpTD1r4z+43DlU3JL07WBBpIoOmG/GoFoDr+JNWWwArnhHDZFl6XL1Z2u5ojdIOcgLTXcU1SdvFwBHIAH9PIwvow0gVcZTIHwDYJ41CL6YExXF8ymVpIPspZPaFwSxvQ== +Prime1: 2iWvbJTRrJuceM1CgOTMMoi/qMN/GtthmbL5V0w+hyFE6UzCWYQXED5YTPtoXk9tZ/YpnD7i5i7ru8VbLx0DAIrLkAFP3Xpxa7dvdRGzyPGuYARsjgNnj57M5Sl1tTTsZpkXaKEeiONCA6+vcSuc2l1NxqdDbhC/TwlpjOAbPRc= +Prime2: uh+ZuRel3T3qvD7acXm2UyF2BdeEEwwIvzqZVi3uxwUTd/TxFA7+3xuX6LNM+HK5fNxuB3exVC8OzALFzUOOJECVFUfhKi/1+VrVfBuJnyLlqQ14RncbZvsn+ScfGZpgYuacvq0zWiP2scxmXSQxchxcFVRCKFRCCVGVuOLzNb0= +Exponent1: coA7TrPiRkY7YBDk6kCtiYzLhKpwaclitkkBpTeozkbBI++dR10UufrvYCDJzE7Gbz3+4zsC360bIKjbTqRcsgkoBcMah3bAV7ilsP4EruFkFJPd4sCYuAKzK0mStfU8bDHI3qtLGrCmMschQDaTEu7MZwveUcRKlhKrqzzqLys= +Exponent2: jlnU7KeViBzvB4La96crN3GEHvuyXA78MaXT2QHQeg770OdZ6wl9DY7BJIzd9bdo/oJo9PUqf0RugMIuHsvoTvnGDDypjeaYrlo2pXE6VKgQFrfioaI/Jwg4jmrJcn+L8JiIkZ1OhUa0S1AVim9AEhJ2qymCX+3xg8cOSBXsBdE= +Coefficient: xotWVi9P/9Xr1FlKANoKVviBZaoT0xqbrVJLdmSLvyca+OipgxDilaPq+To7nAujkwtH/qdR14CHbkFSjxzzEp3jhOOSeh1HysCDlk5N7dCz2X+FHv977IYeC9vuGPG75Vbz18D7FUEy0huXgq003zJdd0e7djNca9a/GAp3gvc= +Created: 20220902075336 +Publish: 20220902075336 +Activate: 20220902075336 
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.key new file mode 100644 index 0000000000..d4b8efbe61 --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 15002, for example.com. +; Created: 20210423012926 (Fri Apr 23 11:29:26 2021) +; Publish: 20210423012926 (Fri Apr 23 11:29:26 2021) +; Activate: 20210423012926 (Fri Apr 23 11:29:26 2021) +example.com. IN DNSKEY 257 3 8 AwEAAdp+oCXl7vpKA3Mmyndx6/iA+wLrtxeMUiWL7uWJ9ZF24EdS8Dye 63p0lGlyvjvM9T5dTiyEpTAdutEBr79H0MlDqIBqpadrCdJRI2S4kC+0 nq5+Aj2CEyiAamPGujwWeXwtfLAvVPfBqs42PBr6wPQIJOByFYDaZBU3 enUEWgHYy/7OnJDrt0QlswKphR6SvYtyuixiUR8J/WouWXglUY5qlC7Z vVDxs9E4q7B1mfKCyoqcFMKPh9lzEBH+IfUZ543xXEYf2BEztKB1SZ2R QnpYedjATGDcgPis46uA2gHMfvDYJTQ5UqTBtveGb3Wsqc0oRXVPMEoY 3WnWhaKDzkk= diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.private new file mode 100644 index 0000000000..72b8e2e0c1 --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 8 (RSASHA256) +Modulus: 2n6gJeXu+koDcybKd3Hr+ID7Auu3F4xSJYvu5Yn1kXbgR1LwPJ7renSUaXK+O8z1Pl1OLISlMB260QGvv0fQyUOogGqlp2sJ0lEjZLiQL7Sern4CPYITKIBqY8a6PBZ5fC18sC9U98GqzjY8GvrA9Agk4HIVgNpkFTd6dQRaAdjL/s6ckOu3RCWzAqmFHpK9i3K6LGJRHwn9ai5ZeCVRjmqULtm9UPGz0TirsHWZ8oLKipwUwo+H2XMQEf4h9RnnjfFcRh/YETO0oHVJnZFCelh52MBMYNyA+Kzjq4DaAcx+8NglNDlSpMG294ZvdaypzShFdU8wShjdadaFooPOSQ== +PublicExponent: AQAB +PrivateExponent: SD4X64/0DTONonRP+2Biej8DP7r6RcHyo1F6QtDzrg4VJ+AHaLPO/iUvsRHsTk99QwqMv3F4QMmDrHmXR3KSWQmS3Crm7M0aaTzErBfOLMfWs7EcQoQQm5KiGq1phFaWAnXzxTlRKb4SIK6T/wOr6sQKlV+DNqB++Pjn92rh67vLM8kZBUzWI14Vl9N0ib+xOOFH1oYFo7ynDgMfJhpnQSkuRfyQls3aD1eKQsNazRtZ7lFi2S0HR/V0AKYH2AQi7SdL5wH6hYba5cHfpKSw7PebI0lYkUJ4PAg3Xw7DPMkg8O0hkpLICpU8x7MPqQQ74eKDaEY+fjbL0KLL0Dy9UQ== +Prime1: /IDRb7WzMY6wp14LqDORULoUnmiQOqkRjOQnCoEXT2KVpYwPmGMG+GR40hrMFgqqAZFVmi56VBoasWpYbSBEqM4aJv1JVimMPREk23v5i+TY93kxICO/ee9/v0hXgLmrKUkS1Kwu4a1PxLX5U/LAzXPR6zF+EHP9OKFjDRWHqN0= +Prime2: 3YU9QdtsXofjNmlDETRwemKv45pa0oVNPmNvS1vtzIpQ3m/QSuhJxzyTgSP9x1XMiIsg63er3LOCtkRifXVE1IBrfIUgchp8YD5LsyesRl2ielE8Hw8PwSA1YjUVu90yRHcVfbZJ8lm2KyRKHgDWXz94t2Xnm/9M5XjUGuNW7l0= +Exponent1: 7KIkpJYZyvW4ZAFk10sMgiUBMbs4f2D2i509YUC9ga4YJD7wVpVncN1nxS9L19RCopl7KbUo+yxDm8TX/dzhu3j7VVLFqbPiM1Cfw/mZUhszoii3ezFFPpbOl4rKRl66I0TSGvEKNoDfYrBPavby7Rf/wHRveifZRXspgpeMvRk= +Exponent2: yvvtjuxW2CRiopg/+YL40lyd2cy2DpRRnKqW8BHzzGquAbWpwwopmOS8MSjewgqv2irK5pmJJTpku0nciiOsB6EJXVfLzGLSt4o96ZOf+/aPDNBla/xsLkaqRCxqlvPwvOX2DnS8O9PS5qNhOy7/QNYzcrJxUfPV7awTh/Pr040= +Coefficient: PHxU1tqPKTpI/8nABvso0SRerc1m+RPWGRk7s/SVcADSBvEW7fUDcwiZeRfK9MdlwPvLiVozbYnRbgRQl8GuKSqAD1+Cnvn2yOQk81AgNKbuKPwF7UvKIdq/c/xnhj2bvZUVSavJ91ux/RlZNP50378Ks8bj5HJl1xzAMVHXB5o= +Created: 20210423012926 +Publish: 20210423012926 +Activate: 20210423012926 
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.key new file mode 100644 index 0000000000..990b837003 --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 63613, for example.com. +; Created: 20210423012810 (Fri Apr 23 11:28:10 2021) +; Publish: 20210423012810 (Fri Apr 23 11:28:10 2021) +; Activate: 20210423012810 (Fri Apr 23 11:28:10 2021) +example.com. IN DNSKEY 256 3 8 AwEAAZzun7bYfjmGDwUEn4pyJG34vsiawRMW6pEdoNMH87ozxriOzgG6 /4zTjEv8JyYjGQz2k2vcoWWcD+86xD5IUqfa1pdXXUU8bdhG9DBtW/K1 mc4P6g8heU+0f++mq/L4TPlWVZUG8lVH4H8mD6r8PsVK7v/QR7wMeg9b JpCYyxon2A9rZ4zS0J9kX9bfciQVh6ODGVENctwEK5FNp5u0VonPEIx3 5Kj+IVn/mHpfbz4LaC02s7C6Kgvn3ToFFSJczwbOaexl/d+/ai8FLJi7 8UgiAq5/178bcVLItMeY6aD5eQGkRtr2c3JZ/JR4Nf+TQAWFBnl9NSDa RH4Qa55ZNqs= diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.private new file mode 100644 index 0000000000..1765d3f0f6 --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 8 (RSASHA256) +Modulus: nO6ftth+OYYPBQSfinIkbfi+yJrBExbqkR2g0wfzujPGuI7OAbr/jNOMS/wnJiMZDPaTa9yhZZwP7zrEPkhSp9rWl1ddRTxt2Eb0MG1b8rWZzg/qDyF5T7R/76ar8vhM+VZVlQbyVUfgfyYPqvw+xUru/9BHvAx6D1smkJjLGifYD2tnjNLQn2Rf1t9yJBWHo4MZUQ1y3AQrkU2nm7RWic8QjHfkqP4hWf+Yel9vPgtoLTazsLoqC+fdOgUVIlzPBs5p7GX9379qLwUsmLvxSCICrn/XvxtxUsi0x5jpoPl5AaRG2vZzcln8lHg1/5NABYUGeX01INpEfhBrnlk2qw== +PublicExponent: AQAB +PrivateExponent: N4egcDzO/V/YdLgcFAsrpNY9/BH2e+DCA7NuMv4/WgX0LV4quyYGQzigDksdNzt4I8Qkiig53BCK+uXahwdkaAzhng/F6zfkzoDc6z3nKUzlLasn8U6w9Gk0VAKwGXuPETNheShKG68hWxyGssQrGfjX9SEoIPxxPHnOfZ/zTj95KAnVV5qPz90xVAb0+FUrLXAt72KuRwepOTlsETsMFDKe17uUCqCCdX98Ko0u14wrO6zGRQtNhUsfvNB/pY8fvbHD1GcCTbFSx4FxsUsZMrNtMsvMe3HN9ggC0Y9htbH9HV0hS0w9SKCUyoeOVwf/JZL4hlfoe8+jglsyJpAgoQ== +Prime1: zeXvO3PT4iXv9GlGeebl39pF1sXs8tXY4B9VHUJGGSYlyOlyCEy4URQJIPfuL6VjFKCErSxUJSrGz0HyQuKr8l9qP/0MGxGRH7wxvUR7YTmai84yyQ4fFENRmn8bzxGwj0MVHIW7cKC59j7nWT24gseT21/NP5m8EnPsjz/K40M= +Prime2: wx5vVFSydUfr8HtOHNS1kRrTjhnQOfjmj8SxGi72Hk+mgi9fBCTC5fRLifd80wGbgyFk1vZOXeStOC8L3IlnBGLX0O9MNip+vVX3hRzIRhLwHhL1ygN3xEd04qwVH0XJ8+4A0XCzh/FJgW59F62geN6gwedo7GmZAOSZUBAyRHk= +Exponent1: IlkqeLuQ7Fgx2I87b5iiXp62Keco6TXdkT4I3/GvagCgKw0utc2+rd/uye4ycQZhKg7BM3aCrxScx/STaq8PykY6nmQjgdyDXkzx60YiYwzOCGakuD+/1YyJb4Gm7PthffTN780rgNV/UGIcDBoszrxmoSExR1vpMRbfruIQgas= +Exponent2: or0Os/KUibc79W6Snv9WlLkgPAQRpViQzNaLtD/47R0Xzrs975HNsMgJ/P+bb86Ga1994MC8ahmh1BuBNCax8nmScWQ1V3QoEzjRYoe4DqIa/aposF4mFWJX/fry/wtRPo+CxSzPwJGh8j86PHaHQmjFAhVFcPE+OP1xVdK8alk= +Coefficient: r5wPmPXUF5pVC0Y7La3jVkL4w/3wvq9LBz91tH9gA8OUNLpDDBuFZISiJdhOZ4JVw+qSSoHcEa+3Phd+BqxmXzwZDU1Fqta9mLDDGCqCWjVQOopeeJgrvkv9P0TIzEuoGmW50cQhyqHYCtuUxjOnHfiQSc53p7rfD4Vom1VQ3Ok= +Created: 20210423012810 +Publish: 20210423012810 +Activate: 20210423012810 
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.key new file mode 100644 index 0000000000..47003a44c2 --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 18240, for example.com. +; Created: 20211221062121 (Tue Dec 21 17:21:21 2021) +; Publish: 20211221062121 (Tue Dec 21 17:21:21 2021) +; Activate: 20211221062121 (Tue Dec 21 17:21:21 2021) +example.com. IN DNSKEY 256 3 10 AwEAAe5GunnuJFyzmKiGUknSQY3aPtR5UR8vNLLyMCJswffRzoYwY14/ 60ZTsqzh7N+lJV3KAOraocFSsTnmWIM7D7DPpqtaJMQw90ypBG0cnUP1 wKX9L/gdOH/ITlluBiZpCv9Aux3FRECHBO4Gx8Rse8ST2Vag3UuOPW+q HkLsWQt22K/hYuDhEtUWWx2dTIaXUVXNSNbk2zPL+lhC9PaRV+//1Fjo UX4qXCUuUN4TiqlkK2v4UkcIyld1n2R7qTQAkoN9amGFtPu8z5Zw7CxC San03yUSNuKub3fGys11gQRFuEHRX7FxKxvJjmcngG9qCh8AyfHZ8zYb VstTy1unFoM= diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.private new file mode 100644 index 0000000000..f16b62708a --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 10 (RSASHA512) +Modulus: 7ka6ee4kXLOYqIZSSdJBjdo+1HlRHy80svIwImzB99HOhjBjXj/rRlOyrOHs36UlXcoA6tqhwVKxOeZYgzsPsM+mq1okxDD3TKkEbRydQ/XApf0v+B04f8hOWW4GJmkK/0C7HcVEQIcE7gbHxGx7xJPZVqDdS449b6oeQuxZC3bYr+Fi4OES1RZbHZ1MhpdRVc1I1uTbM8v6WEL09pFX7//UWOhRfipcJS5Q3hOKqWQra/hSRwjKV3WfZHupNACSg31qYYW0+7zPlnDsLEJJqfTfJRI24q5vd8bKzXWBBEW4QdFfsXErG8mOZyeAb2oKHwDJ8dnzNhtWy1PLW6cWgw== +PublicExponent: AQAB +PrivateExponent: U/ipDv9V4TWJvxpXNZzbbVpUehym8g54y/d97yPU17kgxzmWS0jLaWVluneEOuzAVmUyHZIfHzo9KuJ6nwTZar5DRm/mNR3siR+nZ6yF38VjtxubJB1oI+A7fFjB4hdywLHXP46dlv/+RMQu8pIorAZOubDHTDE8hXW2ZG9WkisJ5P7KoaL4KFHHHXi5vsXAMph4Zphd/zPxVL2tHD3l5c3QXRpQWfTNZNQcZ1f/4yVCuMRibg5LCvpia0ZwRrlygfZdAHUUd0VJDfRO45J5nlIJSAHQtjYtVTL+xNISWOHXovVlInkVyluACqfX94I7qPXTu41yg3SxrrtHE6RTwQ== +Prime1: +/YsRxmUxgvHKUh4SxdjzqNDDEi8b2BtM5IpctjVG3oYsL6J9xJB3U5/lbrGEPgl/1ndBUSXMQ6zQ5WcDE1qBAdW8t0eyniyuiexcgQ9f04Ds7p7oUiSHGLRn8YqQOzmiASXoZmkzfJZ+42pGhT3RZ+aYKtWQGMHqXabwV3zZl0= +Prime2: 8hhnKzPzExy6wv/MV0aYKo1g4azrRjug6743/ctTC7zjnMmDW7RMFTXmq5Tu3pFaIL4N4C4m1b7P3abfTrjm+DwHnrlRIvLWS3zJnvUEM22i4BwqqTLRiJpoT5Bfp4pVsdOPT7Iyx1q5UsJZ7Q4qMpg2TFpGiQyieRB5Xwpu4l8= +Exponent1: ZFPx7Z3SD8pA0793pu75Xx7DY/DSl8bdtNtOhdyxfu9vRXGZnjg24diQFR76H2ewOa2exKo7Sd2ApDi+mmd4/4Gsrag+yoClKlsD3VKy6i42ayqmb+Jly8fNkMFnsdKjOSYa+s4jQZ5vFiuiWjBfBeo3nqabAahtNJ12B9lRQkE= +Exponent2: tNz4TnVsFo4zFLVHsrghvECM7WxjBMBNc3FToT6CV1WRcjO1+A/Ve08eenc0kYBjpex2r1GrX6pC3uPpFoXav/8Q7kqiTArBf/nFIwUHU2iH8wf38xntIjHA1hgU7jTR2p0kBrUpbHfh1esuhYQ8kDnY7ufOpFqVEv70vcUsm98= +Coefficient: 3acDCJ9jCnHAP1km7jRO388mOpiI8U6SMv0PBD8l2UoB4CYwujrFxy6PhgUa486bbm5xZEaOwhYZcbw/g1qyC6Qt5kYOb2fVWOob/lEQmyqbDvHMQWTJoIbqaDTKQN/szI4xVdb/xZ6QR4Bq7JgbJpUACgweS540Y7Lf8Dry8C0= +Created: 20211221062121 +Publish: 20211221062121 +Activate: 20211221062121 
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.key new file mode 100644 index 0000000000..37bd259f6b --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 28633, for example.com. +; Created: 20211221062130 (Tue Dec 21 17:21:30 2021) +; Publish: 20211221062130 (Tue Dec 21 17:21:30 2021) +; Activate: 20211221062130 (Tue Dec 21 17:21:30 2021) +example.com. IN DNSKEY 257 3 10 AwEAAc4lt8fDsdCzMCLHxXm8Ok/dw6XDiqx06Rf47LTeLmo6b64xm1Fs 0zloNMrcZDgwS5IxjQ3Breqc5aEc+jehueqCXa/fJXMdIt1VpUG0H7GP 4B+1IVmEiziHfmOozktdkuAyLqcsNhsf+J1+bCoHJSffgz6KbjBks/jR 12uyUnZCDrKGE/KfiR0gpT3watqGqqChO0KXq2N2PsnYfyRDea5FMUjM oPgOOyAT8LIMsM8x4f+EbU6m9Zc3Esafek9iLCS9R1333Pm1EEh5ghQT BsZ7omc5aSvrKUaIneojU3RdofceZouCliIDXmqscfY0y6bivGcmCQI/ LM4XUh7GWlM= diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.private new file mode 100644 index 0000000000..6d7f72e48b --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 10 (RSASHA512) +Modulus: ziW3x8Ox0LMwIsfFebw6T93DpcOKrHTpF/jstN4uajpvrjGbUWzTOWg0ytxkODBLkjGNDcGt6pzloRz6N6G56oJdr98lcx0i3VWlQbQfsY/gH7UhWYSLOId+Y6jOS12S4DIupyw2Gx/4nX5sKgclJ9+DPopuMGSz+NHXa7JSdkIOsoYT8p+JHSClPfBq2oaqoKE7QperY3Y+ydh/JEN5rkUxSMyg+A47IBPwsgywzzHh/4RtTqb1lzcSxp96T2IsJL1HXffc+bUQSHmCFBMGxnuiZzlpK+spRoid6iNTdF2h9x5mi4KWIgNeaqxx9jTLpuK8ZyYJAj8szhdSHsZaUw== +PublicExponent: AQAB +PrivateExponent: Wr3fl99cdjFqDuVA18UzJdTIOj9I24Da2eKIz1S9uaTfZB4R8FWm5K4qDuHUe6dGnKOTI2sN0ygdLD5FJhfabo/UDYZ8RZ+dqS/5/mH7UX2zekGQ3Iargcaiq9uycxpNfMKaJpwfdPEtzqXHlvhuMo8AhpcIyeSKFAzKdm2YPtUqIrum4RARHyfRLfLyWlkIotPdyiaKCVGQxiRbFsTcmIB2Bizmt7zRjlB+Hxf8MooXmaKUFRQtMCLnFGK0ecFI1CWAxmLSanvYVKQ0HxcFkFKzRiZAz1au7ZfMgYDZj0jF72WAGU3Edcmdc0QIQRTWjb/3wcBfwlr9s6lKoF3ngQ== +Prime1: 1EIziKhz7dF41rb/hckdr2qeY8eM7tLrT5jIMPLISHCCuKm5IK2u7PY6m6NjMdhx1ilm7K2RGTt+TTFZaqDIEd8qpzRCxAGcfTVOmB9iHwmi9i9RoPSlY6o+iShft68ZnvPiGJWUF2huRYVK2F0cIWErwSqaBGsFd79mXmlkn98= +Prime2: +KEdNtZj9JyCCR2xbLAw3tnAYxHvJ3skVMjxV3cyUupMWi12NWxGhHH1nnetXxDR2LBBuqIl4pE/4MeXe3sClMHTL3Z9XG+pzQAsHS7yvsfZERdyuWZYYy0ya/7XY2auvRVO6LxN7d47VWjYxAGfoCsbCEivgDxmt1dTZhAtRA0= +Exponent1: d5TcZ69PsLoEtCLhDkRh/wO4PEqeMaaOf4d5sWn2QCly3Apyi+CN3l5SYoDIT7q7V4Z3v/uA9ZA49dBJqfLvBHKQGycsPjUSLtAreTSlGQtazguWl3F9BAtTs/4U/u0dKBoKVQNgLVfeWDhiFEdQo9WUyvzvTHHm4LHqQGJsGE0= +Exponent2: EU2dK+DVygNOZXYEkAzfCdNbuUlZPIUsbR4i9bRc8zpNIAWD8YncioEn1+R6U2BnSk5R9LwuKMt1B568YyKXdmTa3rW/WbyHs7WsXEeVK0PbTn40RMTjp9tQZAWzVb6isJQYDsh0H/bUaEhItbNrOYlmczgjxqftehsAudysWc0= +Coefficient: sl2u/8vttxpiTbspGV4SsaDmKUNdzQH7BgJ5rl3mXPp/aUpLw0Sr7FuARy8W8tq3yVNi9qCOnvGwVl6aQzZP7b8N04KiH8gewlAVdSfxG24yFKJIQNbWGKFZYZFYyjtLVlpK6NYF0f0I1KpAjn58XR0qIBvRFZYWBAkggU9C7ro= +Created: 20211221062130 +Publish: 20211221062130 +Activate: 20211221062130 diff --git a/bin/tests/system/dnssectools/signer/general/bogus-ksk.key b/bin/tests/system/dnssectools/signer/general/bogus-ksk.key new file mode 100644 index 0000000000..e4685741ff 
--- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/bogus-ksk.key @@ -0,0 +1,6 @@ +; +; This is a bogus key. It will not have a .private file. +; +; This will be key id 23221 +; +example.com. IN DNSKEY 257 3 10 AwEAAbcyptpM++pVjhpYQW2fVtyOw04IBSw4X0SYi/Ke4wVkmDNW2vBm AFkgiVVKmmNbb0IHDYQiIY7seXk0fjEwjzeY2bmeOAZxDdv2KT9VQpoY Matk2y4NTi6F/V04x0lL/CBvyifTeNbZKvY+S1eKFuWHeS5Ss8tiagz9 zdYWUe/msvmin+Hbs2tlLwXVl4hOmABCL9uK9H8R6GPL5VdEXYyFOh/v 71CNhRU5ufrARti69YYkfzH6NpWhlJWyJvDjqAdt2L3H8V71C2vcXbBu S5NscEYl+8JQfwUvOTN553I5IQrG+NQEusW36UM/Rkad8mMnUVM9Vzqk GH86GHKtLMc= diff --git a/bin/tests/system/dnssectools/signer/general/bogus-zsk.key b/bin/tests/system/dnssectools/signer/general/bogus-zsk.key new file mode 100644 index 0000000000..aa45938426 --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/bogus-zsk.key @@ -0,0 +1,6 @@ +; +; This is a bogus key. It will not have a .private file. +; +; This will be key id 48930 +; +example.com. IN DNSKEY 256 3 10 AwEAAa/0IcnbGutPVkrz04tw5ZIYx6rU+FprB2rlKS8cTK/wiBOqbOC6 QIDdegDpZG1fOdj04ZQGa3pIizqC2CnlIWfxpfR6W+qSLRBuQ8gmwTmS c/Jy/0vAGB3fv3oVIqKslLNqIXZb3CKNiA2kGcut3aUgfeOW970Jga6z PAGKqPpPZTelW1Qy9N5BO4cRTuYo4uvbZveJv1W/2n5RN+UaeqU0f+AE DP0+wqSWNUfZsi6HygLwk08x3eO8PzTBlqBlAMfvNAygrmXqccMREyyH KEc5dVJ1qOXfj8BAdJUPmunyJhIwC9PxzOW7mn1lW7mZO2D5U/Jaxw2k eX2KblmVk8s= diff --git a/bin/tests/system/dnssectools/signer/general/test1.zone b/bin/tests/system/dnssectools/signer/general/test1.zone new file mode 100644 index 0000000000..98c9f0233c --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/test1.zone 
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
diff --git a/bin/tests/system/dnssectools/signer/general/test10.zone b/bin/tests/system/dnssectools/signer/general/test10.zone
new file mode 100644
index 0000000000..10a8bc97e1
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test10.zone
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00100000 1200 3600 604800 300
+extra.example.com. IN A 1.2.3.4
+$include Kexample.com.+008+63613.key
+$include Kexample.com.+008+15002.key
diff --git a/bin/tests/system/dnssectools/signer/general/test11.zone b/bin/tests/system/dnssectools/signer/general/test11.zone
new file mode 100644
index 0000000000..538305fc14
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test11.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+19857.key
+$include Kexample.com.+005+45884.key
diff --git a/bin/tests/system/dnssectools/signer/general/test12.zone b/bin/tests/system/dnssectools/signer/general/test12.zone
new file mode 100644
index 0000000000..4e4c9baef6
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test12.zone
@@ -0,0 +1,37 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 30 ; 30 seconds
+. IN SOA a.root.servers.nil. each.isc.org. (
+ 2000042101 ; serial
+ 600 ; refresh (10 minutes)
+ 600 ; retry (10 minutes)
+ 1200 ; expire (20 minutes)
+ 600 ; minimum (10 minutes)
+ )
+ NS a.root-servers.nil.
+ DNSKEY 256 3 13 (
+ TFelYtTRBWeA9A307vvuWIcaNwW4txW4RgSELtsi46ZQ
+ s24ncRxmxtFfuJuPyVXePNiE4HNI9CIowGUsn5WuBw==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 23768
+ DNSKEY 257 3 13 (
+ OSmhpULEDCUzHCBeDU5uJXzkCcGuW2qrkQznKRPGhRZN
+ j7ZUIGInGzM5Um5m02ULWt8tKbi55NJUeifKWegQ0g==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 22255
+ DNSKEY 385 3 13 (
+ uKwpRtMH+9iuUk/Xj6LciIP5ZckaBtXaUqxUxzJYexXj
+ vxGZGX4470Jvhq2NCI3HBZQNaCCP/h9sluhIzRGPTA==
+ ) ; revoked KSK; alg = ECDSAP256SHA256 ; key id = 23768
+a.root-servers.nil. A 10.53.0.1
diff --git a/bin/tests/system/dnssectools/signer/general/test2.zone b/bin/tests/system/dnssectools/signer/general/test2.zone
new file mode 100644
index 0000000000..97c0d3d8dc
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test2.zone
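Review bot: The header comment of test12.zone is copied from test1.zone and no longer describes this fixture: the zone carries three DNSKEY records (a ZSK, a KSK with key id 22255, and a revoked KSK with flags 385), and in the part of the commit shown here only the ZSK and the revoked KSK have key files (K.+013+23768 and K.+013+23640), so "two DNSKEY records, both of which have existing private key files" is wrong. The revoked KSK is annotated `key id = 23768`, the same tag as the ZSK; that looks deliberate (setting the REVOKE bit adds 128 to the key tag, and 23640 + 128 = 23768), but a reader will take it for a copy-paste error unless the header says so. Suggested replacement for the three comment lines: `; This zone has a ZSK, a KSK and a revoked KSK. The revoked KSK's key`, `; tag (23768) collides with the ZSK's on purpose: revoking adds 128 to`, `; the tag, 23640 + 128 = 23768.` The SOA MNAME `a.root.servers.nil.` also differs from the NS target `a.root-servers.nil.` on the next line, which looks like a typo rather than an intended mismatch.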
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has one non-KSK DNSKEY record for which the
+; private key file exists. It should be loaded automatically and the zone
+; correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
diff --git a/bin/tests/system/dnssectools/signer/general/test3.zone b/bin/tests/system/dnssectools/signer/general/test3.zone
new file mode 100644
index 0000000000..bf9bc66c56
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test3.zone
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has one KSK DNSKEY record for which the
+; private key file exists. It should be loaded automatically. As there
+; is no non-KSK DNSKEY the resulting zone should be rejected.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+28633.key
diff --git a/bin/tests/system/dnssectools/signer/general/test4.zone b/bin/tests/system/dnssectools/signer/general/test4.zone
new file mode 100644
index 0000000000..9f05de50fb
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test4.zone
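Review bot: The header comment of test2.zone says the zone "should be loaded automatically and the zone correctly signed", while the "one non-KSK DNSKEY" case in tests.sh from this commit ends its subshell with `test -f signed.zone` followed by `) && ret=1`, i.e. it reports a failure if a signed zone is produced. The comment and the test therefore disagree on the expected outcome. If rejection is the intended result, reword the comment along the lines of test3.zone's: `; It should be loaded automatically. As there is no KSK DNSKEY the resulting zone should be rejected.`; otherwise the test expectation needs revisiting.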
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has three DNSKEY records, two (KSK + ZSK) of
+; which have existing private key files available. The third is a
+; pre-published ZSK.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssectools/signer/general/test5.zone b/bin/tests/system/dnssectools/signer/general/test5.zone
new file mode 100644
index 0000000000..d61504fbf9
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test5.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has three DNSKEY records, two (KSK +ZSK) of which
+; have existing private key files available. The third is a KSK.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-ksk.key
diff --git a/bin/tests/system/dnssectools/signer/general/test6.zone b/bin/tests/system/dnssectools/signer/general/test6.zone
new file mode 100644
index 0000000000..fcfb1ec260
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test6.zone
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has four DNSKEY records, two (KK + ZSK) of which
+; have existing private key files available. There are also a KSK and ZSK
+; for which there will be no signatures.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-ksk.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssectools/signer/general/test7.zone b/bin/tests/system/dnssectools/signer/general/test7.zone
new file mode 100644
index 0000000000..e52c535527
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test7.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, none of which have
+; existing private key files available. The resulting zone should fail
+; the consistency tests.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include bogus-ksk.key
+$include bogus-zsk.key
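Review bot: Typo in the test6.zone header comment: `; This is a zone which has four DNSKEY records, two (KK + ZSK) of which` should read `two (KSK + ZSK)`, matching the wording used in test4.zone and test5.zone. The two keys with private key files are the same 18240/28633 pair the other fixtures call KSK + ZSK, so the abbreviation is the only thing wrong.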
diff --git a/bin/tests/system/dnssectools/signer/general/test8.zone b/bin/tests/system/dnssectools/signer/general/test8.zone
new file mode 100644
index 0000000000..893d32da10
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test8.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, one of which,
+; the KSK, has a private key. The resulting zone should be rejected as
+; it has no ZSK signatures.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+28633.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssectools/signer/general/test9.zone b/bin/tests/system/dnssectools/signer/general/test9.zone
new file mode 100644
index 0000000000..14c47d040c
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test9.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+008+63613.key
+$include Kexample.com.+008+15002.key
diff --git a/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in b/bin/tests/system/dnssectools/signer/prepub.db.in
similarity index 74%
rename from bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in
rename to bin/tests/system/dnssectools/signer/prepub.db.in
index aa3aaabfaf..946aac1bf5 100644
--- a/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in
+++ b/bin/tests/system/dnssectools/signer/prepub.db.in
@@ -9,6 +9,9 @@
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 
-$TTL 3600
-@ SOA ns2.example. . 1 3600 1200 86400 1200
-@ NS ns2.example.
+$TTL 60
+prepub. 60 IN SOA prepub. . 0 0 0 0 0
+prepub. 60 IN NS prepub.
+prepub. 60 IN A 1.2.3.4
+; out of zone record
+out-of-zone. 60 IN A 1.2.3.4
diff --git a/bin/tests/system/dnssectools/signer/remove.db.in b/bin/tests/system/dnssectools/signer/remove.db.in
new file mode 100644
index 0000000000..5629a426ae
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/remove.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+remove. 60 IN SOA remove. . 0 0 0 0 0
+remove. 60 IN NS remove.
+remove. 60 IN A 1.2.3.4
+remove. 60 IN AAAA ::ffff:1.2.3.4
+remove. 60 IN MX 0 remove.
+$INCLUDE remove.db.signed
diff --git a/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in b/bin/tests/system/dnssectools/signer/remove2.db.in
similarity index 77%
rename from bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in
rename to bin/tests/system/dnssectools/signer/remove2.db.in
index aa3aaabfaf..b2962b9ff1 100644
--- a/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in
+++ b/bin/tests/system/dnssectools/signer/remove2.db.in
@@ -9,6 +9,8 @@
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 
-$TTL 3600
-@ SOA ns2.example. . 1 3600 1200 86400 1200
-@ NS ns2.example.
+$TTL 60
+remove. 60 IN SOA remove. . 0 0 0 0 0
+remove. 60 IN NS remove.
+remove. 60 IN A 1.2.3.4
+$INCLUDE remove.db.signed
diff --git a/bin/tests/system/dnssectools/tests.sh b/bin/tests/system/dnssectools/tests.sh
new file mode 100644
index 0000000000..85cd1ac2a6
--- /dev/null
+++ b/bin/tests/system/dnssectools/tests.sh
@@ -0,0 +1,1022 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+status=0
+n=1
+
+# check that a zone file is raw format, version 0
+israw0() {
+ # shellcheck disable=SC2016
+ $PERL <"$1" -e 'binmode STDIN;
+ read(STDIN, $input, 8);
+ ($style, $version) = unpack("NN", $input);
+ exit 1 if ($style != 2 || $version != 0);' || return $?
+}
+
+# check that a zone file is raw format, version 1
+israw1() {
+ # shellcheck disable=SC2016
+ $PERL <"$1" -e 'binmode STDIN;
+ read(STDIN, $input, 8);
+ ($style, $version) = unpack("NN", $input);
+ exit 1 if ($style != 2 || $version != 1);' || return $?
+}
+
+echo_i "basic dnssec-signzone checks:"
+echo_ic "two DNSKEYs ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test1.zone >signer.out.$n
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "two DNSKEYs, DNSKEY RRset only by KSK ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -s now-1mo -e now+2d -P -x -f signed.zone -O full -o example.com. test1.zone >signer.out.$n
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "two DNSKEYs, DNSKEY RRset only by KSK, private key missing ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ cp signed.zone signed.expect
+ grep "example\.com\..*3600.*IN.*RRSIG.*DNSKEY.*10.*2.*3600.*28633.*example\.com\." signed.expect >dnskey.expect || exit 1
+ mv Kexample.com.+010+28633.private Kexample.com.+010+28633.offline
+ $SIGNER -P -x -f signed.zone -O full -o example.com. signed.zone >signer.out.$n 2>/dev/null
+ mv Kexample.com.+010+28633.offline Kexample.com.+010+28633.private
+ grep "$(cat dnskey.expect)" signed.zone >/dev/null || exit 1
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "one non-KSK DNSKEY ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test2.zone >signer.out.$n
+ test -f signed.zone
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "one KSK DNSKEY ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test3.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "three DNSKEY ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test4.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "three DNSKEY, one private key missing ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test5.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "four DNSKEY ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test6.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "two DNSKEY, both private keys missing ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test7.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "two DNSKEY, one private key missing ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test8.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "check that 'dnssec-signzone -F' works with allowed algorithm ($n)"
+ret=0
+if $FEATURETEST --fips-provider; then
+ (
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -F -f signed.zone -o example.com. test1.zone >signer.out.$n
+ test -f signed.zone
+ ) || ret=1
+else
+ echo_i "skipped no FIPS provider available"
+fi
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "check that 'dnssec-signzone -F' failed with disallowed algorithm ($n)"
+ret=0
+if ! $FEATURETEST --fips-provider; then
+ echo_i "skipped no FIPS provider available"
+elif [ $RSASHA1_SUPPORTED = 0 ]; then
+ echo_i "skipped: RSASHA1 is not supported"
+else
+ (
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -F -f signed.zone -o example.com. test11.zone >signer.out.$n 2>&1 && exit 1
+ grep -F -e "fatal: No signing keys specified or found" \
+ -e "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n >/dev/null
+ ) || ret=1
+fi
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "revoked KSK ID collides with ZSK ($n)"
+ret=0
+# signing should fail, but should not coredump
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -S -f signed.zone -o . test12.zone >signer.out.$n 2>/dev/null
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -3 - -H 51 -o example.com. test9.zone >signer.out.$n
+ test -f signed.zone
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "check that dnssec-signzone -J loads journal files ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $MAKEJOURNAL example.com. test9.zone test10.zone test9.zone.jnl
+ $SIGNER -f signed.zone -o example.com. -J test9.zone.jnl test9.zone >signer.out.$n
+ grep -q extra signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "check that dnssec-signzone accepts maximum NSEC3 iterations ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -3 - -H 50 -o example.com. test9.zone >signer.out.$n
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+get_default_algorithm_key_ids_from_sigs() {
+ zone=$1
+
+ awk -v alg=$DEFAULT_ALGORITHM_NUMBER '
+ NF < 8 { next }
+ $(NF-5) != "RRSIG" { next }
+ $(NF-3) != alg { next }
+ $NF != "(" { next }
+ {
+ getline;
+ print $3;
+ }
+ ' signer/$zone.db.signed | sort -u
+}
+
+# Test dnssec-signzone ZSK prepublish smooth rollover.
+echo_i "check dnssec-signzone doesn't sign with prepublished zsk ($n)"
+ret=0
+zone=prepub
+# Generate keys.
+ksk=$("$KEYGEN" -K signer -f KSK -q -a $DEFAULT_ALGORITHM "$zone")
+zsk1=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone")
+zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone")
+zskid1=$(keyfile_to_key_id "$zsk1")
+zskid2=$(keyfile_to_key_id "$zsk2")
+(
+ cd signer || exit 1
+ # Set times such that the current set of keys are introduced 60 days ago and
+ # start signing now. The successor key is prepublished now and will be active
+ # next day.
+ $SETTIME -P now-60d -A now $ksk >/dev/null
+ $SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 >/dev/null
+ $SETTIME -S $zsk1 -i 1h $zsk2.key >/dev/null
+ $SETTIME -P now -A now+1d $zsk2.key >/dev/null
+ # Sign the zone with initial keys and prepublish successor. The zone signatures
+ # are valid for 30 days and the DNSKEY signature is valid for 60 days.
+ cp -f $zone.db.in $zone.db
+ $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null
+ echo "\$INCLUDE \"$zone.db.signed\"" >>$zone.db
+)
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed: missing signatures from key $zskid1"
+status=$((status + ret))
+
+echo_i "check dnssec-signzone retains signatures of predecessor zsk ($n)"
+ret=0
+zone=prepub
+(
+ cd signer || exit 1
+ # Roll the ZSK. The predecessor is inactive from now on and the successor is
+ # activated. The zone signatures are valid for 30 days and the DNSKEY
+ # signature is valid for 60 days. Because of the predecessor/successor
+ # relationship, the signatures of the predecessor are retained and no new
+ # signatures with the successor should be generated.
+ $SETTIME -A now-30d -I now -D now+30d $zsk1 >/dev/null
+ $SETTIME -A now $zsk2 >/dev/null
+ $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null
+)
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check dnssec-signzone swaps zone signatures after interval ($n)"
+ret=0
+zone=prepub
+(
+ cd signer || exit 1
+ # After some time the signatures should be replaced. When signing, set the
+ # interval to 30 days plus one second, meaning all predecessor signatures
+ # are within the refresh interval and should be replaced with successor
+ # signatures.
+ $SETTIME -A now-50d -I now-20d -D now+10d $zsk1 >/dev/null
+ $SETTIME -A now-20d $zsk2 >/dev/null
+ $SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db >/dev/null
+)
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null && ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)"
+ret=0
+zone=example
+# If dnssec-keygen fails, the test script will exit immediately. Prevent that
+# from happening, and also trigger a test failure if dnssec-keygen unexpectedly
+# succeeds, by using "&& ret=1".
+$KEYGEN -a 255 $zone >dnssectools.out.test$n 2>&1 && ret=1
+grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that a DS record cannot be generated for a key using an unsupported algorithm ($n)"
+ret=0
+zone=example
+# Fake an unsupported algorithm key
+unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp
+mv ${unsupportedkey}.tmp ${unsupportedkey}.key
+# If dnssec-dsfromkey fails, the test script will exit immediately. Prevent
+# that from happening, and also trigger a test failure if dnssec-dsfromkey
+# unexpectedly succeeds, by using "&& ret=1".
+$DSFROMKEY ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1
+grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)"
+ret=0
+ret=0
+cat signer/example.db.in "${unsupportedkey}.key" >signer/example.db
+# If dnssec-signzone fails, the test script will exit immediately. Prevent that
+# from happening, and also trigger a test failure if dnssec-signzone
+# unexpectedly succeeds, by using "&& ret=1".
+$SIGNER -o example signer/example.db ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1
+grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that we can sign a zone with out-of-zone records ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
+(
+ cd signer || exit 1
+ cat example.db.in "$key1.key" "$key2.key" >example.db
+ $SIGNER -o example -f example.db example.db >/dev/null
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
+(
+ cd signer || exit 1
+ cat example.db.in "$key1.key" "$key2.key" >example.db
+ $SIGNER -3 - -H 10 -o example -f example.db example.db >/dev/null
+ awk '/^IQF9LQTLK/ {
+ printf("%s", $0);
+ while (!index($0, ")")) {
+ if (getline <= 0)
+ break;
+ printf (" %s", $0);
+ }
+ printf("\n");
+ }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out
+
+ grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
+(
+ cd signer || exit 1
+ cat example.db.in "$key1.key" "$key2.key" >example3.db
+ echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >>example3.db
+ $SIGNER -3 - -A -H 10 -o example -f example3.db example3.db >/dev/null
+ awk '/^IQF9LQTLK/ {
+ printf("%s", $0);
+ while (!index($0, ")")) {
+ if (getline <= 0)
+ break;
+ printf (" %s", $0);
+ }
+ printf("\n");
+ }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out
+
+ grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
+(
+ cd signer || exit 1
+ cat example.db.in "$key1.key" "$key2.key" >example.db
+ $SIGNER -o example -f example.db.before example.db >/dev/null
+ sed 's/60.IN.SOA./50 IN SOA /' example.db.before >example.db.changed
+ $SIGNER -o example -f example.db.after example.db.changed >/dev/null
+)
+grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+keyid2=$(keyfile_to_key_id "$key2")
+key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+keyid3=$(keyfile_to_key_id "$key3")
+(
+ cd signer || exit 1
+ cat example.db.in "$key1.key" "$key2.key" >example.db
+ $SIGNER -D -o example example.db >/dev/null
+
+ # now switch out key2 for key3 and resign the zone
+ cat example.db.in "$key1.key" "$key3.key" >example.db
+ echo "\$INCLUDE \"example.db.signed\"" >>example.db
+ $SIGNER -D -o example example.db >/dev/null
+) || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -RD -o example example.db >/dev/null
+) || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone keeps valid signatures from inactive keys ($n)"
+ret=0
+zone=example
+(
+ cd signer || exit 1
+ cp -f example.db.in example.db
+ $SIGNER -SD -o example example.db >/dev/null
+ echo "\$INCLUDE \"example.db.signed\"" >>example.db
+ # now retire key2 and resign the zone
+ $SETTIME -I now "$key2" >/dev/null 2>&1
+ $SIGNER -SD -o example example.db >/dev/null
+) || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -SDQ -o example example.db >/dev/null
+) || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone retains unexpired signatures ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -Sxt -o example example.db >signer.out.1
+ $SIGNER -Sxt -o example -f example.db.signed example.db.signed >signer.out.2
+) || ret=1
+gen1=$(awk '/generated/ {print $3}' signer/signer.out.1)
+retain1=$(awk '/retained/ {print $3}' signer/signer.out.1)
+gen2=$(awk '/generated/ {print $3}' signer/signer.out.2)
+retain2=$(awk '/retained/ {print $3}' signer/signer.out.2)
+drop2=$(awk '/dropped/ {print $3}' signer/signer.out.2)
+[ "$retain2" -eq $((gen1 + retain1)) ] || ret=1
+[ "$gen2" -eq 0 ] || ret=1
+[ "$drop2" -eq 0 ] || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ # remove NSEC-only keys
+ rm -f Kexample.+005*
+ cp -f example.db.in example2.db
+ cat <>example2.db
+sub1.example. IN A 10.53.0.1
+ns.sub2.example. IN A 10.53.0.2
+EOF
+ echo "\$INCLUDE \"example2.db.signed\"" >>example2.db
+ touch example2.db.signed
+ $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null
+) || ret=1
+grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1
+grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1
+(
+ cd signer || exit 1
+ cp -f example.db.in example2.db
+ cat <>example2.db
+sub1.example. IN NS sub1.example.
+sub1.example. IN A 10.53.0.1
+sub2.example. IN NS ns.sub2.example.
+ns.sub2.example. IN A 10.53.0.2
+EOF
+ echo "\$INCLUDE \"example2.db.signed\"" >>example2.db
+ $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null
+) || ret=1
+grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1
+grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ rm -f example2.db.signed
+ cp -f example.db.in example2.db
+ cat <>example2.db
+sub1.example. IN A 10.53.0.1
+ns.sub2.example. IN A 10.53.0.2
+EOF
+ echo "\$INCLUDE \"example2.db.signed\"" >>example2.db
+ touch example2.db.signed
+ $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null
+) || ret=1
+grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1
+grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1
+(
+ cd signer || exit 1
+ cp -f example.db.in example2.db
+ cat <>example2.db
+sub1.example. IN NS sub1.example.
+sub1.example. IN A 10.53.0.1
+sub2.example. IN NS ns.sub2.example.
+ns.sub2.example. IN A 10.53.0.2
+EOF
+ echo "\$INCLUDE \"example2.db.signed\"" >>example2.db
+ $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null
+) || ret=1
+grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1
+grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone output format ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -O full -f - -Sxt -o example example.db >signer.out.3 2>/dev/null
+ $SIGNER -O text -f - -Sxt -o example example.db >signer.out.4 2>/dev/null
+ $SIGNER -O raw -f signer.out.5 -Sxt -o example example.db >/dev/null
+ $SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db >/dev/null
+ $SIGNER -O raw -f - -Sxt -o example example.db >signer.out.7 2>/dev/null
+) || ret=1
+awk 'BEGIN { found = 0; }
+ $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 11) exit(1); }
+ END { if (!found) exit(1); }' signer/signer.out.3 || ret=1
+awk 'BEGIN { found = 0; }
+ $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 7) exit(1); }
+ END { if (!found) exit(1); }' signer/signer.out.4 || ret=1
+israw1 signer/signer.out.5 || ret=1
+israw0 signer/signer.out.6 || ret=1
+israw1 signer/signer.out.7 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking TTLs are capped by dnssec-signzone -M ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db >/dev/null
+) || ret=1
+awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -N date ($n)"
+ret=0
+(
+ cd signer || exit 1
+ TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db >/dev/null
+) || ret=1
+# shellcheck disable=SC2016
+now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];')
+serial=$(awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9)
+[ "$now" -eq "$serial" ] || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SETTIME -P ds now -P sync now "$key1" >/dev/null
+ $SIGNER -G "cdnskey,cds:sha384" -O full -S -f signer.out.$n -o example example2.db >/dev/null
+) || ret=1
+test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (default) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -O full -S -f signer.out.$n -o example example2.db >/dev/null
+) || ret=1
+test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (empty) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "" -O full -S -f signer.out.$n -o example example2.db >/dev/null
+) || ret=1
+test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (no CDNSKEY) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "cds:sha-256,cds:sha384" -O full -S -f signer.out.$n -o example example2.db >/dev/null
+) || ret=1
+test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (no CDS) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "cdnskey" -O full -S -f signer.out.$n -o example example2.db >/dev/null
+) || ret=1
+test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (suppress duplicates) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "cdnskey,cds:sha256,cds:sha256,cdnskey" -O full -S -f signer.out.$n -o example example2.db >/dev/null
+) || ret=1
+test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (bad argument) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "cdnskey,foobar" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
+ grep "digest must specify cds:algorithm ('foobar')" signer.err.$n >/dev/null || ret=1
+)
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (bad digest - name) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "cdnskey,cds:foobar" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
+ grep "bad digest 'cds:foobar'" signer.err.$n >/dev/null || ret=1
+)
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (bad digest - number) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "cdnskey,cds:256" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
+ grep "bad digest 'cds:256': out of range" signer.err.$n >/dev/null || ret=1
+)
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (unsupported digest - name) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "cdnskey,cds:gost" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
+ grep "unsupported digest 'cds:gost'" signer.err.$n >/dev/null || ret=1
+)
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (unsupported digest - number) ($n)"
+ret=0 +( + cd signer || exit 1 + $SIGNER -G "cdnskey,cds:200" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 + grep "unsupported digest 'cds:200'" signer.err.$n >/dev/null || ret=1 +) +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)" +ret=0 +# generate signed zone with MX and AAAA records at apex. +( + cd signer || exit 1 + $KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove >/dev/null + $KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove >/dev/null + echo >remove.db.signed + $SIGNER -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n +) +grep "RRSIG MX" signer/remove.db.signed >/dev/null || { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.pre$n +} +# re-generate signed zone without MX and AAAA records at apex. +( + cd signer || exit 1 + $SIGNER -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n +) +grep "RRSIG MX" signer/remove.db.signed >/dev/null && { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.post$n +} +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 ($n)" +ret=0 +# generate signed zone with MX and AAAA records at apex. +( + cd signer || exit 1 + echo >remove.db.signed + $SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n +) +grep "RRSIG MX" signer/remove.db.signed >/dev/null || { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.pre$n +} +# re-generate signed zone without MX and AAAA records at apex. 
+( + cd signer || exit 1 + $SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n +) +grep "RRSIG MX" signer/remove.db.signed >/dev/null && { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.post$n +} +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that records other than DNSKEY are not signed by a revoked key by dnssec-signzone ($n)" +ret=0 +( + cd signer || exit 0 + key1=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" -f KSK revoke.example) + key2=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" -f KSK revoke.example) + key3=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" revoke.example) + rkey=$(${REVOKE} "$key2") + cat >>revoke.example.db <>revoke.example.db + "${SIGNER}" -o revoke.example revoke.example.db >signer.out.$n +) || ret=1 +keycount=$(grep -c "RRSIG.DNSKEY ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed) +cdscount=$(grep -c "RRSIG.CDS ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed) +soacount=$(grep -c "RRSIG.SOA ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed) +[ $keycount -eq 3 ] || ret=1 +[ $cdscount -eq 2 ] || ret=1 +[ $soacount -eq 1 ] || ret=1 +n=$((n + 1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)" +ret=0 +alg=1 +until test $alg -eq 258; do + zone="keygen-$alg." 
+ case $alg in + 2) # Diffie Helman + alg=$((alg + 1)) + continue + ;; + 157 | 160 | 161 | 162 | 163 | 164 | 165) # private - non standard + alg=$((alg + 1)) + continue + ;; + 1 | 5 | 7 | 8 | 10) # RSA algorithms + key1=$($KEYGEN -a "$alg" -b "2048" "$zone" 2>"keygen-$alg.err" || true) + ;; + 15 | 16) + key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true) + ;; + 256) + key1=$($KEYGEN -a "RSASHA256OID" "$zone" 2>"keygen-$alg.err" || true) + ;; + 257) + key1=$($KEYGEN -a "RSASHA512OID" "$zone" 2>"keygen-$alg.err" || true) + ;; + *) + key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true) + ;; + esac + if grep "unknown algorithm" "keygen-$alg.err" >/dev/null; then + alg=$((alg + 1)) + continue + fi + if grep "unsupported algorithm" "keygen-$alg.err" >/dev/null; then + alg=$((alg + 1)) + continue + fi + if test -z "$key1"; then + echo_i "'$KEYGEN -a $alg': failed" + cat "keygen-$alg.err" + ret=1 + alg=$((alg + 1)) + continue + fi + $SETTIME -I now+4d "$key1.private" >/dev/null + key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2>/dev/null) + test -f "$key2.key" -a -f "$key2.private" || { + ret=1 + echo_i "'dnssec-keygen -S' failed for algorithm: $alg" + } + alg=$((alg + 1)) +done +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "check that 'dnssec-keygen -F' disables rsasha1 ($n)" +ret=0 +if $FEATURETEST --have-fips-mode; then + echo_i "skipped: already in FIPS mode" +elif ! 
$FEATURETEST --fips-provider; then + echo_i "skipped no FIPS provider available" +elif [ $RSASHA1_SUPPORTED = 0 ]; then + echo_i "skipped: RSASHA1 is not supported" +else + $KEYGEN -F -a rsasha1 example.fips 2>keygen.err$n || true + grep -i "unsupported algorithm: RSASHA1" "keygen.err$n" >/dev/null || ret=1 +fi +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "check that 'dnssec-keygen -F' disables nsec3rsasha1 ($n)" +ret=0 +if $FEATURETEST --have-fips-mode; then + echo_i "skipped: already in FIPS mode" +elif ! $FEATURETEST --fips-provider; then + echo_i "skipped: cannot switch to FIPS mode" +elif [ $RSASHA1_SUPPORTED = 0 ]; then + echo_i "skipped: RSASHA1 is not supported" +else + $KEYGEN -F -a nsec3rsasha1 example.fips 2>keygen.err$n || true + grep -i "unsupported algorithm: NSEC3RSASHA1" "keygen.err$n" >/dev/null || ret=1 +fi +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "check that dnssec-keygen honours key tag ranges ($n)" +ret=0 +zone=settagrange +ksk=$("$KEYGEN" -f KSK -q -a $DEFAULT_ALGORITHM -M 0:32767 "$zone") +zsk=$("$KEYGEN" -q -a $DEFAULT_ALGORITHM -M 32768:65535 "$zone") +kid=$(keyfile_to_key_id "$ksk") +zid=$(keyfile_to_key_id "$zsk") +[ $kid -ge 0 -a $kid -le 32767 ] || ret=1 +[ $zid -ge 32768 -a $zid -le 65535 ] || ret=1 +rksk=$($REVOKE -R $ksk) +rzsk=$($REVOKE -R $zsk) +krid=$(keyfile_to_key_id "$rksk") +zrid=$(keyfile_to_key_id "$rzsk") +[ $krid -ge 0 -a $krid -le 32767 ] || ret=1 +[ $zrid -ge 32768 -a $zrid -le 65535 ] || ret=1 +n=$((n + 1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "check dnssec-dsfromkey from stdin ($n)" +ret=0 +cat algroll.dnskey | $DSFROMKEY -f - algroll. 
>dsfromkey.out.test$n +NF=$(awk '{print NF}' dsfromkey.out.test$n | sort -u) +[ "${NF}" = 7 ] || ret=1 +# make canonical +awk '/^algroll/ { + for (i=1;i<7;i++) printf("%s ", $i); + for (i=7;i<=NF;i++) printf("%s", $i); + printf("\n"); +}' canonical1.$n || ret=1 +awk '/^algroll/ { + for (i=1;i<7;i++) printf("%s ", $i); + for (i=7;i<=NF;i++) printf("%s", $i); + printf("\n"); +}' canonical2.$n || ret=1 +diff -b canonical1.$n canonical2.$n >/dev/null 2>&1 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +# Intentionally strip ".key" from keyfile name to ensure the error message +# includes it anyway to avoid confusion (RT #21731) +echo_i "check dnssec-dsfromkey error message when keyfile is not found ($n)" +ret=0 +key=$($KEYGEN -a $DEFAULT_ALGORITHM -q example. 2>/dev/null) || ret=1 +mv "$key.key" "$key" +$DSFROMKEY "$key" >dsfromkey.out.$n 2>&1 && ret=1 +grep "$key.key: file not found" dsfromkey.out.$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "check dnssec-dsfromkey with revoked key ($n)" +ret=0 +$DSFROMKEY -f revkey.dnskey revkey.example. >dsfromkey.out.test$n || ret=1 +test $(wc -l "$zonefile" + +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 + +# Configure the resolving server with a static key. +keyfile_to_static_ds "$ksk" >trusted.conf +cp trusted.conf ../ns4/trusted.conf +cp trusted.conf ../ns9/trusted.conf diff --git a/bin/tests/system/dnssec/ns2/corp.db b/bin/tests/system/nta/ns2/corp.db similarity index 100% rename from bin/tests/system/dnssec/ns2/corp.db rename to bin/tests/system/nta/ns2/corp.db diff --git a/bin/tests/system/dnssec/ns2/badparam.db.in b/bin/tests/system/nta/ns2/example.db.in similarity index 67% rename from bin/tests/system/dnssec/ns2/badparam.db.in rename to bin/tests/system/nta/ns2/example.db.in index b18d1863d5..f72258f63c 100644 --- a/bin/tests/system/dnssec/ns2/badparam.db.in +++ b/bin/tests/system/nta/ns2/example.db.in 
@@ -11,11 +11,25 @@ $TTL 300 ; 5 minutes @ IN SOA mname1. . ( - 2010081000 ; serial + 2000042407 ; serial 20 ; refresh (20 seconds) 20 ; retry (20 seconds) 1814400 ; expire (3 weeks) 3600 ; minimum (1 hour) ) NS ns2 + NS ns3 ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +; A secure subdomain +secure NS ns3.secure +ns3.secure A 10.53.0.3 + +; A secure subdomain we're going to inject bogus data into +bogus NS ns.bogus +ns.bogus A 10.53.0.3 + +; A subdomain with a corrupt DS +badds NS ns.badds +ns.badds A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns5/named2.conf.in b/bin/tests/system/nta/ns2/named.conf.j2 similarity index 51% rename from bin/tests/system/dnssec/ns5/named2.conf.in rename to bin/tests/system/nta/ns2/named.conf.j2 index 6d0474b9d5..9bfbcde9d2 100644 --- a/bin/tests/system/dnssec/ns5/named2.conf.in +++ b/bin/tests/system/nta/ns2/named.conf.j2 
@@ -11,43 +11,40 @@ * information regarding copyright ownership. */ -// NS5 +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + notify yes; + notify-delay 1; + dnssec-validation no; + minimal-responses no; +}; key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; }; controls { - inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; -options { - query-source address 10.53.0.5; - notify-source 10.53.0.5; - transfer-source 10.53.0.5; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.5; 127.0.0.1; }; - listen-on-v6 { none; }; - recursion yes; - dnssec-validation yes; +zone "example" { + type primary; + file "example.db.signed"; + allow-update { any; }; }; -view root { - match-destinations { 127.0.0.1; }; - - zone "." { - type primary; - file "root.db.signed"; - }; -}; - -view other { -include "revoked.conf"; - - zone "." { - type static-stub; - server-addresses { 127.0.0.1; }; - }; +zone "corp" { + type primary; + file "corp.db"; }; diff --git a/bin/tests/system/nta/ns2/sign.sh b/bin/tests/system/nta/ns2/sign.sh new file mode 100644 index 0000000000..5eb698e842 --- /dev/null +++ b/bin/tests/system/nta/ns2/sign.sh 
@@ -0,0 +1,38 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+set -e
+
+# Sign child zones (served by ns3).
+(cd ../ns3 && $SHELL sign.sh)
+
+# The "example." zone.
+zone=example.
+infile=example.db.in
+zonefile=example.db
+
+# Get the DS records for the "example." zone.
+for subdomain in bogus badds secure; do
+ cp "../ns3/dsset-$subdomain.example." .
+done
+
+# Sign the "example." zone.
+keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
+
+"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
diff --git a/bin/tests/system/dnssec/ns3/bogus.example.db.in b/bin/tests/system/nta/ns3/bogus.example.db.in
similarity index 100%
rename from bin/tests/system/dnssec/ns3/bogus.example.db.in
rename to bin/tests/system/nta/ns3/bogus.example.db.in
diff --git a/bin/tests/system/nta/ns3/named.conf.j2 b/bin/tests/system/nta/ns3/named.conf.j2
new file mode 100644
index 0000000000..3c3f256ca4
--- /dev/null
+++ b/bin/tests/system/nta/ns3/named.conf.j2
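Review bot: The final signing step, `"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1`, throws away dnssec-signzone's stderr, so if signing fails the script aborts under `set -e` with nothing in the setup log to explain why. ns3/sign.sh in the same commit keeps stderr by redirecting only stdout; doing the same here, `"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null`, makes the two scripts consistent and leaves a diagnostic when the parent zone cannot be signed.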
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+ notify yes;
+ dnssec-validation no;
+ minimal-responses no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ file "example.bk";
+};
+
+zone "secure.example" {
+ type primary;
+ file "secure.example.db.signed";
+ allow-update { any; };
+};
+
+zone "bogus.example" {
+ type primary;
+ file "bogus.example.db.signed";
+ allow-update { any; };
+};
+
+zone "badds.example" {
+ type primary;
+ file "badds.example.db.signed";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in b/bin/tests/system/nta/ns3/secure.example.db.in
similarity index 88%
rename from bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in
rename to bin/tests/system/nta/ns3/secure.example.db.in
index f37dd750ce..182329bf42 100644
--- a/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in
+++ b/bin/tests/system/nta/ns3/secure.example.db.in
@@ -17,13 +17,14 @@ $TTL 300 ; 5 minutes 1814400 ; expire (3 weeks) 3600 ; minimum (1 hour) ) - NS ns -ns A 10.53.0.3 + NS ns3 +ns3 A 10.53.0.3 a A 10.0.0.1 b A 10.0.0.2 +c A 10.0.0.3 d A 10.0.0.4 +e A 10.0.0.5 +f A 10.0.0.6 +g A 10.0.0.7 z A 10.0.0.26 -a.a.a.a A 10.0.0.3 -*.e A 10.0.0.6 -child NS ns2.example. diff --git a/bin/tests/system/nta/ns3/sign.sh b/bin/tests/system/nta/ns3/sign.sh new file mode 100644 index 0000000000..5e5405abed --- /dev/null +++ b/bin/tests/system/nta/ns3/sign.sh 
@@ -0,0 +1,62 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+set -e
+
+# a validly signed zone
+zone=secure.example.
+infile=secure.example.db.in
+zonefile=secure.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
+cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
+mv "$zonefile".tmp "$zonefile".signed
+
+# a zone that we'll add bogus data to
+zone=bogus.example.
+infile=bogus.example.db.in
+zonefile=bogus.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+{
+ echo "a.bogus.example. A 10.0.0.22"
+ echo "b.bogus.example. A 10.0.0.23"
+ echo "c.bogus.example. A 10.0.0.23"
+} >>bogus.example.db.signed
+
+#
+# A zone with a bad DS in the parent
+# (sourced from bogus.example.db.in)
+#
+zone=badds.example.
+infile=bogus.example.db.in
+zonefile=badds.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
+sed -e 's/bogus/badds/g' dsset-badds.example.
diff --git a/bin/tests/system/dnssec/ns4/named5.conf.in b/bin/tests/system/nta/ns4/named.conf.j2
similarity index 77%
rename from bin/tests/system/dnssec/ns4/named5.conf.in
rename to bin/tests/system/nta/ns4/named.conf.j2
index dae14c328b..87f70e2f21 100644
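Review bot: The `set -e` following `. ../../conf.sh` looks redundant next to the `#!/bin/sh -e` shebang, but it is the only guard that actually applies here, because ns2/sign.sh runs this file as `$SHELL sign.sh` and invoking a script through `$SHELL` bypasses the shebang's options; a one-line comment would stop a later cleanup from dropping it, e.g. `# keep: ns2/sign.sh runs this as "$SHELL sign.sh", which ignores the shebang's -e`. The same reasoning applies to setup.sh, which runs ns1/sign.sh the same way. Separately, as rendered here the last line `sed -e 's/bogus/badds/g' dsset-badds.example.` has no input redirection and would only print the file rather than derive dsset-badds.example. from dsset-bogus.example.; if the `<dsset-bogus.example. >` part was lost in rendering this is a non-issue, otherwise the deliberately mismatched DS for badds.example is never produced.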
--- a/bin/tests/system/dnssec/ns4/named5.conf.in +++ b/bin/tests/system/nta/ns4/named.conf.j2 @@ -22,17 +22,16 @@ options { listen-on { 10.53.0.4; }; listen-on-v6 { none; }; recursion yes; - dnssec-validation yes; minimal-responses no; + nta-lifetime 12s; + nta-recheck 9s; + validate-except { corp; }; + + dnssec-validation yes; }; -# Note: This contains a deliberately incorrect key, -# so it won't work with the root zones used in the tests; -# all signed data should SERVFAIL. This is to test the case -# of a validating forwarder talking to a resolver that has -# a misconfigured trust anchor. -include "broken.conf"; +include "trusted.conf"; key rndc_key { secret "1234abcd8765"; diff --git a/bin/tests/system/dnssec/ns9/named.conf.in b/bin/tests/system/nta/ns9/named.conf.j2 similarity index 96% rename from bin/tests/system/dnssec/ns9/named.conf.in rename to bin/tests/system/nta/ns9/named.conf.j2 index 147d328ccf..cdbe7ec8ea 100644 --- a/bin/tests/system/dnssec/ns9/named.conf.in +++ b/bin/tests/system/nta/ns9/named.conf.j2 @@ -38,4 +38,3 @@ controls { }; include "trusted.conf"; -include "trusted-localkey.conf"; diff --git a/bin/tests/system/dnssec/ntadiff.pl b/bin/tests/system/nta/setup.sh old mode 100755 new mode 100644 similarity index 58% rename from bin/tests/system/dnssec/ntadiff.pl rename to bin/tests/system/nta/setup.sh index ca80eac9b8..4a4db2dd0d --- a/bin/tests/system/dnssec/ntadiff.pl +++ b/bin/tests/system/nta/setup.sh @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/bin/sh -e # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # 
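Review bot: The new `nta-lifetime 12s;` and `nta-recheck 9s;` lines in the ns4 options block are load-bearing for tests_nta.py, whose sleep schedule (t=10, 13 and 21 seconds in test_nta_behavior, t=12 in the regular and forced tests) and explanatory comments are derived from exactly these two values, so a change to either silently breaks the timing assumptions. A comment above them would make the coupling visible to whoever tunes them next, e.g. `// tests_nta.py's sleep schedule assumes these two values; change them together`. The Python test's comment also still names this file `ns4/named1.conf`, while this commit renames it to `ns4/named.conf.j2`; that reference should be updated to match.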
@@ -11,14 +11,12 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -use strict; -use Time::Piece; -use Time::Seconds; +# shellcheck source=conf.sh +. ../conf.sh -exit 1 if (scalar(@ARGV) != 2); +set -e -my $actual = Time::Piece->strptime($ARGV[0], '%d-%b-%Y %H:%M:%S.000 %z'); -my $expected = Time::Piece->strptime($ARGV[1], '%s') + ONE_WEEK; -my $diff = abs($actual - $expected); - -print($diff . "\n"); +( + cd ns1 + $SHELL sign.sh +) diff --git a/bin/tests/system/nta/tests_nta.py b/bin/tests/system/nta/tests_nta.py new file mode 100644 index 0000000000..f4ca8d3e7f --- /dev/null +++ b/bin/tests/system/nta/tests_nta.py 
@@ -0,0 +1,428 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import os +import re +import time + +import isctest + + +# helper functions +def hasmatch(regex, blob): + return re.search(regex, blob, flags=re.MULTILINE) + + +def active(blob): + return len([x for x in blob.splitlines() if " expiry" in x]) + + +# global start-time variable +# pylint: disable=global-statement +# pylint: disable=global-variable-not-assigned +start = 0 + + +def test_initial(): + m = isctest.query.create("a.bogus.example.", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.servfail(res) + + m = isctest.query.create("badds.example.", "SOA") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.servfail(res) + + m = isctest.query.create("a.secure.example.", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + +def test_nta_validate_except(servers): + ns4 = servers["ns4"] + response = ns4.rndc("secroots -", log=False) + assert hasmatch("^corp: permanent", response) + + # check insecure local domain works with validate-except + m = isctest.query.create("www.corp", "NS") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.noadflag(res) + + +def test_nta_bogus_lifetimes(servers): + ns4 = servers["ns4"] + + # no nta lifetime specified: + response = ns4.rndc("nta -l '' foo", ignore_errors=True, log=False) + assert "'nta' failed: bad ttl" in response + + # bad nta lifetime: + response = ns4.rndc("nta -l garbage foo", ignore_errors=True, log=False) + assert "'nta' failed: bad ttl" in response + + # excessive nta lifetime: 
+ response = ns4.rndc("nta -l 7d1h foo", ignore_errors=True, log=False) + assert "'nta' failed: out of range" in response + + +def test_nta_install(servers): + global start + + ns4 = servers["ns4"] + ns4.rndc("nta -f -l 20s bogus.example", log=False) + ns4.rndc("nta badds.example", log=False) + + # NTAs should persist after reconfig + with ns4.watch_log_from_here() as watcher: + ns4.reconfigure(log=False) + watcher.wait_for_line("any newly configured zones are now loaded") + + response = ns4.rndc("nta -d", log=False) + assert len(response.splitlines()) == 3 + + ns4.rndc("nta secure.example", log=False) + ns4.rndc("nta fakenode.secure.example", log=False) + with ns4.watch_log_from_here() as watcher: + ns4.rndc("reload", log=False) + watcher.wait_for_line("all zones loaded") + + response = ns4.rndc("nta -d", log=False) + assert len(response.splitlines()) == 5 + + start = time.time() + + +def test_nta_behavior(servers): + global start + assert start, "test_nta_behavior must be run as part of the full NTA test" + + m = isctest.query.create("a.bogus.example.", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.noadflag(res) + + m = isctest.query.create("badds.example.", "SOA") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.noadflag(res) + + m = isctest.query.create("a.secure.example.", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.noadflag(res) + + m = isctest.query.create("a.fakenode.secure.example.", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noadflag(res) + + ns4 = servers["ns4"] + response = ns4.rndc("secroots -", log=False) + assert hasmatch("^bogus.example: expiry", response) + assert hasmatch("^badds.example: expiry", response) + assert hasmatch("^secure.example: expiry", response) + assert hasmatch("^fakenode.secure.example: expiry", response) + + # secure.example and badds.example used the default nta-duration + # 
(configured as 12s in ns4/named1.conf), but the nta recheck interval + # is configured to 9s, so at t=10 the NTAs for secure.example and + # fakenode.secure.example should both be lifted, while badds.example + # should still be going. + delay = start + 10 - time.time() + if delay > 0: + time.sleep(delay) + + m = isctest.query.create("b.secure.example", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + m = isctest.query.create("b.fakenode.secure.example", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.nxdomain(res) + isctest.check.adflag(res) + + m = isctest.query.create("badds.example.", "SOA") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.noadflag(res) + + # bogus.example was set to expire in 20s, so at t=13 + # it should still be NTA'd, but badds.example used the default + # lifetime of 12s, so it should revert to SERVFAIL now. + delay = start + 13 - time.time() + if delay > 0: + time.sleep(delay) + + response = ns4.rndc("nta -d", log=False) + assert active(response) <= 2 + + response = ns4.rndc("secroots -", log=False) + assert hasmatch("bogus.example: expiry", response) + assert not hasmatch("badds.example: expiry", response) + + m = isctest.query.create("b.bogus.example", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + + m = isctest.query.create("a.badds.example", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.servfail(res) + isctest.check.noadflag(res) + + m = isctest.query.create("c.secure.example", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + # at t=21, all the NTAs should have expired. 
+ delay = start + 21 - time.time() + if delay > 0: + time.sleep(delay) + + response = ns4.rndc("nta -d", log=False) + assert active(response) == 0 + + m = isctest.query.create("d.secure.example", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + m = isctest.query.create("c.bogus.example", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.servfail(res) + isctest.check.noadflag(res) + + +def test_nta_removals(servers): + ns4 = servers["ns4"] + ns4.rndc("nta badds.example", log=False) + + response = ns4.rndc("nta -d", log=False) + assert hasmatch("^badds.example/_default: expiry", response) + + m = isctest.query.create("a.badds.example", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.noadflag(res) + + response = ns4.rndc("nta -remove badds.example", log=False) + assert "Negative trust anchor removed: badds.example" in response + + response = ns4.rndc("nta -d", log=False) + assert not hasmatch("^badds.example/_default: expiry", response) + + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.servfail(res) + isctest.check.noadflag(res) + + # remove non-existent NTA three times + ns4.rndc("nta -r foo", log=False) + ns4.rndc("nta -remove foo", log=False) + response = ns4.rndc("nta -r foo", log=False) + assert "not found" in response + + +def test_nta_restarts(servers): + global start + assert start, "test_nta_restarts must be run as part of the full NTA test" + + # test NTA persistence across restarts + ns4 = servers["ns4"] + response = ns4.rndc("nta -d", log=False) + assert active(response) == 0 + + start = time.time() + ns4.rndc("nta -f -l 30s bogus.example", log=False) + ns4.rndc("nta -f -l 10s badds.example", log=False) + response = ns4.rndc("nta -d", log=False) + assert active(response) == 2 + + # stop the server + ns4.stop() + + # wait 14s before restarting. 
badds.example's NTA (lifetime=10s) should + # have expired, and bogus.example should still be running. + delay = start + 14 - time.time() + if delay > 0: + time.sleep(delay) + ns4.start(["--noclean", "--restart", "--port", os.environ["PORT"]]) + + response = ns4.rndc("nta -d", log=False) + assert active(response) == 1 + assert hasmatch("^bogus.example/_default: expiry", response) + + m = isctest.query.create("a.badds.example", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.servfail(res) + + m = isctest.query.create("a.bogus.example", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.noadflag(res) + + ns4.rndc("nta -r bogus.example", log=False) + + +def test_nta_regular(servers): + global start + assert start, "test_nta_regular must be run as part of the full NTA test" + + # check "regular" attribute in NTA file + ns4 = servers["ns4"] + + response = ns4.rndc("nta -d", log=False) + assert active(response) == 0 + + # secure.example validates with AD=1 + m = isctest.query.create("a.secure.example", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + # stop the server, update _default.nta, restart + ns4.stop() + now = time.localtime() + future = str(now.tm_year + 20) + "0101010000" + with open("ns4/_default.nta", "w", encoding="utf-8") as f: + f.write(f"secure.example. regular {future}") + + ns4.start(["--noclean", "--restart", "--port", os.environ["PORT"]]) + + # NTA active; secure.example. should now return an AD=0 answer. + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.noadflag(res) + + # nta-recheck is configured as 9s, so at t=12 the NTA for + # secure.example. should be lifted as it is not a "forced" NTA. + start = time.mktime(now) + delay = start + 12 - time.time() + if delay > 0: + time.sleep(delay) + + response = ns4.rndc("nta -d", log=False) + assert active(response) == 0 + + # NTA lifted; secure.example. 
flush the cache to trigger a new query, + # and it should now return an AD=1 answer. + ns4.rndc("flushtree secure.example", log=False) + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + +def test_nta_forced(servers): + global start + assert start, "test_nta_regular must be run as part of the full NTA test" + + # check "forced" attribute in NTA file + ns4 = servers["ns4"] + + # just to be certain, clean up any existing NTA first + ns4.rndc("nta -r secure.example", log=False) + + response = ns4.rndc("nta -d", log=False) + assert active(response) == 0 + + # secure.example validates with AD=1 + m = isctest.query.create("a.secure.example", "A") + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + # stop the server, update _default.nta, restart + ns4.stop() + now = time.localtime() + future = str(now.tm_year + 20) + "0101010000" + with open("ns4/_default.nta", "w", encoding="utf-8") as f: + f.write(f"secure.example. forced {future}") + + ns4.start(["--noclean", "--restart", "--port", os.environ["PORT"]]) + + # NTA active; secure.example. should now return an AD=0 answer + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.noadflag(res) + + # nta-recheck is configured as 9s. at t=12 the NTA for + # secure.example. should NOT be lifted as it is "forced". + start = time.mktime(now) + delay = start + 12 - time.time() + if delay > 0: + time.sleep(delay) + + # NTA lifted; secure.example. 
should still return an AD=0 answer + ns4.rndc("flushtree secure.example", log=False) + res = isctest.query.tcp(m, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.noadflag(res) + + +def test_nta_clamping(servers): + ns4 = servers["ns4"] + + # clean up any existing NTA + ns4.rndc("nta -r secure.example", log=False) + + # stop the server, update _default.nta, restart + ns4.stop() + now = time.localtime() + future = str(now.tm_year + 20) + "0101010000" + with open("ns4/_default.nta", "w", encoding="utf-8") as f: + f.write(f"secure.example. forced {future}") + + ns4.start(["--noclean", "--restart", "--port", os.environ["PORT"]]) + + # check that NTA lifetime read from file is clamped to 1 week. + response = ns4.rndc("nta -d", log=False) + assert active(response) == 1 + + nta = next((s for s in response.splitlines() if " expiry" in s), None) + assert nta is not None + + nta = nta.split(" ") + expiry = f"{nta[2]} {nta[3]}" + then = time.mktime(time.strptime(expiry, "%d-%b-%Y %H:%M:%S.000")) + nextweek = time.mktime(now) + (86400 * 7) + + # normally there's no more than a few seconds difference between the + # clamped expiration date and the calculated date for next week, + # but add a 3600 second fudge factor to allow for daylight savings + # changes. 
+ assert abs(nextweek - then < 3610) + + # remove the NTA + ns4.rndc("nta -r secure.example", log=False) + + +def test_nta_forward(servers): + ns9 = servers["ns9"] + + m = isctest.query.create("badds.example", "SOA") + res = isctest.query.tcp(m, "10.53.0.9") + isctest.check.servfail(res) + isctest.check.empty_answer(res) + isctest.check.noadflag(res) + + # add NTA and expect resolution to succeed + ns9.rndc("nta badds.example", log=False) + res = isctest.query.tcp(m, "10.53.0.9") + isctest.check.noerror(res) + isctest.check.rr_count_eq(res.answer, 2) + isctest.check.noadflag(res) + + # remove NTA and expect resolution to fail again + ns9.rndc("nta -remove badds.example", log=False) + res = isctest.query.tcp(m, "10.53.0.9") + isctest.check.servfail(res) + isctest.check.empty_answer(res) + isctest.check.noadflag(res) diff --git a/bin/tests/system/rrchecker/tests_rrchecker.py b/bin/tests/system/rrchecker/tests_rrchecker.py index bbe578f98b..367450319a 100644 --- a/bin/tests/system/rrchecker/tests_rrchecker.py +++ b/bin/tests/system/rrchecker/tests_rrchecker.py @@ -193,3 +193,11 @@ def test_rrchecker_conversions(option): assert rr_class_orig == rr_class assert rr_type_orig == rr_type assert rr_rest_orig == " ".join(rr_rest) + + +def test_rrchecker_seconds(): + # check the acceptance of seconds as RRSIG inception and expiration + intext = "NSEC 8 0 86400 1390003200 1389394800 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i+UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2rOo=" + expected = "NSEC 8 0 86400 20140118000000 20140110230000 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i +UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2 rOo=" + _, _, *rr_rest = run_rrchecker("-p", "IN", "RRSIG", intext) + assert " ".join(rr_rest) == expected 
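Review bot: test_rrchecker_seconds only exercises a well-formed epoch value, while the seconds form of the RRSIG inception/expiration fields is a 32-bit quantity, so a companion case asserting that an out-of-range value such as `4294967296` (or a negative one) is rejected rather than wrapped would pin the parser's behaviour as well — assuming `run_rrchecker`, defined earlier in the file outside this hunk, surfaces a parse failure rather than swallowing it. The comment above `intext` could also say where the two forms come from: `# RFC 4034 §3.2: inception/expiration may be written as seconds since the epoch or as YYYYMMDDHHMMSS (UTC)`. The ` +UBc…` and ` rOo=` fragments in `expected` are 56-character base64 chunks (the wrapping `-p` appears to emit), not diff markers; a one-line comment saying so would stop a future editor from "fixing" the fixture.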
diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
index a82bc98f22..79757fc0a7 100755
--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
@@ -264,8 +264,8 @@ sub construct_ns_command {
 foreach my $t_option(
 "dropedns", "ednsformerr", "ednsnotimp", "ednsrefused",
- "cookiealwaysvalid", "noaa", "noedns", "nosoa",
- "maxudp512", "maxudp1460",
+ "cookiealwaysvalid", "noaa", "noedns", "nonearest",
+ "nosoa", "maxudp512", "maxudp1460",
 "tat=1", "tat=3"
 ) {
 if (-e "$testdir/$server/named.$t_option") {
 $command .= "-T $t_option "
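Review bot: `nonearest` extends a hand-maintained allowlist in construct_ns_command, and a test that drops a `named.<flag>` file for a flag missing from this list is silently ignored, so the `foreach` deserves a comment stating the contract: `# Allowlist of named -T test options; a test enables one by creating ns*/named.<option>. Extend this list rather than globbing named.* so only known literals reach the command line.` Appending the literal from the list (never the file name) in `$command .= "-T $t_option "` is what keeps that concatenation free of argument injection, which is worth saying explicitly. I cannot tell from this hunk whether a matching `named.nonearest` marker file is added for the server that needs it. The enclosing sub continues past the end of the hunk.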