From bcf41973bbe2637a032d928e2deb7ad9e3e8e8c9 Mon Sep 17 00:00:00 2001 
From: Evan Hunt Date: Wed, 25 Jun 2025 19:00:22 -0700 Subject: [PATCH 01/14] start converting dnssec system test to python/jinja2 - changed named.conf.in to named.conf.j2 in all server directories that don't currently need to use copy_setports() during the test. - converted the tests that use ns5 to python, and replaced named1.conf.in and named2.conf.in with a jinja2 template instead. the only remaining server that still needs copy_setports() is ns4. - removed ns4/named5.conf.in, and moved its functions to ns5 (which is supposed to be for servers with broken trust-anchor configurations, so it should have been there in the first place). converted the tests that used that ns4 configuration to use ns5 with jinja instead. - revised the remaining ns4 configurations (named[1-4].conf.in) to minimize the differences between them. this will make it easier to convert it into a jinja2 template later. --- .../ns1/{named.conf.in => named.conf.j2} | 0 bin/tests/system/dnssec/ns1/sign.sh | 4 +- .../ns2/{named.conf.in => named.conf.j2} | 0 .../ns3/{named.conf.in => named.conf.j2} | 0 bin/tests/system/dnssec/ns4/named1.conf.in | 11 +- bin/tests/system/dnssec/ns4/named2.conf.in | 16 ++- bin/tests/system/dnssec/ns4/named3.conf.in | 20 ++- bin/tests/system/dnssec/ns4/named4.conf.in | 12 +- bin/tests/system/dnssec/ns4/named5.conf.in | 54 ------- .../ns5/{named2.conf.in => named.conf.j2} | 64 ++++++--- bin/tests/system/dnssec/ns5/named1.conf.in | 43 ------ .../ns6/{named.conf.in => named.conf.j2} | 0 .../ns7/{named.conf.in => named.conf.j2} | 0 .../ns8/{named.conf.in => named.conf.j2} | 0 .../ns9/{named.conf.in => named.conf.j2} | 5 + bin/tests/system/dnssec/setup.sh | 11 -- bin/tests/system/dnssec/tests.sh | 129 ----------------- bin/tests/system/dnssec/tests_badkey.py | 135 ++++++++++++++++++ bin/tests/system/dnssec/tests_sh_dnssec.py | 5 +- 19 files changed, 225 insertions(+), 284 deletions(-) rename bin/tests/system/dnssec/ns1/{named.conf.in => named.conf.j2} (100%) rename 
bin/tests/system/dnssec/ns2/{named.conf.in => named.conf.j2} (100%) rename bin/tests/system/dnssec/ns3/{named.conf.in => named.conf.j2} (100%) delete mode 100644 bin/tests/system/dnssec/ns4/named5.conf.in rename bin/tests/system/dnssec/ns5/{named2.conf.in => named.conf.j2} (56%) delete mode 100644 bin/tests/system/dnssec/ns5/named1.conf.in rename bin/tests/system/dnssec/ns6/{named.conf.in => named.conf.j2} (100%) rename bin/tests/system/dnssec/ns7/{named.conf.in => named.conf.j2} (100%) rename bin/tests/system/dnssec/ns8/{named.conf.in => named.conf.j2} (100%) rename bin/tests/system/dnssec/ns9/{named.conf.in => named.conf.j2} (87%) create mode 100644 bin/tests/system/dnssec/tests_badkey.py diff --git a/bin/tests/system/dnssec/ns1/named.conf.in b/bin/tests/system/dnssec/ns1/named.conf.j2 similarity index 100% rename from bin/tests/system/dnssec/ns1/named.conf.in rename to bin/tests/system/dnssec/ns1/named.conf.j2 diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh index 90286fb3e6..bd434aeb80 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -45,7 +45,7 @@ cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 -# Configure the resolving server with a staitc key. +# Configure the resolving server with a static key. keyfile_to_static_ds "$ksk" >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf @@ -70,4 +70,4 @@ keyfile_to_key_id "$ksk" >managed.key.id # Also generate a broken trusted-keys file for the dnssec test. # broken=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" .) -keyfile_to_static_ds "$broken" >../ns4/broken.conf +keyfile_to_static_ds "$broken" >../ns5/broken.conf 
diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.j2 similarity index 100% rename from bin/tests/system/dnssec/ns2/named.conf.in rename to bin/tests/system/dnssec/ns2/named.conf.j2 diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.j2 similarity index 100% rename from bin/tests/system/dnssec/ns3/named.conf.in rename to bin/tests/system/dnssec/ns3/named.conf.j2 diff --git a/bin/tests/system/dnssec/ns4/named1.conf.in b/bin/tests/system/dnssec/ns4/named1.conf.in index e9264c169f..a2413cef79 100644 --- a/bin/tests/system/dnssec/ns4/named1.conf.in +++ b/bin/tests/system/dnssec/ns4/named1.conf.in @@ -22,26 +22,23 @@ options { listen-on { 10.53.0.4; }; listen-on-v6 { none; }; recursion yes; - dnssec-validation yes; minimal-responses no; nta-lifetime 12s; nta-recheck 9s; validate-except { corp; }; - disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; - disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; - disable-ds-digests "ds-unsupported.example." {"SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; - disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; }; - # Note: We only reference the bind.keys file here to confirm that it # is *not* being used. It contains the real root key, and we're # using a local toy root zone for the tests, so it wouldn't work. # But since dnssec-validation is set to "yes" not "auto", that # won't matter. + dnssec-validation yes; bindkeys-file "../../../../../bind.keys"; }; +include "trusted.conf"; + key rndc_key { secret "1234abcd8765"; algorithm @DEFAULT_HMAC@; @@ -60,5 +57,3 @@ zone "corp" { type static-stub; server-addresses { 10.53.0.2; }; }; - -include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns4/named2.conf.in b/bin/tests/system/dnssec/ns4/named2.conf.in index bf82385f71..04d98b89ad 100644 --- a/bin/tests/system/dnssec/ns4/named2.conf.in +++ b/bin/tests/system/dnssec/ns4/named2.conf.in 
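Review bot: The four `disable-algorithms`/`disable-ds-digests` lines for digest-alg-unsupported.example, ds-unsupported.example and badalg.secure.example are dropped from named1.conf.in here (and from named2/named3 in the following hunks) while named4.conf.in keeps them, which goes beyond reordering: any check for those zones that runs while ns4 is on one of the first three configurations will now see those algorithms and digests as supported. Whether such a check runs against these configurations is not visible in this diff, so please confirm it; since the stated aim is to minimize the differences between the ns4 configurations ahead of a jinja2 template, keeping the four lines in all four files is the safer way to get there. The hunk also moves `include "trusted.conf";` above the `key rndc_key` block — harmless, but a one-line comment such as `# trust anchor for the test's local root zone (see ns1/sign.sh)` would help readers of the template this is going to become.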
@@ -22,13 +22,14 @@ options { listen-on { 10.53.0.4; }; listen-on-v6 { none; }; recursion yes; + minimal-responses no; + + nta-lifetime 12s; + nta-recheck 9s; + validate-except { corp; }; + dnssec-validation auto; bindkeys-file "managed.conf"; - minimal-responses no; - disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; - disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; - disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; - disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; }; }; key rndc_key { @@ -44,3 +45,8 @@ zone "." { type hint; file "../../_common/root.hint"; }; + +zone "corp" { + type static-stub; + server-addresses { 10.53.0.2; }; +}; diff --git a/bin/tests/system/dnssec/ns4/named3.conf.in b/bin/tests/system/dnssec/ns4/named3.conf.in index d6a44c799d..28a9abe804 100644 --- a/bin/tests/system/dnssec/ns4/named3.conf.in +++ b/bin/tests/system/dnssec/ns4/named3.conf.in @@ -22,16 +22,17 @@ options { listen-on { 10.53.0.4; }; listen-on-v6 { none; }; recursion yes; - dnssec-validation auto; - bindkeys-file "managed.conf"; - dnssec-accept-expired yes; minimal-responses no; + + nta-lifetime 12s; + nta-recheck 9s; + validate-except { corp; }; + + dnssec-accept-expired yes; servfail-ttl 0; - disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; - disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";}; - disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; - disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; }; + dnssec-validation auto; + bindkeys-file "managed.conf"; }; key rndc_key { @@ -47,3 +48,8 @@ zone "." { type hint; file "../../_common/root.hint"; }; + +zone "corp" { + type static-stub; + server-addresses { 10.53.0.2; }; +}; diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in index 34f59b498a..4655d5959e 100644 
--- a/bin/tests/system/dnssec/ns4/named4.conf.in +++ b/bin/tests/system/dnssec/ns4/named4.conf.in @@ -21,6 +21,11 @@ options { pid-file "named.pid"; listen-on { 10.53.0.4; }; listen-on-v6 { none; }; + minimal-responses no; + + nta-lifetime 12s; + nta-recheck 9s; + disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; @@ -41,14 +46,14 @@ key auth { algorithm @DEFAULT_HMAC@; }; -include "trusted.conf"; - view rec { match-recursive-only yes; recursion yes; - dnssec-validation yes; dnssec-accept-expired yes; minimal-responses no; + dnssec-validation yes; + + include "trusted.conf"; zone "." { type hint; @@ -69,6 +74,7 @@ view rec { view auth { recursion no; allow-recursion { none; }; + dnssec-validation no; zone "." { type hint; diff --git a/bin/tests/system/dnssec/ns4/named5.conf.in b/bin/tests/system/dnssec/ns4/named5.conf.in deleted file mode 100644 index dae14c328b..0000000000 --- a/bin/tests/system/dnssec/ns4/named5.conf.in +++ /dev/null 
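Review bot: The new `dnssec-validation no;` in `view auth` is undocumented, and so is the move of `include "trusted.conf";` from file scope into `view rec`; together they mean the recursive view is the only one holding a trust anchor and the authoritative view explicitly opts out of validation, but a reader has to reconstruct that from two separate hunks. Add `# authoritative-only view: no trust anchors, validation disabled` above the new line, and `# trust anchor applies to this view only` above the moved include. Both view bodies continue outside the hunk.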
@@ -1,54 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS4 - -options { - query-source address 10.53.0.4; - notify-source 10.53.0.4; - transfer-source 10.53.0.4; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.4; }; - listen-on-v6 { none; }; - recursion yes; - dnssec-validation yes; - minimal-responses no; - -}; - -# Note: This contains a deliberately incorrect key, -# so it won't work with the root zones used in the tests; -# all signed data should SERVFAIL. This is to test the case -# of a validating forwarder talking to a resolver that has -# a misconfigured trust anchor. -include "broken.conf"; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -zone "." { - type hint; - file "../../_common/root.hint"; -}; - -zone "corp" { - type static-stub; - server-addresses { 10.53.0.2; }; -}; diff --git a/bin/tests/system/dnssec/ns5/named2.conf.in b/bin/tests/system/dnssec/ns5/named.conf.j2 similarity index 56% rename from bin/tests/system/dnssec/ns5/named2.conf.in rename to bin/tests/system/dnssec/ns5/named.conf.j2 index 6d0474b9d5..c47306f371 100644 --- a/bin/tests/system/dnssec/ns5/named2.conf.in +++ b/bin/tests/system/dnssec/ns5/named.conf.j2 @@ -13,15 +13,6 @@ // NS5 -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - options { query-source address 10.53.0.5; notify-source 10.53.0.5; 
@@ -31,23 +22,56 @@ options { listen-on { 10.53.0.5; 127.0.0.1; }; listen-on-v6 { none; }; recursion yes; - dnssec-validation yes; }; -view root { - match-destinations { 127.0.0.1; }; +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; - zone "." { - type primary; - file "root.db.signed"; +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +{% set revoked_key = revoked_key | default(False) %} +{% set broken_key = broken_key | default(False) %} +{% if revoked_key %} + view root { + match-destinations { 127.0.0.1; }; + dnssec-validation no; + + zone "." { + type primary; + file "root.db.signed"; + }; }; -}; -view other { -include "revoked.conf"; + view other { + dnssec-validation yes; + include "revoked.conf"; + zone "." { + type static-stub; + server-addresses { 127.0.0.1; }; + }; + }; +{% elif broken_key %} zone "." { + type hint; + file "../../_common/root.hint"; + }; + + zone "corp" { type static-stub; - server-addresses { 127.0.0.1; }; + server-addresses { 10.53.0.2; }; }; -}; + + include "broken.conf"; +{% else %} + zone "." { + type hint; + file "../../_common/root.hint"; + }; + + include "trusted.conf"; +{% endif %} diff --git a/bin/tests/system/dnssec/ns5/named1.conf.in b/bin/tests/system/dnssec/ns5/named1.conf.in deleted file mode 100644 index ef371e175a..0000000000 --- a/bin/tests/system/dnssec/ns5/named1.conf.in +++ /dev/null 
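Review bot: `dnssec-validation yes;` is removed from `options` and only reappears inside the two views of the `revoked_key` branch, so the `broken_key` branch and the default branch now run with named's default for this option, which on current BIND is `auto`: that adds the built-in root trust anchor alongside the key from broken.conf or trusted.conf, which is exactly what the comment in ns4/named1.conf.in says must be avoided with the test's local root zone. The widening of the artifact glob from `ns4/managed-keys.bind` to `*/managed-keys.bind` in this patch's tests_sh_dnssec.py hunk looks consistent with ns5 having started to create a managed-keys database. Restore the explicit setting, e.g. `dnssec-validation yes;` back in `options` (the `revoked_key` views still override it per view), so the bad-key tests exercise only the configured anchor.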
@@ -1,43 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS5 - -options { - query-source address 10.53.0.5; - notify-source 10.53.0.5; - transfer-source 10.53.0.5; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.5; }; - listen-on-v6 { none; }; - recursion yes; - dnssec-validation yes; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - - -zone "." { - type hint; - file "../../_common/root.hint"; -}; - -include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns6/named.conf.in b/bin/tests/system/dnssec/ns6/named.conf.j2 similarity index 100% rename from bin/tests/system/dnssec/ns6/named.conf.in rename to bin/tests/system/dnssec/ns6/named.conf.j2 diff --git a/bin/tests/system/dnssec/ns7/named.conf.in b/bin/tests/system/dnssec/ns7/named.conf.j2 similarity index 100% rename from bin/tests/system/dnssec/ns7/named.conf.in rename to bin/tests/system/dnssec/ns7/named.conf.j2 diff --git a/bin/tests/system/dnssec/ns8/named.conf.in b/bin/tests/system/dnssec/ns8/named.conf.j2 similarity index 100% rename from bin/tests/system/dnssec/ns8/named.conf.in rename to bin/tests/system/dnssec/ns8/named.conf.j2 diff --git a/bin/tests/system/dnssec/ns9/named.conf.in b/bin/tests/system/dnssec/ns9/named.conf.j2 similarity index 87% rename from bin/tests/system/dnssec/ns9/named.conf.in rename to bin/tests/system/dnssec/ns9/named.conf.j2 index 147d328ccf..3b0e39d3b5 100644 --- a/bin/tests/system/dnssec/ns9/named.conf.in 
+++ b/bin/tests/system/dnssec/ns9/named.conf.j2 @@ -24,7 +24,12 @@ options { recursion yes; dnssec-validation yes; forward only; +{% set forward_badkey = forward_badkey | default(False) %} +{% if forward_badkey %} + forwarders { 10.53.0.5; }; +{% else %} forwarders { 10.53.0.4; }; +{% endif %} servfail-ttl 0; }; diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh index dc53ea83e2..c6234f686c 100644 --- a/bin/tests/system/dnssec/setup.sh +++ b/bin/tests/system/dnssec/setup.sh @@ -16,18 +16,7 @@ set -e -copy_setports ns1/named.conf.in ns1/named.conf -copy_setports ns2/named.conf.in ns2/named.conf -copy_setports ns3/named.conf.in ns3/named.conf - copy_setports ns4/named1.conf.in ns4/named.conf -copy_setports ns5/named1.conf.in ns5/named.conf - -copy_setports ns6/named.conf.in ns6/named.conf -copy_setports ns7/named.conf.in ns7/named.conf -copy_setports ns8/named.conf.in ns8/named.conf - -copy_setports ns9/named.conf.in ns9/named.conf ( cd ns1 diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 60a3959ab2..a5f879b589 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh 
@@ -1054,33 +1054,6 @@ if [ -x "${DELV}" ]; then status=$((status + ret)) fi -# Try validating with a bad trusted key. -# This should fail. - -echo_i "checking that validation fails with a misconfigured trusted key ($n)" -ret=0 -dig_with_opts example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that negative validation fails with a misconfigured trusted key ($n)" -ret=0 -dig_with_opts example. ptr @10.53.0.5 >dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that insecurity proofs fail with a misconfigured trusted key ($n)" -ret=0 -dig_with_opts a.insecure.example. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "checking that validation fails when key record is missing ($n)" ret=0 dig_with_opts a.b.keyless.example. a @10.53.0.4 >dig.out.ns4.test$n || ret=1 
@@ -1210,34 +1183,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -# Check that the setting the cd bit works - -echo_i "checking cd bit on a positive answer ($n)" -ret=0 -dig_with_opts +noauth example. soa @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -dig_with_opts +noauth +cdflag example. soa @10.53.0.5 \ - >dig.out.ns5.test$n || ret=1 -digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking cd bit on a negative answer ($n)" -ret=0 -dig_with_opts q.example. soa @10.53.0.4 >dig.out.ns4.test$n || ret=1 -dig_with_opts +cdflag q.example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1 -digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "checking insecurity proof works using negative cache ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i 
@@ -1314,50 +1259,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "checking cd bit on a query that should fail ($n)" -ret=0 -dig_with_opts a.bogus.example. soa @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -dig_with_opts +cdflag a.bogus.example. soa @10.53.0.5 \ - >dig.out.ns5.test$n || ret=1 -digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking cd bit on an insecurity proof ($n)" -ret=0 -dig_with_opts +noauth a.insecure.example. soa @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -dig_with_opts +noauth +cdflag a.insecure.example. soa @10.53.0.5 \ - >dig.out.ns5.test$n || ret=1 -digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - these are looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking cd bit on a negative insecurity proof ($n)" -ret=0 -dig_with_opts q.insecure.example. a @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -dig_with_opts +cdflag q.insecure.example. 
a @10.53.0.5 \ - >dig.out.ns5.test$n || ret=1 -digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - these are looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "checking that validation of an ANY query works ($n)" ret=0 dig_with_opts +noauth foo.example. any @10.53.0.2 >dig.out.ns2.test$n || ret=1 @@ -3961,17 +3862,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "checking initialization with a revoked managed key ($n)" -ret=0 -copy_setports ns5/named2.conf.in ns5/named.conf -rndccmd 10.53.0.5 reconfig 2>&1 | sed 's/^/ns5 /' | cat_i -sleep 3 -dig_with_opts +dnssec @10.53.0.5 SOA . >dig.out.ns5.test$n -grep "status: SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)" ret=0 ( 
@@ -4862,24 +4752,5 @@ n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) -copy_setports ns4/named5.conf.in ns4/named.conf -rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i -sleep 3 - -echo_i "checking forwarder CD behavior (forward server with bad trust anchor) ($n)" -ret=0 -# confirm invalid trust anchor produces SERVFAIL in resolver -$DIG +tcp +dnssec -p "$PORT" @10.53.0.4 a.secure.example >dig.out.ns4.test$n || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 -# check that lookup using forwarder succeeds and that SERVFAIL was received -nextpart ns9/named.run >/dev/null -$DIG +tcp +dnssec -p "$PORT" @10.53.0.9 a.secure.example soa >dig.out.ns9.test$n || ret=1 -grep "status: NOERROR" dig.out.ns9.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns9.test$n >/dev/null || ret=1 -nextpart ns9/named.run | grep 'status: SERVFAIL' >/dev/null || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dnssec/tests_badkey.py b/bin/tests/system/dnssec/tests_badkey.py new file mode 100644 index 0000000000..b646789e3a --- /dev/null +++ b/bin/tests/system/dnssec/tests_badkey.py 
@@ -0,0 +1,135 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from dns import flags
+
+import isctest
+
+
+def test_misconfigured_validation():
+ # check that validation fails with a misconfigured trust anchor
+ msg = isctest.query.create("example.", "SOA")
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.servfail(res)
+
+
+def test_misconfigured_negative_validation():
+ # check that negative validation fails with a misconfigured trust anchor
+ msg = isctest.query.create("example.", "PTR")
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.servfail(res)
+
+
+def test_misconfigured_insecurity():
+ # check that insecurity proofs fail with a misconfigured trust anchor
+ msg = isctest.query.create("a.insecure.example.", "A")
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.servfail(res)
+
+
+def test_misconfigured_cd_positive():
+ # check AD bit of a positive answer with misconfigured trust anchor, CD=1
+ msg = isctest.query.create("example.", "SOA")
+ msg.flags |= flags.CD
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res)
+ assert (res.flags & flags.AD) == 0
+
+
+def test_misconfigured_cd_negative():
+ # check cd bit on a negative answer with misconfigured trust anchor, CD=1
+ msg = isctest.query.create("q.example.", "SOA")
+ msg.flags |= flags.CD
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.nxdomain(res)
+ assert (res.flags & flags.AD) == 0
+ # compare the response from a correctly configured server
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.nxdomain(res2)
+ assert (res2.flags & flags.AD) == 0
+ assert 
res.answer == res2.answer
+
+
+def test_misconfigured_cd_bogus():
+ # check cd bit on a query that should fail
+ msg = isctest.query.create("a.bogus.example.", "SOA")
+ msg.flags |= flags.CD
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res)
+ assert (res.flags & flags.AD) == 0
+ # compare the response from a correctly configured server
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.noerror(res2)
+ assert (res2.flags & flags.AD) == 0
+ assert res.answer == res2.answer
+
+
+def test_misconfigured_cd_insecurity():
+ # check cd bit on an insecurity proof
+ msg = isctest.query.create("a.insecure.example.", "SOA")
+ msg.flags |= flags.CD
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res)
+ assert (res.flags & flags.AD) == 0
+ # compare the response from a correctly configured server
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.noerror(res2)
+ assert (res2.flags & flags.AD) == 0
+ assert res.answer == res2.answer
+
+
+def test_misconfigured_cd_negative_insecurity():
+ # check cd bit on an insecurity proof
+ msg = isctest.query.create("q.insecure.example.", "A")
+ msg.flags |= flags.CD
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.nxdomain(res)
+ assert (res.flags & flags.AD) == 0
+ # compare the response from a correctly configured server
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.nxdomain(res2)
+ assert (res2.flags & flags.AD) == 0
+ assert res.answer == res2.answer
+
+
+def test_revoked_init(servers, templates):
+ # use a revoked key and try to reiniitialize; check for failure
+ ns5 = servers["ns5"]
+ templates.render("ns5/named.conf", {"revoked_key": True})
+ ns5.reconfigure(log=False)
+
+ msg = isctest.query.create(".", "SOA")
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.servfail(res)
+
+
+def test_broken_forwarding(servers, templates):
+ # check forwarder CD behavior (forward server with bad trust anchor)
+ ns5 = servers["ns5"]
+ 
templates.render("ns5/named.conf", {"broken_key": True}) + ns5.reconfigure(log=False) + + ns9 = servers["ns9"] + templates.render("ns9/named.conf", {"forward_badkey": True}) + ns9.reconfigure(log=False) + + # confirm invalid trust anchor produces SERVFAIL in resolver + msg = isctest.query.create("a.secure.example.", "A") + res = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.servfail(res) + + # check that lookup involving forwarder succeeds and SERVFAIL was received + with ns9.watch_log_from_here() as watcher: + msg = isctest.query.create("a.secure.example.", "SOA") + res = isctest.query.tcp(msg, "10.53.0.9") + isctest.check.noerror(res) + assert (res.flags & flags.AD) != 0 + watcher.wait_for_line("status: SERVFAIL") diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py index c717eaff8f..bf1108518e 100644 --- a/bin/tests/system/dnssec/tests_sh_dnssec.py +++ b/bin/tests/system/dnssec/tests_sh_dnssec.py @@ -35,6 +35,7 @@ pytestmark = pytest.mark.extra_artifacts( "*/*.jbk", "*/*.signed", "*/*.mkeys*", + "*/managed-keys.bind", "ans*/ans.run", "ans*/query.log", "ns1/managed.key.id", @@ -160,12 +161,11 @@ pytestmark = pytest.mark.extra_artifacts( "ns3/update-nsec3.example.db.signed", "ns3/upper.example.db", "ns3/upper.example.db.lower", - "ns4/broken.conf", "ns4/managed.conf", - "ns4/managed-keys.bind", "ns4/named.secroots", "ns4/named_dump.db", "ns4/named_dump.db.*", + "ns5/broken.conf", "ns5/revoked.conf", "ns6/optout-tld.db", "ns7/split-rrsig.db", @@ -177,6 +177,7 @@ pytestmark = pytest.mark.extra_artifacts( "signer/example.db.changed", "signer/example2.db", "signer/example3.db", + "signer/general/*.jnl", "signer/general/dnskey.expect", "signer/general/dsset-*", "signer/general/signed.expect", From d3bfa916b38a0974c620833638351676e3e625de Mon Sep 17 00:00:00 2001 
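Review bot: The "compare the response from a correctly configured server" control in the `cd_*` tests reuses the CD=1 message for ns4, so it can no longer show that ns4 validates where ns5 cannot — the hunk itself expects AD to be clear from ns4 on that CD query, which is what any resolver, validating or not, would return, so the check would also pass against a non-validating ns4. For the positive and negative cases (`example. SOA`, `q.example. SOA`) the control should be the same question without CD, expecting AD to be set, as sketched below; `a.insecure.example` and `a.bogus.example` need a different control, since a validating resolver answers the former without AD and the latter with SERVFAIL once CD is clear. Separately, `test_revoked_init` and `test_broken_forwarding` re-render ns5 and ns9 and never restore the default templates, so everything that queries those servers afterwards — including `tests_sh_dnssec.py`, if the framework does not restart servers between modules — inherits a forwarder pointed at a resolver with a broken trust anchor; a fixture that renders the default configuration and reconfigures on teardown would remove that order dependency. Whether `reconfigure()` blocks until the new configuration is live before the next query is sent is not visible here (the shell version slept after `rndc reconfig`); please confirm. The comment on `test_misconfigured_cd_negative_insecurity` is copied from the previous test and should read `# check cd bit on a negative insecurity proof`, and `reiniitialize` in `test_revoked_init` is a typo.
```python
def test_misconfigured_cd_positive():
    # … unchanged: CD=1 query to ns5, noerror, AD clear …
    # control: the same question without CD to a validating resolver
    # must succeed, carry the same answer, and set AD
    ctl = isctest.query.create("example.", "SOA")
    res2 = isctest.query.tcp(ctl, "10.53.0.4")
    isctest.check.noerror(res2)
    assert (res2.flags & flags.AD) != 0
    assert res.answer == res2.answer
```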
From: Evan Hunt Date: Thu, 26 Jun 2025 13:05:40 -0700 Subject: [PATCH 02/14] move NTA test cases to a separate python test the tests of "rndc nta" behavior have been moved out of the dnssec shell test, into bin/tests/system/nta, and converted to python. features of the dnssec test framework that were needed for NTA testing have been moved to the nta test, and dnssec has been correspondingly simplified. --- bin/tests/system/dnssec/ns2/named.conf.j2 | 5 - bin/tests/system/dnssec/ns4/named1.conf.in | 9 - bin/tests/system/dnssec/ns4/named2.conf.in | 9 - bin/tests/system/dnssec/ns4/named3.conf.in | 9 - bin/tests/system/dnssec/ns4/named4.conf.in | 3 - bin/tests/system/dnssec/ns5/named.conf.j2 | 5 - bin/tests/system/dnssec/tests.sh | 488 +----------------- bin/tests/system/nta/ns1/named.conf.j2 | 36 ++ bin/tests/system/nta/ns1/root.db.in | 24 + bin/tests/system/nta/ns1/sign.sh | 37 ++ bin/tests/system/{dnssec => nta}/ns2/corp.db | 0 bin/tests/system/nta/ns2/example.db.in | 35 ++ bin/tests/system/nta/ns2/named.conf.j2 | 50 ++ bin/tests/system/nta/ns2/sign.sh | 38 ++ bin/tests/system/nta/ns3/bogus.example.db.in | 27 + bin/tests/system/nta/ns3/named.conf.j2 | 62 +++ bin/tests/system/nta/ns3/secure.example.db.in | 30 ++ bin/tests/system/nta/ns3/sign.sh | 62 +++ bin/tests/system/nta/ns4/named.conf.j2 | 53 ++ bin/tests/system/nta/ns9/named.conf.j2 | 40 ++ .../{dnssec/ntadiff.pl => nta/setup.sh} | 18 +- bin/tests/system/nta/tests_nta.py | 430 +++++++++++++++ 22 files changed, 933 insertions(+), 537 deletions(-) create mode 100644 bin/tests/system/nta/ns1/named.conf.j2 create mode 100644 bin/tests/system/nta/ns1/root.db.in create mode 100644 bin/tests/system/nta/ns1/sign.sh rename bin/tests/system/{dnssec => nta}/ns2/corp.db (100%) create mode 100644 bin/tests/system/nta/ns2/example.db.in create mode 100644 bin/tests/system/nta/ns2/named.conf.j2 create mode 100644 bin/tests/system/nta/ns2/sign.sh create mode 100644 bin/tests/system/nta/ns3/bogus.example.db.in create mode 100644 
bin/tests/system/nta/ns3/named.conf.j2 create mode 100644 bin/tests/system/nta/ns3/secure.example.db.in create mode 100644 bin/tests/system/nta/ns3/sign.sh create mode 100644 bin/tests/system/nta/ns4/named.conf.j2 create mode 100644 bin/tests/system/nta/ns9/named.conf.j2 rename bin/tests/system/{dnssec/ntadiff.pl => nta/setup.sh} (58%) mode change 100755 => 100644 create mode 100644 bin/tests/system/nta/tests_nta.py diff --git a/bin/tests/system/dnssec/ns2/named.conf.j2 b/bin/tests/system/dnssec/ns2/named.conf.j2 index 3b31574579..da6df5d5fb 100644 --- a/bin/tests/system/dnssec/ns2/named.conf.j2 +++ b/bin/tests/system/dnssec/ns2/named.conf.j2 @@ -190,11 +190,6 @@ zone "updatecheck-kskonly.secure" { allow-update { any; }; }; -zone "corp" { - type primary; - file "corp.db"; -}; - zone "hours-vs-days" { type primary; file "hours-vs-days.db.signed"; diff --git a/bin/tests/system/dnssec/ns4/named1.conf.in b/bin/tests/system/dnssec/ns4/named1.conf.in index a2413cef79..66975a352a 100644 --- a/bin/tests/system/dnssec/ns4/named1.conf.in +++ b/bin/tests/system/dnssec/ns4/named1.conf.in @@ -24,10 +24,6 @@ options { recursion yes; minimal-responses no; - nta-lifetime 12s; - nta-recheck 9s; - validate-except { corp; }; - # Note: We only reference the bind.keys file here to confirm that it # is *not* being used. It contains the real root key, and we're # using a local toy root zone for the tests, so it wouldn't work. @@ -52,8 +48,3 @@ zone "." { type hint; file "../../_common/root.hint"; }; - -zone "corp" { - type static-stub; - server-addresses { 10.53.0.2; }; -}; diff --git a/bin/tests/system/dnssec/ns4/named2.conf.in b/bin/tests/system/dnssec/ns4/named2.conf.in index 04d98b89ad..c8699834f3 100644 --- a/bin/tests/system/dnssec/ns4/named2.conf.in +++ b/bin/tests/system/dnssec/ns4/named2.conf.in 
@@ -24,10 +24,6 @@ options { recursion yes; minimal-responses no; - nta-lifetime 12s; - nta-recheck 9s; - validate-except { corp; }; - dnssec-validation auto; bindkeys-file "managed.conf"; }; @@ -45,8 +41,3 @@ zone "." { type hint; file "../../_common/root.hint"; }; - -zone "corp" { - type static-stub; - server-addresses { 10.53.0.2; }; -}; diff --git a/bin/tests/system/dnssec/ns4/named3.conf.in b/bin/tests/system/dnssec/ns4/named3.conf.in index 28a9abe804..24012b38e7 100644 --- a/bin/tests/system/dnssec/ns4/named3.conf.in +++ b/bin/tests/system/dnssec/ns4/named3.conf.in @@ -24,10 +24,6 @@ options { recursion yes; minimal-responses no; - nta-lifetime 12s; - nta-recheck 9s; - validate-except { corp; }; - dnssec-accept-expired yes; servfail-ttl 0; @@ -48,8 +44,3 @@ zone "." { type hint; file "../../_common/root.hint"; }; - -zone "corp" { - type static-stub; - server-addresses { 10.53.0.2; }; -}; diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in index 4655d5959e..f5b387d0bd 100644 --- a/bin/tests/system/dnssec/ns4/named4.conf.in +++ b/bin/tests/system/dnssec/ns4/named4.conf.in @@ -23,9 +23,6 @@ options { listen-on-v6 { none; }; minimal-responses no; - nta-lifetime 12s; - nta-recheck 9s; - disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; diff --git a/bin/tests/system/dnssec/ns5/named.conf.j2 b/bin/tests/system/dnssec/ns5/named.conf.j2 index c47306f371..bdbd1f3b30 100644 --- a/bin/tests/system/dnssec/ns5/named.conf.j2 +++ b/bin/tests/system/dnssec/ns5/named.conf.j2 @@ -61,11 +61,6 @@ controls { file "../../_common/root.hint"; }; - zone "corp" { - type static-stub; - server-addresses { 10.53.0.2; }; - }; - include "broken.conf"; {% else %} zone "." { 
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index a5f879b589..d61dbcc736 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -2156,7 +2156,7 @@ check_secroots_layout named.secroots.test$n || ret=1 linecount=$(grep -c "./$DEFAULT_ALGORITHM/$keyid ; static" named.secroots.test$n || true) [ "$linecount" -eq 1 ] || ret=1 linecount=$(wc dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive and negative validation with negative trust anchors ($n)" -ret=0 - -# -# check correct initial behavior -# -dig_with_opts a.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.1 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.1 >/dev/null || ret=1 -dig_with_opts badds.example. soa @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null || ret=1 -dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null || ret=1 - -if [ "$ret" -ne 0 ]; then echo_i "failed - checking initial state"; fi -status=$((status + ret)) -ret=0 - -# -# add negative trust anchors -# -rndccmd 10.53.0.4 nta -f -l 20s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i -# reconfig should maintain NTAs -rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 -lines=$(wc -l &1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta fakenode.secure.example 2>&1 | sed 's/^/ns4 /' | cat_i -# reload should maintain NTAs -rndc_reload ns4 10.53.0.4 -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.2 -lines=$(wc -l dig.out.ns4.test$n.4 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.4 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 >/dev/null && ret=1 -dig_with_opts badds.example. 
soa @10.53.0.4 >dig.out.ns4.test$n.5 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.5 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.5 >/dev/null && ret=1 -dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.6 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.6 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.6 >/dev/null && ret=1 -dig_with_opts a.fakenode.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.7 || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.7 >/dev/null && ret=1 -echo_i "dumping secroots" -rndccmd 10.53.0.4 secroots | sed 's/^/ns4 /' | cat_i -cp ns4/named.secroots named.secroots.test$n -check_secroots_layout named.secroots.test$n || ret=1 -grep "bogus.example: expiry" named.secroots.test$n >/dev/null || ret=1 -grep "badds.example: expiry" named.secroots.test$n >/dev/null || ret=1 -grep "secure.example: expiry" named.secroots.test$n >/dev/null || ret=1 -grep "fakenode.secure.example: expiry" named.secroots.test$n >/dev/null || ret=1 - -if [ "$ret" -ne 0 ]; then echo_i "failed - with NTA's in place failed"; fi -status=$((status + ret)) -ret=0 - -echo_i "waiting for NTA rechecks/expirations" - -# -# secure.example and badds.example used default nta-duration -# (configured as 12s in ns4/named1.conf), but nta recheck interval -# is configured to 9s, so at t=10 the NTAs for secure.example and -# fakenode.secure.example should both be lifted, but badds.example -# should still be going. -# -# shellcheck disable=SC2016 -$PERL -e 'my $delay = '"$start"' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' -dig_with_opts b.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.8 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.8 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.8 >/dev/null || ret=1 -dig_with_opts b.fakenode.secure.example. 
a @10.53.0.4 >dig.out.ns4.test$n.9 || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.9 >/dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n.9 >/dev/null || ret=1 -dig_with_opts badds.example. soa @10.53.0.4 >dig.out.ns4.test$n.10 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.10 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.10 >/dev/null && ret=1 - -if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to recheck"; fi -status=$((status + ret)) -ret=0 - -# -# bogus.example was set to expire in 20s, so at t=13 -# it should still be NTA'd, but badds.example used the default -# lifetime of 12s, so it should revert to SERVFAIL now. -# -# shellcheck disable=SC2016 -$PERL -e 'my $delay = '"$start"' + 13 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' -# check nta table -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n._11 -lines=$(grep -c " expiry " rndc.out.ns4.test$n._11 || true) -[ "$lines" -le 2 ] || ret=1 -grep "bogus.example/_default: expiry" rndc.out.ns4.test$n._11 >/dev/null || ret=1 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n._11 >/dev/null && ret=1 -dig_with_opts b.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.11 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.11 >/dev/null && ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.12 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.12 >/dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.12 >/dev/null && ret=1 -dig_with_opts c.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.13 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.13 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.13 >/dev/null || ret=1 - -if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to lifetime"; fi -status=$((status + ret)) -ret=0 - -# -# at t=21, all the NTAs should have expired. 
-# -# shellcheck disable=SC2016 -$PERL -e 'my $delay = '"$start"' + 21 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' -# check correct behavior after bogus.example expiry -dig_with_opts d.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.14 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.14 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.14 >/dev/null || ret=1 -dig_with_opts c.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.15 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.15 >/dev/null || ret=1 -# check nta table has been cleaned up now -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 -lines=$(grep -c " expiry " rndc.out.ns4.test$n.3 || true) -[ "$lines" -eq 0 ] || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed - checking that all nta's have been lifted"; fi -status=$((status + ret)) -ret=0 - -echo_i "testing NTA removals ($n)" -rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n.1 >/dev/null || ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.1 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.1 >/dev/null && ret=1 -grep "^a.badds.example." dig.out.ns4.test$n.1 >/dev/null || ret=1 -rndccmd 10.53.0.4 nta -remove badds.example >rndc.out.ns4.test$n.2 -grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 >/dev/null || ret=1 -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n.3 >/dev/null && ret=1 -dig_with_opts a.badds.example. 
a @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null || ret=1 -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) -ret=0 - -echo_i "remove non-existent NTA three times" -rndccmd 10.53.0.4 nta -r foo >rndc.out.ns4.test$n.4 2>&1 -rndccmd 10.53.0.4 nta -remove foo >rndc.out.ns4.test$n.5 2>&1 -rndccmd 10.53.0.4 nta -r foo >rndc.out.ns4.test$n.6 2>&1 -grep "not found" rndc.out.ns4.test$n.6 >/dev/null || ret=1 -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) -ret=0 - -n=$((n + 1)) -echo_i "testing NTA with bogus lifetimes ($n)" -echo_i "check with no nta lifetime specified" -rndccmd 10.53.0.4 nta -l "" foo >rndc.out.ns4.test$n.1 2>&1 || true -grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.1 >/dev/null || ret=1 -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) -ret=0 - -echo_i "check with bad nta lifetime" -rndccmd 10.53.0.4 nta -l garbage foo >rndc.out.ns4.test$n.2 2>&1 || true -grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 >/dev/null || ret=1 -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) -ret=0 - -echo_i "check with too long nta lifetime" -rndccmd 10.53.0.4 nta -l 7d1h foo >rndc.out.ns4.test$n.3 2>&1 || true -grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 >/dev/null || ret=1 -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) -ret=0 - -# -# check NTA persistence across restarts -# -n=$((n + 1)) -echo_i "testing NTA persistence across restarts ($n)" -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 -lines=$(grep -c " expiry " rndc.out.ns4.test$n.1 || true) -[ "$lines" -eq 0 ] || ret=1 -rndccmd 10.53.0.4 nta -f -l 30s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -f -l 10s badds.example 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.2 -lines=$(grep -c " expiry " rndc.out.ns4.test$n.2 || true) -[ "$lines" -eq 2 ] || ret=1 -# shellcheck disable=SC2016 -start=$($PERL -e 'print time()."\n";') 
- -if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: adding NTA's failed"; fi -status=$((status + ret)) -ret=0 - -echo_i "killing ns4 with SIGTERM" -kill -TERM "$(cat ns4/named.pid)" -rm -f ns4/named.pid - -# -# ns4 has now shutdown. wait until t=14 when badds.example's NTA -# (lifetime=10s) would have expired, and then restart ns4. -# -echo_i "waiting till 14s have passed since NTAs were added before restarting ns4" -# shellcheck disable=SC2016 -$PERL -e 'my $delay = '"$start"' + 14 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' - -if - start_server --noclean --restart --port "$PORT" ns4 -then - echo_i "restarted server ns4" -else - echo_i "could not restart server ns4" - exit 1 -fi - -echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" -sleep 4 - -# -# ns4 should be back up now. The NTA for bogus.example should still be -# valid, whereas badds.example should not have been added during named -# startup (as it had already expired), the fact that it's ignored should -# be logged. -# -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 -lines=$(wc -l /dev/null || ret=1 -dig_with_opts b.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.4 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.4 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 >/dev/null && ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.5 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.5 >/dev/null || ret=1 -grep "ignoring expired NTA at badds.example" ns4/named.run >/dev/null || ret=1 - -# cleanup -rndccmd 10.53.0.4 nta -remove bogus.example >rndc.out.ns4.test$n.6 - -if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: restoring NTA failed"; fi -status=$((status + ret)) -ret=0 - -# -# check "regular" attribute in NTA file works as expected at named -# startup. 
-# -n=$((n + 1)) -echo_i "testing loading regular attribute from NTA file ($n)" -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 >/dev/null || ret=1 - -echo_i "killing ns4 with SIGTERM" -kill -TERM "$(cat ns4/named.pid)" -rm -f ns4/named.pid - -echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown" -sleep 4 - -# -# ns4 has now shutdown. add NTA for secure.example. directly into the -# _default.nta file with the regular attribute and some future timestamp. -# -future="$(($(date +%Y) + 20))0101010000" -echo "secure.example. regular $future" >ns4/_default.nta -# shellcheck disable=SC2016 -start=$($PERL -e 'print time()."\n";') - -if - start_server --noclean --restart --port "$PORT" ns4 -then - echo_i "restarted server ns4" -else - echo_i "could not restart server ns4" - exit 1 -fi - -# nta-recheck is configured as 9s, so at t=12 the NTAs for -# secure.example. should be lifted as it is not a forced NTA. -echo_i "waiting till 12s have passed after ns4 was restarted" -# shellcheck disable=SC2016 -$PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' - -# secure.example. should now return an AD=1 answer (still validates) as -# the NTA has been lifted. -dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null || ret=1 - -# cleanup -rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.4 2>/dev/null - -if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading regular NTAs failed"; fi -status=$((status + ret)) -ret=0 - -# -# check "forced" attribute in NTA file works as expected at named -# startup. 
-# -n=$((n + 1)) -echo_i "testing loading forced attribute from NTA file ($n)" -rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 >/dev/null || ret=1 - -echo_i "killing ns4 with SIGTERM" -kill -TERM "$(cat ns4/named.pid)" -rm -f named.pid - -echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown" -sleep 4 - -# -# ns4 has now shutdown. add NTA for secure.example. directly into the -# _default.nta file with the forced attribute and some future timestamp. -# -echo "secure.example. forced $future" >ns4/_default.nta -start=$($PERL -e 'print time()."\n";') - -if - start_server --noclean --restart --port "$PORT" ns4 -then - echo_i "restarted server ns4" -else - echo_i "could not restart server ns4" - exit 1 -fi - -# nta-recheck is configured as 9s, but even at t=12 the NTAs for -# secure.example. should not be lifted as it is a forced NTA. -echo_i "waiting till 12s have passed after ns4 was restarted" -# shellcheck disable=SC2016 -$PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' - -# secure.example. should now return an AD=0 answer (non-authenticated) -# as the NTA is still there. -dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null && ret=1 - -# cleanup -rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.4 2>/dev/null - -if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading forced NTAs failed"; fi -status=$((status + ret)) -ret=0 - -# -# check that NTA lifetime read from file is clamped to 1 week. 
-# -n=$((n + 1)) -echo_i "testing loading out of bounds lifetime from NTA file ($n)" - -echo_i "killing ns4 with SIGTERM" -kill -TERM "$(cat ns4/named.pid)" -rm -f ns4/named.pid - -echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown" -sleep 4 - -# -# ns4 has now shutdown. add NTA for secure.example. directly into the -# _default.nta file with a lifetime well into the future. -# -echo "secure.example. forced $future" >ns4/_default.nta -added=$($PERL -e 'print time()."\n";') - -if - start_server --noclean --restart --port "$PORT" ns4 -then - echo_i "restarted server ns4" -else - echo_i "could not restart server ns4" - exit 1 -fi - -echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" -sleep 4 - -# dump the NTA to a file (omit validate-except entries) -echo_i "testing 'rndc nta -d' with NTA" -rndccmd 10.53.0.4 nta -d | grep -v ": permanent" >rndc.out.ns4.test$n.1 2>/dev/null -# "corp" is configured as a validate-except domain and thus should be -# removed by the grep -v above. only "secure.example" should appear in -# the dump. -lines=$(wc -l /dev/null || ret=1 -ts=$(awk '{print $3" "$4}' rndc.out.ns4.test$n.2 -echo "ts_with_zone=$ts_with_zone" >>rndc.out.ns4.test$n.2 -echo "added=$added" >>rndc.out.ns4.test$n.2 -if $PERL -e 'use Time::Piece; use Time::Seconds;' 2>/dev/null; then - # ntadiff.pl computes $ts_with_zone - ($added + 1week) - d=$($PERL ./ntadiff.pl "$ts_with_zone" "$added") - echo "d=$d" >>rndc.out.ns4.test$n.2 - # diff from $added(now) + 1week to the clamped NTA lifetime should be - # less than a few seconds (handle daylight saving changes by adding 3600). - [ "$d" -lt 3610 ] || ret=1 -else - echo_i "skipped ntadiff test; install PERL module Time::Piece" -fi - -echo_i "testing 'rndc nta' lifetime clamping" -rndccmd 10.53.0.4 nta -d | grep ": permanent" >rndc.out.ns4.test$n.1 2>/dev/null -# "corp" is configured as a validate-except domain and thus should be -# the only entry in the dump. 
-lines=$(wc -l /dev/null || ret=1 - -# cleanup -rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.3 2>/dev/null - -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "testing 'rndc nta -d' displays validate-except entries" -rndccmd 10.53.0.4 nta -d | grep ": permanent" >rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l /dev/null || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "checking that NTAs work with 'forward only;' to a validating resolver ($n)" -ret=0 -# Sanity check behavior without an NTA in place. -dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.1 || ret=1 -grep "SERVFAIL" dig.out.ns9.test$n.1 >/dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns9.test$n.1 >/dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.1 >/dev/null && ret=1 -# Add an NTA, expecting that to cause resolution to succeed. -rndccmd 10.53.0.9 nta badds.example >rndc.out.ns9.test$n.1 2>&1 || ret=1 -dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.2 || ret=1 -grep "NOERROR" dig.out.ns9.test$n.2 >/dev/null || ret=1 -grep "ANSWER: 2" dig.out.ns9.test$n.2 >/dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.2 >/dev/null && ret=1 -# Remove the NTA, expecting that to cause resolution to fail again. -rndccmd 10.53.0.9 nta -remove badds.example >rndc.out.ns9.test$n.2 2>&1 || ret=1 -dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.3 || ret=1 -grep "SERVFAIL" dig.out.ns9.test$n.3 >/dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns9.test$n.3 >/dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.3 >/dev/null && ret=1 -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "completed NTA tests" - # Run a minimal update test if possible. This is really just # a regression test for RT #2399; more tests should be added. 
diff --git a/bin/tests/system/nta/ns1/named.conf.j2 b/bin/tests/system/nta/ns1/named.conf.j2
new file mode 100644
index 0000000000..bd1ccc4081
--- /dev/null
+++ b/bin/tests/system/nta/ns1/named.conf.j2
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+ /* test that we can turn off trust-anchor-telemetry */
+ trust-anchor-telemetry no;
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/nta/ns1/root.db.in b/bin/tests/system/nta/ns1/root.db.in
new file mode 100644
index 0000000000..34f777330d
--- /dev/null
+++ b/bin/tests/system/nta/ns1/root.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
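Review bot: In root.db.in the SOA RNAME is `a.root.servers.nil.` while the NS and A records in the same file use `a.root-servers.nil.`; the RNAME is only a mailbox so nothing resolves it, but the dot/hyphen mismatch reads like a typo inherited from the dnssec copy of this zone and is worth aligning while the file is being created fresh: `. IN SOA gson.nominum.com. a.root-servers.nil. (`. The comment above `trust-anchor-telemetry no;` in ns1/named.conf.j2 was also carried over verbatim; if the nta test does not exercise telemetry, a shorter `/* carried over from dnssec; not exercised here */` would stop a reader looking for a test that isn't there — I can't confirm either way, since tests_nta.py is not in this chunk.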
diff --git a/bin/tests/system/nta/ns1/sign.sh b/bin/tests/system/nta/ns1/sign.sh
new file mode 100644
index 0000000000..243503d85d
--- /dev/null
+++ b/bin/tests/system/nta/ns1/sign.sh
@@ -0,0 +1,37 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+set -e
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+(cd ../ns2 && $SHELL sign.sh)
+
+cp "../ns2/dsset-example." .
+
+ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
+
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds "$ksk" >trusted.conf
+cp trusted.conf ../ns4/trusted.conf
+cp trusted.conf ../ns9/trusted.conf
diff --git a/bin/tests/system/dnssec/ns2/corp.db b/bin/tests/system/nta/ns2/corp.db
similarity index 100%
rename from bin/tests/system/dnssec/ns2/corp.db
rename to bin/tests/system/nta/ns2/corp.db
diff --git a/bin/tests/system/nta/ns2/example.db.in b/bin/tests/system/nta/ns2/example.db.in
new file mode 100644
index 0000000000..f72258f63c
--- /dev/null
+++ b/bin/tests/system/nta/ns2/example.db.in
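Review bot: The root-zone signing step discards the signer's stderr (`"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1`), so when it fails under `set -e` the setup aborts with no diagnostic; ns3/sign.sh in this same commit keeps stderr with `>/dev/null` only, and ns1 and ns2 (`"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1` in ns2/sign.sh) should match that. A smaller nit shared by ns1/sign.sh, ns2/sign.sh, ns3/sign.sh and setup.sh: `set -e` repeats the `-e` already on the `#!/bin/sh -e` shebang line, and one of the two can go. The `keyfile_to_static_ds` helper comes from the sourced conf.sh, which is outside this chunk, so I have not checked its output format against what ns4 and ns9 include.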
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+; A secure subdomain
+secure NS ns3.secure
+ns3.secure A 10.53.0.3
+
+; A secure subdomain we're going to inject bogus data into
+bogus NS ns.bogus
+ns.bogus A 10.53.0.3
+
+; A subdomain with a corrupt DS
+badds NS ns.badds
+ns.badds A 10.53.0.3
diff --git a/bin/tests/system/nta/ns2/named.conf.j2 b/bin/tests/system/nta/ns2/named.conf.j2
new file mode 100644
index 0000000000..9bfbcde9d2
--- /dev/null
+++ b/bin/tests/system/nta/ns2/named.conf.j2
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+ notify yes;
+ notify-delay 1;
+ dnssec-validation no;
+ minimal-responses no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+ type primary;
+ file "example.db.signed";
+ allow-update { any; };
+};
+
+zone "corp" {
+ type primary;
+ file "corp.db";
+};
diff --git a/bin/tests/system/nta/ns2/sign.sh b/bin/tests/system/nta/ns2/sign.sh
new file mode 100644
index 0000000000..5eb698e842
--- /dev/null
+++ b/bin/tests/system/nta/ns2/sign.sh
@@ -0,0 +1,38 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+set -e
+
+# Sign child zones (served by ns3).
+(cd ../ns3 && $SHELL sign.sh)
+
+# The "example." zone.
+zone=example.
+infile=example.db.in
+zonefile=example.db
+
+# Get the DS records for the "example." zone.
+for subdomain in bogus badds secure; do
+ cp "../ns3/dsset-$subdomain.example." .
+done
+
+# Sign the "example." zone.
+keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
+
+"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
diff --git a/bin/tests/system/nta/ns3/bogus.example.db.in b/bin/tests/system/nta/ns3/bogus.example.db.in
new file mode 100644
index 0000000000..0feb441cdd
--- /dev/null
+++ b/bin/tests/system/nta/ns3/bogus.example.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+d A 10.0.0.4
+z A 10.0.0.26
diff --git a/bin/tests/system/nta/ns3/named.conf.j2 b/bin/tests/system/nta/ns3/named.conf.j2
new file mode 100644
index 0000000000..3c3f256ca4
--- /dev/null
+++ b/bin/tests/system/nta/ns3/named.conf.j2
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+ notify yes;
+ dnssec-validation no;
+ minimal-responses no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ file "example.bk";
+};
+
+zone "secure.example" {
+ type primary;
+ file "secure.example.db.signed";
+ allow-update { any; };
+};
+
+zone "bogus.example" {
+ type primary;
+ file "bogus.example.db.signed";
+ allow-update { any; };
+};
+
+zone "badds.example" {
+ type primary;
+ file "badds.example.db.signed";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/nta/ns3/secure.example.db.in b/bin/tests/system/nta/ns3/secure.example.db.in
new file mode 100644
index 0000000000..182329bf42
--- /dev/null
+++ b/bin/tests/system/nta/ns3/secure.example.db.in
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+d A 10.0.0.4
+e A 10.0.0.5
+f A 10.0.0.6
+g A 10.0.0.7
+z A 10.0.0.26
diff --git a/bin/tests/system/nta/ns3/sign.sh b/bin/tests/system/nta/ns3/sign.sh
new file mode 100644
index 0000000000..5e5405abed
--- /dev/null
+++ b/bin/tests/system/nta/ns3/sign.sh
@@ -0,0 +1,62 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+set -e
+
+# a validly signed zone
+zone=secure.example.
+infile=secure.example.db.in
+zonefile=secure.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
+cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
+mv "$zonefile".tmp "$zonefile".signed
+
+# a zone that we'll add bogus data to
+zone=bogus.example.
+infile=bogus.example.db.in
+zonefile=bogus.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+{
+ echo "a.bogus.example. A 10.0.0.22"
+ echo "b.bogus.example. A 10.0.0.23"
+ echo "c.bogus.example. A 10.0.0.23"
+} >>bogus.example.db.signed
+
+#
+# A zone with a bad DS in the parent
+# (sourced from bogus.example.db.in)
+#
+zone=badds.example.
+infile=bogus.example.db.in
+zonefile=badds.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
+sed -e 's/bogus/badds/g' dsset-badds.example.
diff --git a/bin/tests/system/nta/ns4/named.conf.j2 b/bin/tests/system/nta/ns4/named.conf.j2
new file mode 100644
index 0000000000..87f70e2f21
--- /dev/null
+++ b/bin/tests/system/nta/ns4/named.conf.j2
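Review bot: The `{ echo "a.bogus.example. A 10.0.0.22" … } >>bogus.example.db.signed` block appends records to an already-signed zone file without saying why; the only hint is the section comment "a zone that we'll add bogus data to", and a reader has to work out that unsigned, conflicting A records are what makes validation of a/b/c.bogus.example fail. A comment directly above the block would carry that: `# append unsigned A records after signing: they conflict with the signed data and must fail validation`. The badds.example section is clearer, since its header says the DS in the parent is bad, but it would help to note beside the final `sed` that the DS set is derived from bogus.example's so the parent publishes a DS that does not match badds.example's key; that line is rendered incompletely in this view (the redirections appear to have been lost), so I have not checked it further.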
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ minimal-responses no;
+
+ nta-lifetime 12s;
+ nta-recheck 9s;
+ validate-except { corp; };
+
+ dnssec-validation yes;
+};
+
+include "trusted.conf";
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../_common/root.hint";
+};
+
+zone "corp" {
+ type static-stub;
+ server-addresses { 10.53.0.2; };
+};
diff --git a/bin/tests/system/nta/ns9/named.conf.j2 b/bin/tests/system/nta/ns9/named.conf.j2
new file mode 100644
index 0000000000..cdbe7ec8ea
--- /dev/null
+++ b/bin/tests/system/nta/ns9/named.conf.j2
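Review bot: The `nta-lifetime 12s;` and `nta-recheck 9s;` values are load-bearing: tests_nta.py sleeps to t=10, 13 and 21 seconds after installing NTAs and asserts which ones have been lifted or have expired at each checkpoint, so a change here silently breaks those assertions. A comment on the two options would help, e.g. `// nta-lifetime/nta-recheck are tuned to the t=10/13/21s checkpoints in tests_nta.py; change both together`. Likewise `validate-except { corp; };` only makes sense together with the static-stub `zone "corp"` at the bottom of the file and the "corp: permanent" secroots check in test_nta_validate_except, which a short comment could point out.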
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS9
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ forward only;
+ forwarders { 10.53.0.4; };
+ servfail-ttl 0;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ntadiff.pl b/bin/tests/system/nta/setup.sh
old mode 100755
new mode 100644
similarity index 58%
rename from bin/tests/system/dnssec/ntadiff.pl
rename to bin/tests/system/nta/setup.sh
index ca80eac9b8..4a4db2dd0d
--- a/bin/tests/system/dnssec/ntadiff.pl
+++ b/bin/tests/system/nta/setup.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/perl -w
+#!/bin/sh -e
 
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
@@ -11,14 +11,12 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-use strict;
-use Time::Piece;
-use Time::Seconds;
+# shellcheck source=conf.sh
+. ../conf.sh
 
-exit 1 if (scalar(@ARGV) != 2);
+set -e
 
-my $actual = Time::Piece->strptime($ARGV[0], '%d-%b-%Y %H:%M:%S.000 %z');
-my $expected = Time::Piece->strptime($ARGV[1], '%s') + ONE_WEEK;
-my $diff = abs($actual - $expected);
-
-print($diff . "\n");
+(
+ cd ns1
+ $SHELL sign.sh
+)
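Review bot: setup.sh descends only into ns1 (`cd ns1` / `$SHELL sign.sh`), yet this commit also adds ns3/sign.sh, which creates the secure.example, bogus.example and badds.example zones that tests_nta.py exercises against ns4; if ns1/sign.sh does not itself chain down into ns3 (as the sign scripts of the dnssec test it was split from appear to), those zones are never signed and every validation-dependent assertion in the new test is hollow. Please either confirm the chain in ns1/sign.sh or run the child first, `( cd ns3 && $SHELL sign.sh )`, since the parent needs the child's DS sets when it signs. The `set -e` after `. ../conf.sh` repeats the `-e` on the shebang; given the mode drops from 100755 to 100644 in this rename, the script is presumably run as `$SHELL setup.sh`, where only the `set -e` takes effect, so the shebang flag is the one that can go.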
diff --git a/bin/tests/system/nta/tests_nta.py b/bin/tests/system/nta/tests_nta.py
new file mode 100644
index 0000000000..088a3c5a1d
--- /dev/null
+++ b/bin/tests/system/nta/tests_nta.py
@@ -0,0 +1,430 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import re
+import time
+
+import pytest
+
+import isctest
+
+
+# helper functions
+def hasmatch(regex, blob):
+ return re.search(regex, blob, flags=re.MULTILINE)
+
+
+def active(blob):
+ return len([x for x in blob.splitlines() if " expiry" in x])
+
+
+# global start-time variable
+# pylint: disable=global-statement
+# pylint: disable=global-variable-not-assigned
+start = 0
+
+
+def test_initial():
+ m = isctest.query.create("a.bogus.example.", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.servfail(res)
+
+ m = isctest.query.create("badds.example.", "SOA")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.servfail(res)
+
+ m = isctest.query.create("a.secure.example.", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.adflag(res)
+
+
+def test_nta_validate_except(servers):
+ ns4 = servers["ns4"]
+ response = ns4.rndc("secroots -", log=False)
+ assert hasmatch("^corp: permanent", response)
+
+ # check insecure local domain works with validate-except
+ m = isctest.query.create("www.corp", "NS")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.noadflag(res)
+
+
+def test_nta_bogus_lifetimes(servers):
+ ns4 = servers["ns4"]
+
+ # no nta lifetime specified:
+ response = ns4.rndc("nta -l '' foo", ignore_errors=True, log=False)
+ assert "'nta' failed: bad ttl" in response
+
+ # bad nta lifetime:
+ response = ns4.rndc("nta -l garbage foo", ignore_errors=True, log=False)
+ assert "'nta' failed: bad ttl" in response
+
+ # excessive nta lifetime:
+ response = ns4.rndc("nta -l 7d1h foo", ignore_errors=True, log=False)
+ assert "'nta' failed: out of range" in response
+
+
+def test_nta_install(servers):
+ global start
+
+ ns4 = servers["ns4"]
+ ns4.rndc("nta -f -l 20s bogus.example", log=False)
+ ns4.rndc("nta badds.example", log=False)
+
+ # NTAs should persist after reconfig
+ with ns4.watch_log_from_here() as watcher:
+ ns4.reconfigure(log=False)
+ watcher.wait_for_line("any newly configured zones are now loaded")
+
+ response = ns4.rndc("nta -d", log=False)
+ assert len(response.splitlines()) == 3
+
+ ns4.rndc("nta secure.example", log=False)
+ ns4.rndc("nta fakenode.secure.example", log=False)
+ with ns4.watch_log_from_here() as watcher:
+ ns4.rndc("reload", log=False)
+ watcher.wait_for_line("all zones loaded")
+
+ response = ns4.rndc("nta -d", log=False)
+ assert len(response.splitlines()) == 5
+
+ start = time.time()
+
+
+def test_nta_behavior(servers):
+ global start
+ assert start, "test_nta_behavior must be run as part of the full NTA test"
+
+ m = isctest.query.create("a.bogus.example.", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.noadflag(res)
+
+ m = isctest.query.create("badds.example.", "SOA")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.noadflag(res)
+
+ m = isctest.query.create("a.secure.example.", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.noadflag(res)
+
+ m = isctest.query.create("a.fakenode.secure.example.", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noadflag(res)
+
+ ns4 = servers["ns4"]
+ response = ns4.rndc("secroots -", log=False)
+ assert hasmatch("^bogus.example: expiry", response)
+ assert hasmatch("^badds.example: expiry", response)
+ assert hasmatch("^secure.example: expiry", response)
+ assert hasmatch("^fakenode.secure.example: expiry", response)
+
+ # secure.example and badds.example used the default nta-duration
+ # (configured as 12s in ns4/named1.conf), but the nta recheck interval
+ # is configured to 9s, so at t=10 the NTAs for secure.example and
+ # fakenode.secure.example should both be lifted, while badds.example
+ # should still be going.
+ delay = start + 10 - time.time()
+ if delay > 0:
+ time.sleep(delay)
+
+ m = isctest.query.create("b.secure.example", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.adflag(res)
+
+ m = isctest.query.create("b.fakenode.secure.example", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.nxdomain(res)
+ isctest.check.adflag(res)
+
+ m = isctest.query.create("badds.example.", "SOA")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.noadflag(res)
+
+ # bogus.example was set to expire in 20s, so at t=13
+ # it should still be NTA'd, but badds.example used the default
+ # lifetime of 12s, so it should revert to SERVFAIL now.
+ delay = start + 13 - time.time()
+ if delay > 0:
+ time.sleep(delay)
+
+ response = ns4.rndc("nta -d", log=False)
+ assert active(response) <= 2
+
+ response = ns4.rndc("secroots -", log=False)
+ assert hasmatch("bogus.example: expiry", response)
+ assert not hasmatch("badds.example: expiry", response)
+
+ m = isctest.query.create("b.bogus.example", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+
+ m = isctest.query.create("a.badds.example", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.servfail(res)
+ isctest.check.noadflag(res)
+
+ m = isctest.query.create("c.secure.example", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.adflag(res)
+
+ # at t=21, all the NTAs should have expired.
+ delay = start + 21 - time.time()
+ if delay > 0:
+ time.sleep(delay)
+
+ response = ns4.rndc("nta -d", log=False)
+ assert active(response) == 0
+
+ m = isctest.query.create("d.secure.example", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.adflag(res)
+
+ m = isctest.query.create("c.bogus.example", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.servfail(res)
+ isctest.check.noadflag(res)
+
+
+def test_nta_removals(servers):
+ ns4 = servers["ns4"]
+ ns4.rndc("nta badds.example", log=False)
+
+ response = ns4.rndc("nta -d", log=False)
+ assert hasmatch("^badds.example/_default: expiry", response)
+
+ m = isctest.query.create("a.badds.example", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.noadflag(res)
+
+ response = ns4.rndc("nta -remove badds.example", log=False)
+ assert "Negative trust anchor removed: badds.example" in response
+
+ response = ns4.rndc("nta -d", log=False)
+ assert not hasmatch("^badds.example/_default: expiry", response)
+
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.servfail(res)
+ isctest.check.noadflag(res)
+
+ # remove non-existent NTA three times
+ ns4.rndc("nta -r foo", log=False)
+ ns4.rndc("nta -remove foo", log=False)
+ response = ns4.rndc("nta -r foo", log=False)
+ assert "not found" in response
+
+
+def test_nta_restarts(servers):
+ global start
+ assert start, "test_nta_restarts must be run as part of the full NTA test"
+
+ # test NTA persistence across restarts
+ ns4 = servers["ns4"]
+ response = ns4.rndc("nta -d", log=False)
+ assert active(response) == 0
+
+ start = time.time()
+ ns4.rndc("nta -f -l 30s bogus.example", log=False)
+ ns4.rndc("nta -f -l 10s badds.example", log=False)
+ response = ns4.rndc("nta -d", log=False)
+ assert active(response) == 2
+
+ # stop the server
+ ns4.stop()
+
+ # wait 14s before restarting. badds.example's NTA (lifetime=10s) should
+ # have expired, and bogus.example should still be running.
+ delay = start + 14 - time.time()
+ if delay > 0:
+ time.sleep(delay)
+ ns4.start(["--noclean", "--restart", "--port", os.environ["PORT"]])
+
+ response = ns4.rndc("nta -d", log=False)
+ assert active(response) == 1
+ assert hasmatch("^bogus.example/_default: expiry", response)
+
+ m = isctest.query.create("a.badds.example", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.servfail(res)
+
+ m = isctest.query.create("a.bogus.example", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.noadflag(res)
+
+ ns4.rndc("nta -r bogus.example", log=False)
+
+
+def test_nta_regular(servers):
+ global start
+ assert start, "test_nta_regular must be run as part of the full NTA test"
+
+ # check "regular" attribute in NTA file
+ ns4 = servers["ns4"]
+
+ response = ns4.rndc("nta -d", log=False)
+ assert active(response) == 0
+
+ # secure.example validates with AD=1
+ m = isctest.query.create("a.secure.example", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.adflag(res)
+
+ # stop the server, update _default.nta, restart
+ ns4.stop()
+ now = time.localtime()
+ future = str(now.tm_year + 20) + "0101010000"
+ with open("ns4/_default.nta", "w", encoding="utf-8") as f:
+ f.write(f"secure.example. regular {future}")
+
+ ns4.start(["--noclean", "--restart", "--port", os.environ["PORT"]])
+
+ # NTA active; secure.example. should now return an AD=0 answer.
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.noadflag(res)
+
+ # nta-recheck is configured as 9s, so at t=12 the NTA for
+ # secure.example. should be lifted as it is not a "forced" NTA.
+ start = time.mktime(now)
+ delay = start + 12 - time.time()
+ if delay > 0:
+ time.sleep(delay)
+
+ response = ns4.rndc("nta -d", log=False)
+ assert active(response) == 0
+
+ # NTA lifted; secure.example. flush the cache to trigger a new query,
+ # and it should now return an AD=1 answer.
+ ns4.rndc("flushtree secure.example", log=False)
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.adflag(res)
+
+
+def test_nta_forced(servers):
+ global start
+ assert start, "test_nta_regular must be run as part of the full NTA test"
+
+ # check "forced" attribute in NTA file
+ ns4 = servers["ns4"]
+
+ # just to be certain, clean up any existing NTA first
+ ns4.rndc("nta -r secure.example", log=False)
+
+ response = ns4.rndc("nta -d", log=False)
+ assert active(response) == 0
+
+ # secure.example validates with AD=1
+ m = isctest.query.create("a.secure.example", "A")
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.adflag(res)
+
+ # stop the server, update _default.nta, restart
+ ns4.stop()
+ now = time.localtime()
+ future = str(now.tm_year + 20) + "0101010000"
+ with open("ns4/_default.nta", "w", encoding="utf-8") as f:
+ f.write(f"secure.example. forced {future}")
+
+ ns4.start(["--noclean", "--restart", "--port", os.environ["PORT"]])
+
+ # NTA active; secure.example. should now return an AD=0 answer
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.noadflag(res)
+
+ # nta-recheck is configured as 9s. at t=12 the NTA for
+ # secure.example. should NOT be lifted as it is "forced".
+ start = time.mktime(now)
+ delay = start + 12 - time.time()
+ if delay > 0:
+ time.sleep(delay)
+
+ # NTA lifted; secure.example. should still return an AD=0 answer
+ ns4.rndc("flushtree secure.example", log=False)
+ res = isctest.query.tcp(m, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.noadflag(res)
+
+
+def test_nta_clamping(servers):
+ ns4 = servers["ns4"]
+
+ # clean up any existing NTA
+ ns4.rndc("nta -r secure.example", log=False)
+
+ # stop the server, update _default.nta, restart
+ ns4.stop()
+ now = time.localtime()
+ future = str(now.tm_year + 20) + "0101010000"
+ with open("ns4/_default.nta", "w", encoding="utf-8") as f:
+ f.write(f"secure.example. forced {future}")
+
+ ns4.start(["--noclean", "--restart", "--port", os.environ["PORT"]])
+
+ # check that NTA lifetime read from file is clamped to 1 week.
+ response = ns4.rndc("nta -d", log=False)
+ assert active(response) == 1
+
+ nta = next((s for s in response.splitlines() if " expiry" in s), None)
+ assert nta is not None
+
+ nta = nta.split(" ")
+ expiry = f"{nta[2]} {nta[3]}"
+ then = time.mktime(time.strptime(expiry, "%d-%b-%Y %H:%M:%S.000"))
+ nextweek = time.mktime(now) + (86400 * 7)
+
+ # normally there's no more than a few seconds difference between the
+ # clamped expiration date and the calculated date for next week,
+ # but add a 3600 second fudge factor to allow for daylight savings
+ # changes.
+ assert abs(nextweek - then < 3610)
+
+ # remove the NTA
+ ns4.rndc("nta -r secure.example", log=False)
+
+
+def test_nta_forward(servers):
+ ns9 = servers["ns9"]
+
+ m = isctest.query.create("badds.example", "SOA")
+ res = isctest.query.tcp(m, "10.53.0.9")
+ isctest.check.servfail(res)
+ isctest.check.empty_answer(res)
+ isctest.check.noadflag(res)
+
+ # add NTA and expect resolution to succeed
+ ns9.rndc("nta badds.example", log=False)
+ res = isctest.query.tcp(m, "10.53.0.9")
+ isctest.check.noerror(res)
+ isctest.check.rr_count_eq(res.answer, 2)
+ isctest.check.noadflag(res)
+
+ # remove NTA and expect resolution to fail again
+ ns9.rndc("nta -remove badds.example", log=False)
+ res = isctest.query.tcp(m, "10.53.0.9")
+ isctest.check.servfail(res)
+ isctest.check.empty_answer(res)
+ isctest.check.noadflag(res)
From e1fa6f089b422d686b5a1c56709ed3f487036638 Mon Sep 17 00:00:00 2001
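Review bot: In test_nta_clamping the comparison sits inside the `abs()` call — `assert abs(nextweek - then < 3610)` applies `abs` to a bool, so the assertion reduces to `nextweek - then < 3610`, and an expiry that was not clamped (the twenty-years-out date written to _default.nta) makes the difference large and negative, which still passes; the clamping check can therefore never fail. It should read `assert abs(nextweek - then) < 3610`. Several comments are stale or mis-pasted: test_nta_behavior says the default lifetime is "configured as 12s in ns4/named1.conf" although this commit configures it in ns4/named.conf.j2, the guard message in test_nta_forced names test_nta_regular, and its final comment "NTA lifted; secure.example. should still return an AD=0 answer" describes the opposite of the forced case being checked. The tests also communicate through the module-level `start` and rely on file order, so running a subset with `-k` trips the `assert start` guards; a one-line module comment stating that order dependency would save the next reader some time.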
From: Evan Hunt Date: Fri, 27 Jun 2025 15:35:11 -0700 Subject: [PATCH 03/14] move some test cases to different system tests - dnssec tool tests (i.e., dnssec-signzone, dnssec-keygen, etc) that don't require interaction with a running server have been moved to a new 'dnssectools' system test directory. - a dig formatting test has been moved to digdelv. - a named-rrchecker test has been moved to rrchecker --- bin/tests/system/digdelv/tests.sh | 12 + bin/tests/system/dnssec/tests.sh | 996 ---------------- bin/tests/system/dnssec/tests_sh_dnssec.py | 19 - bin/tests/system/dnssectools/algroll.dnskey | 30 + bin/tests/system/dnssectools/dsset-algroll. | 12 + bin/tests/system/dnssectools/revkey.dnskey | 29 + .../system/dnssectools/signer/example.db.in | 17 + .../signer/general/K.+013+23640.key | 6 + .../signer/general/K.+013+23640.private | 7 + .../signer/general/K.+013+23768.key | 5 + .../general/Kexample.com.+005+19857.key | 5 + .../general/Kexample.com.+005+19857.private | 13 + .../general/Kexample.com.+005+45884.key | 5 + .../general/Kexample.com.+005+45884.private | 13 + .../general/Kexample.com.+008+15002.key | 5 + .../general/Kexample.com.+008+15002.private | 13 + .../general/Kexample.com.+008+63613.key | 5 + .../general/Kexample.com.+008+63613.private | 13 + .../general/Kexample.com.+010+18240.key | 5 + .../general/Kexample.com.+010+18240.private | 13 + .../general/Kexample.com.+010+28633.key | 5 + .../general/Kexample.com.+010+28633.private | 13 + .../dnssectools/signer/general/bogus-ksk.key | 6 + .../dnssectools/signer/general/bogus-zsk.key | 6 + .../dnssectools/signer/general/test1.zone | 19 + .../dnssectools/signer/general/test10.zone | 20 + .../dnssectools/signer/general/test11.zone | 19 + .../dnssectools/signer/general/test12.zone | 37 + .../dnssectools/signer/general/test2.zone | 18 + .../dnssectools/signer/general/test3.zone | 18 + .../dnssectools/signer/general/test4.zone | 20 + .../dnssectools/signer/general/test5.zone | 19 + 
.../dnssectools/signer/general/test6.zone | 21 + .../dnssectools/signer/general/test7.zone | 19 + .../dnssectools/signer/general/test8.zone | 19 + .../dnssectools/signer/general/test9.zone | 19 + .../system/dnssectools/signer/prepub.db.in | 17 + .../system/dnssectools/signer/remove.db.in | 18 + .../system/dnssectools/signer/remove2.db.in | 16 + bin/tests/system/dnssectools/tests.sh | 1022 +++++++++++++++++ .../dnssectools/tests_sh_dnssectools.py | 47 + bin/tests/system/rrchecker/tests_rrchecker.py | 8 + 42 files changed, 1614 insertions(+), 1015 deletions(-) create mode 100644 bin/tests/system/dnssectools/algroll.dnskey create mode 100644 bin/tests/system/dnssectools/dsset-algroll. create mode 100644 bin/tests/system/dnssectools/revkey.dnskey create mode 100644 bin/tests/system/dnssectools/signer/example.db.in create mode 100644 bin/tests/system/dnssectools/signer/general/K.+013+23640.key create mode 100644 bin/tests/system/dnssectools/signer/general/K.+013+23640.private create mode 100644 bin/tests/system/dnssectools/signer/general/K.+013+23768.key create mode 100644 bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.key create mode 100644 bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.private create mode 100644 bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.key create mode 100644 bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.private create mode 100644 bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.key create mode 100644 bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.private create mode 100644 bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.key create mode 100644 bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.private create mode 100644 bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.key create mode 100644 bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.private 
create mode 100644 bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.key create mode 100644 bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.private create mode 100644 bin/tests/system/dnssectools/signer/general/bogus-ksk.key create mode 100644 bin/tests/system/dnssectools/signer/general/bogus-zsk.key create mode 100644 bin/tests/system/dnssectools/signer/general/test1.zone create mode 100644 bin/tests/system/dnssectools/signer/general/test10.zone create mode 100644 bin/tests/system/dnssectools/signer/general/test11.zone create mode 100644 bin/tests/system/dnssectools/signer/general/test12.zone create mode 100644 bin/tests/system/dnssectools/signer/general/test2.zone create mode 100644 bin/tests/system/dnssectools/signer/general/test3.zone create mode 100644 bin/tests/system/dnssectools/signer/general/test4.zone create mode 100644 bin/tests/system/dnssectools/signer/general/test5.zone create mode 100644 bin/tests/system/dnssectools/signer/general/test6.zone create mode 100644 bin/tests/system/dnssectools/signer/general/test7.zone create mode 100644 bin/tests/system/dnssectools/signer/general/test8.zone create mode 100644 bin/tests/system/dnssectools/signer/general/test9.zone create mode 100644 bin/tests/system/dnssectools/signer/prepub.db.in create mode 100644 bin/tests/system/dnssectools/signer/remove.db.in create mode 100644 bin/tests/system/dnssectools/signer/remove2.db.in create mode 100644 bin/tests/system/dnssectools/tests.sh create mode 100644 bin/tests/system/dnssectools/tests_sh_dnssectools.py diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh index c8d060161b..4f97c62106 100644 --- a/bin/tests/system/digdelv/tests.sh +++ b/bin/tests/system/digdelv/tests.sh 
@@ -1430,6 +1430,18 @@ if [ -x "$DIG" ]; then
 grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+
+ n=$((n + 1))
+ echo_i "check dig's +nocrypto flag ($n)"
+ ret=0
+ dig_with_opts +dnssec +norec +nocrypto DNSKEY . @10.53.0.1 >dig.out.dnskey.test$n || ret=1
+ grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.test$n >/dev/null || ret=1
+ grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.test$n >/dev/null || ret=1
+ dig_with_opts +norec +nocrypto DS example \
+ @10.53.0.1 >dig.out.ds.test$n || ret=1
+ grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.test$n >/dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 else
 echo_i "$DIG is needed, so skipping these dig tests"
 fi
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index d61dbcc736..6bfd910da7 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -79,24 +79,6 @@ checkprivate() {
 return 1
 }
 
-# check that a zone file is raw format, version 0
-israw0() {
- # shellcheck disable=SC2016
- $PERL <"$1" -e 'binmode STDIN;
- read(STDIN, $input, 8);
- ($style, $version) = unpack("NN", $input);
- exit 1 if ($style != 2 || $version != 0);' || return $?
-}
-
-# check that a zone file is raw format, version 1
-israw1() {
- # shellcheck disable=SC2016
- $PERL <"$1" -e 'binmode STDIN;
- read(STDIN, $input, 8);
- ($style, $version) = unpack("NN", $input);
- exit 1 if ($style != 2 || $version != 1);' || return $?
-}
-
 # strip NS and RRSIG NS from input
 stripns() {
 awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' "$1"
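Review bot: The new `+nocrypto` check escapes the literal `[omitted]` inconsistently — `\\[omitted]` in the RRSIG grep versus `\[omitted]` in the DS grep; inside double quotes both reach grep as `\[`, so both work, but one spelling should be used, and `\\[` is the form the `\\[key id` pattern two lines up already uses. The DS pattern `"DS.* [0-9]+ [12] \[omitted]"` also pins the digest type to 1 or 2, which ties a test about output formatting to whichever DS digest the fixtures happen to produce; `[0-9]+` in that position would keep the test about `+nocrypto`. The enclosing `if [ -x "$DIG" ]` block starts before this hunk.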
@@ -1382,770 +1364,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "basic dnssec-signzone checks:" -echo_ic "two DNSKEYs ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test1.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "two DNSKEYs, DNSKEY RRset only by KSK ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -s now-1mo -e now+2d -P -x -f signed.zone -O full -o example.com. test1.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "two DNSKEYs, DNSKEY RRset only by KSK, private key missing ($n)" -ret=0 -( - cd signer/general || exit 1 - cp signed.zone signed.expect - grep "example\.com\..*3600.*IN.*RRSIG.*DNSKEY.*10.*2.*3600.*28633.*example\.com\." signed.expect >dnskey.expect || exit 1 - mv Kexample.com.+010+28633.private Kexample.com.+010+28633.offline - $SIGNER -P -x -f signed.zone -O full -o example.com. signed.zone >signer.out.$n - mv Kexample.com.+010+28633.offline Kexample.com.+010+28633.private - grep "$(cat dnskey.expect)" signed.zone >/dev/null || exit 1 -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "one non-KSK DNSKEY ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test2.zone >signer.out.$n - test -f signed.zone -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "one KSK DNSKEY ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. 
test3.zone >signer.out.$n - test -f signed.zone -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "three DNSKEY ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test4.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "three DNSKEY, one private key missing ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test5.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "four DNSKEY ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test6.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "two DNSKEY, both private keys missing ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test7.zone >signer.out.$n - test -f signed.zone -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "two DNSKEY, one private key missing ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -f signed.zone -o example.com. test8.zone >signer.out.$n - test -f signed.zone -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "check that 'dnssec-signzone -F' works with allowed algorithm ($n)" -ret=0 -if $FEATURETEST --fips-provider; then - ( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -F -f signed.zone -o example.com. 
test1.zone >signer.out.$n - test -f signed.zone - ) || ret=1 -else - echo_i "skipped no FIPS provider available" -fi -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "check that 'dnssec-signzone -F' failed with disallowed algorithm ($n)" -ret=0 -if ! $FEATURETEST --fips-provider; then - echo_i "skipped no FIPS provider available" -elif [ $RSASHA1_SUPPORTED = 0 ]; then - echo_i "skipped: RSASHA1 is not supported" -else - ( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -F -f signed.zone -o example.com. test11.zone >signer.out.$n 2>&1 && exit 1 - grep -F -e "fatal: No signing keys specified or found" \ - -e "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n >/dev/null - ) || ret=1 -fi -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "revoked KSK ID collides with ZSK ($n)" -ret=0 -# signing should fail, but should not coredump -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -S -f signed.zone -o . test12.zone >signer.out.$n -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $SIGNER -f signed.zone -3 - -H 51 -o example.com. test9.zone >signer.out.$n - test -f signed.zone -) && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "check that dnssec-signzone -J loads journal files ($n)" -ret=0 -( - cd signer/general || exit 0 - rm -f signed.zone - $MAKEJOURNAL example.com. test9.zone test10.zone test9.zone.jnl - $SIGNER -f signed.zone -o example.com. 
-J test9.zone.jnl test9.zone >signer.out.$n - grep -q extra signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_ic "check that dnssec-signzone accepts maximum NSEC3 iterations ($n)" -ret=0 -( - cd signer/general || exit 1 - rm -f signed.zone - $SIGNER -f signed.zone -3 - -H 50 -o example.com. test9.zone >signer.out.$n - test -f signed.zone -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -get_default_algorithm_key_ids_from_sigs() { - zone=$1 - - awk -v alg=$DEFAULT_ALGORITHM_NUMBER ' - NF < 8 { next } - $(NF-5) != "RRSIG" { next } - $(NF-3) != alg { next } - $NF != "(" { next } - { - getline; - print $3; - } - ' signer/$zone.db.signed | sort -u -} - -# Test dnssec-signzone ZSK prepublish smooth rollover. -echo_i "check dnssec-signzone doesn't sign with prepublished zsk ($n)" -ret=0 -zone=prepub -# Generate keys. -ksk=$("$KEYGEN" -K signer -f KSK -q -a $DEFAULT_ALGORITHM "$zone") -zsk1=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone") -zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone") -zskid1=$(keyfile_to_key_id "$zsk1") -zskid2=$(keyfile_to_key_id "$zsk2") -( - cd signer || exit 1 - # Set times such that the current set of keys are introduced 60 days ago and - # start signing now. The successor key is prepublished now and will be active - # next day. - $SETTIME -P now-60d -A now $ksk >/dev/null - $SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 >/dev/null - $SETTIME -S $zsk1 -i 1h $zsk2.key >/dev/null - $SETTIME -P now -A now+1d $zsk2.key >/dev/null - # Sign the zone with initial keys and prepublish successor. The zone signatures - # are valid for 30 days and the DNSKEY signature is valid for 60 days. 
- cp -f $zone.db.in $zone.db - $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null - echo "\$INCLUDE \"$zone.db.signed\"" >>$zone.db -) -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed: missing signatures from key $zskid1" -status=$((status + ret)) - -echo_i "check dnssec-signzone retains signatures of predecessor zsk ($n)" -ret=0 -zone=prepub -( - cd signer || exit 1 - # Roll the ZSK. The predecessor is inactive from now on and the successor is - # activated. The zone signatures are valid for 30 days and the DNSKEY - # signature is valid for 60 days. Because of the predecessor/successor - # relationship, the signatures of the predecessor are retained and no new - # signatures with the successor should be generated. - $SETTIME -A now-30d -I now -D now+30d $zsk1 >/dev/null - $SETTIME -A now $zsk2 >/dev/null - $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null -) -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check dnssec-signzone swaps zone signatures after interval ($n)" -ret=0 -zone=prepub -( - cd signer || exit 1 - # After some time the signatures should be replaced. When signing, set the - # interval to 30 days plus one second, meaning all predecessor signatures - # are within the refresh interval and should be replaced with successor - # signatures. 
- $SETTIME -A now-50d -I now-20d -D now+10d $zsk1 >/dev/null - $SETTIME -A now-20d $zsk2 >/dev/null - $SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db >/dev/null -) -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)" -ret=0 -zone=example -# If dnssec-keygen fails, the test script will exit immediately. Prevent that -# from happening, and also trigger a test failure if dnssec-keygen unexpectedly -# succeeds, by using "&& ret=1". -$KEYGEN -a 255 $zone >dnssectools.out.test$n 2>&1 && ret=1 -grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a DS record cannot be generated for a key using an unsupported algorithm ($n)" -ret=0 -zone=example -# Fake an unsupported algorithm key -unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp -mv ${unsupportedkey}.tmp ${unsupportedkey}.key -# If dnssec-dsfromkey fails, the test script will exit immediately. Prevent -# that from happening, and also trigger a test failure if dnssec-dsfromkey -# unexpectedly succeeds, by using "&& ret=1". -$DSFROMKEY ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1 -grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)" -ret=0 -ret=0 -cat signer/example.db.in "${unsupportedkey}.key" >signer/example.db -# If dnssec-signzone fails, the test script will exit immediately. 
Prevent that -# from happening, and also trigger a test failure if dnssec-signzone -# unexpectedly succeeds, by using "&& ret=1". -$SIGNER -o example signer/example.db ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1 -grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that we can sign a zone with out-of-zone records ($n)" -ret=0 -zone=example -key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) -key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) -( - cd signer || exit 1 - cat example.db.in "$key1.key" "$key2.key" >example.db - $SIGNER -o example -f example.db example.db >/dev/null -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)" -ret=0 -zone=example -key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) -key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) -( - cd signer || exit 1 - cat example.db.in "$key1.key" "$key2.key" >example.db - $SIGNER -3 - -H 10 -o example -f example.db example.db >/dev/null - awk '/^IQF9LQTLK/ { - printf("%s", $0); - while (!index($0, ")")) { - if (getline <= 0) - break; - printf (" %s", $0); - } - printf("\n"); - }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out - - grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 
0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)" -ret=0 -zone=example -key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) -key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) -( - cd signer || exit 1 - cat example.db.in "$key1.key" "$key2.key" >example3.db - echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >>example3.db - $SIGNER -3 - -A -H 10 -o example -f example3.db example3.db >/dev/null - awk '/^IQF9LQTLK/ { - printf("%s", $0); - while (!index($0, ")")) { - if (getline <= 0) - break; - printf (" %s", $0); - } - printf("\n"); - }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out - - grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null -) || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)" -ret=0 -zone=example -key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) -key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) -( - cd signer || exit 1 - cat example.db.in "$key1.key" "$key2.key" >example.db - $SIGNER -o example -f example.db.before example.db >/dev/null - sed 's/60.IN.SOA./50 IN SOA /' example.db.before >example.db.changed - $SIGNER -o example -f example.db.after example.db.changed >/dev/null -) -grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)" -ret=0 -zone=example -key1=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) -key2=$($KEYGEN -K 
signer -q -a $DEFAULT_ALGORITHM $zone) -keyid2=$(keyfile_to_key_id "$key2") -key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) -keyid3=$(keyfile_to_key_id "$key3") -( - cd signer || exit 1 - cat example.db.in "$key1.key" "$key2.key" >example.db - $SIGNER -D -o example example.db >/dev/null - - # now switch out key2 for key3 and resign the zone - cat example.db.in "$key1.key" "$key3.key" >example.db - echo "\$INCLUDE \"example.db.signed\"" >>example.db - $SIGNER -D -o example example.db >/dev/null -) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -RD -o example example.db >/dev/null -) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone keeps valid signatures from inactive keys ($n)" -ret=0 -zone=example -( - cd signer || exit 1 - cp -f example.db.in example.db - $SIGNER -SD -o example example.db >/dev/null - echo "\$INCLUDE \"example.db.signed\"" >>example.db - # now retire key2 and resign the zone - $SETTIME -I now "$key2" >/dev/null 2>&1 - $SIGNER -SD -o example example.db >/dev/null -) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -SDQ -o example example.db 
>/dev/null -) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone retains unexpired signatures ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -Sxt -o example example.db >signer.out.1 - $SIGNER -Sxt -o example -f example.db.signed example.db.signed >signer.out.2 -) || ret=1 -gen1=$(awk '/generated/ {print $3}' signer/signer.out.1) -retain1=$(awk '/retained/ {print $3}' signer/signer.out.1) -gen2=$(awk '/generated/ {print $3}' signer/signer.out.2) -retain2=$(awk '/retained/ {print $3}' signer/signer.out.2) -drop2=$(awk '/dropped/ {print $3}' signer/signer.out.2) -[ "$retain2" -eq $((gen1 + retain1)) ] || ret=1 -[ "$gen2" -eq 0 ] || ret=1 -[ "$drop2" -eq 0 ] || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)" -ret=0 -( - cd signer || exit 1 - # remove NSEC-only keys - rm -f Kexample.+005* - cp -f example.db.in example2.db - cat <>example2.db -sub1.example. IN A 10.53.0.1 -ns.sub2.example. IN A 10.53.0.2 -EOF - echo "\$INCLUDE \"example2.db.signed\"" >>example2.db - touch example2.db.signed - $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null -) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 -( - cd signer || exit 1 - cp -f example.db.in example2.db - cat <>example2.db -sub1.example. IN NS sub1.example. -sub1.example. IN A 10.53.0.1 -sub2.example. IN NS ns.sub2.example. -ns.sub2.example. 
IN A 10.53.0.2 -EOF - echo "\$INCLUDE \"example2.db.signed\"" >>example2.db - $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null -) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)" -ret=0 -( - cd signer || exit 1 - rm -f example2.db.signed - cp -f example.db.in example2.db - cat <>example2.db -sub1.example. IN A 10.53.0.1 -ns.sub2.example. IN A 10.53.0.2 -EOF - echo "\$INCLUDE \"example2.db.signed\"" >>example2.db - touch example2.db.signed - $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null -) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 -( - cd signer || exit 1 - cp -f example.db.in example2.db - cat <>example2.db -sub1.example. IN NS sub1.example. -sub1.example. IN A 10.53.0.1 -sub2.example. IN NS ns.sub2.example. -ns.sub2.example. 
IN A 10.53.0.2 -EOF - echo "\$INCLUDE \"example2.db.signed\"" >>example2.db - $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null -) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone output format ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -O full -f - -Sxt -o example example.db >signer.out.3 2>/dev/null - $SIGNER -O text -f - -Sxt -o example example.db >signer.out.4 2>/dev/null - $SIGNER -O raw -f signer.out.5 -Sxt -o example example.db >/dev/null - $SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db >/dev/null - $SIGNER -O raw -f - -Sxt -o example example.db >signer.out.7 2>/dev/null -) || ret=1 -awk 'BEGIN { found = 0; } - $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 11) exit(1); } - END { if (!found) exit(1); }' signer/signer.out.3 || ret=1 -awk 'BEGIN { found = 0; } - $1 == "example." 
&& $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 7) exit(1); } - END { if (!found) exit(1); }' signer/signer.out.4 || ret=1 -israw1 signer/signer.out.5 || ret=1 -israw0 signer/signer.out.6 || ret=1 -israw1 signer/signer.out.7 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking TTLs are capped by dnssec-signzone -M ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db >/dev/null -) || ret=1 -awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -N date ($n)" -ret=0 -( - cd signer || exit 1 - TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db >/dev/null -) || ret=1 -# shellcheck disable=SC2016 -now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];') -serial=$(awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9) -[ "$now" -eq "$serial" ] || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G ($n)" -ret=0 -( - cd signer || exit 1 - $SETTIME -P ds now -P sync now "$key1" >/dev/null - $SIGNER -G "cdnskey,cds:sha384" -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (default) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test 
$(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (empty) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "" -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (no CDNSKEY) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cds:sha-256,cds:sha384" -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (no CDS) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cdnskey" -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (suppress duplicates) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G 
"cdnskey,cds:sha256,cds:sha256,cdnskey" -O full -S -f signer.out.$n -o example example2.db >/dev/null -) || ret=1 -test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 -test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (bad argument) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cdnskey,foobar" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 - grep "digest must specify cds:algorithm ('foobar')" signer.err.$n >/dev/null || ret=1 -) -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (bad digest - name) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cdnskey,cds:foobar" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 - grep "bad digest 'cds:foobar'" signer.err.$n >/dev/null || ret=1 -) -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (bad digest - number) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cdnskey,cds:256" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 - grep "bad digest 'cds:256': out of range" signer.err.$n >/dev/null || ret=1 -) -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (unsupported digest - name) ($n)" -ret=0 -( - cd signer || exit 1 - $SIGNER -G "cdnskey,cds:gost" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 - grep "unsupported digest 'cds:gost'" signer.err.$n >/dev/null || ret=1 -) -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking dnssec-signzone -G (unsupported digest - number) ($n)" 
-ret=0
-(
- cd signer || exit 1
- $SIGNER -G "cdnskey,cds:200" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
- grep "unsupported digest 'cds:200'" signer.err.$n >/dev/null || ret=1
-)
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking validated data are not cached longer than originalttl ($n)"
-ret=0
-dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-grep "3600.IN" dig.out.ns3.test$n >/dev/null || ret=1
-grep "300.IN" dig.out.ns3.test$n >/dev/null && ret=1
-grep "300.IN" dig.out.ns4.test$n >/dev/null || ret=1
-grep "3600.IN" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 # Test that "rndc secroots" is able to dump trusted keys
 echo_i "checking rndc secroots ($n)"
 ret=0
@@ -2842,19 +2060,6 @@
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
-echo_i "check dig's +nocrypto flag ($n)"
-ret=0
-dig_with_opts +norec +nocrypto DNSKEY . \
- @10.53.0.1 >dig.out.dnskey.ns1.test$n || ret=1
-grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.ns1.test$n >/dev/null || ret=1
-grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.ns1.test$n >/dev/null || ret=1
-dig_with_opts +norec +nocrypto DS example \
- @10.53.0.1 >dig.out.ds.ns1.test$n || ret=1
-grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.ns1.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 echo_i "check that increasing the signatures-validity resigning triggers re-signing ($n)"
 ret=0
 before=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA)
@@ -2918,18 +2123,6 @@
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
-echo_i "check the acceptance of seconds as inception and expiration times ($n)"
-ret=0
-in="NSEC 8 0 86400 1390003200 1389394800 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i+UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2rOo="
-
-exp="NSEC 8 0 86400 20140118000000 20140110230000 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i +UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2 rOo="
-
-out=$(echo "IN RRSIG $in" | $RRCHECKER -p | sed 's/^IN.RRSIG.//')
-[ "$out" = "$exp" ] || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 echo_i "check the correct resigning time is reported in zonestatus ($n)"
 ret=0
 rndccmd 10.53.0.3 \
@@ -2967,95 +2160,6 @@
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
-echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)"
-ret=0
-alg=1
-until test $alg -eq 258; do
- zone="keygen-$alg."
- case $alg in
- 2) # Diffie Helman
- alg=$((alg + 1))
- continue
- ;;
- 157 | 160 | 161 | 162 | 163 | 164 | 165) # private - non standard
- alg=$((alg + 1))
- continue
- ;;
- 1 | 5 | 7 | 8 | 10) # RSA algorithms
- key1=$($KEYGEN -a "$alg" -b "2048" "$zone" 2>"keygen-$alg.err" || true)
- ;;
- 15 | 16)
- key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true)
- ;;
- 256)
- key1=$($KEYGEN -a "RSASHA256OID" "$zone" 2>"keygen-$alg.err" || true)
- ;;
- 257)
- key1=$($KEYGEN -a "RSASHA512OID" "$zone" 2>"keygen-$alg.err" || true)
- ;;
- *)
- key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true)
- ;;
- esac
- if grep "unknown algorithm" "keygen-$alg.err" >/dev/null; then
- alg=$((alg + 1))
- continue
- fi
- if grep "unsupported algorithm" "keygen-$alg.err" >/dev/null; then
- alg=$((alg + 1))
- continue
- fi
- if test -z "$key1"; then
- echo_i "'$KEYGEN -a $alg': failed"
- cat "keygen-$alg.err"
- ret=1
- alg=$((alg + 1))
- continue
- fi
- $SETTIME -I now+4d "$key1.private" >/dev/null
- key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2>/dev/null)
- test -f "$key2.key" -a -f "$key2.private" || {
- ret=1
- echo_i "'dnssec-keygen -S' failed for algorithm: $alg"
- }
- alg=$((alg + 1))
-done
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that 'dnssec-keygen -F' disables rsasha1 ($n)"
-ret=0
-if $FEATURETEST --have-fips-mode; then
- echo_i "skipped: already in FIPS mode"
-elif ! $FEATURETEST --fips-provider; then
- echo_i "skipped no FIPS provider available"
-elif [ $RSASHA1_SUPPORTED = 0 ]; then
- echo_i "skipped: RSASHA1 is not supported"
-else
- $KEYGEN -F -a rsasha1 example.fips 2>keygen.err$n || true
- grep -i "unsupported algorithm: RSASHA1" "keygen.err$n" >/dev/null || ret=1
-fi
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that 'dnssec-keygen -F' disables nsec3rsasha1 ($n)"
-ret=0
-if $FEATURETEST --have-fips-mode; then
- echo_i "skipped: already in FIPS mode"
-elif ! $FEATURETEST --fips-provider; then
- echo_i "skipped: cannot switch to FIPS mode"
-elif [ $RSASHA1_SUPPORTED = 0 ]; then
- echo_i "skipped: RSASHA1 is not supported"
-else
- $KEYGEN -F -a nsec3rsasha1 example.fips 2>keygen.err$n || true
- grep -i "unsupported algorithm: NSEC3RSASHA1" "keygen.err$n" >/dev/null || ret=1
-fi
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 echo_i "check that CDS records are signed using KSK by dnssec-signzone ($n)"
 ret=0
 dig_with_opts +noall +answer @10.53.0.2 cds cds.secure >dig.out.test$n
@@ -3397,58 +2501,6 @@
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
-echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)"
-ret=0
-# generate signed zone with MX and AAAA records at apex.
-(
- cd signer || exit 1
- $KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove >/dev/null
- $KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove >/dev/null
- echo >remove.db.signed
- $SIGNER -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n
-)
-grep "RRSIG MX" signer/remove.db.signed >/dev/null || {
- ret=1
- cp signer/remove.db.signed signer/remove.db.signed.pre$n
-}
-# re-generate signed zone without MX and AAAA records at apex.
-(
- cd signer || exit 1
- $SIGNER -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n
-)
-grep "RRSIG MX" signer/remove.db.signed >/dev/null && {
- ret=1
- cp signer/remove.db.signed signer/remove.db.signed.post$n
-}
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 ($n)"
-ret=0
-# generate signed zone with MX and AAAA records at apex.
-(
- cd signer || exit 1
- echo >remove.db.signed
- $SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n
-)
-grep "RRSIG MX" signer/remove.db.signed >/dev/null || {
- ret=1
- cp signer/remove.db.signed signer/remove.db.signed.pre$n
-}
-# re-generate signed zone without MX and AAAA records at apex.
-(
- cd signer || exit 1
- $SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n
-)
-grep "RRSIG MX" signer/remove.db.signed >/dev/null && {
- ret=1
- cp signer/remove.db.signed signer/remove.db.signed.post$n
-}
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 echo_i "check that a named managed zone that was signed 'in-the-future' is re-signed when loaded ($n)"
 ret=0
 dig_with_opts managed-future.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
@@ -4103,25 +3155,6 @@
 n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-echo_i "check that dnssec-keygen honours key tag ranges ($n)"
-ret=0
-zone=settagrange
-ksk=$("$KEYGEN" -f KSK -q -a $DEFAULT_ALGORITHM -M 0:32767 "$zone")
-zsk=$("$KEYGEN" -q -a $DEFAULT_ALGORITHM -M 32768:65535 "$zone")
-kid=$(keyfile_to_key_id "$ksk")
-zid=$(keyfile_to_key_id "$zsk")
-[ $kid -ge 0 -a $kid -le 32767 ] || ret=1
-[ $zid -ge 32768 -a $zid -le 65535 ] || ret=1
-rksk=$($REVOKE -R $ksk)
-rzsk=$($REVOKE -R $zsk)
-krid=$(keyfile_to_key_id "$rksk")
-zrid=$(keyfile_to_key_id "$rzsk")
-[ $krid -ge 0 -a $krid -le 32767 ] || ret=1
-[ $zrid -ge 32768 -a $zrid -le 65535 ] || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
 echo_i "checking NSEC3 nxdomain response closest encloser with 0 ENT ($n)"
 ret=0
 dig_with_opts @10.53.0.4 b.b.b.b.b.a.nsec3.example. >dig.out.ns4.test$n
@@ -4173,35 +3206,6 @@
 n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-echo_i "checking that records other than DNSKEY are not signed by a revoked key by dnssec-signzone ($n)"
-ret=0
-(
- cd signer || exit 0
- key1=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" -f KSK revoke.example)
- key2=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" -f KSK revoke.example)
- key3=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" revoke.example)
- rkey=$(${REVOKE} "$key2")
- cat >>revoke.example.db <>revoke.example.db
- "${SIGNER}" -o revoke.example revoke.example.db >signer.out.$n
-) || ret=1
-keycount=$(grep -c "RRSIG.DNSKEY ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed)
-cdscount=$(grep -c "RRSIG.CDS ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed)
-soacount=$(grep -c "RRSIG.SOA ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed)
-[ $keycount -eq 3 ] || ret=1
-[ $cdscount -eq 2 ] || ret=1
-[ $soacount -eq 1 ] || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
 echo_i "checking validator behavior with mismatching NS ($n)"
 ret=0
 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
index bf1108518e..854c15424d 100644
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@@ -18,9 +18,7 @@ pytestmark = pytest.mark.extra_artifacts(
 "canonical*",
 "delv.out*",
 "dig.out.*",
- "dnssectools.out.*",
 "dsfromkey.out.*",
- "keygen*.err*",
 "named.secroots.*",
 "nsupdate.out.*",
 "python.out.*",
@@ -171,23 +169,6 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns7/split-rrsig.db",
 "ns7/split-rrsig.db.unsplit",
 "ns9/trusted-localkey.conf",
- "signer/example.db",
- "signer/example.db.after",
- "signer/example.db.before",
- "signer/example.db.changed",
- "signer/example2.db",
- "signer/example3.db",
- "signer/general/*.jnl",
- "signer/general/dnskey.expect",
- "signer/general/dsset-*",
- "signer/general/signed.expect",
- "signer/general/signed.zone",
- "signer/general/signer.out.*",
- "signer/nsec3param.out",
- "signer/prepub.db",
- "signer/revoke.example.db",
- "signer/signer.err.*",
- "signer/signer.out.*",
 ]
 )
diff --git a/bin/tests/system/dnssectools/algroll.dnskey b/bin/tests/system/dnssectools/algroll.dnskey
new file mode 100644
index 0000000000..a249180bb9
--- /dev/null
+++ b/bin/tests/system/dnssectools/algroll.dnskey
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12263
+;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
+;; WARNING: recursion requested but not available
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags: do; udp: 1232
+; COOKIE: d70bfeeee608e7490100000068630120672a49b90d12287f (good)
+;; QUESTION SECTION:
+;algroll. IN DNSKEY
+
+;; ANSWER SECTION:
+algroll. 30 IN DNSKEY 257 3 13 8ZsRCWjcBidh4U5O2xldz97ZODaXz9FzeNxQVcpf2bOlKE6QOSEgkvuG IYNnOuHwekp4wpC4x8aqEsULsO1p4w==
+algroll. 30 IN DNSKEY 256 3 13 w6cJYtYydN0OL+N64KM75NtWtl+KUzPCqGD9TE9vO+cCtb5qILojunGr jjxT3LzGVjgwhyLReJwVJkIDMWvHXw==
+algroll. 30 IN RRSIG DNSKEY 8 1 30 20250730202512 20250630202512 47525 algroll. vDuABgFYmjaw9ehT+lb4KDDnOiFu/Ts3LqAFLLRDU9CpPGIY0eH5c00P seEpRaapEF8N55t8/MRQpMxWaQCd67ERenUn3DFuSDACYoftyAdXsFvi 56giRNDziVhWJXKaQDQ/DIfLJ3W7F8BFSVZCFKq5Gv4MiS92+uvdQUkl 7cIgmJEWpcZ7PQB55r0vQizBP8rXrpcMXMtsojTFXQjF0uomW7/o1RIv KOQTcUnqfT1X4nRkQghhJQNJMftVrjVRkxPu+zq2AST+s2XQD9DBntA3 LFd1Yy1+X3OypjY9ZuD6Y5tC+5e1+IEY2CG/fbrqywMo/4pQ3DZ4ZbWC KATW1g==
+algroll. 30 IN RRSIG DNSKEY 8 1 30 20250730202512 20250630202512 60676 algroll. fMZaKG2IwwFMoglH5UxZBVjtT0XGwGokdmO+mA6EJxnBBpKXwhBpv24r Mn61ZXN+pmpn4yUDIsMc1Mb6Irwnak7REfsVO/CKmhNmx/hjmoC2y6B5 +xkoUxCDml8hn/nAFftNVpaFq//1UcPyaXvvALN73hgyuE/Cnrl8DTLL kXfqPzHi7sbEgJf2Fkk0crc+gb4E+Wdrz3D354ogRZ2sguvnOfBZvzA/ uQ5UqKtVx2/44C/nW9Wbnkdi+Z1RuRKJOOoJBHIE0f1dTYnbyUOEMEIW AOAUzoKStDnNom0aWfDs6CGQmPcc9vHp2j63D+h2PkfzmyvHI2K3T9ep HbDCMw==
+algroll. 30 IN RRSIG DNSKEY 13 1 30 20250730202512 20250630202512 13162 algroll. otMMLO7OiYbMvZsYDKBzJrJKsN5E5WCfQLP2KWo5/V0c88U/PJHY9kEa ysChyPRLDM5VN5WnRzzPxgT/KMnqWw==
+algroll. 30 IN RRSIG DNSKEY 13 1 30 20250730202512 20250630202512 54661 algroll. nHj9WTm112HMVGpcg3BsBb4s12R3pLl/mVYnz8snFDBuLrRS0dERMQSp PuNmd3D9WDbLyFBClrjzG+BDHBSILQ==
+
diff --git a/bin/tests/system/dnssectools/dsset-algroll. b/bin/tests/system/dnssectools/dsset-algroll.
new file mode 100644
index 0000000000..f5480969bf
--- /dev/null
+++ b/bin/tests/system/dnssectools/dsset-algroll.
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+algroll. IN DS 54661 13 2 56CE829B928999965B985F77B8725A553B87FDB4B5241AAA1B306959 5621764F
diff --git a/bin/tests/system/dnssectools/revkey.dnskey b/bin/tests/system/dnssectools/revkey.dnskey
new file mode 100644
index 0000000000..36f660a8b5
--- /dev/null
+++ b/bin/tests/system/dnssectools/revkey.dnskey
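Review bot: The four RRSIGs in this captured DNSKEY answer carry a fixed validity window, inception 20250630202512 to expiration 20250730202512, so any consumer that checks signature validity against the wall clock will start failing after 2025-07-30; revkey.dnskey has the same window (20250630202509 to 20250730202509). If the test only needs the DNSKEY RRset, for example to derive the DS in dsset-algroll., the RRSIG lines and the dig capture noise (the `;; ->>HEADER<<-` id and `; COOKIE:` lines) could be dropped; otherwise a header comment such as `; captured dig output; the signatures expire 20250730202512 and must be verified against a fixed time, not the wall clock` would tell the next reader which it is. The two algorithm-8 RRSIGs (key tags 47525 and 60676) have no matching DNSKEY in the RRset, which looks deliberate for an algorithm-rollover fixture but deserves a comment line as well.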
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51808
+;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags: do; udp: 1232
+; COOKIE: e2c7e750ed266cde0100000068630121f863ce122f5ef67e (good)
+;; QUESTION SECTION:
+;revkey.example. IN DNSKEY
+
+;; ANSWER SECTION:
+revkey.example. 300 IN DNSKEY 385 3 13 8dtsAwGIpEVKQMxW/Oyf+aoUU6keQ3+q7jeKcXc1GZf9O/wb5a93ghI9 mnmJSMKNPOXUZlz8XuwNu0kuIU/f+g==
+revkey.example. 300 IN DNSKEY 256 3 13 E+r2vT9F+V/dV2RALkjYSFyZGSv2FMjzNSgscold+M6tT7HRlWU5dOSF BhJfHF1AwyzWjsn2AjdhU15VZQxb7g==
+revkey.example. 300 IN DNSKEY 257 3 13 utSQOEBp4zNV8AnNC+aEU+Pf+zXcutD863bKWhWQRVB/+yBUmtS/q26H ke68j35nLAywm+7/OS+x7Iryhlnh/w==
+revkey.example. 300 IN RRSIG DNSKEY 13 2 300 20250730202509 20250630202509 25492 revkey.example. p+D2U3RHcdklSeehdbPP1aoZSRYD0rjbQW1cR8PqygCFaWX3M88D5aKS m8L2t6kl5w6ks529zWkpZWsBSj2Vnw==
+revkey.example. 300 IN RRSIG DNSKEY 13 2 300 20250730202509 20250630202509 54617 revkey.example. fCB4AYrdcceLW5MeDpGim5ItqGOCyw0/M1WYNsbj5D0G4P7lACRISJng plg/H3n1EZUN69H7suKcYo/fn+VT0Q==
+revkey.example. 300 IN RRSIG DNSKEY 13 2 300 20250730202509 20250630202509 57467 revkey.example. lZLA4ik9SoF4+nyQlBoA/Haj8OO/sBpYQ3e597StgSKX2Cq3apfXGcB2 jLIu0raNQ6OjqI2WtwHhKauPlJZloA==
+
diff --git a/bin/tests/system/dnssectools/signer/example.db.in b/bin/tests/system/dnssectools/signer/example.db.in
new file mode 100644
index 0000000000..3ab6aa2fc5
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/example.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+example. 60 IN SOA example. . 0 0 0 0 0
+example. 60 IN NS example.
+example. 60 IN A 1.2.3.4
+; out of zone record
+out-of-zone. 60 IN A 1.2.3.4
diff --git a/bin/tests/system/dnssectools/signer/general/K.+013+23640.key b/bin/tests/system/dnssectools/signer/general/K.+013+23640.key
new file mode 100644
index 0000000000..df4ff32c11
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/K.+013+23640.key
@@ -0,0 +1,6 @@
+; This is a key-signing key, keyid 23640, for .
+; Created: 20250310185208 (Mon Mar 10 18:52:08 2025)
+; Publish: 20250310185208 (Mon Mar 10 18:52:08 2025)
+; Activate: 20250310185208 (Mon Mar 10 18:52:08 2025)
+; Revoke: 20250310185208 (Mon Mar 10 18:52:08 2025)
+. IN DNSKEY 257 3 13 uKwpRtMH+9iuUk/Xj6LciIP5ZckaBtXaUqxUxzJYexXjvxGZGX4470Jv hq2NCI3HBZQNaCCP/h9sluhIzRGPTA==
diff --git a/bin/tests/system/dnssectools/signer/general/K.+013+23640.private b/bin/tests/system/dnssectools/signer/general/K.+013+23640.private
new file mode 100644
index 0000000000..36f932fd3c
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/K.+013+23640.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: m5udfGNSijISQ8Tfp4kx09O1em4PErLUw/mCj3SKmqw=
+Created: 20250310185208
+Publish: 20250310185208
+Activate: 20250310185208
+Revoke: 20250310185208
diff --git a/bin/tests/system/dnssectools/signer/general/K.+013+23768.key b/bin/tests/system/dnssectools/signer/general/K.+013+23768.key
new file mode 100644
index 0000000000..85e460a5bc
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/K.+013+23768.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 23768, for . +; Created: 20250310185208 (Mon Mar 10 18:52:08 2025) +; Publish: 20250310185208 (Mon Mar 10 18:52:08 2025) +; Activate: 20250310185208 (Mon Mar 10 18:52:08 2025) +. IN DNSKEY 256 3 13 TFelYtTRBWeA9A307vvuWIcaNwW4txW4RgSELtsi46ZQs24ncRxmxtFf uJuPyVXePNiE4HNI9CIowGUsn5WuBw== diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.key new file mode 100644 index 0000000000..104face02c --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 19857, for example.com. +; Created: 20220902075244 (Fri Sep 2 17:52:44 2022) +; Publish: 20220902075244 (Fri Sep 2 17:52:44 2022) +; Activate: 20220902075244 (Fri Sep 2 17:52:44 2022) +example.com. IN DNSKEY 256 3 5 AwEAAaUr14RTAa2dr/JPoMv5QM32IbLMNUZFPAM9M2Zm6Ef9S3/UsRk9 W+P08Dx5Xte/PMuZK8ejWUyou37LowmVbahkP2kcS7Z552btsLnGK2+5 me5Y/GgnodhMVN7phkEQNPRKSUQQyLdQC6Ltzt0JVp48q4PmgCta22et rgq1YEoj2E8Po53bn5eQXCUsnkBFhkql9/17Ls2ckWNBkHWiItMDaWk7 qkM4ZJu7C/jq3ybBjn0bi4Svlt7PNiuuo3h5WaJYJHXd2M7PIN14rUDE cas/b+iy4eF7VC3CRUgt1spFinW/G4wSro55e6phstc3I1BE6B+pC4pq eGlAfQqWWcs= diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.private new file mode 100644 index 0000000000..91171b032b --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+19857.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 5 (RSASHA1) +Modulus: pSvXhFMBrZ2v8k+gy/lAzfYhssw1RkU8Az0zZmboR/1Lf9SxGT1b4/TwPHle1788y5krx6NZTKi7fsujCZVtqGQ/aRxLtnnnZu2wucYrb7mZ7lj8aCeh2ExU3umGQRA09EpJRBDIt1ALou3O3QlWnjyrg+aAK1rbZ62uCrVgSiPYTw+jndufl5BcJSyeQEWGSqX3/XsuzZyRY0GQdaIi0wNpaTuqQzhkm7sL+OrfJsGOfRuLhK+W3s82K66jeHlZolgkdd3Yzs8g3XitQMRxqz9v6LLh4XtULcJFSC3WykWKdb8bjBKujnl7qmGy1zcjUEToH6kLimp4aUB9CpZZyw== +PublicExponent: AQAB +PrivateExponent: HzQaIgCAd6krnS5X5VDwYjiWgy26/syDmuUL+dOFHFyIz9yBnJAP9Q/H9tTDCyUwuhH0yGFetHHIAhs8cMoPDlnp9NSIpS+AfNx4n5AFkrTQlMuw24hpNfCts/MQDuid6GzETJyTHrZ7jEs64l0qRPiXOnLoUch3XK3eDF3ZlAfFkoPBFA5KIbiK8dcCahUmV4WReyE80X2N2dUloE8vLzy/j7yY2z1/HjhAu74S264wQMxNmJ0MsHeu78y7n8SKEJxncbgAciCNoamiQFiBGYYrs72B6BGHc19fhD5G7ldjpXukes9bHJSgj5ohseRJ27hkK7sKnqzOx/5Se6F5EQ== +Prime1: vNcFqw4Gu/gsEcte00YXSGGkOWlsEAOEARMy+l7yYVC9GMR41YuINydu42Bj+D/Qq1ifYk9ok26VnXsJ6GFWK9DdFFtSElCzq1Crb7/7yuRR86cM9UBr3045g9tvlH6sL+yeH1ESr8vNZtmlytDifw2Xp2kg0xoJnlnV0ZXphOk= +Prime2: 3+nmSodd/lDzVvn3uGMKux2B1mI2iApKM6bbwMwrzobN5bFkLkW1y1PuOYJytX1Sm39ecLCPYEmSf56kCitAquj7B98sblg05Y1QKvTTyX4uUsKFx3YAjvgp+acuI0Rq5J5GeSFCvdttgqAWdvvjoI8ic44K3sT1XTexaoLByJM= +Exponent1: jUmr2gHSlAzonB+3QQfuH5++iZ4Q1iJrP4qn15/2ZU1NThyh89REBFAirUjPQ0wryieyiJG1Qqm4k20dSpqZKItK/hIdY8qxwvnGawQPVgxiLJTOIykiDJ+wdLFX2Ji2J903qWK1QoaPleY+H3MOI9V9pCoJ/yg6DhpU2kz5vRE= +Exponent2: 04rLQ0Y4ivg3rchjPRR1Iupxq/UFx+jQyZOusaszB99bztGU8BJz+jDFNBgF/2jzDm1678Qe8L0RZvidye2rHs0VvQ4fj/BNqUGkp7C+FfLcGNwmP5dAV9Ik9fP4JuGQi4Ts16uQvoX8JBjSoH7BQwN3bOyZYHV7yiG/v/zgz3k= +Coefficient: l8vCrMMiS8eWYQNM/SPa4/swn1/EZtcgPcBqMa3zia+9rOJ4/mzRcQTKz6B7c7Z9BVoTzMWGlgd94PTDeLN9fbTNmRs/8JwwgzJ8FeJeisvZquvarFtq2PdVVZQSxTwt7N6DUMVcA8Vbdq+uGjJghs22/sJ23MS3key+PUHtwFI= +Created: 20220902075244 +Publish: 20220902075244 +Activate: 20220902075244 
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.key new file mode 100644 index 0000000000..717d65f256 --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 45884, for example.com. +; Created: 20220902075336 (Fri Sep 2 17:53:36 2022) +; Publish: 20220902075336 (Fri Sep 2 17:53:36 2022) +; Activate: 20220902075336 (Fri Sep 2 17:53:36 2022) +example.com. IN DNSKEY 257 3 5 AwEAAZ6aTwNhgMDJ8AObT38LEX4nZe0CFXKkFv8fzBhEJEWgJRplhEhx laqGc47NoXChBiz5qdX2qAC0zi4CRydmV8TdG9shpED9kapIl7KVM3wj +irX36R9TpFT7Otmvsh7/RbRfpKz4I0pCC01hRHyj7EodMC4j3LMF9sc GWNmiOTQI1PTxbvIEDeDfoTUDMFzvOwVmH1Bq+SzA9Ikm2VADZO4vIIO J/07lWT+LDQ/g1qiCNaSDyNhGfNVf8xYvmB8OXomGFLqDuSpUkwdL5kB 2gGmnUbIH+Pn+pcN9fxVniKH3mzYEGCxIspePbhvwDfB30gTmE8uaFMa 7McouGKW3Ps= diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.private new file mode 100644 index 0000000000..891c6c3831 --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+005+45884.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 5 (RSASHA1) +Modulus: nppPA2GAwMnwA5tPfwsRfidl7QIVcqQW/x/MGEQkRaAlGmWESHGVqoZzjs2hcKEGLPmp1faoALTOLgJHJ2ZXxN0b2yGkQP2RqkiXspUzfCP6KtffpH1OkVPs62a+yHv9FtF+krPgjSkILTWFEfKPsSh0wLiPcswX2xwZY2aI5NAjU9PFu8gQN4N+hNQMwXO87BWYfUGr5LMD0iSbZUANk7i8gg4n/TuVZP4sND+DWqII1pIPI2EZ81V/zFi+YHw5eiYYUuoO5KlSTB0vmQHaAaadRsgf4+f6lw31/FWeIofebNgQYLEiyl49uG/AN8HfSBOYTy5oUxrsxyi4Ypbc+w== +PublicExponent: AQAB +PrivateExponent: SSWu0kbaPFAGH4u2NsgSicW+5vfCj4xpRMHT/c8TkX8CDbILN+QW3D5FNnPVBJ5nPD/rGdC3/BdnTeXkDiJP0W4Ohlp2KDkqQMhZGlZgl9z56F+GeBUIstLrnkfVLp6sg6UcBKnsIv5tFHiuBjCCH/kiG64jDpVdXUMQ3HyyHyC67sB1gIqpZdhQxFliVIaebwXHlv4uWi31DxTUj0mmutmpTD1r4z+43DlU3JL07WBBpIoOmG/GoFoDr+JNWWwArnhHDZFl6XL1Z2u5ojdIOcgLTXcU1SdvFwBHIAH9PIwvow0gVcZTIHwDYJ41CL6YExXF8ymVpIPspZPaFwSxvQ== +Prime1: 2iWvbJTRrJuceM1CgOTMMoi/qMN/GtthmbL5V0w+hyFE6UzCWYQXED5YTPtoXk9tZ/YpnD7i5i7ru8VbLx0DAIrLkAFP3Xpxa7dvdRGzyPGuYARsjgNnj57M5Sl1tTTsZpkXaKEeiONCA6+vcSuc2l1NxqdDbhC/TwlpjOAbPRc= +Prime2: uh+ZuRel3T3qvD7acXm2UyF2BdeEEwwIvzqZVi3uxwUTd/TxFA7+3xuX6LNM+HK5fNxuB3exVC8OzALFzUOOJECVFUfhKi/1+VrVfBuJnyLlqQ14RncbZvsn+ScfGZpgYuacvq0zWiP2scxmXSQxchxcFVRCKFRCCVGVuOLzNb0= +Exponent1: coA7TrPiRkY7YBDk6kCtiYzLhKpwaclitkkBpTeozkbBI++dR10UufrvYCDJzE7Gbz3+4zsC360bIKjbTqRcsgkoBcMah3bAV7ilsP4EruFkFJPd4sCYuAKzK0mStfU8bDHI3qtLGrCmMschQDaTEu7MZwveUcRKlhKrqzzqLys= +Exponent2: jlnU7KeViBzvB4La96crN3GEHvuyXA78MaXT2QHQeg770OdZ6wl9DY7BJIzd9bdo/oJo9PUqf0RugMIuHsvoTvnGDDypjeaYrlo2pXE6VKgQFrfioaI/Jwg4jmrJcn+L8JiIkZ1OhUa0S1AVim9AEhJ2qymCX+3xg8cOSBXsBdE= +Coefficient: xotWVi9P/9Xr1FlKANoKVviBZaoT0xqbrVJLdmSLvyca+OipgxDilaPq+To7nAujkwtH/qdR14CHbkFSjxzzEp3jhOOSeh1HysCDlk5N7dCz2X+FHv977IYeC9vuGPG75Vbz18D7FUEy0huXgq003zJdd0e7djNca9a/GAp3gvc= +Created: 20220902075336 +Publish: 20220902075336 +Activate: 20220902075336 
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.key new file mode 100644 index 0000000000..d4b8efbe61 --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 15002, for example.com. +; Created: 20210423012926 (Fri Apr 23 11:29:26 2021) +; Publish: 20210423012926 (Fri Apr 23 11:29:26 2021) +; Activate: 20210423012926 (Fri Apr 23 11:29:26 2021) +example.com. IN DNSKEY 257 3 8 AwEAAdp+oCXl7vpKA3Mmyndx6/iA+wLrtxeMUiWL7uWJ9ZF24EdS8Dye 63p0lGlyvjvM9T5dTiyEpTAdutEBr79H0MlDqIBqpadrCdJRI2S4kC+0 nq5+Aj2CEyiAamPGujwWeXwtfLAvVPfBqs42PBr6wPQIJOByFYDaZBU3 enUEWgHYy/7OnJDrt0QlswKphR6SvYtyuixiUR8J/WouWXglUY5qlC7Z vVDxs9E4q7B1mfKCyoqcFMKPh9lzEBH+IfUZ543xXEYf2BEztKB1SZ2R QnpYedjATGDcgPis46uA2gHMfvDYJTQ5UqTBtveGb3Wsqc0oRXVPMEoY 3WnWhaKDzkk= diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.private new file mode 100644 index 0000000000..72b8e2e0c1 --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+15002.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 8 (RSASHA256) +Modulus: 2n6gJeXu+koDcybKd3Hr+ID7Auu3F4xSJYvu5Yn1kXbgR1LwPJ7renSUaXK+O8z1Pl1OLISlMB260QGvv0fQyUOogGqlp2sJ0lEjZLiQL7Sern4CPYITKIBqY8a6PBZ5fC18sC9U98GqzjY8GvrA9Agk4HIVgNpkFTd6dQRaAdjL/s6ckOu3RCWzAqmFHpK9i3K6LGJRHwn9ai5ZeCVRjmqULtm9UPGz0TirsHWZ8oLKipwUwo+H2XMQEf4h9RnnjfFcRh/YETO0oHVJnZFCelh52MBMYNyA+Kzjq4DaAcx+8NglNDlSpMG294ZvdaypzShFdU8wShjdadaFooPOSQ== +PublicExponent: AQAB +PrivateExponent: SD4X64/0DTONonRP+2Biej8DP7r6RcHyo1F6QtDzrg4VJ+AHaLPO/iUvsRHsTk99QwqMv3F4QMmDrHmXR3KSWQmS3Crm7M0aaTzErBfOLMfWs7EcQoQQm5KiGq1phFaWAnXzxTlRKb4SIK6T/wOr6sQKlV+DNqB++Pjn92rh67vLM8kZBUzWI14Vl9N0ib+xOOFH1oYFo7ynDgMfJhpnQSkuRfyQls3aD1eKQsNazRtZ7lFi2S0HR/V0AKYH2AQi7SdL5wH6hYba5cHfpKSw7PebI0lYkUJ4PAg3Xw7DPMkg8O0hkpLICpU8x7MPqQQ74eKDaEY+fjbL0KLL0Dy9UQ== +Prime1: /IDRb7WzMY6wp14LqDORULoUnmiQOqkRjOQnCoEXT2KVpYwPmGMG+GR40hrMFgqqAZFVmi56VBoasWpYbSBEqM4aJv1JVimMPREk23v5i+TY93kxICO/ee9/v0hXgLmrKUkS1Kwu4a1PxLX5U/LAzXPR6zF+EHP9OKFjDRWHqN0= +Prime2: 3YU9QdtsXofjNmlDETRwemKv45pa0oVNPmNvS1vtzIpQ3m/QSuhJxzyTgSP9x1XMiIsg63er3LOCtkRifXVE1IBrfIUgchp8YD5LsyesRl2ielE8Hw8PwSA1YjUVu90yRHcVfbZJ8lm2KyRKHgDWXz94t2Xnm/9M5XjUGuNW7l0= +Exponent1: 7KIkpJYZyvW4ZAFk10sMgiUBMbs4f2D2i509YUC9ga4YJD7wVpVncN1nxS9L19RCopl7KbUo+yxDm8TX/dzhu3j7VVLFqbPiM1Cfw/mZUhszoii3ezFFPpbOl4rKRl66I0TSGvEKNoDfYrBPavby7Rf/wHRveifZRXspgpeMvRk= +Exponent2: yvvtjuxW2CRiopg/+YL40lyd2cy2DpRRnKqW8BHzzGquAbWpwwopmOS8MSjewgqv2irK5pmJJTpku0nciiOsB6EJXVfLzGLSt4o96ZOf+/aPDNBla/xsLkaqRCxqlvPwvOX2DnS8O9PS5qNhOy7/QNYzcrJxUfPV7awTh/Pr040= +Coefficient: PHxU1tqPKTpI/8nABvso0SRerc1m+RPWGRk7s/SVcADSBvEW7fUDcwiZeRfK9MdlwPvLiVozbYnRbgRQl8GuKSqAD1+Cnvn2yOQk81AgNKbuKPwF7UvKIdq/c/xnhj2bvZUVSavJ91ux/RlZNP50378Ks8bj5HJl1xzAMVHXB5o= +Created: 20210423012926 +Publish: 20210423012926 +Activate: 20210423012926 
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.key new file mode 100644 index 0000000000..990b837003 --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 63613, for example.com. +; Created: 20210423012810 (Fri Apr 23 11:28:10 2021) +; Publish: 20210423012810 (Fri Apr 23 11:28:10 2021) +; Activate: 20210423012810 (Fri Apr 23 11:28:10 2021) +example.com. IN DNSKEY 256 3 8 AwEAAZzun7bYfjmGDwUEn4pyJG34vsiawRMW6pEdoNMH87ozxriOzgG6 /4zTjEv8JyYjGQz2k2vcoWWcD+86xD5IUqfa1pdXXUU8bdhG9DBtW/K1 mc4P6g8heU+0f++mq/L4TPlWVZUG8lVH4H8mD6r8PsVK7v/QR7wMeg9b JpCYyxon2A9rZ4zS0J9kX9bfciQVh6ODGVENctwEK5FNp5u0VonPEIx3 5Kj+IVn/mHpfbz4LaC02s7C6Kgvn3ToFFSJczwbOaexl/d+/ai8FLJi7 8UgiAq5/178bcVLItMeY6aD5eQGkRtr2c3JZ/JR4Nf+TQAWFBnl9NSDa RH4Qa55ZNqs= diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.private new file mode 100644 index 0000000000..1765d3f0f6 --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+008+63613.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 8 (RSASHA256) +Modulus: nO6ftth+OYYPBQSfinIkbfi+yJrBExbqkR2g0wfzujPGuI7OAbr/jNOMS/wnJiMZDPaTa9yhZZwP7zrEPkhSp9rWl1ddRTxt2Eb0MG1b8rWZzg/qDyF5T7R/76ar8vhM+VZVlQbyVUfgfyYPqvw+xUru/9BHvAx6D1smkJjLGifYD2tnjNLQn2Rf1t9yJBWHo4MZUQ1y3AQrkU2nm7RWic8QjHfkqP4hWf+Yel9vPgtoLTazsLoqC+fdOgUVIlzPBs5p7GX9379qLwUsmLvxSCICrn/XvxtxUsi0x5jpoPl5AaRG2vZzcln8lHg1/5NABYUGeX01INpEfhBrnlk2qw== +PublicExponent: AQAB +PrivateExponent: N4egcDzO/V/YdLgcFAsrpNY9/BH2e+DCA7NuMv4/WgX0LV4quyYGQzigDksdNzt4I8Qkiig53BCK+uXahwdkaAzhng/F6zfkzoDc6z3nKUzlLasn8U6w9Gk0VAKwGXuPETNheShKG68hWxyGssQrGfjX9SEoIPxxPHnOfZ/zTj95KAnVV5qPz90xVAb0+FUrLXAt72KuRwepOTlsETsMFDKe17uUCqCCdX98Ko0u14wrO6zGRQtNhUsfvNB/pY8fvbHD1GcCTbFSx4FxsUsZMrNtMsvMe3HN9ggC0Y9htbH9HV0hS0w9SKCUyoeOVwf/JZL4hlfoe8+jglsyJpAgoQ== +Prime1: zeXvO3PT4iXv9GlGeebl39pF1sXs8tXY4B9VHUJGGSYlyOlyCEy4URQJIPfuL6VjFKCErSxUJSrGz0HyQuKr8l9qP/0MGxGRH7wxvUR7YTmai84yyQ4fFENRmn8bzxGwj0MVHIW7cKC59j7nWT24gseT21/NP5m8EnPsjz/K40M= +Prime2: wx5vVFSydUfr8HtOHNS1kRrTjhnQOfjmj8SxGi72Hk+mgi9fBCTC5fRLifd80wGbgyFk1vZOXeStOC8L3IlnBGLX0O9MNip+vVX3hRzIRhLwHhL1ygN3xEd04qwVH0XJ8+4A0XCzh/FJgW59F62geN6gwedo7GmZAOSZUBAyRHk= +Exponent1: IlkqeLuQ7Fgx2I87b5iiXp62Keco6TXdkT4I3/GvagCgKw0utc2+rd/uye4ycQZhKg7BM3aCrxScx/STaq8PykY6nmQjgdyDXkzx60YiYwzOCGakuD+/1YyJb4Gm7PthffTN780rgNV/UGIcDBoszrxmoSExR1vpMRbfruIQgas= +Exponent2: or0Os/KUibc79W6Snv9WlLkgPAQRpViQzNaLtD/47R0Xzrs975HNsMgJ/P+bb86Ga1994MC8ahmh1BuBNCax8nmScWQ1V3QoEzjRYoe4DqIa/aposF4mFWJX/fry/wtRPo+CxSzPwJGh8j86PHaHQmjFAhVFcPE+OP1xVdK8alk= +Coefficient: r5wPmPXUF5pVC0Y7La3jVkL4w/3wvq9LBz91tH9gA8OUNLpDDBuFZISiJdhOZ4JVw+qSSoHcEa+3Phd+BqxmXzwZDU1Fqta9mLDDGCqCWjVQOopeeJgrvkv9P0TIzEuoGmW50cQhyqHYCtuUxjOnHfiQSc53p7rfD4Vom1VQ3Ok= +Created: 20210423012810 +Publish: 20210423012810 +Activate: 20210423012810 
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.key new file mode 100644 index 0000000000..47003a44c2 --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 18240, for example.com. +; Created: 20211221062121 (Tue Dec 21 17:21:21 2021) +; Publish: 20211221062121 (Tue Dec 21 17:21:21 2021) +; Activate: 20211221062121 (Tue Dec 21 17:21:21 2021) +example.com. IN DNSKEY 256 3 10 AwEAAe5GunnuJFyzmKiGUknSQY3aPtR5UR8vNLLyMCJswffRzoYwY14/ 60ZTsqzh7N+lJV3KAOraocFSsTnmWIM7D7DPpqtaJMQw90ypBG0cnUP1 wKX9L/gdOH/ITlluBiZpCv9Aux3FRECHBO4Gx8Rse8ST2Vag3UuOPW+q HkLsWQt22K/hYuDhEtUWWx2dTIaXUVXNSNbk2zPL+lhC9PaRV+//1Fjo UX4qXCUuUN4TiqlkK2v4UkcIyld1n2R7qTQAkoN9amGFtPu8z5Zw7CxC San03yUSNuKub3fGys11gQRFuEHRX7FxKxvJjmcngG9qCh8AyfHZ8zYb VstTy1unFoM= diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.private new file mode 100644 index 0000000000..f16b62708a --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+18240.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 10 (RSASHA512) +Modulus: 7ka6ee4kXLOYqIZSSdJBjdo+1HlRHy80svIwImzB99HOhjBjXj/rRlOyrOHs36UlXcoA6tqhwVKxOeZYgzsPsM+mq1okxDD3TKkEbRydQ/XApf0v+B04f8hOWW4GJmkK/0C7HcVEQIcE7gbHxGx7xJPZVqDdS449b6oeQuxZC3bYr+Fi4OES1RZbHZ1MhpdRVc1I1uTbM8v6WEL09pFX7//UWOhRfipcJS5Q3hOKqWQra/hSRwjKV3WfZHupNACSg31qYYW0+7zPlnDsLEJJqfTfJRI24q5vd8bKzXWBBEW4QdFfsXErG8mOZyeAb2oKHwDJ8dnzNhtWy1PLW6cWgw== +PublicExponent: AQAB +PrivateExponent: U/ipDv9V4TWJvxpXNZzbbVpUehym8g54y/d97yPU17kgxzmWS0jLaWVluneEOuzAVmUyHZIfHzo9KuJ6nwTZar5DRm/mNR3siR+nZ6yF38VjtxubJB1oI+A7fFjB4hdywLHXP46dlv/+RMQu8pIorAZOubDHTDE8hXW2ZG9WkisJ5P7KoaL4KFHHHXi5vsXAMph4Zphd/zPxVL2tHD3l5c3QXRpQWfTNZNQcZ1f/4yVCuMRibg5LCvpia0ZwRrlygfZdAHUUd0VJDfRO45J5nlIJSAHQtjYtVTL+xNISWOHXovVlInkVyluACqfX94I7qPXTu41yg3SxrrtHE6RTwQ== +Prime1: +/YsRxmUxgvHKUh4SxdjzqNDDEi8b2BtM5IpctjVG3oYsL6J9xJB3U5/lbrGEPgl/1ndBUSXMQ6zQ5WcDE1qBAdW8t0eyniyuiexcgQ9f04Ds7p7oUiSHGLRn8YqQOzmiASXoZmkzfJZ+42pGhT3RZ+aYKtWQGMHqXabwV3zZl0= +Prime2: 8hhnKzPzExy6wv/MV0aYKo1g4azrRjug6743/ctTC7zjnMmDW7RMFTXmq5Tu3pFaIL4N4C4m1b7P3abfTrjm+DwHnrlRIvLWS3zJnvUEM22i4BwqqTLRiJpoT5Bfp4pVsdOPT7Iyx1q5UsJZ7Q4qMpg2TFpGiQyieRB5Xwpu4l8= +Exponent1: ZFPx7Z3SD8pA0793pu75Xx7DY/DSl8bdtNtOhdyxfu9vRXGZnjg24diQFR76H2ewOa2exKo7Sd2ApDi+mmd4/4Gsrag+yoClKlsD3VKy6i42ayqmb+Jly8fNkMFnsdKjOSYa+s4jQZ5vFiuiWjBfBeo3nqabAahtNJ12B9lRQkE= +Exponent2: tNz4TnVsFo4zFLVHsrghvECM7WxjBMBNc3FToT6CV1WRcjO1+A/Ve08eenc0kYBjpex2r1GrX6pC3uPpFoXav/8Q7kqiTArBf/nFIwUHU2iH8wf38xntIjHA1hgU7jTR2p0kBrUpbHfh1esuhYQ8kDnY7ufOpFqVEv70vcUsm98= +Coefficient: 3acDCJ9jCnHAP1km7jRO388mOpiI8U6SMv0PBD8l2UoB4CYwujrFxy6PhgUa486bbm5xZEaOwhYZcbw/g1qyC6Qt5kYOb2fVWOob/lEQmyqbDvHMQWTJoIbqaDTKQN/szI4xVdb/xZ6QR4Bq7JgbJpUACgweS540Y7Lf8Dry8C0= +Created: 20211221062121 +Publish: 20211221062121 +Activate: 20211221062121 
diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.key b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.key new file mode 100644 index 0000000000..37bd259f6b --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 28633, for example.com. +; Created: 20211221062130 (Tue Dec 21 17:21:30 2021) +; Publish: 20211221062130 (Tue Dec 21 17:21:30 2021) +; Activate: 20211221062130 (Tue Dec 21 17:21:30 2021) +example.com. IN DNSKEY 257 3 10 AwEAAc4lt8fDsdCzMCLHxXm8Ok/dw6XDiqx06Rf47LTeLmo6b64xm1Fs 0zloNMrcZDgwS5IxjQ3Breqc5aEc+jehueqCXa/fJXMdIt1VpUG0H7GP 4B+1IVmEiziHfmOozktdkuAyLqcsNhsf+J1+bCoHJSffgz6KbjBks/jR 12uyUnZCDrKGE/KfiR0gpT3watqGqqChO0KXq2N2PsnYfyRDea5FMUjM oPgOOyAT8LIMsM8x4f+EbU6m9Zc3Esafek9iLCS9R1333Pm1EEh5ghQT BsZ7omc5aSvrKUaIneojU3RdofceZouCliIDXmqscfY0y6bivGcmCQI/ LM4XUh7GWlM= diff --git a/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.private b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.private new file mode 100644 index 0000000000..6d7f72e48b --- /dev/null +++ b/bin/tests/system/dnssectools/signer/general/Kexample.com.+010+28633.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 10 (RSASHA512) +Modulus: ziW3x8Ox0LMwIsfFebw6T93DpcOKrHTpF/jstN4uajpvrjGbUWzTOWg0ytxkODBLkjGNDcGt6pzloRz6N6G56oJdr98lcx0i3VWlQbQfsY/gH7UhWYSLOId+Y6jOS12S4DIupyw2Gx/4nX5sKgclJ9+DPopuMGSz+NHXa7JSdkIOsoYT8p+JHSClPfBq2oaqoKE7QperY3Y+ydh/JEN5rkUxSMyg+A47IBPwsgywzzHh/4RtTqb1lzcSxp96T2IsJL1HXffc+bUQSHmCFBMGxnuiZzlpK+spRoid6iNTdF2h9x5mi4KWIgNeaqxx9jTLpuK8ZyYJAj8szhdSHsZaUw== +PublicExponent: AQAB +PrivateExponent: Wr3fl99cdjFqDuVA18UzJdTIOj9I24Da2eKIz1S9uaTfZB4R8FWm5K4qDuHUe6dGnKOTI2sN0ygdLD5FJhfabo/UDYZ8RZ+dqS/5/mH7UX2zekGQ3Iargcaiq9uycxpNfMKaJpwfdPEtzqXHlvhuMo8AhpcIyeSKFAzKdm2YPtUqIrum4RARHyfRLfLyWlkIotPdyiaKCVGQxiRbFsTcmIB2Bizmt7zRjlB+Hxf8MooXmaKUFRQtMCLnFGK0ecFI1CWAxmLSanvYVKQ0HxcFkFKzRiZAz1au7ZfMgYDZj0jF72WAGU3Edcmdc0QIQRTWjb/3wcBfwlr9s6lKoF3ngQ== +Prime1: 1EIziKhz7dF41rb/hckdr2qeY8eM7tLrT5jIMPLISHCCuKm5IK2u7PY6m6NjMdhx1ilm7K2RGTt+TTFZaqDIEd8qpzRCxAGcfTVOmB9iHwmi9i9RoPSlY6o+iShft68ZnvPiGJWUF2huRYVK2F0cIWErwSqaBGsFd79mXmlkn98= +Prime2: +KEdNtZj9JyCCR2xbLAw3tnAYxHvJ3skVMjxV3cyUupMWi12NWxGhHH1nnetXxDR2LBBuqIl4pE/4MeXe3sClMHTL3Z9XG+pzQAsHS7yvsfZERdyuWZYYy0ya/7XY2auvRVO6LxN7d47VWjYxAGfoCsbCEivgDxmt1dTZhAtRA0= +Exponent1: d5TcZ69PsLoEtCLhDkRh/wO4PEqeMaaOf4d5sWn2QCly3Apyi+CN3l5SYoDIT7q7V4Z3v/uA9ZA49dBJqfLvBHKQGycsPjUSLtAreTSlGQtazguWl3F9BAtTs/4U/u0dKBoKVQNgLVfeWDhiFEdQo9WUyvzvTHHm4LHqQGJsGE0= +Exponent2: EU2dK+DVygNOZXYEkAzfCdNbuUlZPIUsbR4i9bRc8zpNIAWD8YncioEn1+R6U2BnSk5R9LwuKMt1B568YyKXdmTa3rW/WbyHs7WsXEeVK0PbTn40RMTjp9tQZAWzVb6isJQYDsh0H/bUaEhItbNrOYlmczgjxqftehsAudysWc0= +Coefficient: sl2u/8vttxpiTbspGV4SsaDmKUNdzQH7BgJ5rl3mXPp/aUpLw0Sr7FuARy8W8tq3yVNi9qCOnvGwVl6aQzZP7b8N04KiH8gewlAVdSfxG24yFKJIQNbWGKFZYZFYyjtLVlpK6NYF0f0I1KpAjn58XR0qIBvRFZYWBAkggU9C7ro= +Created: 20211221062130 +Publish: 20211221062130 +Activate: 20211221062130 diff --git a/bin/tests/system/dnssectools/signer/general/bogus-ksk.key b/bin/tests/system/dnssectools/signer/general/bogus-ksk.key new file mode 100644 index 0000000000..e4685741ff 
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/bogus-ksk.key
@@ -0,0 +1,6 @@
+;
+; This is a bogus key. It will not have a .private file.
+;
+; This will be key id 23221
+;
+example.com. IN DNSKEY 257 3 10 AwEAAbcyptpM++pVjhpYQW2fVtyOw04IBSw4X0SYi/Ke4wVkmDNW2vBm AFkgiVVKmmNbb0IHDYQiIY7seXk0fjEwjzeY2bmeOAZxDdv2KT9VQpoY Matk2y4NTi6F/V04x0lL/CBvyifTeNbZKvY+S1eKFuWHeS5Ss8tiagz9 zdYWUe/msvmin+Hbs2tlLwXVl4hOmABCL9uK9H8R6GPL5VdEXYyFOh/v 71CNhRU5ufrARti69YYkfzH6NpWhlJWyJvDjqAdt2L3H8V71C2vcXbBu S5NscEYl+8JQfwUvOTN553I5IQrG+NQEusW36UM/Rkad8mMnUVM9Vzqk GH86GHKtLMc=
diff --git a/bin/tests/system/dnssectools/signer/general/bogus-zsk.key b/bin/tests/system/dnssectools/signer/general/bogus-zsk.key
new file mode 100644
index 0000000000..aa45938426
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/bogus-zsk.key
@@ -0,0 +1,6 @@
+;
+; This is a bogus key. It will not have a .private file.
+;
+; This will be key id 48930
+;
+example.com. IN DNSKEY 256 3 10 AwEAAa/0IcnbGutPVkrz04tw5ZIYx6rU+FprB2rlKS8cTK/wiBOqbOC6 QIDdegDpZG1fOdj04ZQGa3pIizqC2CnlIWfxpfR6W+qSLRBuQ8gmwTmS c/Jy/0vAGB3fv3oVIqKslLNqIXZb3CKNiA2kGcut3aUgfeOW970Jga6z PAGKqPpPZTelW1Qy9N5BO4cRTuYo4uvbZveJv1W/2n5RN+UaeqU0f+AE DP0+wqSWNUfZsi6HygLwk08x3eO8PzTBlqBlAMfvNAygrmXqccMREyyH KEc5dVJ1qOXfj8BAdJUPmunyJhIwC9PxzOW7mn1lW7mZO2D5U/Jaxw2k eX2KblmVk8s=
diff --git a/bin/tests/system/dnssectools/signer/general/test1.zone b/bin/tests/system/dnssectools/signer/general/test1.zone
new file mode 100644
index 0000000000..98c9f0233c
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test1.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
diff --git a/bin/tests/system/dnssectools/signer/general/test10.zone b/bin/tests/system/dnssectools/signer/general/test10.zone
new file mode 100644
index 0000000000..10a8bc97e1
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test10.zone
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00100000 1200 3600 604800 300
+extra.example.com. IN A 1.2.3.4
+$include Kexample.com.+008+63613.key
+$include Kexample.com.+008+15002.key
diff --git a/bin/tests/system/dnssectools/signer/general/test11.zone b/bin/tests/system/dnssectools/signer/general/test11.zone
new file mode 100644
index 0000000000..538305fc14
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test11.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+19857.key
+$include Kexample.com.+005+45884.key
diff --git a/bin/tests/system/dnssectools/signer/general/test12.zone b/bin/tests/system/dnssectools/signer/general/test12.zone
new file mode 100644
index 0000000000..4e4c9baef6
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test12.zone
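Review bot: test11.zone signs with the two algorithm 5 (RSASHA1) keys Kexample.com.+005+19857 and Kexample.com.+005+45884, so this case can only pass where the crypto provider still permits SHA-1 signing; nothing in this chunk shows whether the driver skips it elsewhere. If tests.sh (whose header closes this chunk) does not already gate the case on SHA-1 availability, it should be guarded, and the zone's header comment should state the prerequisite, e.g. `; Requires RSASHA1 (algorithm 5) support in the crypto provider.`. The same dependency applies to the algorithm 5 key files added earlier in this diff.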
@@ -0,0 +1,37 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 30 ; 30 seconds
+. IN SOA a.root.servers.nil. each.isc.org. (
+ 2000042101 ; serial
+ 600 ; refresh (10 minutes)
+ 600 ; retry (10 minutes)
+ 1200 ; expire (20 minutes)
+ 600 ; minimum (10 minutes)
+ )
+ NS a.root-servers.nil.
+ DNSKEY 256 3 13 (
+ TFelYtTRBWeA9A307vvuWIcaNwW4txW4RgSELtsi46ZQ
+ s24ncRxmxtFfuJuPyVXePNiE4HNI9CIowGUsn5WuBw==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 23768
+ DNSKEY 257 3 13 (
+ OSmhpULEDCUzHCBeDU5uJXzkCcGuW2qrkQznKRPGhRZN
+ j7ZUIGInGzM5Um5m02ULWt8tKbi55NJUeifKWegQ0g==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 22255
+ DNSKEY 385 3 13 (
+ uKwpRtMH+9iuUk/Xj6LciIP5ZckaBtXaUqxUxzJYexXj
+ vxGZGX4470Jvhq2NCI3HBZQNaCCP/h9sluhIzRGPTA==
+ ) ; revoked KSK; alg = ECDSAP256SHA256 ; key id = 23768
+a.root-servers.nil. A 10.53.0.1
diff --git a/bin/tests/system/dnssectools/signer/general/test2.zone b/bin/tests/system/dnssectools/signer/general/test2.zone
new file mode 100644
index 0000000000..97c0d3d8dc
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test2.zone
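Review bot: The header comment of test12.zone is copied from the two-key fixtures and no longer describes this file: it claims "two DNSKEY records, both of which have existing private key files", but the zone carries three DNSKEYs (ZSK 23768, KSK 22255 and a revoked KSK whose key id also comes out as 23768), and only the 23640/23768 key files are added in this diff. Replace the paragraph with a description of the actual setup, along the lines of `; This is a root zone with a ZSK, a KSK and a revoked KSK whose key id collides with the ZSK's; only the ZSK and the revoked key have private key files here.` (the private-key situation for KSK 22255 is not visible in this chunk and should be confirmed). The SOA MNAME is also spelled `a.root.servers.nil.` while the NS and A records use `a.root-servers.nil.`; that does not affect signing but looks like a typo.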
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has one non-KSK DNSKEY record for which the
+; private key file exists. It should be loaded automatically and the zone
+; correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
diff --git a/bin/tests/system/dnssectools/signer/general/test3.zone b/bin/tests/system/dnssectools/signer/general/test3.zone
new file mode 100644
index 0000000000..bf9bc66c56
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test3.zone
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has one KSK DNSKEY record for which the
+; private key file exists. It should be loaded automatically. As there
+; is no non-KSK DNSKEY the resulting zone should be rejected.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+28633.key
diff --git a/bin/tests/system/dnssectools/signer/general/test4.zone b/bin/tests/system/dnssectools/signer/general/test4.zone
new file mode 100644
index 0000000000..9f05de50fb
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test4.zone
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has three DNSKEY records, two (KSK + ZSK) of
+; which have existing private key files available. The third is a
+; pre-published ZSK.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssectools/signer/general/test5.zone b/bin/tests/system/dnssectools/signer/general/test5.zone
new file mode 100644
index 0000000000..d61504fbf9
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test5.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has three DNSKEY records, two (KSK +ZSK) of which
+; have existing private key files available. The third is a KSK.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-ksk.key
diff --git a/bin/tests/system/dnssectools/signer/general/test6.zone b/bin/tests/system/dnssectools/signer/general/test6.zone
new file mode 100644
index 0000000000..fcfb1ec260
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test6.zone
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has four DNSKEY records, two (KK + ZSK) of which
+; have existing private key files available. There are also a KSK and ZSK
+; for which there will be no signatures.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-ksk.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssectools/signer/general/test7.zone b/bin/tests/system/dnssectools/signer/general/test7.zone
new file mode 100644
index 0000000000..e52c535527
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test7.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, none of which have
+; existing private key files available. The resulting zone should fail
+; the consistency tests.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include bogus-ksk.key
+$include bogus-zsk.key
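Review bot: The header comment of test6.zone reads `two (KK + ZSK) of which`; `KK` should be `KSK`, matching the wording used in test4.zone and test5.zone. The following sentence, "a KSK and ZSK for which there will be no signatures", describes an expected outcome rather than the fixture; since both bogus-*.key files included here carry no .private file, `; There are also a KSK and a ZSK for which no private key file exists.` states the actual setup and leaves the expected result to the test driver.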
diff --git a/bin/tests/system/dnssectools/signer/general/test8.zone b/bin/tests/system/dnssectools/signer/general/test8.zone
new file mode 100644
index 0000000000..893d32da10
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test8.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, one of which,
+; the KSK, has a private key. The resulting zone should be rejected as
+; it has no ZSK signatures.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+28633.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssectools/signer/general/test9.zone b/bin/tests/system/dnssectools/signer/general/test9.zone
new file mode 100644
index 0000000000..14c47d040c
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/general/test9.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+008+63613.key
+$include Kexample.com.+008+15002.key
diff --git a/bin/tests/system/dnssectools/signer/prepub.db.in b/bin/tests/system/dnssectools/signer/prepub.db.in
new file mode 100644
index 0000000000..946aac1bf5
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/prepub.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+prepub. 60 IN SOA prepub. . 0 0 0 0 0
+prepub. 60 IN NS prepub.
+prepub. 60 IN A 1.2.3.4
+; out of zone record
+out-of-zone. 60 IN A 1.2.3.4
diff --git a/bin/tests/system/dnssectools/signer/remove.db.in b/bin/tests/system/dnssectools/signer/remove.db.in
new file mode 100644
index 0000000000..5629a426ae
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/remove.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+remove. 60 IN SOA remove. . 0 0 0 0 0
+remove. 60 IN NS remove.
+remove. 60 IN A 1.2.3.4
+remove. 60 IN AAAA ::ffff:1.2.3.4
+remove. 60 IN MX 0 remove.
+$INCLUDE remove.db.signed
diff --git a/bin/tests/system/dnssectools/signer/remove2.db.in b/bin/tests/system/dnssectools/signer/remove2.db.in
new file mode 100644
index 0000000000..b2962b9ff1
--- /dev/null
+++ b/bin/tests/system/dnssectools/signer/remove2.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+remove. 60 IN SOA remove. . 0 0 0 0 0
+remove. 60 IN NS remove.
+remove. 60 IN A 1.2.3.4
+$INCLUDE remove.db.signed
diff --git a/bin/tests/system/dnssectools/tests.sh b/bin/tests/system/dnssectools/tests.sh
new file mode 100644
index 0000000000..85cd1ac2a6
--- /dev/null
+++ b/bin/tests/system/dnssectools/tests.sh
@@ -0,0 +1,1022 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +# shellcheck source=conf.sh +. ../conf.sh + +status=0 +n=1 + +# check that a zone file is raw format, version 0 +israw0() { + # shellcheck disable=SC2016 + $PERL <"$1" -e 'binmode STDIN; + read(STDIN, $input, 8); + ($style, $version) = unpack("NN", $input); + exit 1 if ($style != 2 || $version != 0);' || return $? +} + +# check that a zone file is raw format, version 1 +israw1() { + # shellcheck disable=SC2016 + $PERL <"$1" -e 'binmode STDIN; + read(STDIN, $input, 8); + ($style, $version) = unpack("NN", $input); + exit 1 if ($style != 2 || $version != 1);' || return $? +} + +echo_i "basic dnssec-signzone checks:" +echo_ic "two DNSKEYs ($n)" +ret=0 +( + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test1.zone >signer.out.$n + test -f signed.zone +) || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_ic "two DNSKEYs, DNSKEY RRset only by KSK ($n)" +ret=0 +( + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -s now-1mo -e now+2d -P -x -f signed.zone -O full -o example.com. test1.zone >signer.out.$n + test -f signed.zone +) || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_ic "two DNSKEYs, DNSKEY RRset only by KSK, private key missing ($n)" +ret=0 +( + cd signer/general || exit 1 + cp signed.zone signed.expect + grep "example\.com\..*3600.*IN.*RRSIG.*DNSKEY.*10.*2.*3600.*28633.*example\.com\." 
signed.expect >dnskey.expect || exit 1 + mv Kexample.com.+010+28633.private Kexample.com.+010+28633.offline + $SIGNER -P -x -f signed.zone -O full -o example.com. signed.zone >signer.out.$n 2>/dev/null + mv Kexample.com.+010+28633.offline Kexample.com.+010+28633.private + grep "$(cat dnskey.expect)" signed.zone >/dev/null || exit 1 +) || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_ic "one non-KSK DNSKEY ($n)" +ret=0 +( + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test2.zone >signer.out.$n + test -f signed.zone +) && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_ic "one KSK DNSKEY ($n)" +ret=0 +( + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test3.zone >signer.out.$n 2>/dev/null + test -f signed.zone +) && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_ic "three DNSKEY ($n)" +ret=0 +( + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test4.zone >signer.out.$n 2>/dev/null + test -f signed.zone +) || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_ic "three DNSKEY, one private key missing ($n)" +ret=0 +( + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test5.zone >signer.out.$n 2>/dev/null + test -f signed.zone +) || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_ic "four DNSKEY ($n)" +ret=0 +( + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. 
test6.zone >signer.out.$n 2>/dev/null + test -f signed.zone +) || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_ic "two DNSKEY, both private keys missing ($n)" +ret=0 +( + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test7.zone >signer.out.$n 2>/dev/null + test -f signed.zone +) && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_ic "two DNSKEY, one private key missing ($n)" +ret=0 +( + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test8.zone >signer.out.$n 2>/dev/null + test -f signed.zone +) && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_ic "check that 'dnssec-signzone -F' works with allowed algorithm ($n)" +ret=0 +if $FEATURETEST --fips-provider; then + ( + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -F -f signed.zone -o example.com. test1.zone >signer.out.$n + test -f signed.zone + ) || ret=1 +else + echo_i "skipped no FIPS provider available" +fi +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_ic "check that 'dnssec-signzone -F' failed with disallowed algorithm ($n)" +ret=0 +if ! $FEATURETEST --fips-provider; then + echo_i "skipped no FIPS provider available" +elif [ $RSASHA1_SUPPORTED = 0 ]; then + echo_i "skipped: RSASHA1 is not supported" +else + ( + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -F -f signed.zone -o example.com. 
test11.zone >signer.out.$n 2>&1 && exit 1 + grep -F -e "fatal: No signing keys specified or found" \ + -e "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n >/dev/null + ) || ret=1 +fi +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_ic "revoked KSK ID collides with ZSK ($n)" +ret=0 +# signing should fail, but should not coredump +( + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -S -f signed.zone -o . test12.zone >signer.out.$n 2>/dev/null +) && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)" +ret=0 +( + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -3 - -H 51 -o example.com. test9.zone >signer.out.$n + test -f signed.zone +) && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_ic "check that dnssec-signzone -J loads journal files ($n)" +ret=0 +( + cd signer/general || exit 0 + rm -f signed.zone + $MAKEJOURNAL example.com. test9.zone test10.zone test9.zone.jnl + $SIGNER -f signed.zone -o example.com. -J test9.zone.jnl test9.zone >signer.out.$n + grep -q extra signed.zone +) || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_ic "check that dnssec-signzone accepts maximum NSEC3 iterations ($n)" +ret=0 +( + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -3 - -H 50 -o example.com. test9.zone >signer.out.$n + test -f signed.zone +) || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +get_default_algorithm_key_ids_from_sigs() { + zone=$1 + + awk -v alg=$DEFAULT_ALGORITHM_NUMBER ' + NF < 8 { next } + $(NF-5) != "RRSIG" { next } + $(NF-3) != alg { next } + $NF != "(" { next } + { + getline; + print $3; + } + ' signer/$zone.db.signed | sort -u +} + +# Test dnssec-signzone ZSK prepublish smooth rollover. 
+echo_i "check dnssec-signzone doesn't sign with prepublished zsk ($n)" +ret=0 +zone=prepub +# Generate keys. +ksk=$("$KEYGEN" -K signer -f KSK -q -a $DEFAULT_ALGORITHM "$zone") +zsk1=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone") +zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone") +zskid1=$(keyfile_to_key_id "$zsk1") +zskid2=$(keyfile_to_key_id "$zsk2") +( + cd signer || exit 1 + # Set times such that the current set of keys are introduced 60 days ago and + # start signing now. The successor key is prepublished now and will be active + # next day. + $SETTIME -P now-60d -A now $ksk >/dev/null + $SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 >/dev/null + $SETTIME -S $zsk1 -i 1h $zsk2.key >/dev/null + $SETTIME -P now -A now+1d $zsk2.key >/dev/null + # Sign the zone with initial keys and prepublish successor. The zone signatures + # are valid for 30 days and the DNSKEY signature is valid for 60 days. + cp -f $zone.db.in $zone.db + $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null + echo "\$INCLUDE \"$zone.db.signed\"" >>$zone.db +) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed: missing signatures from key $zskid1" +status=$((status + ret)) + +echo_i "check dnssec-signzone retains signatures of predecessor zsk ($n)" +ret=0 +zone=prepub +( + cd signer || exit 1 + # Roll the ZSK. The predecessor is inactive from now on and the successor is + # activated. The zone signatures are valid for 30 days and the DNSKEY + # signature is valid for 60 days. Because of the predecessor/successor + # relationship, the signatures of the predecessor are retained and no new + # signatures with the successor should be generated. 
+ $SETTIME -A now-30d -I now -D now+30d $zsk1 >/dev/null + $SETTIME -A now $zsk2 >/dev/null + $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null +) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "check dnssec-signzone swaps zone signatures after interval ($n)" +ret=0 +zone=prepub +( + cd signer || exit 1 + # After some time the signatures should be replaced. When signing, set the + # interval to 30 days plus one second, meaning all predecessor signatures + # are within the refresh interval and should be replaced with successor + # signatures. + $SETTIME -A now-50d -I now-20d -D now+10d $zsk1 >/dev/null + $SETTIME -A now-20d $zsk2 >/dev/null + $SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db >/dev/null +) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)" +ret=0 +zone=example +# If dnssec-keygen fails, the test script will exit immediately. Prevent that +# from happening, and also trigger a test failure if dnssec-keygen unexpectedly +# succeeds, by using "&& ret=1". 
+$KEYGEN -a 255 $zone >dnssectools.out.test$n 2>&1 && ret=1 +grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that a DS record cannot be generated for a key using an unsupported algorithm ($n)" +ret=0 +zone=example +# Fake an unsupported algorithm key +unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp +mv ${unsupportedkey}.tmp ${unsupportedkey}.key +# If dnssec-dsfromkey fails, the test script will exit immediately. Prevent +# that from happening, and also trigger a test failure if dnssec-dsfromkey +# unexpectedly succeeds, by using "&& ret=1". +$DSFROMKEY ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1 +grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)" +ret=0 +ret=0 +cat signer/example.db.in "${unsupportedkey}.key" >signer/example.db +# If dnssec-signzone fails, the test script will exit immediately. Prevent that +# from happening, and also trigger a test failure if dnssec-signzone +# unexpectedly succeeds, by using "&& ret=1". 
+$SIGNER -o example signer/example.db ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1 +grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that we can sign a zone with out-of-zone records ($n)" +ret=0 +zone=example +key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) +key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) +( + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -o example -f example.db example.db >/dev/null +) || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)" +ret=0 +zone=example +key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) +key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) +( + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -3 - -H 10 -o example -f example.db example.db >/dev/null + awk '/^IQF9LQTLK/ { + printf("%s", $0); + while (!index($0, ")")) { + if (getline <= 0) + break; + printf (" %s", $0); + } + printf("\n"); + }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out + + grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 
0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null +) || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)" +ret=0 +zone=example +key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) +key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) +( + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example3.db + echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >>example3.db + $SIGNER -3 - -A -H 10 -o example -f example3.db example3.db >/dev/null + awk '/^IQF9LQTLK/ { + printf("%s", $0); + while (!index($0, ")")) { + if (getline <= 0) + break; + printf (" %s", $0); + } + printf("\n"); + }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out + + grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null +) || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)" +ret=0 +zone=example +key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) +key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) +( + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -o example -f example.db.before example.db >/dev/null + sed 's/60.IN.SOA./50 IN SOA /' example.db.before >example.db.changed + $SIGNER -o example -f example.db.after example.db.changed >/dev/null +) +grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)" +ret=0 +zone=example +key1=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone) +key2=$($KEYGEN -K 
signer -q -a $DEFAULT_ALGORITHM $zone) +keyid2=$(keyfile_to_key_id "$key2") +key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone) +keyid3=$(keyfile_to_key_id "$key3") +( + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -D -o example example.db >/dev/null + + # now switch out key2 for key3 and resign the zone + cat example.db.in "$key1.key" "$key3.key" >example.db + echo "\$INCLUDE \"example.db.signed\"" >>example.db + $SIGNER -D -o example example.db >/dev/null +) || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -RD -o example example.db >/dev/null +) || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone keeps valid signatures from inactive keys ($n)" +ret=0 +zone=example +( + cd signer || exit 1 + cp -f example.db.in example.db + $SIGNER -SD -o example example.db >/dev/null + echo "\$INCLUDE \"example.db.signed\"" >>example.db + # now retire key2 and resign the zone + $SETTIME -I now "$key2" >/dev/null 2>&1 + $SIGNER -SD -o example example.db >/dev/null +) || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -SDQ -o example example.db 
>/dev/null +) || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone retains unexpired signatures ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -Sxt -o example example.db >signer.out.1 + $SIGNER -Sxt -o example -f example.db.signed example.db.signed >signer.out.2 +) || ret=1 +gen1=$(awk '/generated/ {print $3}' signer/signer.out.1) +retain1=$(awk '/retained/ {print $3}' signer/signer.out.1) +gen2=$(awk '/generated/ {print $3}' signer/signer.out.2) +retain2=$(awk '/retained/ {print $3}' signer/signer.out.2) +drop2=$(awk '/dropped/ {print $3}' signer/signer.out.2) +[ "$retain2" -eq $((gen1 + retain1)) ] || ret=1 +[ "$gen2" -eq 0 ] || ret=1 +[ "$drop2" -eq 0 ] || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)" +ret=0 +( + cd signer || exit 1 + # remove NSEC-only keys + rm -f Kexample.+005* + cp -f example.db.in example2.db + cat <>example2.db +sub1.example. IN A 10.53.0.1 +ns.sub2.example. IN A 10.53.0.2 +EOF + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + touch example2.db.signed + $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null +) || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 +( + cd signer || exit 1 + cp -f example.db.in example2.db + cat <>example2.db +sub1.example. IN NS sub1.example. +sub1.example. IN A 10.53.0.1 +sub2.example. IN NS ns.sub2.example. +ns.sub2.example. 
IN A 10.53.0.2 +EOF + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null +) || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)" +ret=0 +( + cd signer || exit 1 + rm -f example2.db.signed + cp -f example.db.in example2.db + cat <>example2.db +sub1.example. IN A 10.53.0.1 +ns.sub2.example. IN A 10.53.0.2 +EOF + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + touch example2.db.signed + $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null +) || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 +( + cd signer || exit 1 + cp -f example.db.in example2.db + cat <>example2.db +sub1.example. IN NS sub1.example. +sub1.example. IN A 10.53.0.1 +sub2.example. IN NS ns.sub2.example. +ns.sub2.example. 
IN A 10.53.0.2 +EOF + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null +) || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone output format ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -O full -f - -Sxt -o example example.db >signer.out.3 2>/dev/null + $SIGNER -O text -f - -Sxt -o example example.db >signer.out.4 2>/dev/null + $SIGNER -O raw -f signer.out.5 -Sxt -o example example.db >/dev/null + $SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db >/dev/null + $SIGNER -O raw -f - -Sxt -o example example.db >signer.out.7 2>/dev/null +) || ret=1 +awk 'BEGIN { found = 0; } + $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 11) exit(1); } + END { if (!found) exit(1); }' signer/signer.out.3 || ret=1 +awk 'BEGIN { found = 0; } + $1 == "example." 
&& $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 7) exit(1); } + END { if (!found) exit(1); }' signer/signer.out.4 || ret=1 +israw1 signer/signer.out.5 || ret=1 +israw0 signer/signer.out.6 || ret=1 +israw1 signer/signer.out.7 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking TTLs are capped by dnssec-signzone -M ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db >/dev/null +) || ret=1 +awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -N date ($n)" +ret=0 +( + cd signer || exit 1 + TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db >/dev/null +) || ret=1 +# shellcheck disable=SC2016 +now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];') +serial=$(awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9) +[ "$now" -eq "$serial" ] || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G ($n)" +ret=0 +( + cd signer || exit 1 + $SETTIME -P ds now -P sync now "$key1" >/dev/null + $SIGNER -G "cdnskey,cds:sha384" -O full -S -f signer.out.$n -o example example2.db >/dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (default) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -O full -S -f signer.out.$n -o example example2.db >/dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test 
$(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (empty) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -G "" -O full -S -f signer.out.$n -o example example2.db >/dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (no CDNSKEY) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -G "cds:sha-256,cds:sha384" -O full -S -f signer.out.$n -o example example2.db >/dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (no CDS) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -G "cdnskey" -O full -S -f signer.out.$n -o example example2.db >/dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (suppress duplicates) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -G 
"cdnskey,cds:sha256,cds:sha256,cdnskey" -O full -S -f signer.out.$n -o example example2.db >/dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (bad argument) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -G "cdnskey,foobar" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 + grep "digest must specify cds:algorithm ('foobar')" signer.err.$n >/dev/null || ret=1 +) +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (bad digest - name) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -G "cdnskey,cds:foobar" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 + grep "bad digest 'cds:foobar'" signer.err.$n >/dev/null || ret=1 +) +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (bad digest - number) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -G "cdnskey,cds:256" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 + grep "bad digest 'cds:256': out of range" signer.err.$n >/dev/null || ret=1 +) +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (unsupported digest - name) ($n)" +ret=0 +( + cd signer || exit 1 + $SIGNER -G "cdnskey,cds:gost" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 + grep "unsupported digest 'cds:gost'" signer.err.$n >/dev/null || ret=1 +) +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking dnssec-signzone -G (unsupported digest - number) ($n)" 
+ret=0 +( + cd signer || exit 1 + $SIGNER -G "cdnskey,cds:200" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1 + grep "unsupported digest 'cds:200'" signer.err.$n >/dev/null || ret=1 +) +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)" +ret=0 +# generate signed zone with MX and AAAA records at apex. +( + cd signer || exit 1 + $KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove >/dev/null + $KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove >/dev/null + echo >remove.db.signed + $SIGNER -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n +) +grep "RRSIG MX" signer/remove.db.signed >/dev/null || { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.pre$n +} +# re-generate signed zone without MX and AAAA records at apex. +( + cd signer || exit 1 + $SIGNER -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n +) +grep "RRSIG MX" signer/remove.db.signed >/dev/null && { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.post$n +} +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 ($n)" +ret=0 +# generate signed zone with MX and AAAA records at apex. +( + cd signer || exit 1 + echo >remove.db.signed + $SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n +) +grep "RRSIG MX" signer/remove.db.signed >/dev/null || { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.pre$n +} +# re-generate signed zone without MX and AAAA records at apex. 
+( + cd signer || exit 1 + $SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n +) +grep "RRSIG MX" signer/remove.db.signed >/dev/null && { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.post$n +} +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that records other than DNSKEY are not signed by a revoked key by dnssec-signzone ($n)" +ret=0 +( + cd signer || exit 0 + key1=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" -f KSK revoke.example) + key2=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" -f KSK revoke.example) + key3=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" revoke.example) + rkey=$(${REVOKE} "$key2") + cat >>revoke.example.db <>revoke.example.db + "${SIGNER}" -o revoke.example revoke.example.db >signer.out.$n +) || ret=1 +keycount=$(grep -c "RRSIG.DNSKEY ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed) +cdscount=$(grep -c "RRSIG.CDS ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed) +soacount=$(grep -c "RRSIG.SOA ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed) +[ $keycount -eq 3 ] || ret=1 +[ $cdscount -eq 2 ] || ret=1 +[ $soacount -eq 1 ] || ret=1 +n=$((n + 1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)" +ret=0 +alg=1 +until test $alg -eq 258; do + zone="keygen-$alg." 
+ case $alg in + 2) # Diffie Helman + alg=$((alg + 1)) + continue + ;; + 157 | 160 | 161 | 162 | 163 | 164 | 165) # private - non standard + alg=$((alg + 1)) + continue + ;; + 1 | 5 | 7 | 8 | 10) # RSA algorithms + key1=$($KEYGEN -a "$alg" -b "2048" "$zone" 2>"keygen-$alg.err" || true) + ;; + 15 | 16) + key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true) + ;; + 256) + key1=$($KEYGEN -a "RSASHA256OID" "$zone" 2>"keygen-$alg.err" || true) + ;; + 257) + key1=$($KEYGEN -a "RSASHA512OID" "$zone" 2>"keygen-$alg.err" || true) + ;; + *) + key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true) + ;; + esac + if grep "unknown algorithm" "keygen-$alg.err" >/dev/null; then + alg=$((alg + 1)) + continue + fi + if grep "unsupported algorithm" "keygen-$alg.err" >/dev/null; then + alg=$((alg + 1)) + continue + fi + if test -z "$key1"; then + echo_i "'$KEYGEN -a $alg': failed" + cat "keygen-$alg.err" + ret=1 + alg=$((alg + 1)) + continue + fi + $SETTIME -I now+4d "$key1.private" >/dev/null + key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2>/dev/null) + test -f "$key2.key" -a -f "$key2.private" || { + ret=1 + echo_i "'dnssec-keygen -S' failed for algorithm: $alg" + } + alg=$((alg + 1)) +done +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "check that 'dnssec-keygen -F' disables rsasha1 ($n)" +ret=0 +if $FEATURETEST --have-fips-mode; then + echo_i "skipped: already in FIPS mode" +elif ! 
$FEATURETEST --fips-provider; then + echo_i "skipped no FIPS provider available" +elif [ $RSASHA1_SUPPORTED = 0 ]; then + echo_i "skipped: RSASHA1 is not supported" +else + $KEYGEN -F -a rsasha1 example.fips 2>keygen.err$n || true + grep -i "unsupported algorithm: RSASHA1" "keygen.err$n" >/dev/null || ret=1 +fi +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "check that 'dnssec-keygen -F' disables nsec3rsasha1 ($n)" +ret=0 +if $FEATURETEST --have-fips-mode; then + echo_i "skipped: already in FIPS mode" +elif ! $FEATURETEST --fips-provider; then + echo_i "skipped: cannot switch to FIPS mode" +elif [ $RSASHA1_SUPPORTED = 0 ]; then + echo_i "skipped: RSASHA1 is not supported" +else + $KEYGEN -F -a nsec3rsasha1 example.fips 2>keygen.err$n || true + grep -i "unsupported algorithm: NSEC3RSASHA1" "keygen.err$n" >/dev/null || ret=1 +fi +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "check that dnssec-keygen honours key tag ranges ($n)" +ret=0 +zone=settagrange +ksk=$("$KEYGEN" -f KSK -q -a $DEFAULT_ALGORITHM -M 0:32767 "$zone") +zsk=$("$KEYGEN" -q -a $DEFAULT_ALGORITHM -M 32768:65535 "$zone") +kid=$(keyfile_to_key_id "$ksk") +zid=$(keyfile_to_key_id "$zsk") +[ $kid -ge 0 -a $kid -le 32767 ] || ret=1 +[ $zid -ge 32768 -a $zid -le 65535 ] || ret=1 +rksk=$($REVOKE -R $ksk) +rzsk=$($REVOKE -R $zsk) +krid=$(keyfile_to_key_id "$rksk") +zrid=$(keyfile_to_key_id "$rzsk") +[ $krid -ge 0 -a $krid -le 32767 ] || ret=1 +[ $zrid -ge 32768 -a $zrid -le 65535 ] || ret=1 +n=$((n + 1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "check dnssec-dsfromkey from stdin ($n)" +ret=0 +cat algroll.dnskey | $DSFROMKEY -f - algroll. 
>dsfromkey.out.test$n +NF=$(awk '{print NF}' dsfromkey.out.test$n | sort -u) +[ "${NF}" = 7 ] || ret=1 +# make canonical +awk '/^algroll/ { + for (i=1;i<7;i++) printf("%s ", $i); + for (i=7;i<=NF;i++) printf("%s", $i); + printf("\n"); +}' canonical1.$n || ret=1 +awk '/^algroll/ { + for (i=1;i<7;i++) printf("%s ", $i); + for (i=7;i<=NF;i++) printf("%s", $i); + printf("\n"); +}' canonical2.$n || ret=1 +diff -b canonical1.$n canonical2.$n >/dev/null 2>&1 || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +# Intentionally strip ".key" from keyfile name to ensure the error message +# includes it anyway to avoid confusion (RT #21731) +echo_i "check dnssec-dsfromkey error message when keyfile is not found ($n)" +ret=0 +key=$($KEYGEN -a $DEFAULT_ALGORITHM -q example. 2>/dev/null) || ret=1 +mv "$key.key" "$key" +$DSFROMKEY "$key" >dsfromkey.out.$n 2>&1 && ret=1 +grep "$key.key: file not found" dsfromkey.out.$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "check dnssec-dsfromkey with revoked key ($n)" +ret=0 +$DSFROMKEY -f revkey.dnskey revkey.example. >dsfromkey.out.test$n || ret=1 +test $(wc -l Date: Tue, 1 Jul 2025 21:37:58 -0700 Subject: [PATCH 04/14] convert TAT tests to python the trust-anchor-telemetry tests have been moved to a new python subtest, dnssec/tests_tat.py. --- bin/tests/system/dnssec/tests.sh | 48 ---------------------- bin/tests/system/dnssec/tests_tat.py | 61 ++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 48 deletions(-) create mode 100644 bin/tests/system/dnssec/tests_tat.py diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 6bfd910da7..dc5f77bb74 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh 
@@ -2510,54 +2510,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "check that trust-anchor-telemetry queries are logged ($n)" -ret=0 -grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns6/named.run >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that _ta-XXXX trust-anchor-telemetry queries are logged ($n)" -ret=0 -grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that _ta-AAAA trust-anchor-telemetry are not sent when disabled ($n)" -ret=0 -grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)" -ret=0 -dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 >dig.out.ns1.test$n || ret=1 -grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)" -ret=0 -dig_with_opts . 
dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 >dig.out.ns1.test$n || ret=1 -grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run >/dev/null || ret=1 -grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run >/dev/null && ret=1 -stop_server ns1 || ret=1 -nextpart ns1/named.run >/dev/null -start_server --noclean --restart --port ${PORT} ns1 || ret=1 -n=$(($n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "waiting for root server to finish reloading ($n)" -ret=0 -wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 -n=$(($n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "check that the view is logged in messages from the validator when using views ($n)" ret=0 grep "view rec: *validat" ns4/named.run >/dev/null || ret=1 diff --git a/bin/tests/system/dnssec/tests_tat.py b/bin/tests/system/dnssec/tests_tat.py new file mode 100644 index 0000000000..5f527d0964 --- /dev/null +++ b/bin/tests/system/dnssec/tests_tat.py 
@@ -0,0 +1,61 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import re
+
+from dns import edns
+
+import isctest
+
+
+def test_tat_queries(servers):
+ ns1 = servers["ns1"]
+ ns6 = servers["ns6"]
+
+ # check that trust-anchor-telemetry queries are logged
+ with ns6.watch_log_from_start() as watcher:
+ watcher.wait_for_line("sending trust-anchor-telemetry query '_ta-")
+
+ # check that _ta-XXXX trust-anchor-telemetry queries are logged
+ with ns1.watch_log_from_start() as watcher:
+ watcher.wait_for_line("trust-anchor-telemetry '_ta-")
+
+ # check that _ta-AAAA trust-anchor-telemetry are not sent when disabled
+ ns1.log.prohibit("sending trust-anchor-telemetry query '_ta")
+
+ # check that KEY-TAG (ednsopt 14) trust-anchor-telemetry queries are
+ # logged. this matches "dig . dnskey +ednsopt=KEY-TAG:ffff":
+ msg = isctest.query.create(".", "DNSKEY")
+ opt = edns.GenericOption(14, b"\xff\xff")
+ msg.use_edns(edns=True, options=[opt])
+ pattern = re.compile("trust-anchor-telemetry './IN' from .* 65535")
+ with ns1.watch_log_from_here() as watcher:
+ res = isctest.query.tcp(msg, "10.53.0.1")
+ watcher.wait_for_line(pattern)
+
+ # check that multiple KEY-TAG trust-anchor-telemetry options don't
+ # leak memory, by stopping and restarting the server (a memory leak
+ # would trigger a core dump).
+ msg = isctest.query.create(".", "DNSKEY")
+ opt1 = edns.GenericOption(14, b"\xff\xff")
+ opt2 = edns.GenericOption(14, b"\xff\xfe")
+ msg.use_edns(edns=True, options=[opt2, opt1])
+ pattern = re.compile("trust-anchor-telemetry './IN' from .* 65534")
+ with ns1.watch_log_from_here() as watcher:
+ res = isctest.query.tcp(msg, "10.53.0.1")
+ isctest.check.noerror(res)
+ watcher.wait_for_line(pattern)
+
+ ns1.stop()
+ with ns1.watch_log_from_here() as watcher:
+ ns1.start(["--noclean", "--restart", "--port", os.environ["PORT"]])
+ watcher.wait_for_line("all zones loaded")
From 8ddec41987c9f9283800fa0b4a4b302e701d545c Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Fri, 27 Jun 2025 17:43:13 -0700
Subject: [PATCH 05/14] convert dnssec-policy tests to python

move the signatures-validity tests to tests_policy.py
---
 bin/tests/system/dnssec/ns3/named.conf.j2 | 29 ++++---
 bin/tests/system/dnssec/ns3/siginterval1.conf | 19 ----
 bin/tests/system/dnssec/ns3/siginterval2.conf | 19 ----
 bin/tests/system/dnssec/setup.sh | 5 --
 bin/tests/system/dnssec/tests.sh | 87 ------------------
 bin/tests/system/dnssec/tests_policy.py | 86 ++++++++++++++++++
 6 files changed, 101 insertions(+), 144 deletions(-)
 delete mode 100644 bin/tests/system/dnssec/ns3/siginterval1.conf
 delete mode 100644 bin/tests/system/dnssec/ns3/siginterval2.conf
 create mode 100644 bin/tests/system/dnssec/tests_policy.py

diff --git a/bin/tests/system/dnssec/ns3/named.conf.j2 b/bin/tests/system/dnssec/ns3/named.conf.j2
index a9a1b207bf..47d0422ad2 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.j2
+++ b/bin/tests/system/dnssec/ns3/named.conf.j2
@@ -13,6 +13,8 @@
 // NS3
+{% set long_sigs = long_sigs | default(False) %}
+
 options {
 query-source address 10.53.0.3;
 notify-source 10.53.0.3;
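Review bot: The first KEY-TAG check assigns `res = isctest.query.tcp(msg, "10.53.0.1")` but never inspects it, while the second block does `isctest.check.noerror(res)`; a SERVFAIL or truncated reply there would only show up as a log-watch timeout, so add `isctest.check.noerror(res)` after the first query as well. The multi-option check is also weaker than the shell test it replaces: that one sent fffe and fffd and additionally asserted that 65533 was never logged (only the first KEY-TAG option is reported), whereas here the second option reuses ffff, which the previous query already caused to be logged, so no absence check is possible. Using `opt1 = edns.GenericOption(14, b"\xff\xfd")` and adding an absence check for `'./IN' from .* 65533` (via `ns1.log.prohibit`, if it accepts that text) would restore the original assertion. The comment that a leak "would trigger a core dump" is an inference about the harness; it would be clearer to say the restart is where the leak detector runs, if that is the mechanism.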
@@ -464,28 +466,27 @@ zone "extended-ds-unknown-oid.example" { file "extended-ds-unknown-oid.example.db.signed"; }; -dnssec-policy "siginterval1" { +dnssec-policy "siginterval" { keys { ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; }; - signatures-validity 1d; - signatures-refresh 21h; + {% if long_sigs %} + signatures-validity 35d; + signatures-refresh 28d; + {% else %} + signatures-validity 1d; + signatures-refresh 21h; + {% endif %} signatures-validity-dnskey 90d; }; -dnssec-policy "siginterval2" { - keys { - ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - }; - - signatures-validity 35d; - signatures-refresh 28d; - signatures-validity-dnskey 90d; +zone "siginterval.example" { + type primary; + allow-update { any; }; + dnssec-policy siginterval; + file "siginterval.example.db"; }; -include "siginterval.conf"; - include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns3/siginterval1.conf b/bin/tests/system/dnssec/ns3/siginterval1.conf deleted file mode 100644 index 1d82f680d1..0000000000 --- a/bin/tests/system/dnssec/ns3/siginterval1.conf +++ /dev/null @@ -1,19 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -zone "siginterval.example" { - type primary; - allow-update { any; }; - dnssec-policy siginterval1; - file "siginterval.example.db"; -}; 
diff --git a/bin/tests/system/dnssec/ns3/siginterval2.conf b/bin/tests/system/dnssec/ns3/siginterval2.conf deleted file mode 100644 index fa9c6267fe..0000000000 --- a/bin/tests/system/dnssec/ns3/siginterval2.conf +++ /dev/null @@ -1,19 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -zone "siginterval.example" { - type primary; - allow-update { any; }; - dnssec-policy siginterval2; - file "siginterval.example.db"; -}; diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh index c6234f686c..14970719b9 100644 --- a/bin/tests/system/dnssec/setup.sh +++ b/bin/tests/system/dnssec/setup.sh @@ -28,11 +28,6 @@ copy_setports ns4/named1.conf.in ns4/named.conf } >>../ns3/bogus.example.db.signed ) -( - cd ns3 - cp -f siginterval1.conf siginterval.conf -) - ( cd ns5 $SHELL sign.sh diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index dc5f77bb74..b0033f6127 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -25,10 +25,6 @@ dig_with_opts() { "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" } -dig_with_additionalopts() { - "$DIG" +noall +additional +dnssec -p "$PORT" "$@" -} - dig_with_answeropts() { "$DIG" +noall +answer +dnssec -p "$PORT" "$@" } @@ -79,11 +75,6 @@ checkprivate() { return 1 } -# strip NS and RRSIG NS from input -stripns() { - awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' "$1" -} - # # Ensure there is not multiple consecutive blank lines. # Ensure there is a blank line before "Start view" and 
@@ -1616,26 +1607,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "checking that the NSEC record is properly generated when DNSKEY are added by dnssec-policy ($n)" -ret=0 -dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 -grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added by dnssec-policy ($n)" -ret=0 -dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 -grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "checking that signing records have been marked as complete ($n)" ret=0 checkprivate dynamic.example 10.53.0.3 || ret=1 
@@ -2060,53 +2031,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "check that increasing the signatures-validity resigning triggers re-signing ($n)" -ret=0 -before=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA) -cp ns3/siginterval2.conf ns3/siginterval.conf -rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i -i=10 -while [ "$i" -ge 0 ]; do - after=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA) - test "$before" != "$after" && break - sleep 1 - i=$((i - 1)) -done -n=$((n + 1)) -if test "$before" = "$after"; then - echo_i "failed" - ret=1 -fi -status=$((status + ret)) - -if [ -x "$PYTHON" ]; then - echo_i "check signatures-validity-dnskey sets longer expiry for DNSKEY ($n)" - ret=0 - rndccmd 10.53.0.3 sign siginterval.example 2>&1 | sed 's/^/ns3 /' | cat_i - # convert expiry date to a comma-separated list of integers python can - # use as input to date(). strip leading 0s in months and days so - # python3 will recognize them as integers. - $DIG +dnssec +short -p "$PORT" @10.53.0.3 soa siginterval.example >dig.out.soa.test$n || ret=1 - soaexpire=$(awk '$1 ~ /SOA/ { print $5 }' dig.out.soa.test$n \ - | sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' \ - | sed 's/ 0/ /g') - $DIG +dnssec +short -p "$PORT" @10.53.0.3 dnskey siginterval.example >dig.out.dnskey.test$n || ret=1 - dnskeyexpire=$(awk '$1 ~ /DNSKEY/ { print $5; exit 0 }' dig.out.dnskey.test$n \ - | sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' \ - | sed 's/ 0/ /g') - $PYTHON >python.out.$n <&1 | sed 's/^/ns4 /' | cat_i sleep 3 
@@ -3009,17 +2933,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "checking signatures-validity second field hours vs days ($n)" -ret=0 -# zone configured with 'signatures-validity 500d; signatures-refresh 1d' -# 499 days in the future w/ a 20 minute runtime to now allowance -min=$(TZ=UTC $PERL -e '@lt=localtime(time() + 499*3600*24 - 20*60); printf "%.4d%0.2d%0.2d%0.2d%0.2d%0.2d\n",$lt[5]+1900,$lt[4]+1,$lt[3],$lt[2],$lt[1],$lt[0];') -dig_with_opts @10.53.0.2 hours-vs-days AXFR >dig.out.ns2.test$n -awk -v min=$min '$4 == "RRSIG" { if ($9 < min) { exit(1); } }' dig.out.ns2.test$n || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "checking validation succeeds during transition to signed ($n)" ret=0 dig_with_opts @10.53.0.4 inprogress A >dig.out.ns4.test$n || ret=1 diff --git a/bin/tests/system/dnssec/tests_policy.py b/bin/tests/system/dnssec/tests_policy.py new file mode 100644 index 0000000000..bbeb8189b3 --- /dev/null +++ b/bin/tests/system/dnssec/tests_policy.py 
@@ -0,0 +1,86 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from datetime import timedelta
+import time
+
+from dns import rdatatype
+
+import isctest
+
+
+def is_rrsig_soa(rrset):
+ return rrset.rdtype == rdatatype.RRSIG and rrset.covers == rdatatype.SOA
+
+
+def test_signatures_validity(servers, templates):
+ # check that increasing signatures-validity triggers resigning
+ msg = isctest.query.create("siginterval.example.", "AXFR")
+ res = isctest.query.tcp(msg, "10.53.0.3")
+ before = next(filter(is_rrsig_soa, res.answer))
+
+ ns3 = servers["ns3"]
+ templates.render("ns3/named.conf", {"long_sigs": True})
+ with ns3.watch_log_from_here() as watcher:
+ ns3.reconfigure(log=False)
+ watcher.wait_for_line("siginterval.example/IN (signed): sending notifies")
+
+ res = isctest.query.tcp(msg, "10.53.0.3")
+ after = next(filter(is_rrsig_soa, res.answer))
+
+ assert after != before
+
+ ns3.rndc("sign siginterval.example", log=False)
+
+ msg = isctest.query.create("siginterval.example.", "SOA")
+ res = isctest.query.tcp(msg, "10.53.0.3")
+ sexp = res.answer[-1][0].expiration
+
+ msg = isctest.query.create("siginterval.example.", "DNSKEY")
+ res = isctest.query.tcp(msg, "10.53.0.3")
+ kexp = res.answer[-1][0].expiration
+
+ delta = timedelta(seconds=kexp - sexp)
+ assert delta > timedelta(days=54)
+
+
+def test_signatures_validity_hours_vs_days():
+ # zone configured with 'signatures-validity 500d; signatures-refresh 1d'
+ msg = isctest.query.create("hours-vs-days.", "AXFR")
+ res = isctest.query.tcp(msg, "10.53.0.2")
+
+ # 499 days in the future w/ a 20 minute runtime to now allowance
+ future = timedelta(days=499) - timedelta(minutes=20)
+ minimum = time.time() + future.total_seconds()
+ for rrset in res.answer:
+ if rrset.rdtype != rdatatype.RRSIG:
+ continue
+ assert rrset[0].expiration >= minimum
+
+
+def test_nsec_chain():
+ # check that NSEC records are properly generated when DNSKEYs
+ # are added by dnssec-policy
+ msg = isctest.query.create("auto-nsec.example", "A")
+ res = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.adflag(res)
+ assert [a for a in res.authority if a.rdtype == rdatatype.NSEC]
+
+
+def test_nsec3_chain():
+ # check that NSEC3 records are properly generated when DNSKEYs
+ # are added by dnssec-policy
+ msg = isctest.query.create("auto-nsec3.example", "A")
+ res = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.adflag(res)
+ assert [a for a in res.authority if a.rdtype == rdatatype.NSEC3]
From 950df056b354bd45cd29c3a709b1b0e1417a84d9 Mon Sep 17 00:00:00 2001
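Review bot: `sexp = res.answer[-1][0].expiration` and `kexp = res.answer[-1][0].expiration` in test_signatures_validity rely on the RRSIG set being the last rrset in the answer section, which is a response-ordering detail rather than a guarantee, and an AttributeError there would be hard to diagnose; the file already defines `is_rrsig_soa`, so select by type instead, e.g. `sexp = next(r for r in res.answer if r.rdtype == rdatatype.RRSIG and r.covers == rdatatype.SOA)[0].expiration`, with the same shape using `rdatatype.DNSKEY` for `kexp`. test_nsec_chain and test_nsec3_chain also drop an assertion the removed shell tests made: those grepped for an NSEC/NSEC3 record whose type bitmap lists DNSKEY, whereas the new tests only check that some NSEC/NSEC3 rrset exists in the authority section, so the "DNSKEY added by dnssec-policy" part of the test name is no longer verified; `assert any("DNSKEY" in rr.to_text() for rrset in nsec for rr in rrset)` on the filtered list would keep the original intent. test_signatures_validity also leaves ns3 re-rendered with `long_sigs: True` for every later test in the run; if that is intended, a one-line comment saying so would save the next reader a detour.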
From: Evan Hunt Date: Thu, 26 Jun 2025 20:29:24 -0700 Subject: [PATCH 06/14] convert dnssec validation tests to python begin converting DNSSEC validation tests from shell to python, and simplify the name servers used in the test. ns4, the name server used for validation tests, is now configured using jinja2 templates. ns8, which was previously used for testing unsupported, disabled and revoked keys and trust anchors, has been removed. we now use a jinja2 configuration in ns5 for this purpose. the configurations in ns7 and ns6 didn't conflict with one another, so the two servers have been merged into one. --- bin/tests/system/dnssec/README | 13 +- bin/tests/system/dnssec/ns1/sign.sh | 2 - bin/tests/system/dnssec/ns2/example.db.in | 5 +- .../system/dnssec/ns3/auto-nsec.example.db.in | 2 +- .../dnssec/ns3/auto-nsec3.example.db.in | 2 +- .../system/dnssec/ns3/expired.example.db.in | 4 +- .../system/dnssec/ns3/expiring.example.db.in | 2 +- .../system/dnssec/ns3/secure.example.db.in | 2 +- bin/tests/system/dnssec/ns3/sign.sh | 8 +- .../dnssec/ns3/update-nsec3.example.db.in | 2 +- bin/tests/system/dnssec/ns4/named.conf.j2 | 119 + bin/tests/system/dnssec/ns4/named1.conf.in | 50 - bin/tests/system/dnssec/ns4/named2.conf.in | 43 - bin/tests/system/dnssec/ns4/named3.conf.in | 46 - bin/tests/system/dnssec/ns4/named4.conf.in | 90 - bin/tests/system/dnssec/ns5/named.conf.j2 | 21 +- bin/tests/system/dnssec/ns6/named.args | 1 - bin/tests/system/dnssec/ns6/named.conf.j2 | 11 + bin/tests/system/dnssec/ns6/named.nonearest | 12 + .../system/dnssec/{ns7 => ns6}/named.nosoa | 0 bin/tests/system/dnssec/ns6/named.tat=1 | 12 + .../{ns7 => ns6}/nosoa.secure.example.db | 2 +- bin/tests/system/dnssec/ns6/sign.sh | 25 + .../dnssec/{ns7 => ns6}/split-rrsig.db.in | 0 bin/tests/system/dnssec/ns7/named.conf.j2 | 76 - bin/tests/system/dnssec/ns7/sign.sh | 44 - bin/tests/system/dnssec/ns8/named.conf.j2 | 47 - bin/tests/system/dnssec/setup.sh | 2 - bin/tests/system/dnssec/tests.sh | 2173 
+---------------- bin/tests/system/dnssec/tests_sh_dnssec.py | 6 +- bin/tests/system/dnssec/tests_validation.py | 1606 ++++++++++++ bin/tests/system/isctest/mark.py | 9 + bin/tests/system/start.pl | 4 +- 33 files changed, 1845 insertions(+), 2596 deletions(-) create mode 100644 bin/tests/system/dnssec/ns4/named.conf.j2 delete mode 100644 bin/tests/system/dnssec/ns4/named1.conf.in delete mode 100644 bin/tests/system/dnssec/ns4/named2.conf.in delete mode 100644 bin/tests/system/dnssec/ns4/named3.conf.in delete mode 100644 bin/tests/system/dnssec/ns4/named4.conf.in delete mode 100644 bin/tests/system/dnssec/ns6/named.args create mode 100644 bin/tests/system/dnssec/ns6/named.nonearest rename bin/tests/system/dnssec/{ns7 => ns6}/named.nosoa (100%) create mode 100644 bin/tests/system/dnssec/ns6/named.tat=1 rename bin/tests/system/dnssec/{ns7 => ns6}/nosoa.secure.example.db (97%) rename bin/tests/system/dnssec/{ns7 => ns6}/split-rrsig.db.in (100%) delete mode 100644 bin/tests/system/dnssec/ns7/named.conf.j2 delete mode 100644 bin/tests/system/dnssec/ns7/sign.sh delete mode 100644 bin/tests/system/dnssec/ns8/named.conf.j2 create mode 100644 bin/tests/system/dnssec/tests_validation.py diff --git a/bin/tests/system/dnssec/README b/bin/tests/system/dnssec/README index fcaa3b6c80..c72442c61b 100644 --- a/bin/tests/system/dnssec/README +++ b/bin/tests/system/dnssec/README 
@@ -19,14 +19,11 @@ ns4 is a caching-only server, configured with the correct trusted key for the root. ns5 is a caching-only server, configured with the an incorrect trusted -key for the root. It is used for testing failure cases. +key for the root, or with unsupported and disabled algorithms. It is used +for testing failure cases. -ns6 is an caching and authoritative server used for testing unusual -server behaviors such as disabled DNSSEC algorithms. - -ns7 is used for checking non-cacheable answers. - -ns8 is a caching-only server, configured with unsupported and disabled -algorithms. It is used for testing failure cases. +ns6 is a caching and authoritative server used for testing unusual +server behaviors such as disabled DNSSEC algorithms and non-cacheable +responses. It runs with -T nonearest, -T nosoa, and -T tat=3. ns9 is a forwarding-only server. diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh index bd434aeb80..02c9e18320 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -22,7 +22,6 @@ zonefile=root.db (cd ../ns2 && $SHELL sign.sh) (cd ../ns6 && $SHELL sign.sh) -(cd ../ns7 && $SHELL sign.sh) echo_i "ns1/sign.sh" @@ -51,7 +50,6 @@ cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf cp trusted.conf ../ns6/trusted.conf -cp trusted.conf ../ns7/trusted.conf cp trusted.conf ../ns9/trusted.conf keyfile_to_static_keys "$ksk" >trusted.keys diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in index 1efb1755b4..c725132988 100644 --- a/bin/tests/system/dnssec/ns2/example.db.in +++ b/bin/tests/system/dnssec/ns2/example.db.in @@ -9,7 +9,7 @@ ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. -$TTL 300 ; 5 minutes +$TTL 3600 ; 1 hour @ IN SOA mname1. . ( 2000042407 ; serial 20 ; refresh (20 seconds) 
@@ -106,6 +106,9 @@ ns.dnskey-unknown A 10.53.0.3 dnskey-unsupported NS ns.dnskey-unsupported ns.dnskey-unsupported A 10.53.0.3 +dnskey-unsupported-2 NS ns.dnskey-unsupported +ns.dnskey-unsupported-2 A 10.53.0.3 + ds-unsupported NS ns.ds-unsupported ns.ds-unsupported A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in b/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in index a7792fd3b8..34006877b3 100644 --- a/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in +++ b/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in @@ -34,7 +34,7 @@ insecure NS ns.insecure ns.insecure A 10.53.0.2 nosoa NS ns.nosoa -ns.nosoa A 10.53.0.7 +ns.nosoa A 10.53.0.6 normalthenrrsig A 10.0.0.28 rrsigonly A 10.0.0.29 diff --git a/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in index a7792fd3b8..34006877b3 100644 --- a/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in +++ b/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in @@ -34,7 +34,7 @@ insecure NS ns.insecure ns.insecure A 10.53.0.2 nosoa NS ns.nosoa -ns.nosoa A 10.53.0.7 +ns.nosoa A 10.53.0.6 normalthenrrsig A 10.0.0.28 rrsigonly A 10.0.0.29 diff --git a/bin/tests/system/dnssec/ns3/expired.example.db.in b/bin/tests/system/dnssec/ns3/expired.example.db.in index b7706d3c9f..eaee74b765 100644 --- a/bin/tests/system/dnssec/ns3/expired.example.db.in +++ b/bin/tests/system/dnssec/ns3/expired.example.db.in @@ -9,7 +9,7 @@ ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. -$TTL 300 ; 5 minutes +$TTL 3600 ; 1 hour @ IN SOA mname1. . ( 2000042407 ; serial 20 ; refresh (20 seconds) @@ -36,7 +36,7 @@ insecure NS ns.insecure ns.insecure A 10.53.0.2 nosoa NS ns.nosoa -ns.nosoa A 10.53.0.7 +ns.nosoa A 10.53.0.6 normalthenrrsig A 10.0.0.28 rrsigonly A 10.0.0.29 
diff --git a/bin/tests/system/dnssec/ns3/expiring.example.db.in b/bin/tests/system/dnssec/ns3/expiring.example.db.in index 8acf7b121e..be3e680354 100644 --- a/bin/tests/system/dnssec/ns3/expiring.example.db.in +++ b/bin/tests/system/dnssec/ns3/expiring.example.db.in @@ -9,7 +9,7 @@ ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. -$TTL 300 ; 5 minutes +$TTL 3600 ; 1 hour @ IN SOA mname1. . ( 2000042407 ; serial 20 ; refresh (20 seconds) diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in index 9aebd98007..5859ebcdc5 100644 --- a/bin/tests/system/dnssec/ns3/secure.example.db.in +++ b/bin/tests/system/dnssec/ns3/secure.example.db.in @@ -39,7 +39,7 @@ insecure NS ns2.insecure ns2.insecure A 10.53.0.2 nosoa NS ns.nosoa -ns.nosoa A 10.53.0.7 +ns.nosoa A 10.53.0.6 normalthenrrsig A 10.0.0.28 rrsigonly A 10.0.0.29 diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index 8cf46a2f06..58da7378f0 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -53,7 +53,7 @@ for tld in managed trusted; do "$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed - # Make trusted-keys and managed keys conf sections for ns8. + # Make trusted-keys and managed keys conf sections for ns5/many_anchors. mv ${keyname4}.key ${keyname4}.tmp awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp >${keyname4}.key 
@@ -67,10 +67,10 @@ for tld in managed trusted; do case $tld in "managed") - keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/managed.conf + keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns5/many-managed.conf ;; "trusted") - keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/trusted.conf + keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns5/many-trusted.conf ;; esac done @@ -324,7 +324,7 @@ $DSFROMKEY -2 -A -f ${zonefile}.signed "$zone" | tail -1 >>"$DSFILE" # # A zone which is fine by itself (supported algorithm) but that is used -# to mimic unsupported DS digest (see ns8). +# to mimic unsupported DS digest (see ns5/many_anchors). # zone=ds-unsupported.example. infile=ds-unsupported.example.db.in diff --git a/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in index a7792fd3b8..34006877b3 100644 --- a/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in +++ b/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in @@ -34,7 +34,7 @@ insecure NS ns.insecure ns.insecure A 10.53.0.2 nosoa NS ns.nosoa -ns.nosoa A 10.53.0.7 +ns.nosoa A 10.53.0.6 normalthenrrsig A 10.0.0.28 rrsigonly A 10.0.0.29 diff --git a/bin/tests/system/dnssec/ns4/named.conf.j2 b/bin/tests/system/dnssec/ns4/named.conf.j2 new file mode 100644 index 0000000000..9a67908bde --- /dev/null +++ b/bin/tests/system/dnssec/ns4/named.conf.j2 
@@ -0,0 +1,119 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS11 + + +{% set managed_key = managed_key | default(False) %} +{% set accept_expired = accept_expired | default(False) %} +{% set multi_view = multi_view | default(False) %} + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion yes; + minimal-responses no; + + {% if accept_expired %} + dnssec-accept-expired yes; + {% endif %} + + {% if managed_key %} + dnssec-validation auto; + bindkeys-file "managed.conf"; + {% else %} + # Note: We only reference the bind.keys file here to + # confirm that it is *not* being used. It contains the + # real root key, and we're using a local toy root zone for + # the tests, so it wouldn't work. But dnssec-validation + # is set to "yes" not "auto", so that won't matter. + dnssec-validation yes; + bindkeys-file "../../../../../bind.keys"; + {% endif %} + + disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; + disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; + disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; + disable-algorithms "badalg.secure.example." 
{ ECDSAP256SHA256; }; +}; + +{% if not managed_key %} +include "trusted.conf"; +{% endif %} + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +{% if multi_view %} + view rec { + match-recursive-only yes; + recursion yes; + dnssec-accept-expired yes; + minimal-responses no; + dnssec-validation yes; + + include "trusted.conf"; + + zone "." { + type hint; + file "../../_common/root.hint"; + }; + + zone secure.example { + type static-stub; + server-addresses { 10.53.0.4; }; + }; + + zone insecure.secure.example { + type static-stub; + server-addresses { 10.53.0.4; }; + }; + }; + + view auth { + recursion no; + allow-recursion { none; }; + dnssec-validation no; + + zone "." { + type hint; + file "../../_common/root.hint"; + }; + + zone secure.example { + type secondary; + primaries { 10.53.0.3; }; + }; + + zone insecure.secure.example { + type secondary; + primaries { 10.53.0.2; }; + }; + }; +{% else %} + zone "." { + type hint; + file "../../_common/root.hint"; + }; +{% endif %} diff --git a/bin/tests/system/dnssec/ns4/named1.conf.in b/bin/tests/system/dnssec/ns4/named1.conf.in deleted file mode 100644 index 66975a352a..0000000000 --- a/bin/tests/system/dnssec/ns4/named1.conf.in +++ /dev/null 
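Review bot: The header comment `// NS11` at the top of the new ns4/named.conf.j2 does not match the server it configures — every own-address in the file is 10.53.0.4 and the deleted named1.conf.in read `// NS4` — so it should be `// NS4`. The template also drops `servfail-ttl 0;`, which named3.conf.in set together with `dnssec-accept-expired yes`; if the expired-signature tests relied on SERVFAIL not being cached, add `servfail-ttl 0;` inside the `{% if accept_expired %}` block, and note that reproducing named3 now requires passing both `accept_expired` and `managed_key`. With `multi_view` set and `managed_key` unset, `trusted.conf` is included at global scope and again inside `view rec`, which named4.conf.in did not do; that is probably harmless but a `named-checkconf` run on the rendered file would confirm the duplicated anchors are accepted. Finally, the `disable-algorithms`/`disable-ds-digests` statements that were specific to named4.conf.in are now unconditional and so apply to the plain and managed-key variants as well; if that is the intended "minimize the differences", a one-line comment above them saying they are shared by all ns4 configurations would stop a reader from treating it as an accident.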
@@ -1,50 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS4 - -options { - query-source address 10.53.0.4; - notify-source 10.53.0.4; - transfer-source 10.53.0.4; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.4; }; - listen-on-v6 { none; }; - recursion yes; - minimal-responses no; - - # Note: We only reference the bind.keys file here to confirm that it - # is *not* being used. It contains the real root key, and we're - # using a local toy root zone for the tests, so it wouldn't work. - # But since dnssec-validation is set to "yes" not "auto", that - # won't matter. - dnssec-validation yes; - bindkeys-file "../../../../../bind.keys"; -}; - -include "trusted.conf"; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -zone "." { - type hint; - file "../../_common/root.hint"; -}; diff --git a/bin/tests/system/dnssec/ns4/named2.conf.in b/bin/tests/system/dnssec/ns4/named2.conf.in deleted file mode 100644 index c8699834f3..0000000000 --- a/bin/tests/system/dnssec/ns4/named2.conf.in +++ /dev/null 
@@ -1,43 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS4 - -options { - query-source address 10.53.0.4; - notify-source 10.53.0.4; - transfer-source 10.53.0.4; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.4; }; - listen-on-v6 { none; }; - recursion yes; - minimal-responses no; - - dnssec-validation auto; - bindkeys-file "managed.conf"; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -zone "." { - type hint; - file "../../_common/root.hint"; -}; diff --git a/bin/tests/system/dnssec/ns4/named3.conf.in b/bin/tests/system/dnssec/ns4/named3.conf.in deleted file mode 100644 index 24012b38e7..0000000000 --- a/bin/tests/system/dnssec/ns4/named3.conf.in +++ /dev/null 
@@ -1,46 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS4 - -options { - query-source address 10.53.0.4; - notify-source 10.53.0.4; - transfer-source 10.53.0.4; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.4; }; - listen-on-v6 { none; }; - recursion yes; - minimal-responses no; - - dnssec-accept-expired yes; - servfail-ttl 0; - - dnssec-validation auto; - bindkeys-file "managed.conf"; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -zone "." { - type hint; - file "../../_common/root.hint"; -}; diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in deleted file mode 100644 index f5b387d0bd..0000000000 --- a/bin/tests/system/dnssec/ns4/named4.conf.in +++ /dev/null 
@@ -1,90 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS4 - -options { - query-source address 10.53.0.4; - notify-source 10.53.0.4; - transfer-source 10.53.0.4; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.4; }; - listen-on-v6 { none; }; - minimal-responses no; - - disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; - disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; - disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; - disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; }; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -key auth { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -view rec { - match-recursive-only yes; - recursion yes; - dnssec-accept-expired yes; - minimal-responses no; - dnssec-validation yes; - - include "trusted.conf"; - - zone "." { - type hint; - file "../../_common/root.hint"; - }; - - zone secure.example { - type static-stub; - server-addresses { 10.53.0.4; }; - }; - - zone insecure.secure.example { - type static-stub; - server-addresses { 10.53.0.4; }; - }; -}; - -view auth { - recursion no; - allow-recursion { none; }; - dnssec-validation no; - - zone "." { - type hint; - file "../../_common/root.hint"; - }; - - zone secure.example { - type secondary; - primaries { 10.53.0.3; }; - }; - - zone insecure.secure.example { - type secondary; - primaries { 10.53.0.2; }; - }; -}; 
diff --git a/bin/tests/system/dnssec/ns5/named.conf.j2 b/bin/tests/system/dnssec/ns5/named.conf.j2 index bdbd1f3b30..a0332d9d6f 100644 --- a/bin/tests/system/dnssec/ns5/named.conf.j2 +++ b/bin/tests/system/dnssec/ns5/named.conf.j2 @@ -13,6 +13,9 @@ // NS5 +{% set revoked_key = revoked_key | default(False) %} +{% set broken_key = broken_key | default(False) %} +{% set many_anchors = many_anchors | default(False) %} options { query-source address 10.53.0.5; notify-source 10.53.0.5; @@ -22,6 +25,14 @@ options { listen-on { 10.53.0.5; 127.0.0.1; }; listen-on-v6 { none; }; recursion yes; + minimal-responses no; + servfail-ttl 0; + +{% if many_anchors %} + dnssec-validation yes; + disable-algorithms "disabled.managed." { @DISABLED_ALGORITHM@; }; + disable-algorithms "disabled.trusted." { @DISABLED_ALGORITHM@; }; +{% endif %} }; key rndc_key { @@ -33,8 +44,6 @@ controls { inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; -{% set revoked_key = revoked_key | default(False) %} -{% set broken_key = broken_key | default(False) %} {% if revoked_key %} view root { match-destinations { 127.0.0.1; }; @@ -62,6 +71,14 @@ controls { }; include "broken.conf"; +{% elif many_anchors %} + zone "." { + type hint; + file "../../_common/root.hint"; + }; + + include "many-managed.conf"; + include "many-trusted.conf"; {% else %} zone "." { type hint; diff --git a/bin/tests/system/dnssec/ns6/named.args b/bin/tests/system/dnssec/ns6/named.args deleted file mode 100644 index 04d5d1b50e..0000000000 --- a/bin/tests/system/dnssec/ns6/named.args +++ /dev/null @@ -1 +0,0 @@ --m record -c named.conf -d 99 -D dnssec-ns6 -g -T maxcachesize=2097152 -T nonearest -T tat=1 diff --git a/bin/tests/system/dnssec/ns6/named.conf.j2 b/bin/tests/system/dnssec/ns6/named.conf.j2 index 2818b7958c..c3c0da6e44 100644 --- a/bin/tests/system/dnssec/ns6/named.conf.j2 +++ b/bin/tests/system/dnssec/ns6/named.conf.j2 
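Review bot: `revoked_key`, `broken_key` and `many_anchors` select mutually exclusive `if`/`elif` branches in the zone section of ns5/named.conf.j2, but the `{% if many_anchors %}` block added to `options` is evaluated independently, so a caller that sets `revoked_key` together with `many_anchors` silently gets the revoked-key views plus `dnssec-validation yes` and the `disable-algorithms` lines. A comment next to the moved `{% set %}` lines, `{# at most one of revoked_key / broken_key / many_anchors may be set; the branches below are not combinable #}`, or a Jinja guard that fails rendering when more than one is true, would make the contract explicit. `servfail-ttl 0;` is also added to every ns5 variant, not only the `many_anchors` one that replaces ns8 (whose deleted options block did not set it), which changes SERVFAIL caching for the revoked-key and broken-key runs; presumably intended, but worth a comment saying why. The `@DISABLED_ALGORITHM@` placeholder carried over from ns8 relies on the template renderer also performing the `@…@` substitution that copy_setports used to do; the surrounding `@CONTROLPORT@` context line suggests it does, but confirm `DISABLED_ALGORITHM` is among the values supplied.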
@@ -37,4 +37,15 @@ zone "optout-tld" {
 file "optout-tld.db.signed";
 };
 
+zone "nosoa.secure.example" {
+ type primary;
+ file "nosoa.secure.example.db";
+};
+
+zone "split-rrsig" {
+ type primary;
+ file "split-rrsig.db.signed";
+ allow-update { any; };
+};
+
 include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns6/named.nonearest b/bin/tests/system/dnssec/ns6/named.nonearest
new file mode 100644
index 0000000000..ba4c4eb3ab
--- /dev/null
+++ b/bin/tests/system/dnssec/ns6/named.nonearest
@@ -0,0 +1,12 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+Add -T nonearest.
diff --git a/bin/tests/system/dnssec/ns7/named.nosoa b/bin/tests/system/dnssec/ns6/named.nosoa
similarity index 100%
rename from bin/tests/system/dnssec/ns7/named.nosoa
rename to bin/tests/system/dnssec/ns6/named.nosoa
diff --git a/bin/tests/system/dnssec/ns6/named.tat=1 b/bin/tests/system/dnssec/ns6/named.tat=1
new file mode 100644
index 0000000000..c5c93e9991
--- /dev/null
+++ b/bin/tests/system/dnssec/ns6/named.tat=1
@@ -0,0 +1,12 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+Add -T tat=1.
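Review bot: The deleted ns6/named.args carried `-T maxcachesize=2097152` alongside `-T nonearest` and `-T tat=1`; the new `named.nonearest` and `named.tat=1` marker files restore the latter two, but nothing in this chunk restores the cache-size override, so ns6 will presumably run with the default cache size unless the framework supplies it some other way. If any test depended on the 2 MB cap, add the equivalent marker (or whatever the framework provides for `-T maxcachesize`); if the cap is no longer needed, say so in the commit message so the drop is visibly deliberate. The `split-rrsig` zone keeps `allow-update { any; };` unchanged from ns7, which is only acceptable because this is a test-jail primary; a comment such as `// open updates: test harness only, never copy into a real config` would keep that from being lifted as a template.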
diff --git a/bin/tests/system/dnssec/ns7/nosoa.secure.example.db b/bin/tests/system/dnssec/ns6/nosoa.secure.example.db
similarity index 97%
rename from bin/tests/system/dnssec/ns7/nosoa.secure.example.db
rename to bin/tests/system/dnssec/ns6/nosoa.secure.example.db
index d3c98783ea..6b7af12553 100644
--- a/bin/tests/system/dnssec/ns7/nosoa.secure.example.db
+++ b/bin/tests/system/dnssec/ns6/nosoa.secure.example.db
@@ -18,5 +18,5 @@ $TTL 300 ; 5 minutes
 3600 ; minimum (1 hour)
 )
 @ IN NS ns
-ns IN A 10.53.0.7
+ns IN A 10.53.0.6
 a IN A 1.2.3.4
diff --git a/bin/tests/system/dnssec/ns6/sign.sh b/bin/tests/system/dnssec/ns6/sign.sh
index 103baf257e..74ae836f71 100644
--- a/bin/tests/system/dnssec/ns6/sign.sh
+++ b/bin/tests/system/dnssec/ns6/sign.sh
@@ -27,3 +27,28 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$keyname.key" >"$zonefile" "$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null 2>&1 + +zone=split-rrsig +infile=split-rrsig.db.in +zonefile=split-rrsig.db + +k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") + +cat "$infile" "$k1.key" "$k2.key" >"$zonefile" + +# The awk script below achieves two goals: +# +# - it puts one of the two RRSIG(SOA) records at the end of the zone file, so +# that these two records (forming a single RRset) are not placed immediately +# next to each other; the test then checks if RRSIG RRsets split this way are +# correctly added to resigning heaps, +# +# - it places a copy of one of the RRSIG(SOA) records somewhere else than at the +# zone apex; the test then checks whether such signatures are automatically +# removed from the zone after it is loaded. +"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" >/dev/null 2>&1 +awk 'BEGIN { r = ""; } + $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; } + { print } + END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" >"$zonefile.signed" diff --git a/bin/tests/system/dnssec/ns7/split-rrsig.db.in b/bin/tests/system/dnssec/ns6/split-rrsig.db.in similarity index 100% rename from bin/tests/system/dnssec/ns7/split-rrsig.db.in rename to bin/tests/system/dnssec/ns6/split-rrsig.db.in diff --git a/bin/tests/system/dnssec/ns7/named.conf.j2 b/bin/tests/system/dnssec/ns7/named.conf.j2 deleted file mode 100644 index b35284664b..0000000000 --- a/bin/tests/system/dnssec/ns7/named.conf.j2 +++ /dev/null 
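Review bot: Both `"$SIGNER"` invocations in this hunk (the existing one in the context and the moved split-rrsig one) discard the signer's diagnostics with `>/dev/null 2>&1`, so when signing fails the test only sees a later validation failure with no cause in the log; dropping the `2>&1`, or redirecting stderr to a file under the test directory, would make such failures attributable. The preamble of ns6/sign.sh is outside the hunk, so it cannot be confirmed here whether it carries the `set -e` that the deleted ns7/sign.sh had and that at least aborts on a failed step. The `-e now-3600 -s now-7200` arguments deliberately produce RRSIGs that are already expired; a short comment above that line, `# signatures are intentionally expired so the zone has to resign them on load`, hedged to whatever the test actually checks, would keep a future reader from "fixing" the dates.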
@@ -1,76 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS3 - -options { - query-source address 10.53.0.7; - notify-source 10.53.0.7; - transfer-source 10.53.0.7; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.7; }; - listen-on-v6 { none; }; - recursion no; - notify yes; - dnssec-validation yes; - minimal-responses yes; -}; - -zone "." { - type hint; - file "../../_common/root.hint"; -}; - -zone "nsec3.example" { - type secondary; - primaries { 10.53.0.3; }; - file "nsec3.example.bk"; -}; - -zone "optout.example" { - type secondary; - primaries { 10.53.0.3; }; - file "optout.example.bk"; -}; - -zone "nsec3-unknown.example" { - type secondary; - primaries { 10.53.0.3; }; - file "nsec3-unknown.example.bk"; -}; - -zone "optout-unknown.example" { - type secondary; - primaries { 10.53.0.3; }; - file "optout-unknown.example.bk"; -}; - -zone "multiple.example" { - type secondary; - primaries { 10.53.0.3; }; - file "multiple.example.bk"; -}; - -zone "nosoa.secure.example" { - type primary; - file "nosoa.secure.example.db"; -}; - -zone "split-rrsig" { - type primary; - file "split-rrsig.db.signed"; - allow-update { any; }; -}; - -include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh deleted file mode 100644 index 7aaceadbb9..0000000000 --- a/bin/tests/system/dnssec/ns7/sign.sh +++ /dev/null 
@@ -1,44 +0,0 @@ -#!/bin/sh -e - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -# shellcheck source=conf.sh -. ../../conf.sh - -set -e - -echo_i "ns7/sign.sh" - -zone=split-rrsig -infile=split-rrsig.db.in -zonefile=split-rrsig.db - -k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") - -cat "$infile" "$k1.key" "$k2.key" >"$zonefile" - -# The awk script below achieves two goals: -# -# - it puts one of the two RRSIG(SOA) records at the end of the zone file, so -# that these two records (forming a single RRset) are not placed immediately -# next to each other; the test then checks if RRSIG RRsets split this way are -# correctly added to resigning heaps, -# -# - it places a copy of one of the RRSIG(SOA) records somewhere else than at the -# zone apex; the test then checks whether such signatures are automatically -# removed from the zone after it is loaded. -"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" >/dev/null 2>&1 -awk 'BEGIN { r = ""; } - $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; } - { print } - END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" >"$zonefile.signed" diff --git a/bin/tests/system/dnssec/ns8/named.conf.j2 b/bin/tests/system/dnssec/ns8/named.conf.j2 deleted file mode 100644 index 2590de1890..0000000000 --- a/bin/tests/system/dnssec/ns8/named.conf.j2 +++ /dev/null 
@@ -1,47 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS8 - -options { - query-source address 10.53.0.8; - notify-source 10.53.0.8; - transfer-source 10.53.0.8; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.8; }; - listen-on-v6 { none; }; - recursion yes; - dnssec-validation yes; - minimal-responses no; - disable-algorithms "disabled.managed." { @DISABLED_ALGORITHM@; }; - disable-algorithms "disabled.trusted." { @DISABLED_ALGORITHM@; }; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -zone "." { - type hint; - file "../../_common/root.hint"; -}; - -include "managed.conf"; -include "trusted.conf"; - diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh index 14970719b9..7c895667fc 100644 --- a/bin/tests/system/dnssec/setup.sh +++ b/bin/tests/system/dnssec/setup.sh @@ -16,8 +16,6 @@ set -e -copy_setports ns4/named1.conf.in ns4/named.conf - ( cd ns1 $SHELL sign.sh diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index b0033f6127..2b4f9c864a 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh 
@@ -75,165 +75,12 @@ checkprivate() { return 1 } -# -# Ensure there is not multiple consecutive blank lines. -# Ensure there is a blank line before "Start view" and -# "Negative trust anchors:". -# Ensure there is not a blank line before "Secure roots:". -# -check_secroots_layout() { - awk '$0 == "" { if (empty) exit(1); empty=1; next } - /Start view/ { if (!empty) exit(1) } - /Secure roots:/ { if (empty) exit(1) } - /Negative trust anchors:/ { if (!empty) exit(1) } - { empty=0 }' $1 || return $? -} - -# Check that for a query against a validating resolver where the -# authoritative zone is unsigned (insecure delegation), glue is returned -# in the additional section -echo_i "checking that additional glue is returned for unsigned delegation ($n)" -ret=0 -$DIG +tcp +dnssec -p "$PORT" a.insecure.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ns\\.insecure\\.example\\..*A.10\\.53\\.0\\.3" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -# Check the example. domain - -echo_i "checking that zone transfer worked ($n)" -for i in 1 2 3 4 5 6 7 8 9; do - ret=0 - dig_with_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 - dig_with_opts a.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n >/dev/null || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 -done -digcomp dig.out.ns2.test$n dig.out.ns3.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# test AD bit: -# - dig +adflag asks for authentication (ad in response) -echo_i "checking AD bit asking for validation ($n)" -ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth +noadd +nodnssec +adflag a.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# test AD bit: -# - dig +noadflag -echo_i "checking that AD is not set without +adflag or +dnssec ($n)" -ret=0 -dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking for AD in authoritative answer ($n)" -ret=0 -dig_with_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive validation NSEC ($n)" -ret=0 -dig_with_opts +noauth a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth a.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking recovery from spoofed server addresses ($n)" -ret=0 -# prime cache with spoofed address records -dig_with_opts +cd target.peer-ns-spoof @10.53.0.4 a >dig.out.prime.ns4.test$n || ret=1 -grep "status: SERVFAIL" dig.out.prime.ns4.test$n >/dev/null || ret=1 -rndccmd 10.53.0.4 dumpdb | sed 's/^/ns4 /' | cat_i -mv ns4/named_dump.db ns4/named_dump.db.test$n >/dev/null || ret=1 -grep "10.53.0.100" ns4/named_dump.db.test$n || ret=1 -# reload server with properly signed zone -cp ns2/peer.peer-ns-spoof.db.next ns2/peer.peer-ns-spoof.db.signed -nextpart ns2/named.run >/dev/null -rndccmd 10.53.0.2 reload peer.peer-ns-spoof | sed 's/^/ns2 /' | cat_i -wait_for_log 5 "zone peer.peer-ns-spoof/IN: loaded serial 2000042408" ns2/named.run || ret=1 -dig_with_opts +noauth test.target.peer-ns-spoof @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags: qr rd ra ad;" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking recovery from stripped DNSKEY RRSIG ($n)" -ret=0 -# prime cache with DNSKEY without RRSIGs -dig_with_opts +noauth +cd dnskey-rrsigs-stripped. 
@10.53.0.4 dnskey >dig.out.prime.ns4.test$n || ret=1 -grep ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1" dig.out.prime.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1 -grep "RRSIG.DNSKEY" dig.out.prime.ns4.test$n >/dev/null && ret=1 -# reload server with properly signed zone -cp ns2/dnskey-rrsigs-stripped.db.next ns2/dnskey-rrsigs-stripped.db.signed -nextpart ns2/named.run >/dev/null -rndccmd 10.53.0.2 reload dnskey-rrsigs-stripped | sed 's/^/ns2 /' | cat_i -wait_for_log 5 "zone dnskey-rrsigs-stripped/IN: loaded serial 2000042408" ns2/named.run || ret=1 -dig_with_opts +noauth b.dnskey-rrsigs-stripped. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth b.dnskey-rrsigs-stripped. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking recovery from stripped DS RRSIG ($n)" -ret=0 -# prime cache with DS without RRSIGs -dig_with_opts +noauth +cd child.ds-rrsigs-stripped. @10.53.0.4 ds >dig.out.prime.ns4.test$n || ret=1 -grep ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.prime.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1 -grep "RRSIG.DS" dig.out.prime.ns4.test$n >/dev/null && ret=1 -# reload server with properly signed zone -cp ns2/ds-rrsigs-stripped.db.next ns2/ds-rrsigs-stripped.db.signed -nextpart ns2/named.run >/dev/null -rndccmd 10.53.0.2 reload ds-rrsigs-stripped | sed 's/^/ns2 /' | cat_i -wait_for_log 5 "zone ds-rrsigs-stripped/IN: loaded serial 2000042408" ns2/named.run || ret=1 -dig_with_opts +noauth b.child.ds-rrsigs-stripped. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth b.child.ds-rrsigs-stripped. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that 'example/DS' from the referral was used in previous validation ($n)" -ret=0 -grep "query 'example/DS/IN' approved" ns1/named.run >/dev/null && ret=1 -grep "fetch: example/DS" ns4/named.run >/dev/null && ret=1 -grep "validating example/DS: starting" ns4/named.run >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - if [ -x "${DELV}" ]; then ret=0 echo_i "checking positive validation NSEC using dns_client ($n)" delv_with_opts @10.53.0.4 a a.example >delv.out$n || ret=1 grep "a.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 - grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n >/dev/null || ret=1 + grep "a.example..*.RRSIG.A [0-9][0-9]* 2 3600 .*" delv.out$n >/dev/null || ret=1 n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) 
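Review bot: This hunk removes roughly 150 lines of dig-based checks — unsigned-delegation glue, AD-bit handling, spoofed-server and stripped-RRSIG recovery, the `example/DS` referral check and the `check_secroots_layout` helper — while its only additions are the `300`→`3600` updates in the delv expectations, and no file in this chunk gains Python counterparts, so please confirm each removed check is present in the accompanying pytest module; the `example/DS` check deserves particular attention because it asserts on `ns1/named.run` and `ns4/named.run` log content rather than on a query result and is easy to lose in a port. The new `2 3600` expectations for `a.example` and `a.wild.example` imply a TTL change to the example zone that is not visible in this chunk (only expiring.example.db.in is changed here), while `a.nsec3.example` still expects `3 300`; that is consistent only if nsec3.example's TTL was left at 300, which is worth a quick check.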
@@ -242,50 +89,22 @@ if [ -x "${DELV}" ]; then echo_i "checking positive validation NSEC using dns_client (trusted-keys) ($n)" "$DELV" -a ns1/trusted.keys -p "$PORT" @10.53.0.4 a a.example >delv.out$n || ret=1 grep "a.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 - grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n >/dev/null || ret=1 + grep "a.example..*.RRSIG.A [0-9][0-9]* 2 3600 .*" delv.out$n >/dev/null || ret=1 n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking positive validation NSEC3 ($n)" -ret=0 -dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking positive validation NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 a a.nsec3.example >delv.out$n || ret=1 grep "a.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 - grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1 + grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300 .*" delv.out$n >/dev/null || ret=1 n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking positive validation OPTOUT ($n)" -ret=0 -dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.optout.example. 
\ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) + SP="[[:space:]]+" -SP="[[:space:]]+" - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking positive validation OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 a a.optout.example >delv.out$n || ret=1 
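Review bot: Removing the `fi` / `if [ -x "${DELV}" ]; then` pairs in this hunk (and likewise in the -294, -362 and -388 hunks) merges all the delv checks into one conditional block, and `SP="[[:space:]]+"` is now assigned only inside it; any later check outside the delv block that still references `$SP` would see it unset, so the remainder of tests.sh (outside this chunk) should be grepped for `SP` before this lands. The resulting single `if` spanning dozens of checks is also harder to scan than the original one-check-per-block layout; a comment at its opening line, `# all remaining delv-based checks; skipped entirely when delv is not built`, would at least make the scope visible.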
@@ -294,66 +113,16 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking positive wildcard validation NSEC ($n)" -ret=0 -dig_with_opts a.wild.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts a.wild.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n -stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n -digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 -grep "\\*\\.wild\\.example\\..*RRSIG NSEC" dig.out.ns4.test$n >/dev/null || ret=1 -grep "\\*\\.wild\\.example\\..*NSEC z\\.example" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking positive wildcard validation NSEC using dns_client ($n)" delv_with_opts @10.53.0.4 a a.wild.example >delv.out$n || ret=1 grep "a.wild.example..*10.0.0.27" delv.out$n >/dev/null || ret=1 - grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" delv.out$n >/dev/null || ret=1 + grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 3600 .*" delv.out$n >/dev/null || ret=1 n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking positive wildcard answer NSEC3 ($n)" -ret=0 -dig_with_opts a.wild.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -grep "AUTHORITY: 4," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive wildcard answer NSEC3 ($n)" -ret=0 -dig_with_opts a.wild.nsec3.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 -grep "AUTHORITY: 4," dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive wildcard validation NSEC3 ($n)" -ret=0 -dig_with_opts a.wild.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts a.wild.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n -stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n -digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 a a.wild.nsec3.example >delv.out$n || ret=1
@@ -362,24 +131,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking positive wildcard validation OPTOUT ($n)" -ret=0 -dig_with_opts a.wild.optout.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts a.wild.optout.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n -stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n -digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 a a.wild.optout.example >delv.out$n || ret=1
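Review bot: The expected RRSIG original TTL in the delv check for a.wild.example moves from `2 300` to `2 3600 ` with nothing in the hunk or the commit description saying why, so a later reader cannot tell whether the signed zone's TTL changed or the earlier expectation was wrong. A one-line comment above the grep, such as `# RRSIG rdata: alg, labels=2, original TTL=3600 (the TTL the wild.example data is signed with)`, would carry that; the source of the 3600 is not visible in this hunk, so confirm it against the zone/signing setup before wording it. The trailing `.*` in the new pattern is redundant for an unanchored `grep -E` and could be dropped. The enclosing `if [ -x "${DELV}" ]` block now begins before this hunk, since the `fi`/`if` pair between the two delv checks is removed.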
@@ -388,20 +140,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking negative validation NXDOMAIN NSEC ($n)" -ret=0 -dig_with_opts +noauth q.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth q.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)" delv_with_opts @10.53.0.4 a q.example >delv.out$n 2>&1 || ret=1
@@ -409,30 +148,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking RRSIG covered type in negative cache entry ($n)" -ret=0 -rndc_dumpdb ns4 -grep -F '; example. RRSIG NSEC ...' ns4/named_dump.db.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking negative validation NXDOMAIN NSEC3 ($n)" -ret=0 -dig_with_opts +noauth q.nsec3.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth q.nsec3.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 a q.nsec3.example >delv.out$n 2>&1 || ret=1
@@ -440,23 +156,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking negative validation NXDOMAIN OPTOUT ($n)" -ret=0 -dig_with_opts +noauth q.optout.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth q.optout.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 a q.optout.example >delv.out$n 2>&1 || ret=1
@@ -464,21 +164,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking negative validation NODATA NSEC ($n)" -ret=0 -dig_with_opts +noauth a.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth a.example. @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 txt a.example >delv.out$n 2>&1 || ret=1
@@ -486,23 +172,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking negative validation NODATA NSEC3 ($n)" -ret=0 -dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 txt a.nsec3.example >delv.out$n 2>&1 || ret=1
@@ -510,23 +180,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking negative validation NODATA OPTOUT ($n)" -ret=0 -dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.optout.example. \ - @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 txt a.optout.example >delv.out$n 2>&1 || ret=1
@@ -534,20 +188,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking negative wildcard validation NSEC ($n)" -ret=0 -dig_with_opts b.wild.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 -dig_with_opts b.wild.example. @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking negative wildcard validation NSEC using dns_client ($n)" delv_with_opts @10.53.0.4 txt b.wild.example >delv.out$n 2>&1 || ret=1
@@ -555,19 +196,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking negative wildcard validation NSEC3 ($n)" -ret=0 -dig_with_opts b.wild.nsec3.example. @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 -dig_with_opts b.wild.nsec3.example. @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 txt b.wild.nsec3.example >delv.out$n 2>&1 || ret=1
@@ -575,23 +204,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking negative wildcard validation OPTOUT ($n)" -ret=0 -dig_with_opts b.wild.optout.example. \ - @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 -dig_with_opts b.wild.optout.example. \ - @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 txt b.optout.nsec3.example >delv.out$n 2>&1 || ret=1
@@ -599,23 +212,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -# Check the insecure.example domain - -echo_i "checking 1-server insecurity proof NSEC ($n)" -ret=0 -dig_with_opts +noauth a.insecure.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.insecure.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)" delv_with_opts @10.53.0.4 a a.insecure.example >delv.out$n || ret=1
@@ -623,21 +220,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking 1-server insecurity proof NSEC3 ($n)" -ret=0 -dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 a a.insecure.nsec3.example >delv.out$n || ret=1
@@ -645,21 +228,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking 1-server insecurity proof OPTOUT ($n)" -ret=0 -dig_with_opts +noauth a.insecure.optout.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.insecure.optout.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 a a.insecure.optout.example >delv.out$n || ret=1
@@ -667,23 +236,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking 1-server negative insecurity proof NSEC ($n)" -ret=0 -dig_with_opts q.insecure.example. a @10.53.0.3 \ - >dig.out.ns3.test$n || ret=1 -dig_with_opts q.insecure.example. a @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)" delv_with_opts @10.53.0.4 a q.insecure.example >delv.out$n 2>&1 || ret=1
@@ -691,23 +244,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking 1-server negative insecurity proof NSEC3 ($n)" -ret=0 -dig_with_opts q.insecure.nsec3.example. a @10.53.0.3 \ - >dig.out.ns3.test$n || ret=1 -dig_with_opts q.insecure.nsec3.example. a @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 a q.insecure.nsec3.example >delv.out$n 2>&1 || ret=1
@@ -715,23 +252,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking 1-server negative insecurity proof OPTOUT ($n)" -ret=0 -dig_with_opts q.insecure.optout.example. a @10.53.0.3 \ - >dig.out.ns3.test$n || ret=1 -dig_with_opts q.insecure.optout.example. a @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 a q.insecure.optout.example >delv.out$n 2>&1 || ret=1 
@@ -739,285 +260,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking 1-server negative insecurity proof with SOA hack NSEC ($n)" -ret=0 -dig_with_opts r.insecure.example. soa @10.53.0.3 \ - >dig.out.ns3.test$n || ret=1 -dig_with_opts r.insecure.example. soa @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)" -ret=0 -dig_with_opts r.insecure.nsec3.example. soa @10.53.0.3 \ - >dig.out.ns3.test$n || ret=1 -dig_with_opts r.insecure.nsec3.example. soa @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)" -ret=0 -dig_with_opts r.insecure.optout.example. soa @10.53.0.3 \ - >dig.out.ns3.test$n || ret=1 -dig_with_opts r.insecure.optout.example. 
soa @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Check the secure.example domain - -echo_i "checking multi-stage positive validation NSEC/NSEC ($n)" -ret=0 -dig_with_opts +noauth a.secure.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.secure.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking mixed-case positive validation ($n)" -ret=0 -for type in a txt aaaa loc; do - dig_with_opts +noauth mixedcase.secure.example. \ - @10.53.0.3 $type >dig.out.$type.ns3.test$n || ret=1 - dig_with_opts +noauth mixedcase.secure.example. \ - @10.53.0.4 $type >dig.out.$type.ns4.test$n || ret=1 - digcomp --lc dig.out.$type.ns3.test$n dig.out.$type.ns4.test$n || ret=1 - grep "status: NOERROR" dig.out.$type.ns4.test$n >/dev/null || ret=1 - grep "flags:.*ad.*QUERY" dig.out.$type.ns4.test$n >/dev/null || ret=1 -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)" -ret=0 -dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.nsec3.example. 
\ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)" -ret=0 -dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.optout.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)" -ret=0 -dig_with_opts +noauth a.secure.nsec3.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.secure.nsec3.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)" -ret=0 -dig_with_opts +noauth a.nsec3.nsec3.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.nsec3.nsec3.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)" -ret=0 -dig_with_opts +noauth a.optout.nsec3.example. 
\ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.optout.nsec3.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)" -ret=0 -dig_with_opts +noauth a.secure.optout.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.secure.optout.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)" -ret=0 -dig_with_opts +noauth a.nsec3.optout.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.nsec3.optout.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)" -ret=0 -dig_with_opts +noauth a.optout.optout.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.optout.optout.example. 
\ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking empty NODATA OPTOUT ($n)" -ret=0 -dig_with_opts +noauth empty.optout.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth empty.optout.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive validation with private algorithm works ($n)" -ret=0 -dig_with_opts +noauth a.rsasha256oid.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.rsasha256oid.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then - ret=0 - echo_i "checking positive validation NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.nsec3.example >delv.out$n || ret=1 - grep "a.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 - grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -fi - -echo_i "checking positive validation with unknown private algorithm works ($n)" -ret=0 -dig_with_opts +noauth a.unknownoid.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.unknownoid.example. 
\ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive validation with extra ds for private algorithm ($n)" -ret=0 -dig_with_opts +noauth a.extradsoid.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.extradsoid.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive validation with extra ds for unknown private algorithm fails ($n)" -ret=0 -dig_with_opts +noauth a.extradsunknownoid.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.extradsunknownoid.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 -grep 'No DNSKEY for extradsunknownoid.example/DS with PRIVATEOID algorithm, tag [1-9][0-9]*$' ns4/named.run >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if $FEATURETEST --extended-ds-digest; then - echo_i "checking positive validation with extra ds using extended digest type for unknown private algorithm succeeds ($n)" - ret=0 - dig_with_opts +noauth a.extended-ds-unknown-oid.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 - dig_with_opts +noauth a.extended-ds-unknown-oid.example. 
\ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 - digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -fi - -# Check the bogus domain - -echo_i "checking failed validation ($n)" -ret=0 -dig_with_opts a.bogus.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking failed validation using dns_client ($n)" delv_with_opts +cd @10.53.0.4 a a.bogus.example >delv.out$n 2>&1 || ret=1
@@ -1025,17 +268,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking that validation fails when key record is missing ($n)" -ret=0 -dig_with_opts a.b.keyless.example. a @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking that validation fails when key record is missing using dns_client ($n)" delv_with_opts +cd @10.53.0.4 a a.b.keyless.example >delv.out$n 2>&1 || ret=1
@@ -1043,18 +276,7 @@ if [ -x "${DELV}" ]; then n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -fi -echo_i "checking that validation succeeds when a revoked key is encountered ($n)" -ret=0 -dig_with_opts revkey.example soa @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags: .* ad" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -if [ -x "${DELV}" ]; then ret=0 echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)" delv_with_opts +cd @10.53.0.4 soa revkey.example >delv.out$n 2>&1 || ret=1
@@ -1064,391 +286,6 @@ if [ -x "${DELV}" ]; then status=$((status + ret)) fi -echo_i "Checking that a bad CNAME signature is caught after a +CD query ($n)" -ret=0 -#prime -dig_with_opts +cd bad-cname.example. @10.53.0.4 >dig.out.ns4.prime$n || ret=1 -#check: requery with +CD. pending data should be returned even if it's bogus -expect="a.example. -10.0.0.1" -ans=$(dig_with_opts +cd +nodnssec +short bad-cname.example. @10.53.0.4) || ret=1 -test "$ans" = "$expect" || ret=1 -test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'" -#check: requery without +CD. bogus cached data should be rejected. -dig_with_opts +nodnssec bad-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "Checking that a bad DNAME signature is caught after a +CD query ($n)" -ret=0 -#prime -dig_with_opts +cd a.bad-dname.example. @10.53.0.4 >dig.out.ns4.prime$n || ret=1 -#check: requery with +CD. pending data should be returned even if it's bogus -expect="example. -a.example. -10.0.0.1" -ans=$(dig_with_opts +cd +nodnssec +short a.bad-dname.example. @10.53.0.4) || ret=1 -test "$ans" = "$expect" || ret=1 -test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'" -#check: requery without +CD. bogus cached data should be rejected. -dig_with_opts +nodnssec a.bad-dname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Check the insecure.secure.example domain (insecurity proof) - -echo_i "checking 2-server insecurity proof ($n)" -ret=0 -dig_with_opts +noauth a.insecure.secure.example. @10.53.0.2 a \ - >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth a.insecure.secure.example. 
@10.53.0.4 a \ - >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Check a negative response in insecure.secure.example - -echo_i "checking 2-server insecurity proof with a negative answer ($n)" -ret=0 -dig_with_opts q.insecure.secure.example. @10.53.0.2 a >dig.out.ns2.test$n \ - || ret=1 -dig_with_opts q.insecure.secure.example. @10.53.0.4 a >dig.out.ns4.test$n \ - || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking 2-server insecurity proof with a negative answer and SOA hack ($n)" -ret=0 -dig_with_opts r.insecure.secure.example. @10.53.0.2 soa >dig.out.ns2.test$n \ - || ret=1 -dig_with_opts r.insecure.secure.example. @10.53.0.4 soa >dig.out.ns4.test$n \ - || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Check that the query for a security root is successful and has ad set - -echo_i "checking security root query ($n)" -ret=0 -dig_with_opts . 
@10.53.0.4 key >dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking insecurity proof works using negative cache ($n)" -ret=0 -rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_opts +cd @10.53.0.4 insecure.example. ds >dig.out.ns4.test$n.1 || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do - dig_with_opts @10.53.0.4 nonexistent.insecure.example. >dig.out.ns4.test$n.2 || ret=1 - if grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null; then - break - fi - sleep 1 -done -grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Should work with FIPS mode as we are only validating -echo_i "checking positive validation RSASHA1 NSEC ($n)" -ret=0 -if $FEATURETEST --rsasha1; then - dig_with_opts +noauth a.rsasha1.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 - dig_with_opts +noauth a.rsasha1.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 - digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -else - echo_i "skip: RSASHA1 not supported by OS" -fi -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Should work with FIPS mode as we are only validating -echo_i "checking positive validation RSASHA1 (1024 bits) NSEC ($n)" -ret=0 -if $FEATURETEST --rsasha1; then - dig_with_opts +noauth a.rsasha1-1024.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 - dig_with_opts +noauth a.rsasha1-1024.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 - digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -else - echo_i "skip: RSASHA1 not supported by OS" -fi -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive validation RSASHA256 NSEC ($n)" -ret=0 -dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.rsasha256.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive validation RSASHA512 NSEC ($n)" -ret=0 -dig_with_opts +noauth a.rsasha512.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.rsasha512.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive validation with KSK-only DNSKEY signature ($n)" -ret=0 -dig_with_opts +noauth a.kskonly.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.kskonly.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that validation of an ANY query works ($n)" -ret=0 -dig_with_opts +noauth foo.example. any @10.53.0.2 >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth foo.example. 
any @10.53.0.4 >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# 2 records in the zone, 1 NXT, 3 SIGs -grep "ANSWER: 6" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that validation of a query returning a CNAME works ($n)" -ret=0 -dig_with_opts +noauth cname1.example. txt @10.53.0.2 \ - >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth cname1.example. txt @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# the CNAME & its sig, the TXT and its SIG -grep "ANSWER: 4" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that validation of a query returning a DNAME works ($n)" -ret=0 -dig_with_opts +noauth foo.dname1.example. txt @10.53.0.2 \ - >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth foo.dname1.example. txt @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# The DNAME & its sig, the TXT and its SIG, and the synthesized CNAME. -# It would be nice to test that the CNAME is being synthesized by the -# recursive server and not cached, but I don't know how. -grep "ANSWER: 5" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that validation of an ANY query returning a CNAME works ($n)" -ret=0 -dig_with_opts +noauth cname2.example. any @10.53.0.2 \ - >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth cname2.example. 
any @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# The CNAME, NXT, and their SIGs -grep "ANSWER: 4" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that validation of an ANY query returning a DNAME works ($n)" -ret=0 -dig_with_opts +noauth foo.dname2.example. any @10.53.0.2 \ - >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth foo.dname2.example. any @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that lookups succeed after disabling an algorithm ($n)" -ret=0 -dig_with_opts +noauth example. SOA @10.53.0.2 \ - >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth example. SOA @10.53.0.6 \ - >dig.out.ns6.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns6.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking a non-cachable NODATA works ($n)" -ret=0 -dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.7 \ - >dig.out.ns7.test$n || ret=1 -grep "AUTHORITY: 0" dig.out.ns7.test$n >/dev/null || ret=1 -dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking a non-cachable NXDOMAIN works ($n)" -ret=0 -dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.7 \ - >dig.out.ns7.test$n || ret=1 -grep "AUTHORITY: 0" dig.out.ns7.test$n >/dev/null || ret=1 -dig_with_opts +noauth b.nosoa.secure.example. 
txt @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that we can load a rfc2535 signed zone ($n)" -ret=0 -dig_with_opts rfc2535.example. SOA @10.53.0.2 \ - >dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that we can transfer a rfc2535 signed zone ($n)" -ret=0 -dig_with_opts rfc2535.example. SOA @10.53.0.3 \ - >dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Test that "rndc secroots" is able to dump trusted keys -echo_i "checking rndc secroots ($n)" -ret=0 -keyid=$(cat ns1/managed.key.id) -rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i -cp ns4/named.secroots named.secroots.test$n -check_secroots_layout named.secroots.test$n || ret=1 -linecount=$(grep -c "./$DEFAULT_ALGORITHM/$keyid ; static" named.secroots.test$n || true) -[ "$linecount" -eq 1 ] || ret=1 -linecount=$(wc /dev/null || ret=1 -ans=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.4 rrsig) || ret=1 -expect=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep -E '^(A|NSEC)') || ret=1 -test "$ans" = "$expect" || ret=1 -# also check that RA is set -dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 rrsig >dig.out.ns4.test$n || ret=1 -grep "flags:.*ra.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Check direct query for RRSIG: If it's not cached with other records, -# it should result in an empty response. -echo_i "checking RRSIG query not in cache ($n)" -ret=0 -ans=$(dig_with_opts +short rrsigonly.secure.example. 
@10.53.0.4 rrsig) || ret=1 -test -z "$ans" || ret=1 -# also check that RA is cleared -dig_with_opts rrsigonly.secure.example. @10.53.0.4 rrsig >dig.out.ns4.test$n || ret=1 -grep "flags:.*ra.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# -# RT21868 regression test. -# -echo_i "checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters ($n)" -ret=0 -dig_with_opts non-exist.badparam. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# -# RT22007 regression test. -# -echo_i "checking optout NSEC3 referral with only insecure delegations ($n)" -ret=0 -dig_with_opts +norec delegation.single-nsec3. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)" -ret=0 -dig_with_opts +norec nonexist.single-nsec3. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" - -status=$((status + ret)) -echo_i "checking optout NSEC3 nodata with only insecure delegations ($n)" -ret=0 -dig_with_opts +norec single-nsec3. 
@10.53.0.2 a >dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a zone finishing the transition from $ALTERNATIVE_ALGORITHM to $DEFAULT_ALGORITHM validates secure ($n)" -ret=0 -dig_with_opts ns algroll. @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - # Run a minimal update test if possible. This is really just # a regression test for RT #2399; more tests should be added. 
@@ -1466,128 +303,6 @@ else echo_i "The DNSSEC update test requires the Net::DNS library." >&2 fi -n=$((n + 1)) -echo_i "checking managed key maintenance has not started yet ($n)" -ret=0 -[ -f "ns4/managed-keys.bind.jnl" ] && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Reconfigure caching server to use "dnssec-validation auto", and repeat -# some of the DNSSEC validation tests to ensure that it works correctly. -# Also setup a placeholder managed-keys zone to check if named can process it -# correctly. -echo_i "switching to automatic root key configuration" -cp ns4/managed-keys.bind.in ns4/managed-keys.bind -copy_setports ns4/named2.conf.in ns4/named.conf -rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i -sleep 5 - -echo_i "checking managed key maintenance timer has now started ($n)" -ret=0 -[ -f "ns4/managed-keys.bind.jnl" ] || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive validation NSEC ($n)" -ret=0 -dig_with_opts +noauth a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive validation NSEC3 ($n)" -ret=0 -dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking positive validation OPTOUT ($n)" -ret=0 -dig_with_opts +noauth a.optout.example. 
\ - @10.53.0.3 a >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.optout.example. \ - @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking negative validation ($n)" -ret=0 -dig_with_opts +noauth q.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth q.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that root DS queries validate ($n)" -ret=0 -dig_with_opts +noauth . @10.53.0.1 ds >dig.out.ns1.test$n || ret=1 -dig_with_opts +noauth . @10.53.0.4 ds >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns1.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that DS at a RFC 1918 empty zone lookup succeeds ($n)" -ret=0 -dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.4 >dig.out.ns6.test$n || ret=1 -digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 -grep "status: NOERROR" dig.out.ns6.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)" -ret=0 -dig_with_opts +noauth expired.example. 
+dnssec @10.53.0.3 soa >dig.out.ns3.test$n || ret=1 -grep "RRSIG.SOA" dig.out.ns3.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" - -status=$((status + ret)) -echo_i "checking expired signatures do not validate ($n)" -ret=0 -dig_with_opts +noauth expired.example. +dnssec @10.53.0.4 soa >dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -grep "expired.example/.*: RRSIG has expired" ns4/named.run >/dev/null || ret=1 -grep "; EDE: 7 (Signature Expired): (expired.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -status=$((status + ret)) -echo_i "checking signatures in the future do not validate ($n)" -ret=0 -dig_with_opts +noauth future.example. +dnssec @10.53.0.4 soa >dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -grep "future.example/.*: RRSIG validity period has not begun" ns4/named.run >/dev/null || ret=1 -grep "; EDE: 8 (Signature Not Yet Valid): (future.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)" ret=0 ( 
@@ -1660,46 +375,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "checking that a insecure zone beneath a cname resolves ($n)" -ret=0 -dig_with_opts soa insecure.below-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that a secure zone beneath a cname resolves ($n)" -ret=0 -dig_with_opts soa secure.below-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -my_dig() { - "$DIG" +noadd +nosea +nostat +noquest +nocomm +nocmd -p "$PORT" @10.53.0.4 "$@" -} - -echo_i "checking DNSKEY query with no data still gets put in cache ($n)" -ret=0 -firstVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }') -sleep 1 -secondVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }') -if [ "${firstVal:-0}" -eq "${secondVal:-0}" ]; then - sleep 1 - thirdVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }') - if [ "${firstVal:-0}" -eq "${thirdVal:-0}" ]; then - echo_i "cannot confirm query answer still in cache" - ret=1 - fi -fi -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "check that a split dnssec dnssec-signzone work ($n)" ret=0 dig_with_opts soa split-dnssec.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 
@@ -1720,52 +395,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "check dnssec-dsfromkey from stdin ($n)" -ret=0 -dig_with_opts dnskey algroll. @10.53.0.2 \ - | $DSFROMKEY -f - algroll. >dig.out.ns2.test$n || ret=1 -NF=$(awk '{print NF}' dig.out.ns2.test$n | sort -u) -[ "${NF}" = 7 ] || ret=1 -# make canonical -awk '{ - for (i=1;i<7;i++) printf("%s ", $i); - for (i=7;i<=NF;i++) printf("%s", $i); - printf("\n"); -}' canonical1.$n || ret=1 -awk '{ - for (i=1;i<7;i++) printf("%s ", $i); - for (i=7;i<=NF;i++) printf("%s", $i); - printf("\n"); -}' canonical2.$n || ret=1 -diff -b canonical1.$n canonical2.$n >/dev/null 2>&1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Intentionally strip ".key" from keyfile name to ensure the error message -# includes it anyway to avoid confusion (RT #21731) -echo_i "check dnssec-dsfromkey error message when keyfile is not found ($n)" -ret=0 -key=$($KEYGEN -a $DEFAULT_ALGORITHM -q example.) || ret=1 -mv "$key.key" "$key" -$DSFROMKEY "$key" >dsfromkey.out.$n 2>&1 && ret=1 -grep "$key.key: file not found" dsfromkey.out.$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check dnssec-dsfromkey with revoked key ($n)" -ret=0 -dig_with_opts revkey.example dnskey @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "DNSKEY.256 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # ZSK -grep "DNSKEY.385 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # revoked KSK -grep "DNSKEY.257 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # KSK -test $(awk '$4 == "DNSKEY" { print }' dig.out.ns4.test$n | wc -l) -eq 3 || ret=1 -$DSFROMKEY -f dig.out.ns4.test$n revkey.example. >dsfromkey.out.test$n || ret=1 -test $(wc -l dig.out.ns3.test$n 2>&1 
@@ -1775,209 +404,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "testing legacy upper case signer name validation ($n)" -ret=0 -$DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa upper.example @10.53.0.4 \ - >dig.out.ns4.test$n 2>&1 || ret=1 -grep "flags:.* ad;" dig.out.ns4.test$n >/dev/null || ret=1 -grep "RRSIG.*SOA.* UPPER\\.EXAMPLE\\. " dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing that we lower case signer name ($n)" -ret=0 -$DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa LOWER.EXAMPLE @10.53.0.4 \ - >dig.out.ns4.test$n 2>&1 || ret=1 -grep "flags:.* ad;" dig.out.ns4.test$n >/dev/null || ret=1 -grep "RRSIG.*SOA.* lower\\.example\\. " dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing TTL is capped at RRSIG expiry time ($n)" -ret=0 -rndccmd 10.53.0.3 freeze expiring.example 2>&1 | sed 's/^/ns3 /' | cat_i -( - cd ns3 || exit 1 - for file in K*.moved; do - mv "$file" "$(basename "$file" .moved)" - done - $SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db >/dev/null -) || ret=1 -rndc_reload ns3 10.53.0.3 expiring.example - -rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_answeropts +cd expiring.example soa @10.53.0.4 >dig.out.ns4.1.$n -dig_with_answeropts expiring.example soa @10.53.0.4 >dig.out.ns4.2.$n -ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) -ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) -for ttl in ${ttls:-0}; do - [ "${ttl}" -eq 300 ] || ret=1 -done -for ttl in ${ttls2:-0}; do - [ "${ttl}" -le 60 ] || ret=1 -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (NS) ($n)" -ret=0 -rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -sleep 1 -dig_with_additionalopts +cd 
expiring.example ns @10.53.0.4 >dig.out.ns4.1.$n -dig_with_additionalopts expiring.example ns @10.53.0.4 >dig.out.ns4.2.$n -ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) -ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) -for ttl in ${ttls:-300}; do - [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 -done -for ttl in ${ttls2:-0}; do - [ "$ttl" -le 60 ] || ret=1 -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (MX) ($n)" -ret=0 -rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -sleep 1 -dig_with_additionalopts +cd expiring.example mx @10.53.0.4 >dig.out.ns4.1.$n -dig_with_additionalopts expiring.example mx @10.53.0.4 >dig.out.ns4.2.$n -ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) -ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) -for ttl in ${ttls:-300}; do - [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 -done -for ttl in ${ttls2:-0}; do - [ "$ttl" -le 60 ] || ret=1 -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -copy_setports ns4/named3.conf.in ns4/named.conf -rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i -sleep 3 - -echo_i "testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)" -ret=0 -rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_answeropts +cd expiring.example soa @10.53.0.4 >dig.out.ns4.1.$n -dig_with_answeropts expiring.example soa @10.53.0.4 >dig.out.ns4.2.$n -ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) -ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) -for ttl in ${ttls:-0}; do - [ "$ttl" -eq 300 ] || ret=1 -done -for ttl in ${ttls2:-0}; do - [ "$ttl" -eq 120 ] || ret=1 -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)" -ret=0 -dig_with_answeropts +cd expired.example soa @10.53.0.4 
>dig.out.ns4.1.$n -dig_with_answeropts expired.example soa @10.53.0.4 >dig.out.ns4.2.$n -ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) -ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) -for ttl in ${ttls:-0}; do - [ "$ttl" -eq 300 ] || ret=1 -done -for ttl in ${ttls2:-0}; do - [ "$ttl" -eq 120 ] || ret=1 -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)" -ret=0 -rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_additionalopts +cd expiring.example mx @10.53.0.4 >dig.out.ns4.1.$n -dig_with_additionalopts expiring.example mx @10.53.0.4 >dig.out.ns4.2.$n -ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) -ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) -for ttl in ${ttls:-300}; do - [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 -done -for ttl in ${ttls2:-0}; do - [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1 -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing DNSKEY lookup via CNAME ($n)" -ret=0 -dig_with_opts +noauth cnameandkey.secure.example. \ - @10.53.0.3 dnskey >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth cnameandkey.secure.example. \ - @10.53.0.4 dnskey >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "CNAME" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing KEY lookup at CNAME (present) ($n)" -ret=0 -dig_with_opts +noauth cnameandkey.secure.example. \ - @10.53.0.3 key >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth cnameandkey.secure.example. 
\ - @10.53.0.4 key >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "CNAME" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing KEY lookup at CNAME (not present) ($n)" -ret=0 -dig_with_opts +noauth cnamenokey.secure.example. \ - @10.53.0.3 key >dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth cnamenokey.secure.example. \ - @10.53.0.4 key >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "CNAME" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing DNSKEY lookup via DNAME ($n)" -ret=0 -dig_with_opts a.dnameandkey.secure.example. \ - @10.53.0.3 dnskey >dig.out.ns3.test$n || ret=1 -dig_with_opts a.dnameandkey.secure.example. \ - @10.53.0.4 dnskey >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "CNAME" dig.out.ns4.test$n >/dev/null || ret=1 -grep "DNAME" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing KEY lookup via DNAME ($n)" -ret=0 -dig_with_opts b.dnameandkey.secure.example. \ - @10.53.0.3 key >dig.out.ns3.test$n || ret=1 -dig_with_opts b.dnameandkey.secure.example. 
\ - @10.53.0.4 key >dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "DNAME" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "check that named doesn't loop when all private keys are not available ($n)" ret=0 lines=$(grep -c "reading private key file expiring.example" ns3/named.run || true) 
@@ -1986,67 +412,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "check against against missing nearest provable proof ($n)" -dig_with_opts +norec b.c.d.optout-tld. \ - @10.53.0.6 ds >dig.out.ds.ns6.test$n || ret=1 -nsec3=$(grep -c "IN.NSEC3" dig.out.ds.ns6.test$n || true) -[ "$nsec3" -eq 2 ] || ret=1 -dig_with_opts +norec b.c.d.optout-tld. \ - @10.53.0.6 A >dig.out.ns6.test$n || ret=1 -nsec3=$(grep -c "IN.NSEC3" dig.out.ns6.test$n || true) -[ "$nsec3" -eq 1 ] || ret=1 -dig_with_opts optout-tld. \ - @10.53.0.4 SOA >dig.out.soa.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n >/dev/null || ret=1 -dig_with_opts b.c.d.optout-tld. \ - @10.53.0.4 A >dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that key id are logged when dumping the cache ($n)" -ret=0 -rndc_dumpdb ns4 -grep "; key id = " ns4/named_dump.db.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check KEYDATA records are printed in human readable form in key zone ($n)" -# force the managed-keys zone to be written out -rndccmd 10.53.0.4 managed-keys sync 2>&1 | sed 's/^/ns4 /' | cat_i -for i in 1 2 3 4 5 6 7 8 9; do - ret=0 - if test -f ns4/managed-keys.bind; then - grep KEYDATA ns4/managed-keys.bind >/dev/null \ - && grep "next refresh:" ns4/managed-keys.bind >/dev/null \ - && break - fi - ret=1 - sleep 1 -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -copy_setports ns4/named4.conf.in ns4/named.conf -rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i -sleep 3 - -echo_i "check insecure delegation between static-stub zones ($n)" -ret=0 -dig_with_opts ns insecure.secure.example \ - @10.53.0.4 >dig.out.ns4.1.test$n || ret=1 -grep "SERVFAIL" 
dig.out.ns4.1.test$n >/dev/null && ret=1 -dig_with_opts ns secure.example \ - @10.53.0.4 >dig.out.ns4.2.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.2.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "check the correct resigning time is reported in zonestatus ($n)" ret=0 rndccmd 10.53.0.3 \ @@ -2068,22 +433,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "check that split rrsigs are handled ($n)" -ret=0 -dig_with_opts split-rrsig soa @10.53.0.7 >dig.out.test$n || ret=1 -awk 'BEGIN { ok=0; } $4 == "SOA" { if ($7 > 1) ok=1; } END { if (!ok) exit(1); }' dig.out.test$n || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that not-at-zone-apex RRSIG(SOA) RRsets are removed from the zone after load ($n)" -ret=0 -dig_with_opts split-rrsig AXFR @10.53.0.7 >dig.out.test$n || ret=1 -grep -q "not-at-zone-apex.*RRSIG.*SOA" dig.out.test$n && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "check that CDS records are signed using KSK by dnssec-signzone ($n)" ret=0 dig_with_opts +noall +answer @10.53.0.2 cds cds.secure >dig.out.test$n 
@@ -2102,18 +451,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "checking that positive unknown NSEC3 hash algorithm does validate ($n)" -ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example SOA >dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example SOA >dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "check that CDS records are signed using KSK by with dnssec-policy ($n)" ret=0 dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure >dig.out.test$n @@ -2189,18 +526,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)" -ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example SOA >dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example SOA >dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "check that a non matching CDS record is accepted with a matching CDS record ($n)" ret=0 ( 
@@ -2227,16 +552,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "checking that negative unknown NSEC3 hash algorithm does not validate ($n)" -ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example A >dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example A >dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: SERVFAIL," dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "check that CDNSKEY records are signed using KSK by dnssec-signzone ($n)" ret=0 dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey.secure >dig.out.test$n @@ -2255,16 +570,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate ($n)" -ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example A >dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example A >dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 -grep "status: SERVFAIL," dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "check that CDNSKEY records are signed using KSK by with dnssec-auto ($n)" ret=0 dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure >dig.out.test$n 
@@ -2274,78 +579,6 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
-echo_i "checking that unknown DNSKEY algorithm validates as insecure ($n)"
-ret=0
-dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unknown.example A >dig.out.ns3.test$n
-dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unknown.example A >dig.out.ns4.test$n
-grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
-grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that unsupported DNSKEY algorithm validates as insecure ($n)"
-ret=0
-dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.example A >dig.out.ns3.test$n
-dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A >dig.out.ns4.test$n
-grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
-grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1
-grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (255 dnskey-unsupported.example/SOA)" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking EDE code 2 for unsupported DS digest ($n)"
-ret=0
-dig_with_opts @10.53.0.4 a.ds-unsupported.example >dig.out.ns4.test$n || ret=1
-grep "; EDE: 2 (Unsupported DS Digest Type): (SHA-256 ds-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking EDE code 1 for bad alg mnemonic ($n)"
-ret=0
-dig_with_opts @10.53.0.4 badalg.secure.example >dig.out.ns4.test$n || ret=1
-grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (ECDSAP256SHA256
badalg.secure.example/NSEC)" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking both EDE code 1 and 2 for unsupported digest on one DNSKEY and alg on the other ($n)"
-ret=0
-dig_with_opts @10.53.0.4 a.digest-alg-unsupported.example >dig.out.ns4.test$n || ret=1
-grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (ECDSAP384SHA384 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
-grep "; EDE: 2 (Unsupported DS Digest Type): (SHA-384 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)"
-ret=0
-dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY >dig.out.test$n
-grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
-grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-# Check that a query for a domain that has a KSK that is not actively signing
-# the DNSKEY RRset. This should not result in a broken trust chain if there is
-# another KSK that is signing the DNSKEY RRset.
-echo_i "checking that a secure chain with one active and one inactive KSK validates as secure ($n)"
-ret=0
-dig_with_opts @10.53.0.4 a.lazy-ksk A >dig.out.ns4.test$n
-grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 # TODO: test case for GL #1689.
 # If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5)
 # we could write a test that signs a zone with supported and unsupported
@@ -2371,17 +604,6 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
-echo_i "checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure ($n)"
-ret=0
-dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-nsec3-unknown.example A >dig.out.ns3.test$n
-dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-nsec3-unknown.example A >dig.out.ns4.test$n
-grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
-grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 echo_i "check that CDNSKEY records are signed using KSK only when added by nsupdate ($n)"
 ret=0
 keyid=$(cat ns2/cdnskey-update.secure.id)
@@ -2425,22 +647,6 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
-echo_i "check that a named managed zone that was signed 'in-the-future' is re-signed when loaded ($n)"
-ret=0
-dig_with_opts managed-future.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that the view is logged in messages from the validator when using views ($n)"
-ret=0
-grep "view rec: *validat" ns4/named.run >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)"
 ret=0
 dig_with_opts txt dname-at-apex-nsec3.example @10.53.0.3 >dig.out.ns3.test$n || ret=1
@@ -2472,164 +678,6 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
-#
-# DNSSEC tests related to unsupported, disabled and revoked trust anchors.
-#
-
-# This nameserver (ns8) is loaded with a bunch of trust anchors. Some of
-# them are good (enabled.managed, enabled.trusted, secure.managed,
-# secure.trusted), and some of them are bad (disabled.managed,
-# revoked.managed, unsupported.managed, disabled.trusted, revoked.trusted,
-# unsupported.trusted). Make sure that the bad trust anchors are ignored.
-# This is tested by looking for the corresponding lines in the logfile.
-echo_i "checking that keys with unsupported algorithms and disabled algorithms are ignored ($n)"
-ret=0
-grep -q "ignoring static-key for 'disabled\.trusted\.': algorithm is disabled" ns8/named.run || ret=1
-grep -q "ignoring static-key for 'unsupported\.trusted\.': algorithm is unsupported" ns8/named.run || ret=1
-grep -q "ignoring static-key for 'revoked\.trusted\.': bad key type" ns8/named.run || ret=1
-grep -q "ignoring initial-key for 'disabled\.managed\.': algorithm is disabled" ns8/named.run || ret=1
-grep -q "ignoring initial-key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run || ret=1
-grep -q "ignoring initial-key for 'revoked\.managed\.': bad key type" ns8/named.run || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-# The next two tests are fairly normal DNSSEC queries to signed zones with a
-# default algorithm. First, a query is made against the server that is
-# authoritative for the given zone (ns3). Second, a query is made against a
-# resolver with trust anchors for the given zone (ns8). Both are expected to
-# return an authentic data positive response.
-echo_i "checking that a trusted key using a supported algorithm validates as secure ($n)"
-ret=0
-dig_with_opts @10.53.0.3 a.secure.trusted A >dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.secure.trusted A >dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1
-grep "; EDE: " dig.out.ns8.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that a managed key using a supported algorithm validates as secure ($n)"
-ret=0
-dig_with_opts @10.53.0.3 a.secure.managed A >dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.secure.managed A >dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1
-grep "; EDE: " dig.out.ns8.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-# The next two queries ensure that a zone signed with a DNSKEY with an unsupported
-# algorithm will yield insecure positive responses. These trust anchors in ns8 are
-# ignored and so this domain is treated as insecure. The AD bit should not be set
-# in the response.
-echo_i "checking that a trusted key using an unsupported algorithm validates as insecure ($n)"
-ret=0
-dig_with_opts @10.53.0.3 a.unsupported.trusted A >dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.unsupported.trusted A >dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
-grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (255 ns3.unsupported.trusted (cached))" dig.out.ns8.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that a managed key using an unsupported algorithm validates as insecure ($n)"
-ret=0
-dig_with_opts @10.53.0.3 a.unsupported.managed A >dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.unsupported.managed A >dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
-grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (255 ns3.unsupported.managed (cached))" dig.out.ns8.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-# The next two queries ensure that a zone signed with a DNSKEY that the nameserver
-# has a disabled algorithm match for will yield insecure positive responses.
-# These trust anchors in ns8 are ignored and so this domain is treated as insecure.
-# The AD bit should not be set in the response.
-echo_i "checking that a trusted key using a disabled algorithm validates as insecure ($n)"
-ret=0
-dig_with_opts @10.53.0.3 a.disabled.trusted A >dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.disabled.trusted A >dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that a managed key using a disabled algorithm validates as insecure ($n)"
-ret=0
-dig_with_opts @10.53.0.3 a.disabled.managed A >dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.disabled.managed A >dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-# The next two queries ensure that a zone signed with a DNSKEY that the
-# nameserver has a disabled algorithm for, but for a different domain, will
-# yield secure positive responses. Since "enabled.trusted." and
-# "enabled.managed." do not match the "disable-algorithms" option, no
-# special rules apply and these zones should validate as secure, with the AD
-# bit set.
-echo_i "checking that a trusted key using an algorithm disabled for another domain validates as secure ($n)"
-ret=0
-dig_with_opts @10.53.0.3 a.enabled.trusted A >dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.enabled.trusted A >dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that a managed key using an algorithm disabled for another domain validates as secure ($n)"
-ret=0
-dig_with_opts @10.53.0.3 a.enabled.managed A >dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.enabled.managed A >dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-# A configured revoked trust anchor is ignored and thus the two queries below
-# should result in insecure responses, since no trust points for the
-# "revoked.trusted." and "revoked.managed." zones are created.
-echo_i "checking that a trusted key that is revoked validates as insecure ($n)"
-ret=0
-dig_with_opts @10.53.0.3 a.revoked.trusted A >dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.revoked.trusted A >dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that a managed key that is revoked validates as insecure ($n)"
-ret=0
-dig_with_opts @10.53.0.3 a.revoked.managed A >dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.revoked.managed A >dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 ###
 ### Additional checks for when the KSK is offline.
 ###
@@ -2924,216 +972,5 @@ for qtype in "SOA" "TXT"; do
 status=$((status + ret))
 done
 
-echo_i "checking secroots output with multiple views ($n)"
-ret=0
-rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i
-cp ns4/named.secroots named.secroots.test$n
-check_secroots_layout named.secroots.test$n || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking validation succeeds during transition to signed ($n)"
-ret=0
-dig_with_opts @10.53.0.4 inprogress A >dig.out.ns4.test$n || ret=1
-grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep 'A.10\.53\.0\.10' dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking excessive NSEC3 iteration warnings in named.run ($n)"
-ret=0
-grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 50" ns2/named.run >/dev/null 2>&1 || ret=1
-grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 50" ns3/named.run >/dev/null 2>&1 || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-# Check that the validating resolver will fallback to insecure if the answer
-# contains NSEC3 records with high iteration count.
-echo_i "checking fallback to insecure when NSEC3 iterations is too high (nxdomain) ($n)"
-ret=0
-dig_with_opts @10.53.0.2 does-not-exist.too-many-iterations >dig.out.ns2.test$n || ret=1
-dig_with_opts @10.53.0.4 does-not-exist.too-many-iterations >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking fallback to insecure when NSEC3 iterations is too high (nodata) ($n)"
-ret=0
-dig_with_opts @10.53.0.2 a.too-many-iterations txt >dig.out.ns2.test$n || ret=1
-dig_with_opts @10.53.0.4 a.too-many-iterations txt >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "ANSWER: 0, AUTHORITY: 4" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard) ($n)"
-ret=0
-dig_with_opts @10.53.0.2 wild.a.too-many-iterations >dig.out.ns2.test$n || ret=1
-dig_with_opts @10.53.0.4 wild.a.too-many-iterations >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep 'wild\.a\.too-many-iterations\..*A.10\.0\.0\.3' dig.out.ns4.test$n >/dev/null || ret=1
-grep "ANSWER: 2, AUTHORITY: 4" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard nodata) ($n)"
-ret=0
-dig_with_opts @10.53.0.2 type100 wild.a.too-many-iterations >dig.out.ns2.test$n || ret=1
-dig_with_opts @10.53.0.4 type100 wild.a.too-many-iterations >dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-# Check that a query against a validating resolver succeeds when there is
-# a negative cache entry with trust level "pending" for the DS. Prime
-# with a +cd DS query to produce the negative cache entry, then send a
-# query that uses that entry as part of the validation process. [GL #3279]
-echo_i "check that pending negative DS cache entry validates ($n)"
-ret=0
-dig_with_opts @10.53.0.4 +cd insecure2.example. ds >dig.out.prime.ns4.test$n || ret=1
-grep "flags: qr rd ra cd;" dig.out.prime.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1
-grep "ANSWER: 0, AUTHORITY: 4, " dig.out.prime.ns4.test$n >/dev/null || ret=1
-dig_with_opts @10.53.0.4 a.insecure2.example. a >dig.out.ns4.test$n || ret=1
-grep "ANSWER: 1, AUTHORITY: 1, " dig.out.ns4.test$n >/dev/null || ret=1
-grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "checking NSEC3 nxdomain response closest encloser with 0 ENT ($n)"
-ret=0
-dig_with_opts @10.53.0.4 b.b.b.b.b.a.nsec3.example.
>dig.out.ns4.test$n
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-# closest encloser (a.nsec3.example)
-pat1="^6OVDUHTN094ML2PV8AN90U0DPU823GH2\.nsec3\.example\..*NSEC3 1 0 0 - 7AT0S0RIDCJRFF2M5H5AAV22CSFJBUL4 A RRSIG\$"
-grep "$pat1" dig.out.ns4.test$n >/dev/null || ret=1
-# no QNAME proof (b.a.nsec3.example / DSPF4R9UKOEPJ9O34E1H4539LSOTL14E)
-pat2="^CG2DVCNE20EKU1PDRLMI2L4DGC2FO1H3\.nsec3\.example\..*NSEC3 1 0 0 - EF2S05SGK1IR2K5SKMFIRERGQCLMR18M A RRSIG\$"
-grep "$pat2" dig.out.ns4.test$n >/dev/null || ret=1
-# no WILDCARD proof (*.a.nsec3.example / TFGQ60S97BS31IT1EBEDO63ETM0T5JFA)
-pat3="^R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q\.nsec3\.example\..*NSEC3 1 0 0 - VH656EQUD4J02OFVSO4GKOK5D02MS1TL NS DS RRSIG\$"
-grep "$pat3" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "checking NSEC3 nxdomain response closest encloser with 1 ENTs ($n)"
-ret=0
-dig_with_opts @10.53.0.4 b.b.b.b.b.a.a.nsec3.example.
>dig.out.ns4.test$n
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-# closest encloser (a.a.nsec3.example)
-pat1="^NGCJFSOLJUUE27PFNQNJIME4TQ0OU2DH\.nsec3\.example\..*NSEC3 1 0 0 - R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q\$"
-grep "$pat1" dig.out.ns4.test$n >/dev/null || ret=1
-# no QNAME proof (b.a.a.nsec3.example / V8I8SAIIVC3HOVMOVENSDRA6ATDCEMJI)
-pat2="^R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q\.nsec3\.example\..*NSEC3 1 0 0 - VH656EQUD4J02OFVSO4GKOK5D02MS1TL NS DS RRSIG\$"
-grep "$pat2" dig.out.ns4.test$n >/dev/null || ret=1
-# no WILDCARD proof (*.a.a.nsec3.example / V7JNNDJ4NLRIU195FRB7DLUCSLU4LLFM)
-pat3="^R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q\.nsec3\.example\..*NSEC3 1 0 0 - VH656EQUD4J02OFVSO4GKOK5D02MS1TL NS DS RRSIG\$"
-grep "$pat3" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "checking NSEC3 nxdomain response closest encloser with 2 ENTs ($n)"
-ret=0
-dig_with_opts @10.53.0.4 b.b.b.b.b.a.a.a.nsec3.example.
>dig.out.ns4.test$n
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-# closest encloser (a.a.a.nsec3.example)
-pat1="^H7RHPDCHSVVRAND332F878C8AB6IBJQV\.nsec3\.example\..*NSEC3 1 0 0 - K8IG76R2UPQ13IKFO49L7IB9JRVB6QJI\$"
-grep "$pat1" dig.out.ns4.test$n >/dev/null || ret=1
-# no QNAME proof (b.a.a.a.nsec3.example / 18Q8D89RM8GGRSSOPFRB05QS6VEGB1P4)
-pat2="^VH656EQUD4J02OFVSO4GKOK5D02MS1TL\.nsec3\.example\..*NSEC3 1 0 0 - 1HARMGSKJH0EBU2EI2OJIKTDPIQA6KBI NS DS RRSIG\$"
-grep "$pat2" dig.out.ns4.test$n >/dev/null || ret=1
-# no WILDCARD proof (*.a.a.a.nsec3.example / 8113LDMSEFPUAG4VGFF1C8KLOUT4Q6PH)
-pat3="^7AT0S0RIDCJRFF2M5H5AAV22CSFJBUL4\.nsec3\.example\..*NSEC3 1 0 0 - BEJ5GMQA872JF4DAGQ0R3O5Q7A2O5S9L A RRSIG\$"
-grep "$pat3" dig.out.ns4.test$n >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "checking validator behavior with mismatching NS ($n)"
-ret=0
-rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
-$DIG +tcp +cd -p "$PORT" -t ns inconsistent @10.53.0.4 >dig.out.ns4.test$n.1 || ret=1
-grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2" dig.out.ns4.test$n.1 >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n.1 >/dev/null && ret=1
-$DIG +tcp +cd +dnssec -p "$PORT" -t ns inconsistent @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1
-grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2" dig.out.ns4.test$n.2 >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n.2 >/dev/null && ret=1
-$DIG +tcp +dnssec -p "$PORT" -t ns inconsistent @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1
-grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.ns4.test$n.3 >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n.3 >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "checking that a insecure negative response where there is a NSEC without a RRSIG succeeds ($n)"
-ret=0
-# check server preconditions
-dig_with_opts +notcp
@10.53.0.10 nsec-rrsigs-stripped. TXT +dnssec >dig.out.ns10.test$n
-grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1
-grep "QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1" dig.out.ns10.test$n >/dev/null || ret=1
-grep "IN.RRSIG.NSEC" dig.out.ns10.test$n >/dev/null && ret=1
-# check resolver succeeds
-dig_with_opts @10.53.0.4 nsec-rrsigs-stripped. TXT +dnssec >dig.out.ns4.test$n
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-grep "QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1" dig.out.ns4.test$n >/dev/null || ret=1
-grep "IN.RRSIG.NSEC" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "checking validating forwarder behavior with mismatching NS ($n)"
-ret=0
-rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
-$DIG +tcp +cd -p "$PORT" -t ns inconsistent @10.53.0.9 >dig.out.ns9.test$n.1 || ret=1
-grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.ns9.test$n.1 >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns9.test$n.1 >/dev/null && ret=1
-$DIG +tcp +cd +dnssec -p "$PORT" -t ns inconsistent @10.53.0.9 >dig.out.ns9.test$n.2 || ret=1
-grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.ns9.test$n.2 >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns9.test$n.2 >/dev/null && ret=1
-$DIG +tcp +dnssec -p "$PORT" -t ns inconsistent @10.53.0.9 >dig.out.ns9.test$n.3 || ret=1
-grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.ns9.test$n.3 >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns9.test$n.3 >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "checking forwarder CD behavior (DS mismatch and local trust anchor) ($n)"
-ret=0
-rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
-# confirm invalid DS produces SERVFAIL in resolver
-$DIG +tcp +dnssec -p "$PORT" @10.53.0.4 localkey.example soa >dig.out.ns4.test$n || ret=1
-grep "status: SERVFAIL"
dig.out.ns4.test$n >/dev/null || ret=1
-# check that lookup using forwarder succeeds and that SERVFAIL was received
-nextpart ns9/named.run >/dev/null
-$DIG +tcp +dnssec -p "$PORT" @10.53.0.9 localkey.example soa >dig.out.ns9.test$n || ret=1
-grep "status: NOERROR" dig.out.ns9.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns9.test$n >/dev/null || ret=1
-nextpart ns9/named.run | grep 'status: SERVFAIL' >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
index 854c15424d..9f9cc76bf6 100644
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@@ -165,9 +165,11 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns4/named_dump.db.*",
 "ns5/broken.conf",
 "ns5/revoked.conf",
+ "ns5/many-trusted.conf",
+ "ns5/many-managed.conf",
 "ns6/optout-tld.db",
- "ns7/split-rrsig.db",
- "ns7/split-rrsig.db.unsplit",
+ "ns6/split-rrsig.db",
+ "ns6/split-rrsig.db.unsplit",
 "ns9/trusted-localkey.conf",
 ]
 )
diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py
new file mode 100644
index 0000000000..f0d132b9dc
--- /dev/null
+++ b/bin/tests/system/dnssec/tests_validation.py
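Review bot: The `split-rrsig.db` and `split-rrsig.db.unsplit` entries in the `extra_artifacts` list are re-pointed from ns7 to ns6, but nothing in the commit message or elsewhere in this chunk shows that zone being generated under ns6 instead of ns7. If the files are still written under ns7, the new entries will not cover them and the artifact check will presumably flag the ns7 copies, so this is worth confirming against the setup or signing step that produces them. A one-line comment above these entries naming the script that now writes split-rrsig.db under ns6, or a sentence to that effect in the commit message, would make the move checkable by the next reader.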
@@ -0,0 +1,1606 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import os +import re +import shutil +import time + +from dns import edns, flags, name, rcode, rdataclass, rdatatype + +import pytest + +pytest.importorskip("dns", minversion="2.0.0") +import isctest +import isctest.mark +from isctest.util import param + + +# helper functions +def grep_q(regex, filename): + with open(filename, "r", encoding="utf-8") as f: + blob = f.read().splitlines() + results = [x for x in blob if re.search(regex, x)] + return len(results) != 0 + + +def getfrom(file): + with open(file, encoding="utf-8") as f: + return f.read().strip() + + +@pytest.mark.requires_zones_loaded("ns2", "ns3") +@pytest.mark.parametrize( + "qname, qtype", + [ + param("a.example.", "A"), + param("rfc2535.example.", "SOA"), + ], +) +def test_load_transfer(qname, qtype): + # check that we can load and transfer zone + msg = isctest.query.create(qname, qtype) + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.3") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res1) + + +def test_insecure_glue(): + # check that for a query against a validating resolver where the + # authoritative zone is unsigned (insecure delegation), glue is returned + # in the additional section + msg = isctest.query.create("a.insecure.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.rr_count_eq(res.answer, 1) + isctest.check.rr_count_eq(res.authority, 1) + isctest.check.rr_count_eq(res.additional, 1) + assert str(res.additional[0].name) == "ns.insecure.example." 
+ addrs = [str(a) for a in res.additional[0]] + assert "10.53.0.3" in addrs + + +def test_adflag(): + # compare auth and recursive answers + msg = isctest.query.create("a.example", "A", dnssec=False) + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + + # check no AD flag in authoritative response + isctest.check.noadflag(res1) + + # check validating resolver sends AD=1 if the client sent AD=1 + isctest.check.adflag(res2) + + # check that AD=0 unless the client sent AD=1 + msg = isctest.query.create("a.example", "A", dnssec=False, ad=False) + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noadflag(res2) + + +def test_secure_root(servers): + # check that a query for a secure root validates + msg = isctest.query.create(".", "KEY") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + # check that "rndc secroots" dumps the trusted keys + ns4 = servers["ns4"] + key = int(getfrom("ns1/managed.key.id")) + alg = os.environ["DEFAULT_ALGORITHM"] + expected = f"./{alg}/{key} ; static" + response = ns4.rndc("secroots -", log=False).splitlines() + assert expected in response + assert len(response) == 10 + + +def test_positive_validation_nsec(): + # positive answer + msg = isctest.query.create("a.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # wildcard + msg = isctest.query.create("a.wild.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + assert str(res2.authority[0].name) == "*.wild.example." + assert res2.authority[0].rdtype == rdatatype.NSEC + nsecs = [str(a).split(" ", maxsplit=1)[0] for a in res2.authority[0]] + assert "z.example." 
in nsecs + assert res2.authority[1].rdtype == rdatatype.RRSIG + assert res2.authority[1].covers == rdatatype.NSEC + + # mixed case + for rrtype in ["a", "txt", "aaaa", "loc"]: + msg = isctest.query.create("mixedcase.secure.example", rrtype) + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + +def test_positive_validation_nsec3(): + # positive answer + msg = isctest.query.create("a.nsec3.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + # wildcard + msg = isctest.query.create("a.wild.nsec3.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + isctest.check.rr_count_eq(res2.authority, 4) + + # unknown NSEC3 hash algorithm + msg = isctest.query.create("nsec3-unknown.example", "SOA", dnssec=False) + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + isctest.check.rr_count_eq(res2.answer, 1) + + +def test_positive_validation_optout(): + # positive answer + msg = isctest.query.create("a.optout.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # wildcard + msg = isctest.query.create("a.wild.optout.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # unknown NSEC3 hash algorithm + msg = 
isctest.query.create("optout-unknown.example", "SOA", dnssec=False) + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + isctest.check.rr_count_eq(res2.answer, 1) + + +def answer_has(r, rdtype): + return bool([r for r in r.answer if r.rdtype == rdtype]) + + +def test_chain_validation(): + # check validation of ANY response + msg = isctest.query.create("foo.example", "ANY") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.rr_count_eq(res2.answer, 6) # 2 records, 1 NSEC, 3 RRSIGs + + # check validation of CNAME response + msg = isctest.query.create("cname1.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.rr_count_eq(res2.answer, 4) # CNAME, TXT, 2 RRSIGs + + # check validation of DNAME response + msg = isctest.query.create("foo.dname1.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.rr_count_eq(res2.answer, 5) # DNAME, TXT, 2 RRSIGs, synth CNAME + + # check validation of CNAME response to ANY query + msg = isctest.query.create("cname2.example", "ANY") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.rr_count_eq(res2.answer, 4) # CNAME, NSEC, 2 RRSIGs + + # check validation of DNAME response to ANY query + msg = isctest.query.create("foo.dname2.example", "ANY") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + 
isctest.check.noerror(res2) + isctest.check.rr_count_eq(res2.answer, 3) # DNAME, RSRIG, synth CNAME + + # check bad CNAME signature is caught after +CD query + msg = isctest.query.create("bad-cname.example", "A", dnssec=False, cd=True) + # query once with CD to prime the cache + res = isctest.query.tcp(msg, "10.53.0.4") + # query again with CD, bogus pending data should be returned + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + assert "a.example." in str(res.answer[0]) + assert "10.0.0.1" in str(res.answer[1]) + # query again without CD, bogus data should be rejected + msg = isctest.query.create("bad-cname.example", "A", dnssec=False) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.servfail(res) + + # check bad DNAME signature is caught after +CD query + msg = isctest.query.create("a.bad-dname.example", "A", dnssec=False, cd=True) + # query once with CD to prime the cache + res = isctest.query.tcp(msg, "10.53.0.4") + # query again with CD, bogus pending data should be returned + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + assert "example." in str(res.answer[0]) + assert "a.example." 
in str(res.answer[1]) + assert "10.0.0.1" in str(res.answer[2]) + # query again without CD, bogus data should be rejected + msg = isctest.query.create("a.bad-dname.example", "A", dnssec=False) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.servfail(res) + + # check DNSKEY lookup via CNAME + msg = isctest.query.create("cnameandkey.secure.example", "DNSKEY") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + assert answer_has(res2, rdatatype.CNAME) + + # check KEY lookup via CNAME + msg = isctest.query.create("cnameandkey.secure.example", "KEY") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + assert not answer_has(res2, rdatatype.CNAME) + + # check KEY lookup via CNAME (not present) + msg = isctest.query.create("cnamenokey.secure.example", "KEY") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + assert not answer_has(res2, rdatatype.CNAME) + + # check DNSKEY lookup via DNAME + msg = isctest.query.create("a.dnameandkey.secure.example", "DNSKEY") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + assert answer_has(res2, rdatatype.DNAME) + + # check KEY lookup via DNAME + msg = isctest.query.create("a.dnameandkey.secure.example", "KEY") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + assert answer_has(res2, rdatatype.DNAME) + + +@isctest.mark.rsasha1 +def test_signing_algorithms_rsasha1(): + # rsasha1 (should work with FIPS mode we're as only validating) + msg = isctest.query.create("a.rsasha1.example", "A") + 
res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # rsasha1 (1024 bits) NSEC + msg = isctest.query.create("a.rsasha1-1024.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + +def test_signing_algorithms(): + # rsasha256 + msg = isctest.query.create("a.rsasha256.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # rsasha512 + msg = isctest.query.create("a.rsasha512.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # KSK-only DNSKEY + msg = isctest.query.create("a.kskonly.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + +def test_private_algorithms(servers): + # positive answer, private algorithm + msg = isctest.query.create("a.rsasha256oid.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # positive answer, unknown private algorithm + msg = isctest.query.create("a.unknownoid.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noadflag(res2) + + # positive answer, extra ds for private algorithm + msg = isctest.query.create("a.extradsoid.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # positive 
anwer, extra ds for unknown private algorithm + ns4 = servers["ns4"] + with ns4.watch_log_from_here() as watcher: + msg = isctest.query.create("a.extradsunknownoid.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res1) + isctest.check.servfail(res2) + watcher.wait_for_line( + "No DNSKEY for extradsunknownoid.example/DS with PRIVATEOID" + ) + + +@isctest.mark.extended_ds_digest +def test_private_algorithms_extended_ds(): + # check positive validation with extra ds using extended digest + # type for unknown private algorithm + msg = isctest.query.create("a.extended-ds-unknown-oid.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + +def test_negative_validation_nsec(): + # nxdomain + msg = isctest.query.create("q.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.adflag(res2) + + # nodata + msg = isctest.query.create("a.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.empty_answer(res2) + isctest.check.adflag(res2) + + # negative wildcard + msg = isctest.query.create("b.wild.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + +def test_negative_validation_nsec3(): + # nxdomain + msg = isctest.query.create("q.nsec3.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.adflag(res2) + + # nodata + 
msg = isctest.query.create("a.nsec3.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.empty_answer(res2) + isctest.check.adflag(res2) + + # negative wildcard + msg = isctest.query.create("b.wild.nsec3.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + # check NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters + msg = isctest.query.create("non-exist.badparam", "A") + res = isctest.query.tcp(msg, "10.53.0.2") + isctest.check.nxdomain(res) + + # check negative unknown NSEC3 hash algorithm does not validate + msg = isctest.query.create("nsec3-unknown.example", "A", dnssec=False) + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res1) + isctest.check.servfail(res2) + + +def test_excessive_nsec3_iterations(): + assert grep_q( + "zone too-many-iterations/IN: excessive NSEC3PARAM iterations", "ns2/named.run" + ) + assert grep_q( + "zone too-many-iterations/IN: excessive NSEC3PARAM iterations", "ns3/named.run" + ) + + # check fallback to insecure with NSEC3 iterations is too high + msg = isctest.query.create("does-not-exist.too-many-iterations", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.noadflag(res2) + isctest.check.rr_count_eq(res2.answer, 0) + isctest.check.rr_count_eq(res2.authority, 8) + + # check fallback to insecure with NSEC3 iterations is too high (nodata) + msg = isctest.query.create("a.too-many-iterations", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.noadflag(res2) + 
isctest.check.rr_count_eq(res2.answer, 0) + isctest.check.rr_count_eq(res2.authority, 4) + + # check fallback to insecure with NSEC3 iterations is too high (wildcard) + msg = isctest.query.create("wild.a.too-many-iterations", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.noadflag(res2) + isctest.check.rr_count_eq(res2.answer, 2) + isctest.check.rr_count_eq(res2.authority, 4) + a, _ = res2.answer + assert str(a.name) == "wild.a.too-many-iterations." + assert str(a[0]) == "10.0.0.3" + + # check fallback to insecure with high NSEC3 iterations (wildcard nodata) + msg = isctest.query.create("wild.a.too-many-iterations", 100) + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.noadflag(res2) + isctest.check.rr_count_eq(res2.authority, 8) + + +def test_auth_nsec3(): + # nxdomain response, closest encloser with 0 empty non-terminals + msg = isctest.query.create("b.b.b.b.b.a.nsec3.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res) + # closest encloser (a.nsec3.example): + rrset = res.get_rrset( + res.authority, + name.from_text("6OVDUHTN094ML2PV8AN90U0DPU823GH2.nsec3.example."), + rdataclass.IN, + rdatatype.NSEC3, + ) + assert rrset, "NSEC3 missing from AUTHORITY: " + str(res) + assert "7AT0S0RIDCJRFF2M5H5AAV22CSFJBUL4" in str(rrset[0]).upper() + # no QNAME (b.a.nsec3.example/DSPF4R9UKOEPJ9O34E1H4539LSOTL14E) + rrset = res.get_rrset( + res.authority, + name.from_text("BEJ5GMQA872JF4DAGQ0R3O5Q7A2O5S9L.nsec3.example."), + rdataclass.IN, + rdatatype.NSEC3, + ) + assert rrset, "expected NSEC3 missing from AUTHORITY: " + str(res) + assert "EF2S05SGK1IR2K5SKMFIRERGQCLMR18M" in str(rrset[0]).upper() + # no WILDCARD (*.a.nsec3.example/TFGQ60S97BS31IT1EBEDO63ETM0T5JFA) + rrset = res.get_rrset( + res.authority, + 
name.from_text("R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q.nsec3.example."), + rdataclass.IN, + rdatatype.NSEC3, + ) + assert rrset, "expected NSEC3 missing from AUTHORITY: " + str(res) + assert "VH656EQUD4J02OFVSO4GKOK5D02MS1TL" in str(rrset[0]).upper() + + # nxdomain response, closest encloser with 1 ENT + msg = isctest.query.create("b.b.b.b.b.a.a.nsec3.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res) + # closest encloser (a.a.nsec3.example): + rrset = res.get_rrset( + res.authority, + name.from_text("NGCJFSOLJUUE27PFNQNJIME4TQ0OU2DH.nsec3.example."), + rdataclass.IN, + rdatatype.NSEC3, + ) + assert rrset, "expected NSEC3 missing from AUTHORITY: " + str(res) + assert "R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q" in str(rrset[0]).upper() + # noqname (b.a.a.nsec3.example): + rrset = res.get_rrset( + res.authority, + name.from_text("R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q.nsec3.example."), + rdataclass.IN, + rdatatype.NSEC3, + ) + assert rrset, "expected NSEC3 missing from AUTHORITY: " + str(res) + assert "VH656EQUD4J02OFVSO4GKOK5D02MS1TL" in str(rrset[0]).upper() + # no wildcard (*.a.a.nsec3.example/V7JNNDJ4NLRIU195FRB7DLUCSLU4LLFM) + # is covered by the noqname proof in this case + + # nxdomain response, closest encloser with 2 ENTs + msg = isctest.query.create("b.b.b.b.b.a.a.a.nsec3.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res) + # closest encloser (a.a.a.nsec3.example): + rrset = res.get_rrset( + res.authority, + name.from_text("H7RHPDCHSVVRAND332F878C8AB6IBJQV.nsec3.example."), + rdataclass.IN, + rdatatype.NSEC3, + ) + assert rrset, "expected NSEC3 missing from AUTHORITY: " + str(res) + assert "K8IG76R2UPQ13IKFO49L7IB9JRVB6QJI" in str(rrset[0]).upper() + # noqname (b.a.a.a.nsec3.example/18Q8D89RM8GGRSSOPFRB05QS6VEGB1P4) + rrset = res.get_rrset( + res.authority, + name.from_text("0T7VH688AEK0612T69V8692OCMJD50M4.nsec3.example."), + rdataclass.IN, + rdatatype.NSEC3, + ) + assert rrset, "expected NSEC3 missing 
from AUTHORITY: " + str(res) + assert "1HARMGSKJH0EBU2EI2OJIKTDPIQA6KBI" in str(rrset[0]).upper() + # no WILDCARD (*.a.a.a.nsec3.example/8113LDMSEFPUAG4VGFF1C8KLOUT4Q6PH) + rrset = res.get_rrset( + res.authority, + name.from_text("7AT0S0RIDCJRFF2M5H5AAV22CSFJBUL4.nsec3.example."), + rdataclass.IN, + rdatatype.NSEC3, + ) + assert rrset, "expected NSEC3 missing from AUTHORITY: " + str(res) + assert "BEJ5GMQA872JF4DAGQ0R3O5Q7A2O5S9L" in str(rrset[0]).upper() + + +def test_negative_validation_optout(): + # nxdomain + msg = isctest.query.create("q.optout.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + + # nodata + msg = isctest.query.create("a.optout.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.empty_answer(res2) + isctest.check.adflag(res2) + + # negative wildcard + msg = isctest.query.create("b.wild.optout.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # empty NODATA + msg = isctest.query.create("empty.optout.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # (rt22007 regression tests:) + # check optout NSEC3 referral with only insecure delegatons + msg = isctest.query.create("delegation.single-nsec3", "A") + res = isctest.query.tcp(msg, "10.53.0.2") + isctest.check.noerror(res) + for rrset in res.authority: + if ( + rrset.rdtype != rdatatype.NSEC3 + or "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" not in rrset.name + ): + continue + assert "1 1 1 - 
3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" in str(rrset[0]) + + # check optout NSEC3 NXDOMAIN with only insecure delegatons + msg = isctest.query.create("nonexist.single-nsec3", "A") + res = isctest.query.tcp(msg, "10.53.0.2") + isctest.check.nxdomain(res) + for rrset in res.authority: + if ( + rrset.rdtype != rdatatype.NSEC3 + or "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" not in rrset.name + ): + continue + assert "1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" in str(rrset[0]) + + # check optout NSEC3 NODATA with only insecure delegatons + msg = isctest.query.create("single-nsec3", "A") + res = isctest.query.tcp(msg, "10.53.0.2") + isctest.check.noerror(res) + for rrset in res.authority: + if ( + rrset.rdtype != rdatatype.NSEC3 + or "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" not in rrset.name + ): + continue + assert "1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" in str(rrset[0]) + + # check negative unknown NSEC3-OPTOUT hash algorithm does not validate + msg = isctest.query.create("optout-unknown.example", "A", dnssec=False) + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res1) + isctest.check.servfail(res2) + + +def test_cache(servers): + ns4 = servers["ns4"] + + # check that key id's are logged when dumping the cache + ns4.rndc("dumpdb -cache", log=False) + assert grep_q("; key id = ", "ns4/named_dump.db") + + # check for RRSIG covered type in negative cache + assert grep_q("; example. 
RRSIG NSEC ", "ns4/named_dump.db") + + # check validated data are not cached longer than originalttl + msg = isctest.query.create("a.ttlpatch.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.rr_count_eq(res1.answer, 2) + isctest.check.rr_count_eq(res2.answer, 2) + for rrset in res1.answer: + assert rrset.ttl <= 3600 + for rrset in res2.answer: + assert rrset.ttl <= 300 + + # query for a record, then follow it with a query for the + # corresponding RRSIG, check that it's answered from the cache + msg = isctest.query.create("normalthenrrsig.secure.example", "A") + isctest.query.tcp(msg, "10.53.0.4") + + msg = isctest.query.create("normalthenrrsig.secure.example", "RRSIG") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.raflag(res2) + + # check direct query for RRSIG: if it's not cached with other records, + # it should result in an empty response. 
+ msg = isctest.query.create("rrsigonly.secure.example", "RRSIG") + res1 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.empty_answer(res1) + isctest.check.noraflag(res1) + + # check that a DNSKEY query with no data still gets cached + msg = isctest.query.create("insecure.example", "DNSKEY") + res1 = isctest.query.tcp(msg, "10.53.0.4") + time.sleep(1) # give the TTL time to change + res2 = isctest.query.tcp(msg, "10.53.0.4") + if res1.authority[0].ttl == res2.authority[0].ttl: + time.sleep(1) + res2 = isctest.query.tcp(msg, "10.53.0.4") + assert res1.authority[0].ttl != res2.authority[0].ttl + + +def test_insecure_proof_nsec(servers): + # 1-server positive + msg = isctest.query.create("a.insecure.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # 1-server negative + msg = isctest.query.create("q.insecure.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + + # 1-server negative with SOA hack + msg = isctest.query.create("r.insecure.example", "SOA") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + assert res2.authority[0].rdtype == rdatatype.SOA + assert res2.authority[0].ttl == 0 + + # 2-server positive + msg = isctest.query.create("a.insecure.secure.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # 2-server negative + msg = isctest.query.create("q.insecure.secure.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = 
isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + + # 2-server negative with SOA hack + msg = isctest.query.create("r.insecure.secure.example", "SOA") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + + # insecurity proof using negative cache + ns4 = servers["ns4"] + ns4.rndc("flush", log=False) + msg = isctest.query.create("insecure.example", "DS", cd=True) + isctest.query.tcp(msg, "10.53.0.4") + + def query_and_check_nxdomain(): + msg = isctest.query.create("nonexistent.insecure.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res) + return True + + isctest.run.retry_with_timeout(query_and_check_nxdomain, 20) + + # check insecure negative response with an unsigned NSEC + # first try the auth server... + msg = isctest.query.create("nsec-rrsigs-stripped", "TXT") + res1 = isctest.query.udp(msg, "10.53.0.10") + isctest.check.noerror(res1) + isctest.check.empty_answer(res1) + isctest.check.rr_count_eq(res1.authority, 2) + isctest.check.rr_count_eq(res1.additional, 0) + # make sure there's no RRSIG(NSEC) + for rrset in res1.authority: + assert rrset.rdtype != rdatatype.RRSIG or rrset.covers != rdatatype.NSEC + # now try the resolver + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.noadflag(res2) + + +def test_insecure_proof_nsec3(): + # 1-server + msg = isctest.query.create("a.insecure.nsec3.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # 1-server negative + msg = isctest.query.create("q.insecure.nsec3.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, 
res2) + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + + # 1-server negative with SOA hack + msg = isctest.query.create("r.insecure.nsec3.example", "SOA") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + assert res2.authority[0].rdtype == rdatatype.SOA + assert res2.authority[0].ttl == 0 + + +def test_insecure_proof_optout(): + # 1-server + msg = isctest.query.create("a.insecure.optout.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # 1-server negative + msg = isctest.query.create("q.insecure.optout.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + + # 1-server negative with SOA hack + msg = isctest.query.create("r.insecure.optout.example", "SOA") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.noadflag(res2) + assert res2.authority[0].rdtype == rdatatype.SOA + assert res2.authority[0].ttl == 0 + + +def test_below_cname(): + # check insecure zone below a cname resolves + msg = isctest.query.create("insecure.below-cname.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.noadflag(res) + isctest.check.rr_count_eq(res.answer, 1) + + # check secure zone below a cname resolves and validates + msg = isctest.query.create("secure.below-cname.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + isctest.check.rr_count_eq(res.answer, 2) + + +@pytest.mark.parametrize( 
+ "qname", + [ + "a.secure.example", # NSEC/NSEC + "a.nsec3.example", # NSEC/NSEC3 + "a.optout.example", # NSEC/OPTOUT + "a.secure.nsec3.example", # NSEC3/NSEC + "a.nsec3.nsec3.example", # NSEC3/NSEC3 + "a.optout.nsec3.example", # NSEC3/OPTOUT + "a.secure.optout.example", # OPTOUT/NSEC + "a.nsec3.optout.example", # OPTOUT/NSEC3 + "a.optout.optout.example", # OPTOUT/OPTOUT + ], +) +def test_positive_validation_multistage(qname): + msg = isctest.query.create(qname, "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + +def test_validation_recovery(servers): + ns2 = servers["ns2"] + ns4 = servers["ns4"] + + # check recovery from spoofed server address. + # prime cache with spoofed address records... + msg = isctest.query.create("target.peer-ns-spoof", "A", cd=True) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.servfail(res) + ns4.rndc("dumpdb", log=False) + grep_q("10.53.0.100", "ns4/named_dump.db") + + # then reload server with properly signed zone + shutil.copyfile( + "ns2/peer.peer-ns-spoof.db.next", "ns2/peer.peer-ns-spoof.db.signed" + ) + with ns2.watch_log_from_here() as watcher: + ns2.rndc("reload peer.peer-ns-spoof", log=False) + watcher.wait_for_line("zone peer.peer-ns-spoof/IN: loaded serial 2000042408") + + # and check we can resolve with the correct server address + msg = isctest.query.create("test.target.peer-ns-spoof", "TXT") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res) + isctest.check.adflag(res) + + # check recovery from stripped DNSKEY RRSIG. + # prime cache with spoofed address records... 
+ msg = isctest.query.create("dnskey-rrsigs-stripped", "DNSKEY", cd=True) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.rr_count_eq(res.answer, 2) + + # then reload server with properly signed zone + shutil.copyfile( + "ns2/dnskey-rrsigs-stripped.db.next", "ns2/dnskey-rrsigs-stripped.db.signed" + ) + with ns2.watch_log_from_here() as watcher: + ns2.rndc("reload dnskey-rrsigs-stripped", log=False) + watcher.wait_for_line( + "zone dnskey-rrsigs-stripped/IN: loaded serial 2000042408" + ) + + # and check we can now resolve with the correct server address + msg = isctest.query.create("b.dnskey-rrsigs-stripped", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # check recovery from stripped DS RRSIG. + # prime cache with spoofed address records... + msg = isctest.query.create("child.ds-rrsigs-stripped", "DS", cd=True) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.rr_count_eq(res.answer, 1) + + # then reload server with properly signed zone + shutil.copyfile( + "ns2/ds-rrsigs-stripped.db.next", "ns2/ds-rrsigs-stripped.db.signed" + ) + with ns2.watch_log_from_here() as watcher: + ns2.rndc("reload ds-rrsigs-stripped", log=False) + watcher.wait_for_line("zone ds-rrsigs-stripped/IN: loaded serial 2000042408") + + # and check we can now resolve with the correct server address + msg = isctest.query.create("b.child.ds-rrsigs-stripped", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + # check recovery with mismatching NS + ns4.rndc("flush", log=False) + msg = isctest.query.create("inconsistent", "NS", dnssec=False, cd=True) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noadflag(res) + isctest.check.rr_count_eq(res.answer, 1) + 
isctest.check.rr_count_eq(res.additional, 1) + + msg = isctest.query.create("inconsistent", "NS", cd=True) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noadflag(res) + isctest.check.rr_count_eq(res.answer, 1) + isctest.check.rr_count_eq(res.additional, 1) + + msg = isctest.query.create("inconsistent", "NS") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.adflag(res) + isctest.check.rr_count_eq(res.answer, 3) + isctest.check.rr_count_eq(res.additional, 0) + + +def test_failed_validation(): + # bogus zone + msg = isctest.query.create("a.bogus.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.servfail(res) + + # missing key record + msg = isctest.query.create("a.b.keyless.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.servfail(res) + + +def test_revoked_key(): + # validation should succeed if a revoked key is encountered + msg = isctest.query.create("revkey.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + +def test_standby_key(): + # check that a secure chain with one active and one inactive KSK + # validates as secure + msg = isctest.query.create("a.lazy-ksk", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + +def test_transitions(): + # check that a zone finishing transitioning from one algorithm + # to another validates secure + msg = isctest.query.create("algroll", "NS") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + # check that validation yields insecure during transition to signed + msg = isctest.query.create("inprogress", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.noadflag(res) + a, _ = res.answer + assert str(a[0]) == "10.53.0.10" + + +def test_validating_forwarder(servers): + ns9 = servers["ns9"] + ns4 = servers["ns4"] + + # check validating 
forwarder behavior with mismatching NS + ns4.rndc("flush", log=False) + msg = isctest.query.create("inconsistent", "NS", dnssec=False, cd=True) + res = isctest.query.tcp(msg, "10.53.0.9") + isctest.check.noerror(res) + isctest.check.rr_count_eq(res.answer, 1) + isctest.check.rr_count_eq(res.additional, 0) + isctest.check.noadflag(res) + + msg = isctest.query.create("inconsistent", "NS", cd=True) + res = isctest.query.tcp(msg, "10.53.0.9") + isctest.check.rr_count_eq(res.additional, 0) + isctest.check.noadflag(res) + isctest.check.rr_count_eq(res.answer, 1) + isctest.check.rr_count_eq(res.authority, 0) + isctest.check.rr_count_eq(res.additional, 0) + + msg.flags &= ~flags.CD + res = isctest.query.tcp(msg, "10.53.0.9") + isctest.check.rr_count_eq(res.answer, 3) + isctest.check.rr_count_eq(res.authority, 0) + isctest.check.rr_count_eq(res.additional, 0) + isctest.check.adflag(res) + + # check validating forwarder sends CD to validate with a local trust anchor + ns4.rndc("flush", log=False) + msg = isctest.query.create("localkey.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.servfail(res) + + with ns9.watch_log_from_here() as watcher: + res = isctest.query.tcp(msg, "10.53.0.9") + isctest.check.noerror(res) + isctest.check.adflag(res) + watcher.wait_for_line("status: SERVFAIL") + + +def test_expired_signatures(servers): + # check expired signatures are still in place when updates are disabled + msg = isctest.query.create("expired.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.3") + soa, sigs = res.answer + assert sigs + + # check expired signatures do not validate + msg = isctest.query.create("expired.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.3") + rrsig = res.get_rrset( + res.answer, + name.from_text("expired.example."), + rdataclass.IN, + rdatatype.RRSIG, + rdatatype.SOA, + ) + assert rrsig, "expected RRSIG(SOA) missing from AUTHORITY: " + str(rrsig) + isctest.check.rr_count_eq(res.answer, 2) + res = 
isctest.query.tcp(msg, "10.53.0.4") + isctest.check.servfail(res) + isctest.check.noadflag(res) + if hasattr(res, "extended_errors"): + assert res.extended_errors()[0].code == edns.EDECode.SIGNATURE_EXPIRED + assert grep_q("expired.example/.*: RRSIG has expired", "ns4/named.run") + + # check future signatures do not validate + msg = isctest.query.create("future.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.servfail(res) + isctest.check.noadflag(res) + if hasattr(res, "extended_errors"): + assert res.extended_errors()[0].code == edns.EDECode.SIGNATURE_NOT_YET_VALID + assert grep_q( + "future.example/.*: RRSIG validity period has not begun", "ns4/named.run" + ) + + # check that a dynamic zone with future signatures is re-signed on load + msg = isctest.query.create("managed-future.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.adflag(res) + isctest.check.noerror(res) + + ns4 = servers["ns4"] + + # test TTL is capped at RRSIG expiry time + ns4.rndc("flush", log=False) + msg = isctest.query.create("expiring.example", "SOA", cd=True) + res1 = isctest.query.tcp(msg, "10.53.0.4") + msg = isctest.query.create("expiring.example", "SOA") + res2 = isctest.query.tcp(msg, "10.53.0.4") + for rrset in res1.answer: + assert rrset.ttl <= 3600 + for rrset in res2.answer: + assert rrset.ttl <= 60 + + # test TTL is capped at RRSIG expiry time in the additional section (NS) + ns4.rndc("flush", log=False) + msg = isctest.query.create("expiring.example", "NS", cd=True) + res1 = isctest.query.tcp(msg, "10.53.0.4") + msg = isctest.query.create("expiring.example", "NS") + res2 = isctest.query.tcp(msg, "10.53.0.4") + for rrset in res1.additional: + assert rrset.ttl <= 3600 + for rrset in res2.additional: + assert rrset.ttl <= 60 + + # test TTL is capped at RRSIG expiry time in the additional section (MX) + ns4.rndc("flush", log=False) + msg = isctest.query.create("expiring.example", "MX", cd=True) + res1 = isctest.query.tcp(msg, 
"10.53.0.4") + msg = isctest.query.create("expiring.example", "MX") + res2 = isctest.query.tcp(msg, "10.53.0.4") + for rrset in res1.additional: + assert rrset.ttl <= 3600 + for rrset in res2.additional: + assert rrset.ttl <= 60 + + +def test_accept_expired(servers, templates): + ns4 = servers["ns4"] + templates.render("ns4/named.conf", {"accept_expired": True}) + ns4.reconfigure(log=False) + + # test TTL of about-to-expire rrsets with accept-expired + ns4.rndc("flush", log=False) + msg = isctest.query.create("expiring.example", "SOA") + msg.flags |= flags.CD + res1 = isctest.query.tcp(msg, "10.53.0.4") + msg = isctest.query.create("expiring.example", "SOA") + res2 = isctest.query.tcp(msg, "10.53.0.4") + for rrset in res1.answer: + assert rrset.ttl <= 3600 + for rrset in res2.answer: + assert rrset.ttl <= 120 + + # test TTL is capped at RRSIG expiry time in the additional section + # with accept-expired + ns4.rndc("flush", log=False) + msg = isctest.query.create("expiring.example", "MX") + msg.flags |= flags.CD + res1 = isctest.query.tcp(msg, "10.53.0.4") + msg = isctest.query.create("expiring.example", "MX") + res2 = isctest.query.tcp(msg, "10.53.0.4") + for rrset in res1.additional: + assert rrset.ttl <= 3600 + for rrset in res2.additional: + assert rrset.ttl <= 120 + + # test TTL of expired rrsets with accept-expired + ns4.rndc("flush", log=False) + msg = isctest.query.create("expired.example", "SOA") + msg.flags |= flags.CD + res1 = isctest.query.tcp(msg, "10.53.0.4") + msg = isctest.query.create("expired.example", "SOA") + res2 = isctest.query.tcp(msg, "10.53.0.4") + for rrset in res1.additional: + assert rrset.ttl <= 3600 + for rrset in res2.additional: + assert rrset.ttl <= 120 + + +def test_casing(): + # test legacy upper-case signer name validation + msg = isctest.query.create("upper.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.adflag(res) + _, sig = res.answer + assert sig.rdtype == rdatatype.RRSIG + assert sig.covers == 
rdatatype.SOA + assert "UPPER.EXAMPLE." in str(sig[0]) + + # test that we lower-case signer name + msg = isctest.query.create("LOWER.EXAMPLE", "SOA") + res = isctest.query.tcp(msg, "10.53.0.4") + _, sig = res.answer + assert sig.rdtype == rdatatype.RRSIG + assert sig.covers == rdatatype.SOA + assert "lower.example." in str(sig[0]) + + +def test_broken_servers(): + # check that a non-cacheable NODATA works + msg = isctest.query.create("a.nosoa.secure.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.6") + isctest.check.rr_count_eq(res1.authority, 0) + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res2) + + # check that a non-cacheable NXDOMAIN works + msg = isctest.query.create("b.nosoa.secure.example", "TXT") + res1 = isctest.query.tcp(msg, "10.53.0.6") + isctest.check.rr_count_eq(res1.authority, 0) + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res2) + + # check that split RRSIGs are handled + msg = isctest.query.create("split-rrsig", "SOA") + res = isctest.query.tcp(msg, "10.53.0.6") + soa, _ = res.answer + assert soa[0].serial > 1 + + # check that not-at-zone-apex RRSIG(SOA) rrsets are removed + msg = isctest.query.create("split-rrsig", "AXFR") + res = isctest.query.tcp(msg, "10.53.0.6") + + nza = [ + r + for r in res.answer + if str(r.name) == "not-at-zone-apex.split-rrsig." 
+ and r.rdtype == rdatatype.RRSIG + and r.covers == rdatatype.SOA + ] + assert not nza + + # check validation with missing nearest encloser proof + msg = isctest.query.create("b.c.d.optout-tld", "DS") + res = isctest.query.tcp(msg, "10.53.0.6") + nsec3s = [a for a in res.authority if a.rdtype == rdatatype.NSEC3] + assert len(nsec3s) == 2 + + msg = isctest.query.create("b.c.d.optout-tld", "A") + res = isctest.query.tcp(msg, "10.53.0.6") + nsec3s = [a for a in res.authority if a.rdtype == rdatatype.NSEC3] + assert len(nsec3s) == 1 + + res = isctest.query.tcp(msg, "10.53.0.6") + isctest.check.noerror(res) + isctest.check.noadflag(res) + msg = isctest.query.create("optout-tld", "SOA") + res = isctest.query.tcp(msg, "10.53.0.6") + isctest.check.noadflag(res) + + +def test_pending_ds(): + # check that a query against a validating resolver succeeds when there is + # a negative cache entry with trust level "pending" for the DS. prime + # with a +cd DS query to produce the negative cache entry, then send a + # query that uses that entry as part of the validation process. + ns4.rndc("flush", log=False) + msg = isctest.query.create("insecure.example", "DS", cd=True) + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.rr_count_eq(res.authority, 4) + msg = isctest.query.create("a.insecure.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.rr_count_eq(res.answer, 1) + isctest.check.rr_count_eq(res.authority, 1) + isctest.check.noadflag(res) + + +def test_trust_anchors(servers, templates): + # DNSSEC tests related to unsupported, disabled and revoked trust anchors. + # + # This nameserver is loaded with a bunch of trust anchors. + # Some of them are good (enabled.managed, enabled.trusted, + # secure.managed, secure.trusted), and some of them are bad + # (disabled.managed, revoked.managed, unsupported.managed, + # disabled.trusted, revoked.trusted, unsupported.trusted). 
Make sure + # that the bad trust anchors are ignored. This is tested by looking + # for the corresponding lines in the logfile. + ns5 = servers["ns5"] + templates.render("ns5/named.conf", {"many_anchors": True}) + ns5.reconfigure(log=False) + + # check that keys with unsupported/disabled algorithms are ignored + grep_q( + "ignoring static-key for 'disabled.trusted.': algorithm is disabled", + "ns5/named.run", + ) + grep_q( + "ignoring static-key for 'disabled.managed.': algorithm is disabled", + "ns5/named.run", + ) + grep_q( + "ignoring static-key for 'unsupported.trusted.': algorithm is unsupported", + "ns5/named.run", + ) + grep_q( + "ignoring static-key for 'unsupported.managed.': algorithm is unsupported", + "ns5/named.run", + ) + grep_q("ignoring static-key for 'revoked.trusted.': bad key type", "ns5/named.run") + grep_q("ignoring static-key for 'revoked.managed.': bad key type", "ns5/named.run") + + # check that a key with supported algorithm validates as secure + msg = isctest.query.create("a.secure.trusted", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + if hasattr(res2, "extended_errors"): + assert not res2.extended_errors() + + msg = isctest.query.create("a.secure.managed", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + if hasattr(res2, "extended_errors"): + assert not res2.extended_errors() + + # check that an unsupported signing algorithm yields insecure + msg = isctest.query.create("a.unsupported.trusted", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + if hasattr(res2, "extended_errors"): + assert ( + res2.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM + ) + 
isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + msg = isctest.query.create("a.unsupported.managed", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + if hasattr(res2, "extended_errors"): + assert ( + res2.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM + ) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # check that a disabled signing algorithm yields insecure + msg = isctest.query.create("a.disabled.trusted", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + msg = isctest.query.create("a.disabled.managed", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # check that zone signed with an algorithm that's disabled for + # some other domain, but not for this one, validates as secure. + # "enabled.trusted." and "enabled.managed." do not match the + # "disable-algorithms" option, so no special rules apply. (static) + msg = isctest.query.create("a.enabled.trusted", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + msg = isctest.query.create("a.enabled.managed", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + # a revoked trust anchor is ignored when configured; check that + # this yields insecure. 
+ msg = isctest.query.create("a.revoked.trusted", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + msg = isctest.query.create("a.revoked.managed", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + +def test_unknown_algorithms(): + # check that unknown DNSKEY algorithm validates as insecure + msg = isctest.query.create("dnskey-unknown.example", "A", dnssec=False) + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # check that unsupported DNSKEY algorithms are in the DNSKEY RRsets + msg = isctest.query.create("dnskey-unsupported.example", "DNSKEY") + res = isctest.query.tcp(msg, "10.53.0.3") + isctest.check.noerror(res) + + msg = isctest.query.create("dnskey-unsupported-2.example", "DNSKEY") + res = isctest.query.tcp(msg, "10.53.0.3") + isctest.check.noerror(res) + rrsets = [str(r) for r in res.answer] + assert any("257 3 255" in r for r in rrsets) + + # check that unsupported DNSKEY algorithm validates as insecure + msg = isctest.query.create("dnskey-unsupported.example", "DNSKEY") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.noadflag(res) + if hasattr(res, "extended_errors"): + assert ( + res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM + ) + + # check that DNSKEY with an unsupported reserve key validates + msg = isctest.query.create("dnskey-unsupported-2.example", "DNSKEY") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + # check EDE code 2 for unsupported DS digest algorithm + msg = isctest.query.create("a.ds-unsupported.example", 
"A") + res = isctest.query.tcp(msg, "10.53.0.4") + if hasattr(res, "extended_errors"): + assert res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DS_DIGEST_TYPE + + # check EDE code 1 for bad algorithm mnemonic + msg = isctest.query.create("badalg.secure.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noadflag(res) + if hasattr(res, "extended_errors"): + assert ( + res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM + ) + + # check both EDE code 1 and 2 for unsupported digest on one DNSKEY + # and unsupported algorithm on the other + msg = isctest.query.create("a.digest-alg-unsupported.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noadflag(res) + if hasattr(res, "extended_errors"): + codes = {ede.code for ede in res.extended_errors()} + assert edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM in codes + assert edns.EDECode.UNSUPPORTED_DS_DIGEST_TYPE in codes + + # check that unknown DNSKEY algorithm + unknown NSEC3 hash algorithm + # validates as insecure + msg = isctest.query.create("dnskey-nsec3-unknown.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + +################################### +##### BEGIN MANAGED KEY TESTS ##### +################################### +def test_switch_managed(servers, templates): + # switch to intializing trust anchor instead of static + ns4 = servers["ns4"] + assert os.path.exists("ns4/managed-keys.bind.jnl") is False + shutil.copyfile("ns4/managed-keys.bind.in", "ns4/managed-keys.bind") + templates.render("ns4/named.conf", {"managed_key": True}) + ns4.reconfigure(log=False) + + +def test_secure_root_managed(servers): + # check that a query for a secure root validates + msg = isctest.query.create(".", "KEY") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + 
# check that "rndc secroots" dumps the trusted keys + ns4 = servers["ns4"] + key = int(getfrom("ns1/managed.key.id")) + alg = os.environ["DEFAULT_ALGORITHM"] + expected = f"./{alg}/{key} ; managed" + response = ns4.rndc("secroots -", log=False).splitlines() + assert expected in response + assert len(response) == 10 + + +def test_positive_validation_nsec_managed(): + msg = isctest.query.create("a.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + +def test_positive_validation_nsec3_managed(): + msg = isctest.query.create("a.nsec3.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + +def test_positive_validation_optout_managed(): + msg = isctest.query.create("a.optout.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + +def test_negative_validation_nsec_managed(): + # nxdomain + msg = isctest.query.create("q.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.adflag(res2) + + +def test_ds_managed(): + # check root DS queries validate + msg = isctest.query.create(".", "DS") + res1 = isctest.query.tcp(msg, "10.53.0.1") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.adflag(res2) + isctest.check.noerror(res2) + + # check DS queries succeed at RFC 1918 empty zone + msg = isctest.query.create("10.in-addr.arpa", "DS") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.noerror(res2) + + +def 
test_keydata_storage(servers):
+ ns4 = servers["ns4"]
+ ns4.rndc("managed-keys sync", log=False)
+ with isctest.log.WatchLogFromStart("ns4/managed-keys.bind") as watcher:
+ watcher.wait_for_line(["KEYDATA", "next refresh:"])
+
+
+############################################
+##### BEGIN MULTIVIEW VALIDATION TESTS #####
+############################################
+def test_insecure_staticstub_delegation(servers, templates):
+ ns4 = servers["ns4"]
+ templates.render("ns4/named.conf", {"multi_view": True})
+ ns4.reconfigure(log=False)
+
+ # check insecure delegation between static-stub zones
+ msg = isctest.query.create("insecure.secure.example", "NS")
+ for _ in range(5):
+ res = isctest.query.tcp(msg, "10.53.0.4")
+ if res.rcode() == rcode.SERVFAIL:
+ time.sleep(1)
+ continue
+ isctest.check.noerror(res)
+
+ msg = isctest.query.create("secure.example", "NS")
+ for _ in range(5):
+ res = isctest.query.tcp(msg, "10.53.0.4")
+ if res.rcode() == rcode.SERVFAIL:
+ time.sleep(1)
+ continue
+ isctest.check.noerror(res)
diff --git a/bin/tests/system/isctest/mark.py b/bin/tests/system/isctest/mark.py
index 0961d9bb14..97a03d217a 100644
--- a/bin/tests/system/isctest/mark.py
+++ b/bin/tests/system/isctest/mark.py
@@ -42,6 +42,15 @@ def feature_test(feature):
 return True
+rsasha1 = pytest.mark.skipif(not feature_test("--rsasha1"), reason="RSASHA1 disabled")
+
+
+extended_ds_digest = pytest.mark.skipif(
+ not feature_test("--extended-ds-digest"),
+ reason="extended DS digest algorithms disabled",
+)
+
+
 def is_host_freebsd_13(*_):
 return platform.system() == "FreeBSD" and platform.release().startswith("13")
diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
index a82bc98f22..79757fc0a7 100755
--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
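Review bot: The new `rsasha1` and `extended_ds_digest` markers carry no comment saying what `--rsasha1` and `--extended-ds-digest` are, and nothing in this hunk shows whether `feature_test()` reports a build-time option or the crypto provider's runtime policy (only its trailing `return True` is visible), which is the difference between "compiled out" and "disabled on this host" when a test ends up skipped. A comment above `rsasha1` such as `# skip markers for optional crypto features; feature_test() is called once at import, so these reflect the named build under test rather than per-test state` would settle it. Both markers are computed at module import rather than lazily, which is fine for pytest skipif but worth stating, since the neighbouring `is_host_freebsd_13(*_)` helper is a callable evaluated later instead.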
@@ -264,8 +264,8 @@ sub construct_ns_command {
 foreach my $t_option(
 "dropedns", "ednsformerr", "ednsnotimp", "ednsrefused",
- "cookiealwaysvalid", "noaa", "noedns", "nosoa",
- "maxudp512", "maxudp1460",
+ "cookiealwaysvalid", "noaa", "noedns", "nonearest",
+ "nosoa", "maxudp512", "maxudp1460",
 "tat=1", "tat=3"
 ) {
 if (-e "$testdir/$server/named.$t_option") {
 $command .= "-T $t_option "
From 4bd0213fe77977752f4261fa9170dd6e13fc4426 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 2 Jul 2025 01:06:19 -0700
Subject: [PATCH 07/14] convert dnssec signing tests to python

the shell tests that queried servers to check correct signing behavior (using dnssec-signzone, dnssec-policy and nsupdate), as well as "rndc signing", private-type records, rndc zonestatus, offline keys, etc, have been moved to tests_signing.py. the minimal update test in the dnssec_update_test.pl script was also moved here and the perl script has been removed.
---
 bin/tests/system/dnssec/dnssec_update_test.pl | 99 ---
 bin/tests/system/dnssec/ns2/named.conf.j2 | 2 +-
 bin/tests/system/dnssec/ns2/sign.sh | 1 -
 bin/tests/system/dnssec/tests.sh | 738 ------------------
 bin/tests/system/dnssec/tests_sh_dnssec.py | 1 +
 bin/tests/system/dnssec/tests_signing.py | 613 +++++++++++++++
 bin/tests/system/dnssec/tests_validation.py | 6 -
 7 files changed, 615 insertions(+), 845 deletions(-)
 delete mode 100644 bin/tests/system/dnssec/dnssec_update_test.pl
 create mode 100644 bin/tests/system/dnssec/tests_signing.py
diff --git a/bin/tests/system/dnssec/dnssec_update_test.pl b/bin/tests/system/dnssec/dnssec_update_test.pl
deleted file mode 100644
index a06c563e3c..0000000000
--- a/bin/tests/system/dnssec/dnssec_update_test.pl
+++ /dev/null
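Review bot: `nonearest` joins the `-T` option list without a comment on what it asks named to do, and its consumer is not in this hunk; from the name and from the "missing nearest encloser proof" queries against 10.53.0.6 in the tests_validation.py hunk earlier in this patch it presumably makes a test server omit that proof, but a reader of start.pl cannot confirm this here. Since an option is only passed when `ns<N>/named.<option>` exists (the `-e "$testdir/$server/named.$t_option"` test just below), a one-line comment above the `foreach`, e.g. `# -T test options, enabled per server by creating named.<option> in its directory (nonearest: see the dnssec test)`, would save the next person a grep. The body of `construct_ns_command` continues outside the hunk.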
@@ -1,99 +0,0 @@
-#!/usr/bin/perl
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-#
-# DNSSEC Dynamic update test suite.
-#
-# Usage:
-#
-# perl update_test.pl [-s server] [-p port] zone
-#
-# The server defaults to 127.0.0.1.
-# The port defaults to 53.
-#
-# Installation notes:
-#
-# This program uses the Net::DNS::Resolver module.
-# You can install it by saying
-#
-# perl -MCPAN -e "install Net::DNS"
-#
-
-use Getopt::Std;
-use Net::DNS;
-use Net::DNS::Update;
-use Net::DNS::Resolver;
-
-$opt_s = "127.0.0.1";
-$opt_p = 53;
-
-getopt('s:p:');
-
-$res = new Net::DNS::Resolver;
-$res->nameservers($opt_s);
-$res->port($opt_p);
-$res->defnames(0); # Do not append default domain.
-
-@ARGV == 1 or die
- "usage: perl update_test.pl [-s server] [-p port] zone\n";
-
-$zone = shift @ARGV;
-
-my $failures = 0;
-
-sub assert {
- my ($cond, $explanation) = @_;
- if (!$cond) {
- print "Test Failed: $explanation ***\n";
- $failures++
- }
-}
-
-sub test {
- my ($expected, @records) = @_;
-
- my $update = new Net::DNS::Update("$zone");
-
- foreach $rec (@records) {
- $update->push(@$rec);
- }
-
- $reply = $res->send($update);
-
- # Did it work?
- if (defined $reply) {
- my $rcode = $reply->header->rcode;
- assert($rcode eq $expected, "expected $expected, got $rcode");
- } else {
- print "Update failed: ", $res->errorstring, "\n";
- }
-}
-
-sub section {
- my ($msg) = @_;
- print "$msg\n";
-}
-
-section("Add a name");
-test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.49")]);
-
-section("Delete the name");
-test("NOERROR", ["update", rr_del("a.$zone")]);
-
-if ($failures) {
- print "$failures update tests failed.\n";
-} else {
- print "All update tests successful.\n";
-}
-
-exit $failures;
diff --git a/bin/tests/system/dnssec/ns2/named.conf.j2 b/bin/tests/system/dnssec/ns2/named.conf.j2
index da6df5d5fb..093aba3120 100644
--- a/bin/tests/system/dnssec/ns2/named.conf.j2
+++ b/bin/tests/system/dnssec/ns2/named.conf.j2
@@ -185,7 +185,7 @@ zone "cdnskey-auto.secure" {
 zone "updatecheck-kskonly.secure" {
 type primary;
- file "updatecheck-kskonly.secure.db.signed";
+ file "updatecheck-kskonly.secure.db";
 dnssec-policy kskonly;
 allow-update { any; };
 };
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 2658fd10b3..ca824a2ad3 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -297,7 +297,6 @@ $SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -r OMNIPRESENT now -d RUMOURED now
 $SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -z OMNIPRESENT now $key2 >settime.out.$zone.zsk 2>&1
 # Don't sign, let dnssec-policy maintain do it.
 cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
-mv $zonefile "$zonefile.signed"
 zone=hours-vs-days
 infile=hours-vs-days.db.in
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 2b4f9c864a..89fcf1c6ab 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -19,62 +19,10 @@ set -e status=0 n=1 -rm -f dig.out.* - -dig_with_opts() { - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" -} - -dig_with_answeropts() { - "$DIG" +noall +answer +dnssec -p "$PORT" "$@" -} - delv_with_opts() { "$DELV" -a ns1/trusted.conf -p "$PORT" "$@" } -rndccmd() { - "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" -} - -# TODO: Move loadkeys_on to conf.sh.common -dnssec_loadkeys_on() { - nsidx=$1 - zone=$2 - nextpart ns${nsidx}/named.run >/dev/null - rndccmd 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i - wait_for_log 20 "next key event" ns${nsidx}/named.run || return 1 -} - -# convert private-type records to readable form -showprivate() { - echo "-- $* --" - dig_with_opts +nodnssec +short "@$2" -t type65534 "$1" >dig.out.$1.test$n - cut -f3 -d' ' /dev/null; then - echo_i "running DNSSEC update test" - ret=0 - { - output=$($PERL dnssec_update_test.pl -s 10.53.0.3 -p "$PORT" dynamic.example.) - rc=$? - } || true - test "$rc" -eq 0 || ret=1 - echo "$output" | cat_i - [ $ret -eq 1 ] && status=1 -else - echo_i "The DNSSEC update test requires the Net::DNS library." >&2 -fi - -echo_i "checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)" -ret=0 -( - kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example) - ( - echo zone update-nsec3.example - echo server 10.53.0.3 "$PORT" - grep DNSKEY "${kskname}.key" | sed -e 's/^/update add /' -e 's/IN/300 IN/' - echo send - ) | $NSUPDATE -) -dig_with_opts +dnssec a update-nsec3.example. 
@10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 -grep "NSEC3 1 0 0 - .*" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that signing records have been marked as complete ($n)" -ret=0 -checkprivate dynamic.example 10.53.0.3 || ret=1 -checkprivate auto-nsec3.example 10.53.0.3 || ret=1 -checkprivate expiring.example 10.53.0.3 || ret=1 -checkprivate auto-nsec.example 10.53.0.3 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that 'rndc signing' without arguments is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing >/dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that 'rndc signing -list' without zone is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -list >/dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that 'rndc signing -clear' without additional arguments is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -clear >/dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that 'rndc signing -clear all' without zone is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -clear all >/dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check rndc signing -list output ($n)" -ret=0 -{ rndccmd 10.53.0.3 signing -list dynamic.example >signing.out.dynamic.example; } 2>&1 -grep -q "No signing records found" signing.out.dynamic.example || { - ret=1 - sed 's/^/ns3 /' signing.out.dynamic.example 
| cat_i -} -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that a split dnssec dnssec-signzone work ($n)" -ret=0 -dig_with_opts soa split-dnssec.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that a smart split dnssec dnssec-signzone work ($n)" -ret=0 -dig_with_opts soa split-smart.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "testing soon-to-expire RRSIGs without a replacement private key ($n)" -ret=0 -dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG >dig.out.ns3.test$n 2>&1 -# there must be a signature here -[ -s dig.out.ns3.test$n ] || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that named doesn't loop when all private keys are not available ($n)" -ret=0 -lines=$(grep -c "reading private key file expiring.example" ns3/named.run || true) -test "${lines:-1000}" -lt 15 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check the correct resigning time is reported in zonestatus ($n)" -ret=0 -rndccmd 10.53.0.3 \ - zonestatus secure.example >rndc.out.ns3.test$n -# next resign node: secure.example/DNSKEY -qname=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,/.*,,') -qtype=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,.*/,,') -# next resign time: Thu, 24 Apr 2014 10:38:16 GMT -time=$(awk 'BEGIN { m["Jan"] = "01"; m["Feb"] 
= "02"; m["Mar"] = "03"; - m["Apr"] = "04"; m["May"] = "05"; m["Jun"] = "06"; - m["Jul"] = "07"; m["Aug"] = "08"; m["Sep"] = "09"; - m["Oct"] = "10"; m["Nov"] = "11"; m["Dec"] = "12";} - /next resign time:/ { printf "%d%s%02d%s\n", $7, m[$6], $5, $8 }' rndc.out.ns3.test$n | sed 's/://g') -dig_with_opts +noall +answer "$qname" "$qtype" @10.53.0.3 >dig.out.test$n -expire=$(awk '$4 == "RRSIG" { print $9 }' dig.out.test$n) -inception=$(awk '$4 == "RRSIG" { print $10 }' dig.out.test$n) -$PERL -e 'exit(0) if ("'"$time"'" lt "'"$expire"'" && "'"$time"'" gt "'"$inception"'"); exit(1);' || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that CDS records are signed using KSK by dnssec-signzone ($n)" -ret=0 -dig_with_opts +noall +answer @10.53.0.2 cds cds.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that CDS records are not signed using ZSK by dnssec-signzone -x ($n)" -ret=0 -dig_with_opts +noall +answer @10.53.0.2 cds cds-x.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that CDS records are signed using KSK by with dnssec-policy ($n)" -ret=0 -dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that a CDS deletion record is accepted ($n)" -ret=0 -( - echo zone cds-update.secure - echo server 10.53.0.2 "$PORT" - echo update delete cds-update.secure CDS - echo update add cds-update.secure 0 CDS 0 0 0 00 - echo send -) | $NSUPDATE >nsupdate.out.test$n 2>&1 
-dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n -lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) -test "${lines:-10}" -eq 1 || ret=1 -lines=$(awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that CDS records are signed only using KSK when added by nsupdate ($n)" -ret=0 -keyid=$(cat ns2/cds-update.secure.id) -( - echo zone cds-update.secure - echo server 10.53.0.2 "$PORT" - echo update delete cds-update.secure CDS - echo send - dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \ - | grep "DNSKEY.257" \ - | $DSFROMKEY -12 -C -f - -T 1 cds-update.secure \ - | sed "s/^/update add /" - echo send -) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that CDS deletion records are signed only using KSK when added by nsupdate ($n)" -ret=0 -keyid=$(cat ns2/cds-update.secure.id) -( - echo zone cds-update.secure - echo server 10.53.0.2 "$PORT" - echo update delete cds-update.secure CDS - echo update add cds-update.secure 0 CDS 0 0 0 00 - echo send -) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk 
'$4 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that a non matching CDS record is accepted with a matching CDS record ($n)" -ret=0 -( - echo zone cds-update.secure - echo server 10.53.0.2 "$PORT" - echo update delete cds-update.secure CDS - echo send - dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \ - | grep "DNSKEY.257" \ - | $DSFROMKEY -12 -C -f - -T 1 cds-update.secure \ - | sed "s/^/update add /" - dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \ - | grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' \ - | $DSFROMKEY -12 -C -A -f - -T 1 cds-update.secure \ - | sed "s/^/update add /" - echo send -) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 4 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that CDNSKEY records are signed using KSK by dnssec-signzone ($n)" -ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that CDNSKEY records are not signed using ZSK by dnssec-signzone -x ($n)" -ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-x.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + 
ret)) - -echo_i "check that CDNSKEY records are signed using KSK by with dnssec-auto ($n)" -ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# TODO: test case for GL #1689. -# If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5) -# we could write a test that signs a zone with supported and unsupported -# algorithm, apply a fixed rrset order such that the unsupported algorithm -# precedes the supported one in the DNSKEY RRset, and verify the result still -# validates succesfully. - -echo_i "check that a CDNSKEY deletion record is accepted ($n)" -ret=0 -( - echo zone cdnskey-update.secure - echo server 10.53.0.2 "$PORT" - echo update delete cdnskey-update.secure CDNSKEY - echo update add cdnskey-update.secure 0 CDNSKEY 0 3 0 AA== - echo send -) | $NSUPDATE >nsupdate.out.test$n 2>&1 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n -lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "${lines:-10}" -eq 1 || ret=1 -lines=$(awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' dig.out.test$n | wc -l) -test "${lines:-10}" -eq 1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that CDNSKEY records are signed using KSK only when added by nsupdate ($n)" -ret=0 -keyid=$(cat ns2/cdnskey-update.secure.id) -( - echo zone cdnskey-update.secure - echo server 10.53.0.2 "$PORT" - echo update delete cdnskey-update.secure CDNSKEY - dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \ - | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' - echo send -) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n -lines=$(awk '$4 == 
"RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)" -ret=0 -( - echo zone cdnskey-update.secure - echo server 10.53.0.2 "$PORT" - echo update delete cdnskey-update.secure CDNSKEY - dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \ - | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' - dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \ - | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p' - echo send -) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)" -ret=0 -dig_with_opts txt dname-at-apex-nsec3.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 -grep "RRSIG.NSEC3 $DEFAULT_ALGORITHM_NUMBER 3 600" dig.out.ns3.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "check that DNSKEY and other occluded data are excluded from the delegating bitmap ($n)" -ret=0 -dig_with_opts axfr occluded.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 -grep "^delegation.occluded.example..*NSEC.*NS KEY DS RRSIG NSEC$" dig.out.ns3.test$n >/dev/null || ret=1 -grep "^delegation.occluded.example..*DNSKEY.*" 
dig.out.ns3.test$n >/dev/null || ret=1 -grep "^delegation.occluded.example..*AAAA.*" dig.out.ns3.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking DNSSEC records are occluded from ANY in an insecure zone ($n)" -ret=0 -dig_with_opts any x.insecure.example. @10.53.0.3 >dig.out.ns3.1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.1.test$n >/dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns3.1.test$n >/dev/null || ret=1 -dig_with_opts any z.secure.example. @10.53.0.3 >dig.out.ns3.2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.2.test$n >/dev/null || ret=1 -# A+RRSIG, NSEC+RRSIG -grep "ANSWER: 4," dig.out.ns3.2.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -### -### Additional checks for when the KSK is offline. -### - -# Save some useful information -zone="updatecheck-kskonly.secure" -KSK=$(cat ns2/${zone}.ksk.key) -ZSK=$(cat ns2/${zone}.zsk.key) -KSK_ID=$(cat ns2/${zone}.ksk.id) -ZSK_ID=$(cat ns2/${zone}.zsk.id) -SECTIONS="+answer +noauthority +noadditional" -echo_i "testing zone $zone KSK=$KSK_ID ZSK=$ZSK_ID" - -# Set key state for KSK. The ZSK rollovers below assume that there is a chain -# of trust established, so we tell named that the DS is in omnipresent state. -$SETTIME -s -d OMNIPRESENT now -K ns2 $KSK >/dev/null - -# Print IDs of keys used for generating RRSIG records for RRsets of type $1 -# found in dig output file $2. -get_keys_which_signed() { - qtype=$1 - output=$2 - # The key ID is the 11th column of the RRSIG record line. - awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print $11}' <"$output" -} - -# Basic checks to make sure everything is fine before the KSK is made offline. 
-for qtype in "DNSKEY" "CDNSKEY" "CDS"; do - echo_i "checking $qtype RRset is signed with KSK only ($n)" - ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n - lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) - test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -done - -echo_i "checking SOA RRset is signed with ZSK only ($n)" -ret=0 -dig_with_opts $SECTIONS @10.53.0.2 soa $zone >dig.out.test$n -lines=$(get_keys_which_signed "SOA" dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -get_keys_which_signed "SOA" dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 -get_keys_which_signed "SOA" dig.out.test$n | grep "^$ZSK_ID$" >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Roll the ZSK. -zsk2=$("$KEYGEN" -q -P none -A none -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 "$zone") -keyfile_to_key_id "$zsk2" >ns2/$zone.zsk.id2 -ZSK_ID2=$(cat ns2/$zone.zsk.id2) -ret=0 -echo_i "prepublish new ZSK $ZSK_ID2 for $zone ($n)" -rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID $zone 2>&1 | sed 's/^/ns2 /' | cat_i -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -zsk_count_equals() { - expectedzsks=$1 - dig_with_opts @10.53.0.2 DNSKEY $zone >dig.out.test$n - lines=$(cat dig.out.test$n | grep "DNSKEY.*256 3 13" | wc -l) - test "$lines" -eq $expectedzsks || return 1 -} -echo_i "check DNSKEY RRset has successor ZSK $ZSK_ID2 ($n)" -ret=0 -# The expected number of ZSKs is 2. -retry_quiet 5 zsk_count_equals 2 || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Make new ZSK active. 
-echo_i "make ZSK $ZSK_ID inactive and make new ZSK $ZSK_ID2 active for zone $zone ($n)" -ret=0 -$SETTIME -s -I now -K ns2 $ZSK >/dev/null -$SETTIME -s -k OMNIPRESENT now -A now -K ns2 $zsk2 >/dev/null -dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Wait for newest ZSK to become active. -echo_i "wait until new ZSK $ZSK_ID2 active and ZSK $ZSK_ID inactive" -for i in 1 2 3 4 5 6 7 8 9 10; do - ret=0 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID2 (ZSK) is now active" ns2/named.run >/dev/null || ret=1 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID (ZSK) is now inactive" ns2/named.run >/dev/null || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Remove the KSK from disk. -echo_i "remove the KSK $KSK_ID for zone $zone from disk" -mv ns2/$KSK.key ns2/$KSK.key.bak -mv ns2/$KSK.private ns2/$KSK.private.bak - -# Update the zone that requires a resign of the SOA RRset. -echo_i "update the zone with $zone IN TXT nsupdate added me" -( - echo zone $zone - echo server 10.53.0.2 "$PORT" - echo update add $zone. 300 in txt "nsupdate added me" - echo send -) | $NSUPDATE - -# Redo the tests now that the zone is updated and the KSK is offline. 
-for qtype in "DNSKEY" "CDNSKEY" "CDS"; do - echo_i "checking $qtype RRset is signed with KSK only, KSK offline ($n)" - ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n - lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) - test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -done - -for qtype in "SOA" "TXT"; do - echo_i "checking $qtype RRset is signed with new ZSK $ZSK_ID2 only, KSK offline ($n)" - ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n - lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) - test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -done - -# Put back the KSK. -echo_i "put back the KSK $KSK_ID for zone $zone from disk" -mv ns2/$KSK.key.bak ns2/$KSK.key -mv ns2/$KSK.private.bak ns2/$KSK.private - -# Roll the ZSK again. 
-zsk3=$("$KEYGEN" -q -P none -A none -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 "$zone") -ret=0 -keyfile_to_key_id "$zsk3" >ns2/$zone.zsk.id3 -ZSK_ID3=$(cat ns2/$zone.zsk.id3) -echo_i "delete old ZSK $ZSK_ID, schedule ZSK $ZSK_ID2 inactive, and pre-publish ZSK $ZSK_ID3 for zone $zone ($n)" -$SETTIME -s -k HIDDEN now -z HIDDEN now -D now -K ns2 $ZSK >/dev/null -$SETTIME -s -k OMNIPRESENT now -z OMNIPRESENT now -K ns2 $zsk2 >/dev/null -dnssec_loadkeys_on 2 $zone || ret=1 -rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID2 $zone 2>&1 | sed 's/^/ns2 /' | cat_i -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Wait for newest ZSK to become published. -echo_i "wait until new ZSK $ZSK_ID3 published" -for i in 1 2 3 4 5 6 7 8 9 10; do - ret=0 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID3 (ZSK) is now published" ns2/named.run >/dev/null || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Remove the KSK from disk. -echo_i "remove the KSK $KSK_ID for zone $zone from disk" -mv ns2/$KSK.key ns2/$KSK.key.bak -mv ns2/$KSK.private ns2/$KSK.private.bak - -# Update the zone that requires a resign of the SOA RRset. -echo_i "update the zone with $zone IN TXT nsupdate added me again" -( - echo zone $zone - echo server 10.53.0.2 "$PORT" - echo update add $zone. 300 in txt "nsupdate added me again" - echo send -) | $NSUPDATE - -# Redo the tests now that the ZSK roll has deleted the old key. 
-for qtype in "DNSKEY" "CDNSKEY" "CDS"; do - echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted ($n)" - ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n - lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) - test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -done - -for qtype in "SOA" "TXT"; do - echo_i "checking $qtype RRset is signed with ZSK $ZSK_ID2 only, old ZSK deleted ($n)" - ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n - lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) - test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -done - -# Put back the KSK. -echo_i "put back the KSK $KSK_ID for zone $zone from disk" -mv ns2/$KSK.key.bak ns2/$KSK.key -mv ns2/$KSK.private.bak ns2/$KSK.private - -# Make the new ZSK (ZSK3) active. -echo_i "make new ZSK $ZSK_ID3 active for zone $zone ($n)" -ret=0 -$SETTIME -s -I now -K ns2 $zsk2 >/dev/null -$SETTIME -s -k OMNIPRESENT now -A now -K ns2 $zsk3 >/dev/null -dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Wait for newest ZSK to become active. 
-echo_i "wait until new ZSK $ZSK_ID3 active and ZSK $ZSK_ID2 inactive" -for i in 1 2 3 4 5 6 7 8 9 10; do - ret=0 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID3 (ZSK) is now active" ns2/named.run >/dev/null || ret=1 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID2 (ZSK) is now inactive" ns2/named.run >/dev/null || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 -done -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Remove the KSK from disk. -echo_i "remove the KSK $KSK_ID for zone $zone from disk" -mv ns2/$KSK.key ns2/$KSK.key.bak -mv ns2/$KSK.private ns2/$KSK.private.bak - -# Update the zone that requires a resign of the SOA RRset. -echo_i "update the zone with $zone IN TXT nsupdate added me one more time" -( - echo zone $zone - echo server 10.53.0.2 "$PORT" - echo update add $zone. 300 in txt "nsupdate added me one more time" - echo send -) | $NSUPDATE -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -# Redo the tests one more time. 
-for qtype in "DNSKEY" "CDNSKEY" "CDS"; do - echo_i "checking $qtype RRset is signed with KSK only, new ZSK active ($n)" - ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n - lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) - test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -done - -for qtype in "SOA" "TXT"; do - echo_i "checking $qtype RRset is signed with new ZSK $ZSK_ID3 only, new ZSK active ($n)" - ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n - lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) - test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -done - echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py index 9f9cc76bf6..8448082c8c 100644 --- a/bin/tests/system/dnssec/tests_sh_dnssec.py +++ b/bin/tests/system/dnssec/tests_sh_dnssec.py 
@@ -72,6 +72,7 @@ pytestmark = pytest.mark.extra_artifacts( "ns2/too-many-iterations.db", "ns2/inconsistent.db", "ns2/trusted.db", + "ns2/updatecheck-kskonly.secure.db", "ns2/updatecheck-kskonly.secure.ksk.id", "ns2/updatecheck-kskonly.secure.ksk.key", "ns2/updatecheck-kskonly.secure.zsk.id", diff --git a/bin/tests/system/dnssec/tests_signing.py b/bin/tests/system/dnssec/tests_signing.py new file mode 100644 index 0000000000..a5919e78d9 --- /dev/null +++ b/bin/tests/system/dnssec/tests_signing.py 
@@ -0,0 +1,613 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from collections import namedtuple +import os +import re +import struct +import time + +from dns import dnssec, name, rdataclass, rdatatype, update + +import pytest + +pytest.importorskip("dns", minversion="2.0.0") +import isctest + + +# helper functions +def grep_c(regex, filename): + with open(filename, "r", encoding="utf-8") as f: + blob = f.read().splitlines() + results = [x for x in blob if re.search(regex, x)] + return len(results) + + +# run dnssec-keygen +def keygen(*args): + keygen_cmd = [os.environ.get("KEYGEN")] + keygen_cmd.extend(args) + return isctest.run.cmd(keygen_cmd, log_stdout=True).stdout.decode("utf-8").strip() + + +# run dnssec-settime +def settime(*args): + settime_cmd = [os.environ.get("SETTIME")] + settime_cmd.extend(args) + return isctest.run.cmd(settime_cmd, log_stdout=True).stdout.decode("utf-8").strip() + + +@pytest.mark.parametrize( + "domain", + [ + "auto-nsec.example", + "auto-nsec3.example", + ], +) +def test_signing_complete(domain): + PrivateType = namedtuple("PrivateType", ["alg", "key", "rem", "complete"]) + + def convert_private(rdata) -> PrivateType: + length = len(rdata.to_wire()) + assert length in (5, 7) + if length == 7: + _, key, rem, complete, alg = struct.unpack(">BHBBH", rdata.to_wire()) + else: + alg, key, rem, complete = struct.unpack(">BHBB", rdata.to_wire()) + return PrivateType(alg, key, rem, complete) + + # query for a private type record, make sure it shows "complete" + def check_complete(): + msg = isctest.query.create(domain, 65534) + res = isctest.query.tcp(msg, "10.53.0.3") 
+ assert res.answer + for rdata in res.answer[0]: + record = convert_private(rdata) + assert record.complete + return True + + isctest.run.retry_with_timeout(check_complete, 10) + + +def test_split_dnssec(): + # check that split-dnssec signing worked (dnssec-signzone -D) + msg = isctest.query.create("split-dnssec.example.", "SOA") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.rr_count_eq(res2.answer, 2) + isctest.check.adflag(res2) + + # check that smart split-dnssec signing worked (dnssec-signzone -DS) + msg = isctest.query.create("split-smart.example.", "SOA") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.noerror(res2) + isctest.check.rr_count_eq(res2.answer, 2) + isctest.check.adflag(res2) + + +def test_expiring_rrsig(): + # check soon-to-expire RRSIGs without a replacement private + # key aren't deleted. 
this response has to have an RRSIG: + msg = isctest.query.create("expiring.example.", "NS") + res = isctest.query.tcp(msg, "10.53.0.3") + _, sigs = res.answer + assert sigs + + # check that named doesn't loop when private keys are not available + n = grep_c("reading private key file expiring.example", "ns3/named.run") + assert n < 15 + + # check expired signatures stay place when updates are disabled + msg = isctest.query.create("expired.example", "SOA") + res = isctest.query.tcp(msg, "10.53.0.3") + _, sigs = res.answer + assert sigs + + +def test_apex_signing(): + # check that DNAME at apex with NSEC3 is correctly signed + msg = isctest.query.create("dname-at-apex-nsec3.example.", "TXT") + res = isctest.query.tcp(msg, "10.53.0.3") + sigs = [str(a) for a in res.authority if a.rdtype == rdatatype.RRSIG] + alg = os.environ.get("DEFAULT_ALGORITHM_NUMBER") + assert any(f"NSEC3 {alg} 3 600" in a for a in sigs) + + +def test_occluded_data(): + # check that DNSKEY and other occluded data are excluded from + # a delegating bitmap + msg = isctest.query.create("occluded.example.", "AXFR") + res = isctest.query.tcp(msg, "10.53.0.3") + + n = "delegation.occluded.example." 
+ delegation = [r for r in res.answer if str(r.name) == n] + assert [r for r in delegation if r.rdtype == rdatatype.DNSKEY], str(delegation) + assert [r for r in delegation if r.rdtype == rdatatype.AAAA], str(delegation) + nsec = [r for r in delegation if r.rdtype == rdatatype.NSEC] + assert nsec, str(delegation) + assert "DNSKEY" not in str(nsec[0]), str(res) + assert "AAAA" not in str(nsec[0]), str(res) + + # check that DNSSEC records are occluded from ANY in an insecure zone + msg = isctest.query.create("x.extrakey.example.", "ANY") + res = isctest.query.tcp(msg, "10.53.0.3") + isctest.check.noerror(res) + isctest.check.empty_answer(res) + msg = isctest.query.create("z.secure.example.", "ANY") + res = isctest.query.tcp(msg, "10.53.0.3") + isctest.check.noerror(res) + isctest.check.rr_count_eq(res.answer, 4) # A+RRSIG, NSEC+RRSIG + + +def test_update_signing(): + # minimal update test: add and delete a single record + up = update.UpdateMessage("dynamic.example.") + up.add("a.dynamic.example.", 300, "A", "73.80.65.49") + res = isctest.query.tcp(up, "10.53.0.3") + isctest.check.noerror(res) + + up = update.UpdateMessage("dynamic.example.") + up.delete("a.dynamic.example.") + res = isctest.query.tcp(up, "10.53.0.3") + isctest.check.noerror(res) + + msg = isctest.query.create("a.dynamic.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res) + isctest.check.adflag(res) + + # check that the NSEC3 record for the apex is properly signed + # when a DNSKEY is added via UPDATE + key = keygen( + "-q3fk", "-a", os.environ["DEFAULT_ALGORITHM"], "update-nsec3.example." 
+ ) + + with open(f"{key}.key", "r", encoding="utf-8") as f: + dnskey = f.read().splitlines()[-1] + dnskey = " ".join(dnskey.split()[3:]) + + up = update.UpdateMessage("update-nsec3.example.") + up.add("update-nsec3.example.", 300, "DNSKEY", dnskey) + res = isctest.query.tcp(up, "10.53.0.3") + isctest.check.noerror(res) + + msg = isctest.query.create("update-nsec3.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + nsec3 = [str(a) for a in res.authority if a.rdtype == rdatatype.NSEC3] + assert any("1 0 0 -" in a for a in nsec3) + + +def test_cds_signing(): + # check that CDS records are signed using KSK+ZSK by dnssec-signzone + msg = isctest.query.create("cds.secure.", "CDS") + res = isctest.query.tcp(msg, "10.53.0.2") + cds, sigs = res.answer + assert len(sigs) == 2 + + # check that CDS records are not signed using ZSK by dnssec-signzone -x + msg = isctest.query.create("cds-x.secure.", "CDS") + res = isctest.query.tcp(msg, "10.53.0.2") + cds, sigs = res.answer + assert len(sigs) == 2 # there are two KSKs here + + # check that CDS records are signed using KSK by dnssec-policy + msg = isctest.query.create("cds-auto.secure.", "CDS") + res = isctest.query.tcp(msg, "10.53.0.2") + cds, sigs = res.answer + assert len(sigs) == 1 + + # check that CDS records are signed only using KSK when added by nsupdate + with open("ns2/cds-update.secure.id", encoding="utf-8") as f: + keyid = int(f.read().splitlines()[0]) + up = update.UpdateMessage("cds-update.secure.") + up.delete("cds-update.secure.", "CDS") + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + msg = isctest.query.create("cds-update.secure.", "DNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + isctest.check.noerror(res) + dnskeys, sigs = res.answer + ksk = [a for a in dnskeys if a.flags == 257][0] + ds = dnssec.make_ds("cds-update.secure.", ksk, 2) + up.add("cds-update.secure.", 1, "CDS", str(ds)) + res = isctest.query.tcp(up, 
"10.53.0.2") + isctest.check.noerror(res) + + msg = isctest.query.create("cds-update.secure.", "CDS") + res = isctest.query.tcp(msg, "10.53.0.2") + cds, sig = res.answer + assert len(cds) == 1 + assert len(sig) == 1 + assert sig[0].key_tag == keyid + + # check that CDS deletion records are signed only using KSK when + # added by nsupdate + up = update.UpdateMessage("cds-update.secure.") + up.delete("cds-update.secure.", "CDS") + up.add("cds-update.secure.", 0, "CDS", "0 0 0 00") + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + msg = isctest.query.create("cds-update.secure.", "CDS") + res = isctest.query.tcp(msg, "10.53.0.2") + cds, sig = res.answer + assert len(cds) == 1 + assert "0 0 0 00" in str(cds[0]) + assert len(sig) == 1 + assert sig[0].key_tag == keyid + + # check that a non-matching CDS record is accepted with a + # matching CDS record. first, generate a DNSKEY with different flags: + badksk = type(ksk)( + ksk.rdclass, ksk.rdtype, ksk.flags + 1, ksk.protocol, ksk.algorithm, ksk.key + ) + up = update.UpdateMessage("cds-update.secure.") + badds = dnssec.make_ds("cds-update.secure.", badksk, 2) + up.delete("cds-update.secure.", "CDS") + up.add("cds-update.secure.", 1, "CDS", str(ds)) + up.add("cds-update.secure.", 1, "CDS", str(badds)) + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + msg = isctest.query.create("cds-update.secure.", "CDS") + res = isctest.query.tcp(msg, "10.53.0.2") + cds, sig = res.answer + assert len(cds) == 2 + assert len(sig) == 1 + + +def test_cdnskey_signing(): + # check that CDNSKEY records are signed using KSK+ZSK by dnssec-signzone + msg = isctest.query.create("cdnskey.secure.", "CDNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + cdnskey, sigs = res.answer + assert len(sigs) == 2 + + # check that CDNSKEY records are not signed using ZSK by dnssec-signzone -x + msg = isctest.query.create("cdnskey-x.secure.", "CDNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + cdnskey, sigs 
= res.answer + assert len(sigs) == 2 # two KSKs here + + # check that CDNSKEY records are signed using KSK by dnssec-policy + msg = isctest.query.create("cdnskey-auto.secure.", "CDNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + cdnskey, sigs = res.answer + assert len(sigs) == 1 + + # check that CDNSKEY records are signed only using KSK + # when added by nsupdate + with open("ns2/cdnskey-update.secure.id", encoding="utf-8") as f: + keyid = int(f.read().splitlines()[0]) + up = update.UpdateMessage("cdnskey-update.secure.") + up.delete("cdnskey-update.secure.", "CDNSKEY") + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + msg = isctest.query.create("cdnskey-update.secure.", "DNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + isctest.check.noerror(res) + dnskeys, sigs = res.answer + ksk = [a for a in dnskeys if a.flags == 257][0] + up.add("cdnskey-update.secure.", 1, "CDNSKEY", str(ksk)) + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + msg = isctest.query.create("cdnskey-update.secure.", "CDNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + cdnskey, sig = res.answer + assert len(cdnskey) == 1 + assert len(sig) == 1 + assert sig[0].key_tag == keyid + + # check that CDNSKEY deletion records are signed only using KSK when + # added by nsupdate + up = update.UpdateMessage("cdnskey-update.secure.") + up.delete("cdnskey-update.secure.", "CDNSKEY") + up.add("cdnskey-update.secure.", 0, "CDNSKEY", "0 3 0 AA==") + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + msg = isctest.query.create("cdnskey-update.secure.", "CDNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + cdnskey, sig = res.answer + assert len(cdnskey) == 1 + assert "0 3 0 AA==" in str(cdnskey[0]) + assert len(sig) == 1 + assert sig[0].key_tag == keyid + + # check that a non-matching CDNSKEY record is accepted with a + # matching CDNSKEY record. 
first, generate a DNSKEY with different flags: + badksk = type(ksk)( + ksk.rdclass, ksk.rdtype, ksk.flags + 1, ksk.protocol, ksk.algorithm, ksk.key + ) + up = update.UpdateMessage("cdnskey-update.secure.") + up.delete("cdnskey-update.secure.", "CDNSKEY") + up.add("cdnskey-update.secure.", 1, "CDNSKEY", str(ksk)) + up.add("cdnskey-update.secure.", 1, "CDNSKEY", str(badksk)) + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + msg = isctest.query.create("cdnskey-update.secure.", "CDNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + cdnskey, sig = res.answer + assert len(cdnskey) == 2 + assert len(sig) == 1 + + +@pytest.mark.parametrize( + "cmd", + [ + "signing", # without arguments + "signing -list", # without zone + "signing -clear", # without zone + "signing -clear all", # without zone + ], +) +def test_rndc_signing_except(cmd, servers): + ns3 = servers["ns3"] + + # check that 'rndc signing' errors are handled + with pytest.raises(isctest.rndc.RNDCException): + ns3.rndc(cmd, log=False) + ns3.rndc("status", log=False) + + +def test_rndc_signing_output(servers): + ns3 = servers["ns3"] + + response = ns3.rndc("signing -list dynamic.example", log=False) + assert "No signing records found" in response + + +def test_zonestatus_signing(servers): + ns3 = servers["ns3"] + # check that the correct resigning time is reported in zonestatus. + # zonestatus reports a name/type and expecting resigning time; + # we convert the time to seconds since epoch, look up the RRSIG + # for the name and type, and check that the resigning time is + # after the inception and before the expiration. 
+ + response = ns3.rndc("zonestatus secure.example", log=False) + + # next resign node: secure.example/DNSKEY + nrn = [r for r in response.splitlines() if "next resign node" in r][0] + rdname, rdtype = nrn.split()[3].split("/") + + # next resign time: Thu, 24 Apr 2014 10:38:16 GMT + nrt = [r for r in response.splitlines() if "next resign time" in r][0] + rtime = " ".join(nrt.split()[3:]) + rt = time.strptime(rtime, "%a, %d %b %Y %H:%M:%S %Z") + when = int(time.strftime("%s", rt)) + + msg = isctest.query.create(rdname, rdtype) + res = isctest.query.tcp(msg, "10.53.0.3") + _, sigs = res.answer + assert sigs[0].inception < when + assert when < sigs[0].expiration + + +def test_offline_ksk_signing(servers): + def getfrom(file): + with open(file, encoding="utf-8") as f: + return f.read().strip() + + def getkeyid(key: str): + m = re.match(r"K.*\+\d*\+(\d*)", key) + return int(m.group(1)) + + def check_signing_keys(types: list[str], expect: list[str], prohibit: list[str]): + for qtype in types: + isctest.log.debug(f"checking signing keys for {qtype}") + msg = isctest.query.create(zone, qtype) + res = isctest.query.tcp(msg, "10.53.0.2") + assert res.answer, str(res) + rrset = res.get_rrset( + res.answer, + name.from_text(f"{zone}."), + rdataclass.IN, + rdatatype.RRSIG, + rdatatype.RdataType.make(qtype), + ) + assert rrset, f"expected RRSIG({qtype}) missing from ANSWER" + str(res) + keys = {rr.key_tag for rr in rrset} + assert len(keys) == 1, str(res) + for exp in expect: + assert exp in keys + for proh in prohibit: + assert proh not in keys + return True + + def check_zskcount(): + msg = isctest.query.create(zone, "DNSKEY") + res = isctest.query.tcp(msg, "10.53.0.2") + dnskeys, _ = res.answer + zskcount = len([rr for rr in dnskeys if rr.flags == 256]) + assert zskcount == 2, str(res) + return True + + def ksk_remove(): + isctest.log.info("remove the KSK from disk") + os.rename(f"ns2/{KSK}.key", f"ns2/{KSK}.key.bak") + os.rename(f"ns2/{KSK}.private", 
f"ns2/{KSK}.private.bak") + + def ksk_recover(): + isctest.log.info("put back the KSK") + os.rename(f"ns2/{KSK}.key.bak", f"ns2/{KSK}.key") + os.rename(f"ns2/{KSK}.private.bak", f"ns2/{KSK}.private") + + def loadkeys(): + pattern = re.compile(f"{zone}/IN.*next key event") + with ns2.watch_log_from_here() as watcher: + ns2.rndc(f"loadkeys {zone}", log=False) + watcher.wait_for_line(pattern) + + ksk_only_types = ["DNSKEY", "CDNSKEY", "CDS"] + + ns2 = servers["ns2"] + zone = "updatecheck-kskonly.secure" + KSK = getfrom(f"ns2/{zone}.ksk.key") + ZSK = getfrom(f"ns2/{zone}.zsk.key") + KSKID = int(getfrom(f"ns2/{zone}.ksk.id")) + ZSKID = int(getfrom(f"ns2/{zone}.zsk.id")) + + # set key state for KSK. the ZSK rollovers below assume that there is a + # chain of trust established, so we tell named that the DS is in + # omnipresent state. + settime("-s", "-d", "OMNIPRESENT", "now", "-Kns2", KSK) + + isctest.log.info("check state before KSK is made offline") + isctest.log.info("make sure certain types are signed with KSK only") + check_signing_keys(ksk_only_types, expect=[KSKID], prohibit=[ZSKID]) + + isctest.log.info("check SOA is signed with ZSK only") + check_signing_keys(["SOA"], expect=[ZSKID], prohibit=[KSKID]) + + isctest.log.info("roll the ZSK") + ZSK2 = keygen( + "-qKns2", + "-Pnone", + "-Anone", + "-a", + os.environ["DEFAULT_ALGORITHM"], + "-b", + os.environ["DEFAULT_BITS"], + zone, + ) + ZSKID2 = getkeyid(ZSK2) + + isctest.log.info("prepublish new ZSK") + ns2.rndc(f"dnssec -rollover -key {ZSKID} {zone}", log=False) + isctest.run.retry_with_timeout(check_zskcount, 5) + + isctest.log.info("make the new ZSK active") + settime("-sKns2", "-Inow", ZSK) + settime("-sKns2", "-Anow", "-k", "OMNIPRESENT", "now", ZSK2) + loadkeys() + + with ns2.watch_log_from_start() as watcher: + watcher.wait_for_line( + [f"{ZSKID2} (ZSK) is now active", f"{ZSKID} (ZSK) is now inactive"] + ) + + ksk_remove() + + isctest.log.info("update the zone, requiring a resign of the SOA RRset") + up = 
update.UpdateMessage(f"{zone}.") + up.add(f"{zone}.", 300, "TXT", "added by UPDATE") + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + isctest.log.info( + "redo the tests now that the zone is updated and the KSK is offline" + ) + isctest.log.info("make sure certain types are signed with KSK only") + check_signing_keys(ksk_only_types, expect=[KSKID], prohibit=[ZSKID, ZSKID2]) + + isctest.log.info("check TXT, SOA are signed with ZSK2 only") + + def check_txt_soa_zsk2(): + return check_signing_keys( + ["TXT", "SOA"], expect=[ZSKID2], prohibit=[KSKID, ZSKID] + ) + + isctest.run.retry_with_timeout(check_txt_soa_zsk2, 5) + + ksk_recover() + + isctest.log.info("roll the ZSK again") + ZSK3 = keygen( + "-qKns2", + "-Pnone", + "-Anone", + "-a", + os.environ["DEFAULT_ALGORITHM"], + "-b", + os.environ["DEFAULT_BITS"], + zone, + ) + ZSKID3 = getkeyid(ZSK3) + + isctest.log.info("delete old ZSK, schedule ZSK2 inactive, pre-publish ZSK3") + settime("-sKns2", "-k", "HIDDEN", "now", "-z", "HIDDEN", "now", "-Dnow", ZSK) + settime("-sKns2", "-k", "OMNIPRESENT", "now", "-z", "OMNIPRESENT", "now", ZSK2) + loadkeys() + ns2.rndc(f"dnssec -rollover -key {ZSKID2} {zone}", log=False) + + with ns2.watch_log_from_start() as watcher: + watcher.wait_for_line(f"{ZSKID3} (ZSK) is now published") + + ksk_remove() + + isctest.log.info("update the zone again, requiring a resign of the SOA RRset") + up = update.UpdateMessage(f"{zone}.") + up.add(f"{zone}.", 300, "TXT", "added by UPDATE again") + up.add(f"{zone}.", 300, "A", "1.2.3.4") + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + isctest.log.info("redo the tests now that the ZSK roll has deleted the old key") + + isctest.log.info("make sure certain types are signed with KSK only") + check_signing_keys(ksk_only_types, expect=[KSKID], prohibit=[ZSKID, ZSKID2, ZSKID3]) + + isctest.log.info("check A, TXT, SOA are signed with ZSK2 only") + + def check_a_txt_soa_zsk2(): + return check_signing_keys( + 
["A", "TXT", "SOA"], expect=[ZSKID2], prohibit=[KSKID, ZSKID, ZSKID3] + ) + + isctest.run.retry_with_timeout(check_a_txt_soa_zsk2, 5) + + ksk_recover() + + isctest.log.info("make ZSK3 active") + settime("-sKns2", "-Inow", ZSK2) + settime("-sKns2", "-k", "OMNIPRESENT", "now", "-Anow", ZSK3) + loadkeys() + + with ns2.watch_log_from_start() as watcher: + watcher.wait_for_line( + [f"{ZSKID3} (ZSK) is now active", f"{ZSKID2} (ZSK) is now inactive"] + ) + + ksk_remove() + + isctest.log.info("update the zone again, requiring a resign of the SOA RRset") + up = update.UpdateMessage(f"{zone}.") + up.add(f"{zone}.", 300, "TXT", "added by UPDATE one more time") + up.add(f"{zone}.", 300, "A", "4.3.2.1") + up.add(f"{zone}.", 300, "AAAA", "dead::beef") + res = isctest.query.tcp(up, "10.53.0.2") + isctest.check.noerror(res) + + isctest.log.info("redo the tests one last time") + isctest.log.info("make sure certain types are signed with KSK only") + check_signing_keys(ksk_only_types, expect=[KSKID], prohibit=[ZSKID, ZSKID2, ZSKID3]) + + isctest.log.info("check A, TXT, SOA are signed with ZSK2 only") + + def check_aaaa_a_txt_soa_zsk3(): + return check_signing_keys( + ["AAAA", "A", "TXT", "SOA"], + expect=[ZSKID3], + prohibit=[KSKID, ZSKID, ZSKID2], + ) + + isctest.run.retry_with_timeout(check_aaaa_a_txt_soa_zsk3, 5) diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py index f0d132b9dc..8c9bc78554 100644 --- a/bin/tests/system/dnssec/tests_validation.py +++ b/bin/tests/system/dnssec/tests_validation.py 
@@ -1084,12 +1084,6 @@ def test_validating_forwarder(servers): def test_expired_signatures(servers): - # check expired signatures are still in place when updates are disabled - msg = isctest.query.create("expired.example", "SOA") - res = isctest.query.tcp(msg, "10.53.0.3") - soa, sigs = res.answer - assert sigs - # check expired signatures do not validate msg = isctest.query.create("expired.example", "SOA") res = isctest.query.tcp(msg, "10.53.0.3") From 5a457268d1544eea6f2e6ae52a9eb64bfe7456d8 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 3 Jul 2025 15:32:37 -0700 Subject: [PATCH 08/14] convert delv tests to python move all dnssec tests using delv from the shell test to tests_delv.py, and remove tests.sh and tests_sh_dnssec.py. --- bin/tests/system/dnssec/tests.sh | 238 --------------------- bin/tests/system/dnssec/tests_delv.py | 160 ++++++++++++++ bin/tests/system/dnssec/tests_sh_dnssec.py | 180 ---------------- 3 files changed, 160 insertions(+), 418 deletions(-) delete mode 100644 bin/tests/system/dnssec/tests.sh create mode 100644 bin/tests/system/dnssec/tests_delv.py delete mode 100644 bin/tests/system/dnssec/tests_sh_dnssec.py diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh deleted file mode 100644 index 89fcf1c6ab..0000000000 --- a/bin/tests/system/dnssec/tests.sh +++ /dev/null 
@@ -1,238 +0,0 @@ -#!/bin/sh - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -set -e - -# shellcheck source=conf.sh -. ../conf.sh - -status=0 -n=1 - -delv_with_opts() { - "$DELV" -a ns1/trusted.conf -p "$PORT" "$@" -} - -if [ -x "${DELV}" ]; then - ret=0 - echo_i "checking positive validation NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.example >delv.out$n || ret=1 - grep "a.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 - grep "a.example..*.RRSIG.A [0-9][0-9]* 2 3600 .*" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking positive validation NSEC using dns_client (trusted-keys) ($n)" - "$DELV" -a ns1/trusted.keys -p "$PORT" @10.53.0.4 a a.example >delv.out$n || ret=1 - grep "a.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 - grep "a.example..*.RRSIG.A [0-9][0-9]* 2 3600 .*" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking positive validation NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.nsec3.example >delv.out$n || ret=1 - grep "a.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 - grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300 .*" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - SP="[[:space:]]+" - - ret=0 - echo_i "checking positive validation OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.optout.example >delv.out$n || ret=1 - grep -Eq 
"^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""A""$SP""10.0.0.1" delv.out$n || ret=1 - grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""RRSIG""$SP""A""$SP""$DEFAULT_ALGORITHM_NUMBER""$SP""3""$SP""300" delv.out$n || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking positive wildcard validation NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.wild.example >delv.out$n || ret=1 - grep "a.wild.example..*10.0.0.27" delv.out$n >/dev/null || ret=1 - grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 3600 .*" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.wild.nsec3.example >delv.out$n || ret=1 - grep -E "a.wild.nsec3.example..*10.0.0.6" delv.out$n >/dev/null || ret=1 - grep -E "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.wild.optout.example >delv.out$n || ret=1 - grep "a.wild.optout.example..*10.0.0.6" delv.out$n >/dev/null || ret=1 - grep "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.example >delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.nsec3.example >delv.out$n 2>&1 || ret=1 - grep 
"resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.optout.example >delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 txt a.example >delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 txt a.nsec3.example >delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 txt a.optout.example >delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking negative wildcard validation NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 txt b.wild.example >delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 txt b.wild.nsec3.example >delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || 
echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 txt b.optout.nsec3.example >delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.insecure.example >delv.out$n || ret=1 - grep "a.insecure.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.insecure.nsec3.example >delv.out$n || ret=1 - grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.insecure.optout.example >delv.out$n || ret=1 - grep "a.insecure.optout.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.insecure.example >delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.insecure.nsec3.example >delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking 1-server 
negative insecurity proof OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.insecure.optout.example >delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking failed validation using dns_client ($n)" - delv_with_opts +cd @10.53.0.4 a a.bogus.example >delv.out$n 2>&1 || ret=1 - grep "resolution failed: RRSIG failed to verify" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking that validation fails when key record is missing using dns_client ($n)" - delv_with_opts +cd @10.53.0.4 a a.b.keyless.example >delv.out$n 2>&1 || ret=1 - grep "resolution failed: insecurity proof failed" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) - - ret=0 - echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)" - delv_with_opts +cd @10.53.0.4 soa revkey.example >delv.out$n 2>&1 || ret=1 - grep "fully validated" delv.out$n >/dev/null || ret=1 - n=$((n + 1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status + ret)) -fi - -echo_i "exit status: $status" -[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dnssec/tests_delv.py b/bin/tests/system/dnssec/tests_delv.py new file mode 100644 index 0000000000..5e5f375ab7 --- /dev/null +++ b/bin/tests/system/dnssec/tests_delv.py 
@@ -0,0 +1,160 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import re
+import subprocess
+
+import pytest
+
+import isctest
+
+
+pytestmark = pytest.mark.skipif(bool(os.getenv("TSAN_OPTIONS", "")), reason="TSAN")
+
+
+# helper functions
+def grep_c(regex, data):
+ blob = data.splitlines()
+ results = [x for x in blob if re.search(regex, x)]
+ return len(results)
+
+
+# run delv
+def delv(*args, tkeys=False):
+ delv_cmd = [os.environ.get("DELV")]
+
+ tfile = "ns1/trusted.keys" if tkeys else "ns1/trusted.conf"
+ delv_cmd.extend(["@10.53.0.4", "-a", tfile, "-p", os.environ["PORT"]])
+ delv_cmd.extend(args)
+
+ return (
+ isctest.run.cmd(delv_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+ .stdout.decode("utf-8")
+ .strip()
+ )
+
+
+def test_positive_validation_delv():
+ # check positive validation NSEC
+ response = delv("a", "a.example")
+ assert grep_c("a.example..*10.0.0.1", response)
+ assert grep_c("a.example..*.RRSIG.A [0-9][0-9]* 2 3600 .*", response)
+
+ # check positive validation NSEC (trsuted-keys)
+ response = delv("a", "a.example", tkeys=True)
+ assert grep_c("a.example..*10.0.0.1", response)
+ assert grep_c("a.example..*.RRSIG.A [0-9][0-9]* 2 3600 .*", response)
+
+ # check positive validation NSEC3
+ response = delv("a", "a.nsec3.example")
+ assert grep_c("a.nsec3.example..*10.0.0.1", response)
+ assert grep_c("a.nsec3.example..*.RRSIG.A [0-9][0-9]* 3 300 .*", response)
+
+ # check positive validation OPTOUT
+ response = delv("a", "a.optout.example")
+ assert grep_c("a.optout.example..*10.0.0.1", response)
+ assert grep_c("a.optout.example..*.RRSIG.A [0-9][0-9]* 3 300 .*", response)
+
+ # check positive wildcard validation NSEC
+ response = delv("a", "a.wild.example")
+ assert grep_c("a.wild.example..*10.0.0.27", response)
+ assert grep_c("a.wild.example..*.RRSIG.A [0-9][0-9]* 2 3600 .*", response)
+
+ # check positive wildcard validation NSEC3
+ response = delv("a", "a.wild.nsec3.example")
+ assert grep_c("a.wild.nsec3.example..*10.0.0.6", response)
+ assert grep_c("a.wild.nsec3.example..*.RRSIG.A [0-9][0-9]* 3 300 .*", response)
+
+ # check positive wildcard validation OPTOUT
+ response = delv("a", "a.wild.optout.example")
+ assert grep_c("a.wild.optout.example..*10.0.0.6", response)
+ assert grep_c("a.wild.optout.example..*.RRSIG.A [0-9][0-9]* 3 300 .*", response)
+
+
+def test_negative_validation_delv():
+ # checking negative validation NXDOMAIN NSEC
+ response = delv("a", "q.example")
+ assert grep_c("resolution failed: ncache nxdomain", response)
+
+ # checking negative validation NODATA NSEC
+ response = delv("txt", "a.example")
+ assert grep_c("resolution failed: ncache nxrrset", response)
+
+ # checking negative validation NXDOMAIN NSEC3
+ response = delv("a", "q.nsec3.example")
+ assert grep_c("resolution failed: ncache nxdomain", response)
+
+ # checking negative validation NODATA NSEC3
+ response = delv("txt", "a.nsec3.example")
+ assert grep_c("resolution failed: ncache nxrrset", response)
+
+ # checking negative validation NXDOMAIN OPTOUT
+ response = delv("a", "q.optout.example")
+ assert grep_c("resolution failed: ncache nxdomain", response)
+
+ # checking negative validation NODATA OPTOUT
+ response = delv("txt", "a.optout.example")
+ assert grep_c("resolution failed: ncache nxrrset", response)
+
+ # checking negative wildcard validation NSEC
+ response = delv("txt", "b.wild.example")
+ assert grep_c("resolution failed: ncache nxrrset", response)
+
+ # checking negative wildcard validation NSEC3
+ response = delv("txt", "b.wild.nsec3.example")
+ assert grep_c("resolution failed: ncache nxrrset", response)
+
+ # checking negative wildcard validation OPTOUT
+ response = delv("txt", "b.wild.optout.example")
+ assert grep_c("resolution failed: ncache nxrrset", response)
+
+
+def test_insecure_validation_delv():
+ # check 1-server insecurity proof NSEC
+ response = delv("a", "a.insecure.example")
+ assert grep_c("a.insecure.example..*10.0.0.1", response)
+
+ # check 1-server insecurity proof NSEC3
+ response = delv("a", "a.insecure.nsec3.example")
+ assert grep_c("a.insecure.nsec3.example..*10.0.0.1", response)
+
+ # check 1-server insecurity proof NSEC3
+ response = delv("a", "a.insecure.optout.example")
+ assert grep_c("a.insecure.optout.example..*10.0.0.1", response)
+
+ # check 1-server negative insecurity proof NSEC
+ response = delv("a", "q.insecure.example")
+ assert grep_c("resolution failed: ncache nxdomain", response)
+
+ # check 1-server negative insecurity proof NSEC3
+ response = delv("a", "q.insecure.nsec3.example")
+ assert grep_c("resolution failed: ncache nxdomain", response)
+
+ # check 1-server negative insecurity proof OPTOUT
+ response = delv("a", "q.insecure.optout.example")
+ assert grep_c("resolution failed: ncache nxdomain", response)
+
+
+def test_validation_failure_delv():
+ # check failed validation due to bogus data
+ response = delv("+cd", "a", "a.bogus.example")
+ assert grep_c("resolution failed: RRSIG failed to verify", response)
+
+ # check failed validation due to missing key record
+ response = delv("+cd", "a", "a.b.keyless.example")
+ assert grep_c("resolution failed: insecurity proof failed", response)
+
+
+def test_revoked_key_delv():
+ # check failed validation succeeds when a revoked key is encountered
+ response = delv("+cd", "soa", "revkey.example")
+ assert grep_c("fully validated", response)
diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
deleted file mode 100644
index 8448082c8c..0000000000
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ /dev/null
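Review bot: The `delv()` helper builds its command from `os.environ.get("DELV")`, so when `DELV` is unset the argument list starts with `None` and the call to `isctest.run.cmd` will most likely fail with a confusing TypeError instead of a clean skip; the removed tests.sh guarded the whole block with `if [ -x "${DELV}" ]`, and that guard is lost here. Suggest `delv_bin = os.environ.get("DELV")` / `if not delv_bin or not os.access(delv_bin, os.X_OK): pytest.skip("delv binary not available")` before `delv_cmd = [delv_bin]`. Three comments are off: the third case in test_insecure_validation_delv is labelled "insecurity proof NSEC3" although it queries `a.insecure.optout.example` (should read OPTOUT), "trsuted-keys" in test_positive_validation_delv is a typo, and the revoked-key comment "check failed validation succeeds when a revoked key is encountered" should read "check that validation succeeds when a revoked key is encountered". The patterns passed to grep_c use unescaped dots and no anchors (e.g. `"a.example..*10.0.0.1"`), which were inherited from the shell greps but match much more loosely than they read; escaping and anchoring them (`r"^a\.example\..*10\.0\.0\.1"`) would make these validation assertions considerably stricter.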
@@ -1,180 +0,0 @@ -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -import pytest - -pytestmark = pytest.mark.extra_artifacts( - [ - ".hypothesis/examples/*", - "K*", - "canonical*", - "delv.out*", - "dig.out.*", - "dsfromkey.out.*", - "named.secroots.*", - "nsupdate.out.*", - "python.out.*", - "rndc.out.*", - "signing.out.*", - "*/K*", - "*/dsset-*", - "*/managed.conf", - "*/trusted.conf", - "*/*.bk", - "*/*.jnl", - "*/*.jbk", - "*/*.signed", - "*/*.mkeys*", - "*/managed-keys.bind", - "ans*/ans.run", - "ans*/query.log", - "ns1/managed.key.id", - "ns1/root.db", - "ns1/trusted.keys", - "ns2/algroll.db", - "ns2/badparam.db", - "ns2/badparam.db.bad", - "ns2/cdnskey-update.secure.db", - "ns2/cdnskey-update.secure.id", - "ns2/cdnskey-x.secure.db", - "ns2/cdnskey.secure.db", - "ns2/cds-update.secure.db", - "ns2/cds-update.secure.id", - "ns2/cds-x.secure.db", - "ns2/cds.secure.db", - "ns2/dnskey-rrsigs-stripped.db", - "ns2/dnskey-rrsigs-stripped.db.next", - "ns2/dnskey-rrsigs-stripped.db.stripped", - "ns2/child.ds-rrsigs-stripped.db", - "ns2/ds-rrsigs-stripped.db", - "ns2/ds-rrsigs-stripped.db.next", - "ns2/ds-rrsigs-stripped.db.stripped", - "ns2/example.db", - "ns2/in-addr.arpa.db", - "ns2/lazy-ksk.db", - "ns2/managed.db", - "ns2/nsec3chain-test.db", - "ns2/peer-ns-spoof.db", - "ns2/peer.peer-ns-spoof.db", - "ns2/peer.peer-ns-spoof.db.next", - "ns2/peer.peer-ns-spoof.db.stripped", - "ns2/settime.out.updatecheck-kskonly.secure.ksk", - "ns2/settime.out.updatecheck-kskonly.secure.zsk", - "ns2/single-nsec3.db", - "ns2/too-many-iterations.db", - "ns2/inconsistent.db", - "ns2/trusted.db", - 
"ns2/updatecheck-kskonly.secure.db", - "ns2/updatecheck-kskonly.secure.ksk.id", - "ns2/updatecheck-kskonly.secure.ksk.key", - "ns2/updatecheck-kskonly.secure.zsk.id", - "ns2/updatecheck-kskonly.secure.zsk.id2", - "ns2/updatecheck-kskonly.secure.zsk.id3", - "ns2/updatecheck-kskonly.secure.zsk.key", - "ns3/NSEC", - "ns3/NSEC3", - "ns3/auto-nsec.example.db", - "ns3/auto-nsec3.example.db", - "ns3/badds.example.db", - "ns3/bogus.example.db", - "ns3/digest-alg-unsupported.example.db", - "ns3/disabled.managed.db", - "ns3/disabled.trusted.db", - "ns3/dname-at-apex-nsec3.example.db", - "ns3/dnskey-nsec3-unknown.example.db", - "ns3/dnskey-nsec3-unknown.example.db.tmp", - "ns3/dnskey-unknown.example.db", - "ns3/dnskey-unknown.example.db.tmp", - "ns3/dnskey-unsupported-2.example.db", - "ns3/dnskey-unsupported.example.db", - "ns3/dnskey-unsupported.example.db.tmp", - "ns3/ds-unsupported.example.db", - "ns3/dynamic.example.db", - "ns3/enabled.managed.db", - "ns3/enabled.trusted.db", - "ns3/example.bk", - "ns3/expired.example.db", - "ns3/expiring.example.db", - "ns3/extended-ds-unknown-oid.example.db", - "ns3/extended-ds-unknown-oid.example.db.stage1", - "ns3/extended-ds-unknown-oid.example.db.stage2", - "ns3/extradsoid.example.db", - "ns3/extradsunknownoid.example.db", - "ns3/extradsunknownoid.example.db.stage1", - "ns3/extradsunknownoid.example.db.stage2", - "ns3/future.example.db", - "ns3/keyless.example.db", - "ns3/kskonly.example.db", - "ns3/localkey.example.db", - "ns3/lower.example.db", - "ns3/managed-future.example.db", - "ns3/multiple.example.db", - "ns3/nsec3-unknown.example.db", - "ns3/nsec3.example.db", - "ns3/nsec3.nsec3.example.db", - "ns3/nsec3.optout.example.db", - "ns3/nsec3chain-test.bk", - "ns3/occluded.example.db", - "ns3/optout-unknown.example.db", - "ns3/optout.example.db", - "ns3/optout.nsec3.example.db", - "ns3/optout.optout.example.db", - "ns3/revkey.example.db", - "ns3/revoked.managed.db", - "ns3/revoked.trusted.db", - "ns3/rfc2335.example.bk", - 
"ns3/rsasha256.example.db", - "ns3/rsasha256oid.example.db", - "ns3/rsasha512.example.db", - "ns3/rsasha512oid.example.db", - "ns3/secure.below-cname.example.db", - "ns3/secure.example.db", - "ns3/secure.managed.db", - "ns3/secure.nsec3.example.db", - "ns3/secure.optout.example.db", - "ns3/secure.trusted.db", - "ns3/siginterval.conf", - "ns3/siginterval.example.db", - "ns3/split-dnssec.example.db", - "ns3/split-smart.example.db", - "ns3/target.peer-ns-spoof.db", - "ns3/trusted-future.key", - "ns3/ttlpatch.example.db", - "ns3/ttlpatch.example.db.patched", - "ns3/unknownoid.example.db", - "ns3/unknownoid.example.db.stage1", - "ns3/unknownoid.example.db.stage2", - "ns3/unsupported.managed.db", - "ns3/unsupported.managed.db.tmp", - "ns3/unsupported.trusted.db", - "ns3/unsupported.trusted.db.tmp", - "ns3/update-nsec3.example.db", - "ns3/update-nsec3.example.db.signed", - "ns3/upper.example.db", - "ns3/upper.example.db.lower", - "ns4/managed.conf", - "ns4/named.secroots", - "ns4/named_dump.db", - "ns4/named_dump.db.*", - "ns5/broken.conf", - "ns5/revoked.conf", - "ns5/many-trusted.conf", - "ns5/many-managed.conf", - "ns6/optout-tld.db", - "ns6/split-rrsig.db", - "ns6/split-rrsig.db.unsplit", - "ns9/trusted-localkey.conf", - ] -) - - -def test_dnssec(run_tests_sh): - run_tests_sh() From 3c067e99b3fad411439be6c253de21008e3b32ff Mon Sep 17 00:00:00 2001 
From: Evan Hunt Date: Sat, 5 Jul 2025 11:12:02 -0700 Subject: [PATCH 09/14] tidy up the dnssec test tree many of the zones in the dnssec system test were identical or had only trivial differences, and it would be easier to keep track of them if they were sourced from template files. also, the extra_artifacts have been simplified and restored to the test files. --- bin/tests/system/dnssec/ns2/badparam.db.in | 21 -- .../dnssec/ns2/cdnskey-auto.secure.db.in | 14 -- .../dnssec/ns2/cdnskey-update.secure.db.in | 14 -- .../system/dnssec/ns2/cdnskey.secure.db.in | 14 -- .../system/dnssec/ns2/cds-update.secure.db.in | 14 -- bin/tests/system/dnssec/ns2/cds.secure.db.in | 14 -- .../system/dnssec/ns2/child.nsec3.example.db | 20 -- .../system/dnssec/ns2/child.optout.example.db | 20 -- bin/tests/system/dnssec/ns2/dst.example.db.in | 21 -- bin/tests/system/dnssec/ns2/example.db.in | 192 +++++++++--------- bin/tests/system/dnssec/ns2/lazy-ksk.db.in | 27 --- .../dnssec/ns2/private.secure.example.db.in | 28 --- ...c2335.example.db => rfc2335.example.db.in} | 0 bin/tests/system/dnssec/ns2/sign.sh | 47 ++++- .../{cds-auto.secure.db.in => template.db.in} | 9 +- .../system/dnssec/ns2/template.secure.db.in | 14 -- .../system/dnssec/ns3/auto-nsec.example.db.in | 40 ---- .../dnssec/ns3/auto-nsec3.example.db.in | 40 ---- .../system/dnssec/ns3/bogus.example.db.in | 27 --- .../ns3/digest-alg-unsupported.example.db.in | 22 -- .../ns3/dnskey-nsec3-unknown.example.db.in | 29 --- .../dnssec/ns3/dnskey-unknown.example.db.in | 29 --- .../ns3/dnskey-unsupported-2.example.db.in | 29 --- .../ns3/dnskey-unsupported.example.db.in | 29 --- .../dnssec/ns3/ds-unsupported.example.db.in | 22 -- .../system/dnssec/ns3/dynamic.example.db.in | 25 --- .../system/dnssec/ns3/expired.example.db.in | 44 ---- .../system/dnssec/ns3/expiring.example.db.in | 40 ---- .../ns3/extended-ds-unknown-oid.example.db.in | 28 --- .../dnssec/ns3/extradsoid.example.db.in | 28 --- .../ns3/extradsunknownoid.example.db.in | 28 --- 
...cure.example.db => extrakey.example.db.in} | 4 +- .../system/dnssec/ns3/future.example.db.in | 40 ---- .../system/dnssec/ns3/generic.example.db.in | 23 --- bin/tests/system/dnssec/ns3/inline.example.db | 26 --- .../ns3/insecure.below-cname.example.db | 26 --- .../dnssec/ns3/insecure.nsec3.example.db | 26 --- .../dnssec/ns3/insecure.optout.example.db | 26 --- .../system/dnssec/ns3/insecure2.example.db | 27 --- .../system/dnssec/ns3/kskonly.example.db.in | 26 --- .../system/dnssec/ns3/lower.example.db.in | 21 -- .../dnssec/ns3/managed-future.example.db.in | 40 ---- .../system/dnssec/ns3/multiple.example.db.in | 29 --- bin/tests/system/dnssec/ns3/named.conf.j2 | 4 +- .../system/dnssec/ns3/nosign.example.db.in | 23 --- .../dnssec/ns3/nsec3-unknown.example.db.in | 29 --- .../system/dnssec/ns3/nsec3.example.db.in | 8 +- .../dnssec/ns3/nsec3.nsec3.example.db.in | 35 ---- .../dnssec/ns3/nsec3.optout.example.db.in | 35 ---- .../dnssec/ns3/optout-unknown.example.db.in | 29 --- .../system/dnssec/ns3/optout.example.db.in | 20 +- .../dnssec/ns3/optout.nsec3.example.db.in | 35 ---- .../dnssec/ns3/optout.optout.example.db.in | 35 ---- .../dnssec/ns3/publish-inactive.example.db.in | 26 --- .../system/dnssec/ns3/rsasha1-1024.example.db | 63 ------ .../dnssec/ns3/rsasha1-1024.example.db.in | 68 +++++-- .../system/dnssec/ns3/rsasha1.example.db | 63 ------ .../system/dnssec/ns3/rsasha1.example.db.in | 68 +++++-- .../system/dnssec/ns3/rsasha256.example.db.in | 28 --- .../dnssec/ns3/rsasha256oid.example.db.in | 28 --- .../system/dnssec/ns3/rsasha512.example.db.in | 28 --- .../dnssec/ns3/rsasha512oid.example.db.in | 28 --- .../ns3/secure.below-cname.example.db.in | 26 --- .../system/dnssec/ns3/secure.example.db.in | 4 +- .../dnssec/ns3/secure.nsec3.example.db.in | 35 ---- .../dnssec/ns3/secure.optout.example.db.in | 35 ---- .../dnssec/ns3/siginterval.example.db.in | 21 -- .../system/dnssec/ns3/sign-rsasha1-1024.sh | 4 +- bin/tests/system/dnssec/ns3/sign-rsasha1.sh | 6 +- 
bin/tests/system/dnssec/ns3/sign.sh | 122 ++++++----- .../dnssec/ns3/split-dnssec.example.db.in | 38 ---- .../dnssec/ns3/split-smart.example.db.in | 38 ---- .../template.db.in} | 5 +- .../system/dnssec/ns3/ttlpatch.example.db.in | 26 --- .../dnssec/ns3/unknownoid.example.db.in | 28 --- ...rithm.key => unsupported-algorithm.key.in} | 0 .../dnssec/ns3/update-nsec3.example.db.in | 40 ---- .../system/dnssec/ns3/upper.example.db.in | 21 -- ....example.db => nosoa.secure.example.db.in} | 4 +- bin/tests/system/dnssec/ns6/sign.sh | 7 + bin/tests/system/dnssec/tests_badkey.py | 30 +++ bin/tests/system/dnssec/tests_delv.py | 30 ++- bin/tests/system/dnssec/tests_policy.py | 30 +++ bin/tests/system/dnssec/tests_signing.py | 32 ++- bin/tests/system/dnssec/tests_tat.py | 30 +++ bin/tests/system/dnssec/tests_validation.py | 35 +++- 86 files changed, 529 insertions(+), 2014 deletions(-) delete mode 100644 bin/tests/system/dnssec/ns2/badparam.db.in delete mode 100644 bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in delete mode 100644 bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in delete mode 100644 bin/tests/system/dnssec/ns2/cdnskey.secure.db.in delete mode 100644 bin/tests/system/dnssec/ns2/cds-update.secure.db.in delete mode 100644 bin/tests/system/dnssec/ns2/cds.secure.db.in delete mode 100644 bin/tests/system/dnssec/ns2/child.nsec3.example.db delete mode 100644 bin/tests/system/dnssec/ns2/child.optout.example.db delete mode 100644 bin/tests/system/dnssec/ns2/dst.example.db.in delete mode 100644 bin/tests/system/dnssec/ns2/lazy-ksk.db.in delete mode 100644 bin/tests/system/dnssec/ns2/private.secure.example.db.in rename bin/tests/system/dnssec/ns2/{rfc2335.example.db => rfc2335.example.db.in} (100%) rename bin/tests/system/dnssec/ns2/{cds-auto.secure.db.in => template.db.in} (83%) delete mode 100644 bin/tests/system/dnssec/ns2/template.secure.db.in delete mode 100644 bin/tests/system/dnssec/ns3/auto-nsec.example.db.in delete mode 100644 
bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/bogus.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/digest-alg-unsupported.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/ds-unsupported.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/dynamic.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/expired.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/expiring.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/extended-ds-unknown-oid.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/extradsoid.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/extradsunknownoid.example.db.in rename bin/tests/system/dnssec/ns3/{insecure.example.db => extrakey.example.db.in} (96%) delete mode 100644 bin/tests/system/dnssec/ns3/future.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/generic.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/inline.example.db delete mode 100644 bin/tests/system/dnssec/ns3/insecure.below-cname.example.db delete mode 100644 bin/tests/system/dnssec/ns3/insecure.nsec3.example.db delete mode 100644 bin/tests/system/dnssec/ns3/insecure.optout.example.db delete mode 100644 bin/tests/system/dnssec/ns3/insecure2.example.db delete mode 100644 bin/tests/system/dnssec/ns3/kskonly.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/lower.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/managed-future.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/multiple.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/nosign.example.db.in delete mode 100644 
bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/optout-unknown.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/optout.optout.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/publish-inactive.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/rsasha1-1024.example.db delete mode 100644 bin/tests/system/dnssec/ns3/rsasha1.example.db delete mode 100644 bin/tests/system/dnssec/ns3/rsasha256.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/rsasha256oid.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/rsasha512.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/rsasha512oid.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/secure.optout.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/siginterval.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/split-dnssec.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/split-smart.example.db.in rename bin/tests/system/dnssec/{ns2/insecure.secure.example.db => ns3/template.db.in} (93%) delete mode 100644 bin/tests/system/dnssec/ns3/ttlpatch.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/unknownoid.example.db.in rename bin/tests/system/dnssec/ns3/{unsupported-algorithm.key => unsupported-algorithm.key.in} (100%) delete mode 100644 bin/tests/system/dnssec/ns3/update-nsec3.example.db.in delete mode 100644 bin/tests/system/dnssec/ns3/upper.example.db.in rename bin/tests/system/dnssec/ns6/{nosoa.secure.example.db => nosoa.secure.example.db.in} (93%) 
diff --git a/bin/tests/system/dnssec/ns2/badparam.db.in b/bin/tests/system/dnssec/ns2/badparam.db.in deleted file mode 100644 index b18d1863d5..0000000000 --- a/bin/tests/system/dnssec/ns2/badparam.db.in +++ /dev/null @@ -1,21 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2010081000 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns2 -ns2 A 10.53.0.2 diff --git a/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in deleted file mode 100644 index aa3aaabfaf..0000000000 --- a/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in +++ /dev/null @@ -1,14 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -@ SOA ns2.example. . 1 3600 1200 86400 1200 -@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in deleted file mode 100644 index aa3aaabfaf..0000000000 --- a/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in +++ /dev/null 
@@ -1,14 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -@ SOA ns2.example. . 1 3600 1200 86400 1200 -@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in deleted file mode 100644 index aa3aaabfaf..0000000000 --- a/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in +++ /dev/null @@ -1,14 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -@ SOA ns2.example. . 1 3600 1200 86400 1200 -@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cds-update.secure.db.in b/bin/tests/system/dnssec/ns2/cds-update.secure.db.in deleted file mode 100644 index aa3aaabfaf..0000000000 --- a/bin/tests/system/dnssec/ns2/cds-update.secure.db.in +++ /dev/null 
@@ -1,14 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -@ SOA ns2.example. . 1 3600 1200 86400 1200 -@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cds.secure.db.in b/bin/tests/system/dnssec/ns2/cds.secure.db.in deleted file mode 100644 index aa3aaabfaf..0000000000 --- a/bin/tests/system/dnssec/ns2/cds.secure.db.in +++ /dev/null @@ -1,14 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -@ SOA ns2.example. . 1 3600 1200 86400 1200 -@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/child.nsec3.example.db b/bin/tests/system/dnssec/ns2/child.nsec3.example.db deleted file mode 100644 index 8fc3bc837e..0000000000 --- a/bin/tests/system/dnssec/ns2/child.nsec3.example.db +++ /dev/null 
@@ -1,20 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2006081400 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) -@ IN NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/child.optout.example.db b/bin/tests/system/dnssec/ns2/child.optout.example.db deleted file mode 100644 index 8fc3bc837e..0000000000 --- a/bin/tests/system/dnssec/ns2/child.optout.example.db +++ /dev/null @@ -1,20 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2006081400 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) -@ IN NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/dst.example.db.in b/bin/tests/system/dnssec/ns2/dst.example.db.in deleted file mode 100644 index 0039484964..0000000000 --- a/bin/tests/system/dnssec/ns2/dst.example.db.in +++ /dev/null 
@@ -1,21 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns2.example. -a A 10.0.0.1 diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in index c725132988..6531ae6649 100644 --- a/bin/tests/system/dnssec/ns2/example.db.in +++ b/bin/tests/system/dnssec/ns2/example.db.in @@ -12,10 +12,10 @@ $TTL 3600 ; 1 hour @ IN SOA mname1. . ( 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) ) NS ns2 NS ns3 @@ -30,8 +30,8 @@ d A 10.0.0.4 foo TXT "testing" foo A 10.0.1.0 -bad-cname CNAME a -bad-dname DNAME @ +bad-cname CNAME a +bad-dname DNAME @ ; Used for testing CNAME queries cname1 CNAME cname1-target 
@@ -52,153 +52,153 @@ secure NS ns3.secure ns3.secure A 10.53.0.3 ; An insecure subdomain -insecure NS ns.insecure -ns.insecure A 10.53.0.3 +insecure NS ns3.insecure +ns3.insecure A 10.53.0.3 -; A second insecure subdomain -insecure2 NS ns.insecure2 -ns.insecure2 A 10.53.0.3 +; A subdomain with an extra DNSKEY in the wrong place +extrakey NS ns3.extrakey +ns3.extrakey A 10.53.0.3 ; A secure subdomain we're going to inject bogus data into -bogus NS ns.bogus -ns.bogus A 10.53.0.3 +bogus NS ns3.bogus +ns3.bogus A 10.53.0.3 ; A subdomain with a corrupt DS -badds NS ns.badds -ns.badds A 10.53.0.3 +badds NS ns3.badds +ns3.badds A 10.53.0.3 ; A subdomain with a corrupt DS, but locally trusted by the forwarder -localkey NS ns.localkey -ns.localkey A 10.53.0.3 +localkey NS ns3.localkey +ns3.localkey A 10.53.0.3 ; A dynamic secure subdomain -dynamic NS dynamic -dynamic A 10.53.0.3 +dynamic NS ns3.dynamic +ns3.dynamic A 10.53.0.3 ; A subdomain with expired signatures -expired NS ns.expired -ns.expired A 10.53.0.3 +expired NS ns3.expired +ns3.expired A 10.53.0.3 ; A rfc2535 signed zone w/ CNAME rfc2535 NS ns.rfc2535 -ns.rfc2535 A 10.53.0.3 +ns.rfc2535 A 10.53.0.2 z A 10.0.0.26 -keyless NS ns.keyless -ns.keyless A 10.53.0.3 +keyless NS ns3.keyless +ns3.keyless A 10.53.0.3 -nsec3 NS ns.nsec3 -ns.nsec3 A 10.53.0.3 +nsec3 NS ns3.nsec3 +ns3.nsec3 A 10.53.0.3 -optout NS ns.optout -ns.optout A 10.53.0.3 +optout NS ns3.optout +ns3.optout A 10.53.0.3 -nsec3-unknown NS ns.nsec3-unknown -ns.nsec3-unknown A 10.53.0.3 +nsec3-unknown NS ns3.nsec3-unknown +ns3.nsec3-unknown A 10.53.0.3 -optout-unknown NS ns.optout-unknown -ns.optout-unknown A 10.53.0.3 +optout-unknown NS ns3.optout-unknown +ns3.optout-unknown A 10.53.0.3 -dnskey-unknown NS ns.dnskey-unknown -ns.dnskey-unknown A 10.53.0.3 +dnskey-unknown NS ns3.dnskey-unknown +ns3.dnskey-unknown A 10.53.0.3 -dnskey-unsupported NS ns.dnskey-unsupported -ns.dnskey-unsupported A 10.53.0.3 +dnskey-unsupported NS ns3.dnskey-unsupported 
+ns3.dnskey-unsupported A 10.53.0.3 -dnskey-unsupported-2 NS ns.dnskey-unsupported -ns.dnskey-unsupported-2 A 10.53.0.3 +dnskey-unsupported-2 NS ns3.dnskey-unsupported +ns3.dnskey-unsupported-2 A 10.53.0.3 -ds-unsupported NS ns.ds-unsupported -ns.ds-unsupported A 10.53.0.3 +ds-unsupported NS ns3.ds-unsupported +ns3.ds-unsupported A 10.53.0.3 -digest-alg-unsupported NS ns.digest-alg-unsupported -ns.digest-alg-unsupported A 10.53.0.3 +digest-alg-unsupported NS ns3.digest-alg-unsupported +ns3.digest-alg-unsupported A 10.53.0.3 -dnskey-nsec3-unknown NS ns.dnskey-nsec3-unknown -ns.dnskey-nsec3-unknown A 10.53.0.3 +dnskey-nsec3-unknown NS ns3.dnskey-nsec3-unknown +ns3.dnskey-nsec3-unknown A 10.53.0.3 -multiple NS ns.multiple -ns.multiple A 10.53.0.3 +multiple NS ns3.multiple +ns3.multiple A 10.53.0.3 *.wild A 10.0.0.27 -rsasha256 NS ns.rsasha256 -ns.rsasha256 A 10.53.0.3 +rsasha256 NS ns3.rsasha256 +ns3.rsasha256 A 10.53.0.3 -rsasha512 NS ns.rsasha512 -ns.rsasha512 A 10.53.0.3 +rsasha512 NS ns3.rsasha512 +ns3.rsasha512 A 10.53.0.3 -kskonly NS ns.kskonly -ns.kskonly A 10.53.0.3 +kskonly NS ns3.kskonly +ns3.kskonly A 10.53.0.3 -update-nsec3 NS ns.update-nsec3 -ns.update-nsec3 A 10.53.0.3 +update-nsec3 NS ns3.update-nsec3 +ns3.update-nsec3 A 10.53.0.3 -auto-nsec NS ns.auto-nsec -ns.auto-nsec A 10.53.0.3 +auto-nsec NS ns3.auto-nsec +ns3.auto-nsec A 10.53.0.3 -auto-nsec3 NS ns.auto-nsec3 -ns.auto-nsec3 A 10.53.0.3 +auto-nsec3 NS ns3.auto-nsec3 +ns3.auto-nsec3 A 10.53.0.3 below-cname CNAME some.where.else. 
-insecure.below-cname NS ns.insecure.below-cname -ns.insecure.below-cname A 10.53.0.3 +insecure.below-cname NS ns3.insecure.below-cname +ns3.insecure.below-cname A 10.53.0.3 -secure.below-cname NS ns.secure.below-cname -ns.secure.below-cname A 10.53.0.3 +secure.below-cname NS ns3.secure.below-cname +ns3.secure.below-cname A 10.53.0.3 -ttlpatch NS ns.ttlpatch -ns.ttlpatch A 10.53.0.3 +ttlpatch NS ns3.ttlpatch +ns3.ttlpatch A 10.53.0.3 -split-dnssec NS ns.split-dnssec -ns.split-dnssec A 10.53.0.3 +split-dnssec NS ns3.split-dnssec +ns3.split-dnssec A 10.53.0.3 -split-smart NS ns.split-smart -ns.split-smart A 10.53.0.3 +split-smart NS ns3.split-smart +ns3.split-smart A 10.53.0.3 -upper NS ns.upper -ns.upper A 10.53.0.3 +upper NS ns3.upper +ns3.upper A 10.53.0.3 -LOWER NS NS.LOWER -NS.LOWER A 10.53.0.3 +LOWER NS NS3.LOWER +NS3.LOWER A 10.53.0.3 -expiring NS ns.expiring -ns.expiring A 10.53.0.3 +expiring NS ns3.expiring +ns3.expiring A 10.53.0.3 -future NS ns.future -ns.future A 10.53.0.3 +future NS ns3.future +ns3.future A 10.53.0.3 -managed-future NS ns.managed-future -ns.managed-future A 10.53.0.3 +managed-future NS ns3.managed-future +ns3.managed-future A 10.53.0.3 -revkey NS ns.revkey -ns.revkey A 10.53.0.3 +revkey NS ns3.revkey +ns3.revkey A 10.53.0.3 -rsasha1 NS ns.rsasha1 -ns.rsasha1 A 10.53.0.3 +rsasha1 NS ns3.rsasha1 +ns3.rsasha1 A 10.53.0.3 -rsasha1-1024 NS ns.rsasha1-1024 -ns.rsasha1-1024 A 10.53.0.3 +rsasha1-1024 NS ns3.rsasha1-1024 +ns3.rsasha1-1024 A 10.53.0.3 dname-at-apex-nsec3 NS ns3 -rsasha256oid NS ns.rsasha256oid -ns.rsasha256oid A 10.53.0.3 +rsasha256oid NS ns3.rsasha256oid +ns3.rsasha256oid A 10.53.0.3 -rsasha512oid NS ns.rsasha512oid -ns.rsasha512oid A 10.53.0.3 +rsasha512oid NS ns3.rsasha512oid +ns3.rsasha512oid A 10.53.0.3 -unknownoid NS ns.unknownoid -ns.unknownoid A 10.53.0.3 +unknownoid NS ns3.unknownoid +ns3.unknownoid A 10.53.0.3 -extradsoid NS ns.extradsoid -ns.extradsoid A 10.53.0.3 +extradsoid NS ns3.extradsoid +ns3.extradsoid A 
10.53.0.3 -extradsunknownoid NS ns.extradsunknownoid -ns.extradsunknownoid A 10.53.0.3 +extradsunknownoid NS ns3.extradsunknownoid +ns3.extradsunknownoid A 10.53.0.3 -extended-ds-unknown-oid NS ns.extended-ds-unknown-oid -ns.extended-ds-unknown-oid A 10.53.0.3 +extended-ds-unknown-oid NS ns3.extended-ds-unknown-oid +ns3.extended-ds-unknown-oid A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns2/lazy-ksk.db.in b/bin/tests/system/dnssec/ns2/lazy-ksk.db.in deleted file mode 100644 index 1527e07c6e..0000000000 --- a/bin/tests/system/dnssec/ns2/lazy-ksk.db.in +++ /dev/null @@ -1,27 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 30 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 30 ; minimum (1 hour) - ) - NS ns2 -ns2 A 10.53.0.2 -ns3 A 10.53.0.3 - -a A 10.0.0.1 -*.a A 10.0.0.3 -b A 10.0.0.2 -d A 10.0.0.4 diff --git a/bin/tests/system/dnssec/ns2/private.secure.example.db.in b/bin/tests/system/dnssec/ns2/private.secure.example.db.in deleted file mode 100644 index 94042ae40a..0000000000 --- a/bin/tests/system/dnssec/ns2/private.secure.example.db.in +++ /dev/null 
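Review bot: The rewritten delegation `dnskey-unsupported-2 NS ns3.dnskey-unsupported` still points at the sibling zone's server name while the glue line directly under it defines `ns3.dnskey-unsupported-2`, so that glue record is never referenced by any NS target; if the two zones are meant to share a server this is harmless, but if the `-2` suffix was dropped by accident the NS line should read `dnskey-unsupported-2 NS ns3.dnskey-unsupported-2`. The same hunk changes the glue for `ns.rfc2535` to 10.53.0.2 without moving it to the `ns3.`-style naming used everywhere else, which reads like an oversight until one finds the ns2/sign.sh change; a short comment such as `; served from ns2, see ns2/sign.sh` next to it would explain why this delegation is the exception. The `rfc2535` label also does not match the `rfc2335.example.` zone name set up in ns2/sign.sh; that appears pre-existing, but it is worth confirming which spelling is intended now that the zone is being re-homed.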
@@ -1,28 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.2 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -private2secure-nxdomain CNAME r.example. -*.wild CNAME s.example. diff --git a/bin/tests/system/dnssec/ns2/rfc2335.example.db b/bin/tests/system/dnssec/ns2/rfc2335.example.db.in similarity index 100% rename from bin/tests/system/dnssec/ns2/rfc2335.example.db rename to bin/tests/system/dnssec/ns2/rfc2335.example.db.in diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index ca824a2ad3..e3f18af15e 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -29,6 +29,31 @@ done cp "../ns3/dsset-target.peer-ns-spoof." . +# Set up some unsigned zones: +# insecure +zone=insecure.secure. +infile=template.db.in +zonefile=insecure.secure.example.db +cp $infile $zonefile + +# delegated child of an nsec3 zone +zone=child.nsec3.secure. +infile=template.db.in +zonefile=child.nsec3.secure.example.db +cp $infile $zonefile + +# delegated child of an optout zone +zone=child.nsec3.secure. +infile=template.db.in +zonefile=child.nsec3.secure.example.db +cp $infile $zonefile + +# zone pre-signed with RFC2335 signatures +zone=rfc2335.example. +infile=rfc2335.example.db.in +zonefile=rfc2335.example.db +cp $infile $zonefile + # Sign the "trusted." and "managed." zones. zone=managed. infile=key.db.in 
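Review bot: The block under `# delegated child of an optout zone` is a verbatim copy of the nsec3 block above it — it assigns `zone=child.nsec3.secure.` and `zonefile=child.nsec3.secure.example.db` a second time — so no optout child zone file is ever produced and the nsec3 file is simply copied twice; it should read `zone=child.optout.secure.` and `zonefile=child.optout.secure.example.db`. The new zone file names also carry a `.secure` component that the deleted `ns2/child.nsec3.example.db` and `ns2/child.optout.example.db` did not, so whichever file name ns2's named.conf references (outside this diff) needs checking against these. `zone=` is assigned in all four new blocks but nothing in the hunk reads it; if it is kept only for symmetry with the signing blocks further down, a one-line comment saying so would save a reader from hunting for its use.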
@@ -143,7 +168,7 @@ cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" # Sign the badparam secure file zone=badparam. -infile=badparam.db.in +infile=template.db.in zonefile=badparam.db keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") @@ -211,7 +236,7 @@ cat "$key1.key" "$key2.key" >>"$zonefile" "$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" >/dev/null 2>&1 zone=cds.secure -infile=cds.secure.db.in +infile=template.db.in zonefile=cds.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -220,7 +245,7 @@ cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cds-x.secure -infile=cds.secure.db.in +infile=template.db.in zonefile=cds-x.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") @@ -230,7 +255,7 @@ cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" >"$zonefile" "$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cds-update.secure -infile=cds-update.secure.db.in +infile=template.db.in zonefile=cds-update.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -239,7 +264,7 @@ cat "$infile" "$key1.key" "$key2.key" >"$zonefile" keyfile_to_key_id "$key1" >cds-update.secure.id zone=cds-auto.secure -infile=cds-auto.secure.db.in +infile=template.db.in zonefile=cds-auto.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") 
@@ -247,7 +272,7 @@ $SETTIME -P sync now "$key1" >/dev/null cat "$infile" >"$zonefile.signed" zone=cdnskey.secure -infile=cdnskey.secure.db.in +infile=template.db.in zonefile=cdnskey.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -256,7 +281,7 @@ cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile" "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cdnskey-x.secure -infile=cdnskey.secure.db.in +infile=template.db.in zonefile=cdnskey-x.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") @@ -266,7 +291,7 @@ cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" >"$zonefile" "$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cdnskey-update.secure -infile=cdnskey-update.secure.db.in +infile=template.db.in zonefile=cdnskey-update.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -275,7 +300,7 @@ cat "$infile" "$key1.key" "$key2.key" >"$zonefile" keyfile_to_key_id "$key1" >cdnskey-update.secure.id zone=cdnskey-auto.secure -infile=cdnskey-auto.secure.db.in +infile=template.db.in zonefile=cdnskey-auto.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -283,7 +308,7 @@ $SETTIME -P sync now "$key1" >/dev/null cat "$infile" >"$zonefile.signed" zone=updatecheck-kskonly.secure -infile=template.secure.db.in +infile=template.db.in zonefile=${zone}.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") 
@@ -321,7 +346,7 @@ cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
 # A zone with a secure chain of trust of two KSKs, only one KSK is not signing.
 #
 zone=lazy-ksk
-infile=lazy-ksk.db.in
+infile=template.db.in
 zonefile=lazy-ksk.db
 ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
 ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
diff --git a/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in b/bin/tests/system/dnssec/ns2/template.db.in
similarity index 83%
rename from bin/tests/system/dnssec/ns2/cds-auto.secure.db.in
rename to bin/tests/system/dnssec/ns2/template.db.in
index aa3aaabfaf..43ad12bb7c 100644
--- a/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in
+++ b/bin/tests/system/dnssec/ns2/template.db.in
@@ -11,4 +11,11 @@
 $TTL 3600
 @ SOA ns2.example. . 1 3600 1200 86400 1200
-@ NS ns2.example.
+@ NS ns2
+ns2 A 10.53.0.2
+
+a A 10.0.0.1
+*.a A 10.0.0.3
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns2/template.secure.db.in b/bin/tests/system/dnssec/ns2/template.secure.db.in
deleted file mode 100644
index aa3aaabfaf..0000000000
--- a/bin/tests/system/dnssec/ns2/template.secure.db.in
+++ /dev/null
@@ -1,14 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 3600
-@ SOA ns2.example. . 1 3600 1200 86400 1200
-@ NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in b/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in
deleted file mode 100644
index 34006877b3..0000000000
--- a/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in
+++ /dev/null
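Review bot: Pointing lazy-ksk at the shared template changes the zone's contents, not only where it is loaded from: the deleted ns2/lazy-ksk.db.in (earlier in this chunk) used `$TTL 30` with a 30-second SOA minimum and carried an `ns3 A 10.53.0.3` record, whereas template.db.in uses `$TTL 3600`, a 1200-second minimum, only ns2 glue, and an extra `z` record. If any lazy-ksk test depends on the short TTL (for example waiting for cached answers to expire before a re-validation) it will now take much longer or fail; the tests are not visible here, so please confirm, or keep the old value with something like `sed 's/^\$TTL .*/$TTL 30/' "$infile" >"$zonefile"` for this zone instead of a plain copy. A one-line comment above `infile=template.db.in` saying the zone deliberately no longer needs the 30-second TTL would also spare the next reader the same question.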
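Review bot: In the new shared template the SOA MNAME is still the absolute `ns2.example.` while the NS and glue added just below now use the in-zone relative name `ns2`; since this file is copied into a dozen different ns2 zones, an MNAME that points outside every one of them sits oddly next to in-zone NS. Either `@ SOA ns2 . 1 3600 1200 86400 1200` or a short comment explaining why MNAME intentionally names ns2.example. would make the template self-explanatory. As far as I can see nothing in the visible tests validates MNAME, so this is a point of consistency rather than correctness.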
@@ -1,40 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a - -private NS ns.private -ns.private A 10.53.0.2 - -insecure NS ns.insecure -ns.insecure A 10.53.0.2 - -nosoa NS ns.nosoa -ns.nosoa A 10.53.0.6 - -normalthenrrsig A 10.0.0.28 -rrsigonly A 10.0.0.29 diff --git a/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in deleted file mode 100644 index 34006877b3..0000000000 --- a/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in +++ /dev/null 
@@ -1,40 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a - -private NS ns.private -ns.private A 10.53.0.2 - -insecure NS ns.insecure -ns.insecure A 10.53.0.2 - -nosoa NS ns.nosoa -ns.nosoa A 10.53.0.6 - -normalthenrrsig A 10.0.0.28 -rrsigonly A 10.0.0.29 diff --git a/bin/tests/system/dnssec/ns3/bogus.example.db.in b/bin/tests/system/dnssec/ns3/bogus.example.db.in deleted file mode 100644 index 0feb441cdd..0000000000 --- a/bin/tests/system/dnssec/ns3/bogus.example.db.in +++ /dev/null @@ -1,27 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -c A 10.0.0.3 -d A 10.0.0.4 -z A 10.0.0.26 
diff --git a/bin/tests/system/dnssec/ns3/digest-alg-unsupported.example.db.in b/bin/tests/system/dnssec/ns3/digest-alg-unsupported.example.db.in deleted file mode 100644 index 94fa465980..0000000000 --- a/bin/tests/system/dnssec/ns3/digest-alg-unsupported.example.db.in +++ /dev/null @@ -1,22 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 -a A 10.0.0.1 diff --git a/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in deleted file mode 100644 index f37dd750ce..0000000000 --- a/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in +++ /dev/null @@ -1,29 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a A 10.0.0.3 -*.e A 10.0.0.6 -child NS ns2.example. 
diff --git a/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in deleted file mode 100644 index f37dd750ce..0000000000 --- a/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in +++ /dev/null @@ -1,29 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a A 10.0.0.3 -*.e A 10.0.0.6 -child NS ns2.example. diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in deleted file mode 100644 index f37dd750ce..0000000000 --- a/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in +++ /dev/null 
@@ -1,29 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a A 10.0.0.3 -*.e A 10.0.0.6 -child NS ns2.example. diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in deleted file mode 100644 index f37dd750ce..0000000000 --- a/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in +++ /dev/null @@ -1,29 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a A 10.0.0.3 -*.e A 10.0.0.6 -child NS ns2.example. diff --git a/bin/tests/system/dnssec/ns3/ds-unsupported.example.db.in b/bin/tests/system/dnssec/ns3/ds-unsupported.example.db.in deleted file mode 100644 index 94fa465980..0000000000 
--- a/bin/tests/system/dnssec/ns3/ds-unsupported.example.db.in +++ /dev/null @@ -1,22 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 -a A 10.0.0.1 diff --git a/bin/tests/system/dnssec/ns3/dynamic.example.db.in b/bin/tests/system/dnssec/ns3/dynamic.example.db.in deleted file mode 100644 index babf54c2a5..0000000000 --- a/bin/tests/system/dnssec/ns3/dynamic.example.db.in +++ /dev/null @@ -1,25 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -; This has the NS and glue at the apex because testing RT #2399 -; requires we have only one name in the zone at a certain point -; during the test. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) -@ NS @ -@ A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns3/expired.example.db.in b/bin/tests/system/dnssec/ns3/expired.example.db.in deleted file mode 100644 index eaee74b765..0000000000 
--- a/bin/tests/system/dnssec/ns3/expired.example.db.in +++ /dev/null @@ -1,44 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 ; 1 hour -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns - MX 10 mx -ns A 10.53.0.3 -mx A 10.0.0.30 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a - -private NS ns.private -ns.private A 10.53.0.2 - -insecure NS ns.insecure -ns.insecure A 10.53.0.2 - -nosoa NS ns.nosoa -ns.nosoa A 10.53.0.6 - -normalthenrrsig A 10.0.0.28 -rrsigonly A 10.0.0.29 - - diff --git a/bin/tests/system/dnssec/ns3/expiring.example.db.in b/bin/tests/system/dnssec/ns3/expiring.example.db.in deleted file mode 100644 index be3e680354..0000000000 --- a/bin/tests/system/dnssec/ns3/expiring.example.db.in +++ /dev/null 
@@ -1,40 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 ; 1 hour -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns - MX 10 mx -ns A 10.53.0.3 -mx A 10.0.0.30 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a A 10.0.0.3 -*.wild A 10.0.0.6 -child NS ns2.example. -insecure NS ns.insecure -ns.insecure A 10.53.0.3 -secure NS ns.secure -ns.secure A 10.53.0.3 -nsec3 NS ns.nsec3 -ns.nsec3 A 10.53.0.3 -optout NS ns.optout -ns.optout A 10.53.0.3 -02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17 diff --git a/bin/tests/system/dnssec/ns3/extended-ds-unknown-oid.example.db.in b/bin/tests/system/dnssec/ns3/extended-ds-unknown-oid.example.db.in deleted file mode 100644 index f6c4fabdd3..0000000000 --- a/bin/tests/system/dnssec/ns3/extended-ds-unknown-oid.example.db.in +++ /dev/null 
@@ -1,28 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2009102722 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a diff --git a/bin/tests/system/dnssec/ns3/extradsoid.example.db.in b/bin/tests/system/dnssec/ns3/extradsoid.example.db.in deleted file mode 100644 index f6c4fabdd3..0000000000 --- a/bin/tests/system/dnssec/ns3/extradsoid.example.db.in +++ /dev/null @@ -1,28 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2009102722 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a diff --git a/bin/tests/system/dnssec/ns3/extradsunknownoid.example.db.in b/bin/tests/system/dnssec/ns3/extradsunknownoid.example.db.in deleted file mode 100644 index f6c4fabdd3..0000000000 
--- a/bin/tests/system/dnssec/ns3/extradsunknownoid.example.db.in
+++ /dev/null
@@ -1,28 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2009102722 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/insecure.example.db b/bin/tests/system/dnssec/ns3/extrakey.example.db.in
similarity index 96%
rename from bin/tests/system/dnssec/ns3/insecure.example.db
rename to bin/tests/system/dnssec/ns3/extrakey.example.db.in
index 76e3f47f21..c1d17da9b8 100644
--- a/bin/tests/system/dnssec/ns3/insecure.example.db
+++ b/bin/tests/system/dnssec/ns3/extrakey.example.db.in
@@ -17,8 +17,8 @@ $TTL 300 ; 5 minutes
 1814400 ; expire (3 weeks)
 3600 ; minimum (1 hour)
 )
- NS ns
-ns A 10.53.0.3
+ NS ns3
+ns3 A 10.53.0.3
 a A 10.0.0.1
 b A 10.0.0.2
diff --git a/bin/tests/system/dnssec/ns3/future.example.db.in b/bin/tests/system/dnssec/ns3/future.example.db.in
deleted file mode 100644
index 20c19c5216..0000000000
--- a/bin/tests/system/dnssec/ns3/future.example.db.in
+++ /dev/null
@@ -1,40 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a A 10.0.0.3 -*.wild A 10.0.0.6 -insecure NS ns.insecure -ns.insecure A 10.53.0.3 -secure NS ns.secure -ns.secure A 10.53.0.3 -nsec3 NS ns.nsec3 -ns.nsec3 A 10.53.0.3 -optout NS ns.optout -ns.optout A 10.53.0.3 -child NS ns2.example. -insecure.empty NS ns.insecure.empty -ns.insecure.empty A 10.53.0.3 -foo.*.empty-wild NS ns diff --git a/bin/tests/system/dnssec/ns3/generic.example.db.in b/bin/tests/system/dnssec/ns3/generic.example.db.in deleted file mode 100644 index 5cc3ecc1bb..0000000000 --- a/bin/tests/system/dnssec/ns3/generic.example.db.in +++ /dev/null @@ -1,23 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a.b A 10.0.0.1 
diff --git a/bin/tests/system/dnssec/ns3/inline.example.db b/bin/tests/system/dnssec/ns3/inline.example.db deleted file mode 100644 index 14971bd7a6..0000000000 --- a/bin/tests/system/dnssec/ns3/inline.example.db +++ /dev/null @@ -1,26 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db b/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db deleted file mode 100644 index 14971bd7a6..0000000000 --- a/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db +++ /dev/null @@ -1,26 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 
diff --git a/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db b/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db deleted file mode 100644 index 14971bd7a6..0000000000 --- a/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db +++ /dev/null @@ -1,26 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/insecure.optout.example.db b/bin/tests/system/dnssec/ns3/insecure.optout.example.db deleted file mode 100644 index 14971bd7a6..0000000000 --- a/bin/tests/system/dnssec/ns3/insecure.optout.example.db +++ /dev/null @@ -1,26 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 
diff --git a/bin/tests/system/dnssec/ns3/insecure2.example.db b/bin/tests/system/dnssec/ns3/insecure2.example.db deleted file mode 100644 index 76e3f47f21..0000000000 --- a/bin/tests/system/dnssec/ns3/insecure2.example.db +++ /dev/null @@ -1,27 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -x DNSKEY 258 3 5 Cg== -z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/kskonly.example.db.in b/bin/tests/system/dnssec/ns3/kskonly.example.db.in deleted file mode 100644 index 0b11a00b00..0000000000 --- a/bin/tests/system/dnssec/ns3/kskonly.example.db.in +++ /dev/null @@ -1,26 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2009102722 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -x CNAME a 
diff --git a/bin/tests/system/dnssec/ns3/lower.example.db.in b/bin/tests/system/dnssec/ns3/lower.example.db.in deleted file mode 100644 index a04793e312..0000000000 --- a/bin/tests/system/dnssec/ns3/lower.example.db.in +++ /dev/null @@ -1,21 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA MNAME1. . ( - 2012042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) -@ NS NS -NS A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns3/managed-future.example.db.in b/bin/tests/system/dnssec/ns3/managed-future.example.db.in deleted file mode 100644 index 20c19c5216..0000000000 --- a/bin/tests/system/dnssec/ns3/managed-future.example.db.in +++ /dev/null 
@@ -1,40 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a A 10.0.0.3 -*.wild A 10.0.0.6 -insecure NS ns.insecure -ns.insecure A 10.53.0.3 -secure NS ns.secure -ns.secure A 10.53.0.3 -nsec3 NS ns.nsec3 -ns.nsec3 A 10.53.0.3 -optout NS ns.optout -ns.optout A 10.53.0.3 -child NS ns2.example. -insecure.empty NS ns.insecure.empty -ns.insecure.empty A 10.53.0.3 -foo.*.empty-wild NS ns diff --git a/bin/tests/system/dnssec/ns3/multiple.example.db.in b/bin/tests/system/dnssec/ns3/multiple.example.db.in deleted file mode 100644 index f37dd750ce..0000000000 --- a/bin/tests/system/dnssec/ns3/multiple.example.db.in +++ /dev/null 
@@ -1,29 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a A 10.0.0.3
-*.e A 10.0.0.6
-child NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/named.conf.j2 b/bin/tests/system/dnssec/ns3/named.conf.j2
index 47d0422ad2..6c9e18976c 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.j2
+++ b/bin/tests/system/dnssec/ns3/named.conf.j2
@@ -123,9 +123,9 @@ zone "insecure.example" {
 allow-update { any; };
 };
-zone "insecure2.example" {
+zone "extrakey.example" {
 type primary;
- file "insecure2.example.db";
+ file "extrakey.example.db";
 allow-update { any; };
 };
diff --git a/bin/tests/system/dnssec/ns3/nosign.example.db.in b/bin/tests/system/dnssec/ns3/nosign.example.db.in
deleted file mode 100644
index 2be8a2833a..0000000000
--- a/bin/tests/system/dnssec/ns3/nosign.example.db.in
+++ /dev/null
@@ -1,23 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
diff --git a/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in b/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in
deleted file mode 100644
index f37dd750ce..0000000000
--- a/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in
+++ /dev/null
@@ -1,29 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a A 10.0.0.3
-*.e A 10.0.0.6
-child NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/nsec3.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.example.db.in
index 55b38776da..f326e0b15a 100644
--- a/bin/tests/system/dnssec/ns3/nsec3.example.db.in
+++ b/bin/tests/system/dnssec/ns3/nsec3.example.db.in
@@ -17,8 +17,8 @@ $TTL 300 ; 5 minutes
 1814400 ; expire (3 weeks)
 3600 ; minimum (1 hour)
 )
- NS ns
-ns A 10.53.0.3
+ NS ns3
+ns3 A 10.53.0.3
 a A 10.0.0.1
 b A 10.0.0.2
@@ -31,8 +31,8 @@ insecure NS ns.insecure
 ns.insecure A 10.53.0.3
 secure NS ns.secure
 ns.secure A 10.53.0.3
-nsec3 NS ns.nsec3
-ns.nsec3 A 10.53.0.3
+nsec3 NS ns3.nsec3
+ns3.nsec3 A 10.53.0.3
 optout NS ns.optout
 ns.optout A 10.53.0.3
 02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
diff --git a/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in
deleted file mode 100644
index 15fe621fd0..0000000000
--- a/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in
+++ /dev/null
@@ -1,35 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
-
-private NS ns.private
-ns.private A 10.53.0.2
-
-insecure NS ns.insecure
-ns.insecure A 10.53.0.2
-
diff --git a/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in
deleted file mode 100644
index 15fe621fd0..0000000000
--- a/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in
+++ /dev/null
@@ -1,35 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
-
-private NS ns.private
-ns.private A 10.53.0.2
-
-insecure NS ns.insecure
-ns.insecure A 10.53.0.2
-
diff --git a/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in b/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in
deleted file mode 100644
index f37dd750ce..0000000000
--- a/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in
+++ /dev/null
@@ -1,29 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a A 10.0.0.3
-*.e A 10.0.0.6
-child NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/optout.example.db.in b/bin/tests/system/dnssec/ns3/optout.example.db.in
index 20c19c5216..b1bcefa65f 100644
--- a/bin/tests/system/dnssec/ns3/optout.example.db.in
+++ b/bin/tests/system/dnssec/ns3/optout.example.db.in
@@ -17,8 +17,8 @@ $TTL 300 ; 5 minutes
 1814400 ; expire (3 weeks)
 3600 ; minimum (1 hour)
 )
- NS ns
-ns A 10.53.0.3
+ NS ns3
+ns3 A 10.53.0.3
 a A 10.0.0.1
 b A 10.0.0.2
@@ -26,14 +26,14 @@ d A 10.0.0.4
 z A 10.0.0.26
 a.a.a.a A 10.0.0.3
 *.wild A 10.0.0.6
-insecure NS ns.insecure
-ns.insecure A 10.53.0.3
-secure NS ns.secure
-ns.secure A 10.53.0.3
-nsec3 NS ns.nsec3
-ns.nsec3 A 10.53.0.3
-optout NS ns.optout
-ns.optout A 10.53.0.3
+insecure NS ns3.insecure
+ns3.insecure A 10.53.0.3
+secure NS ns3.secure
+ns3.secure A 10.53.0.3
+nsec3 NS ns3.nsec3
+ns3.nsec3 A 10.53.0.3
+optout NS ns3.optout
+ns3.optout A 10.53.0.3
 child NS ns2.example.
 insecure.empty NS ns.insecure.empty
 ns.insecure.empty A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in
deleted file mode 100644
index 15fe621fd0..0000000000
--- a/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in
+++ /dev/null
@@ -1,35 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
-
-private NS ns.private
-ns.private A 10.53.0.2
-
-insecure NS ns.insecure
-ns.insecure A 10.53.0.2
-
diff --git a/bin/tests/system/dnssec/ns3/optout.optout.example.db.in b/bin/tests/system/dnssec/ns3/optout.optout.example.db.in
deleted file mode 100644
index 15fe621fd0..0000000000
--- a/bin/tests/system/dnssec/ns3/optout.optout.example.db.in
+++ /dev/null
@@ -1,35 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
-a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
-x CNAME a
-
-private NS ns.private
-ns.private A 10.53.0.2
-
-insecure NS ns.insecure
-ns.insecure A 10.53.0.2
-
diff --git a/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in b/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in
deleted file mode 100644
index 14971bd7a6..0000000000
--- a/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in
+++ /dev/null
@@ -1,26 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.3
-
-a A 10.0.0.1
-b A 10.0.0.2
-d A 10.0.0.4
-z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db b/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db
deleted file mode 100644
index d51672c03c..0000000000
--- a/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db
+++ /dev/null
@@ -1,63 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -; File written on Tue Jan 11 18:07:57 2022 -; dnssec_signzone version 9.17.21 -rsasha1-1024.example. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600 -rsasha1-1024.example. 300 IN RRSIG SOA 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. kM6ztqAaLkxcRxYWrw2oe3qofzoIRjDv/tLD/A5edreqzzwj7H6Ihm0s JHfzqVOWBTwYzX0XgD0PXCqMdkXP7QlcWGYK7uCWnisayZIwNCdkywPC sS2ky1d0eK1A7kJ9nEH/eOgLba5uFZcAo8+9dD/6o6Rt1jTeTQkL4RHI UC8= -; resign=20900129082204 -rsasha1-1024.example. 300 IN NS ns.rsasha1-1024.example. -rsasha1-1024.example. 300 IN RRSIG NS 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. jxbsZlgK4B6IkCrZuNDVv/EIqgCU8pTOyWEt2DqvzRI8AeL3I+U9Nbcz 9gmQRaNEtffLVR/sfht6v1ms4AFJKd0xLSZj9ywsZKCmG12UxfNIoZ49 4d1ono8hGYU8xr1Qh1BU2HwgGY1JF4OyO28cgrkT2F9dAvG8MSMEW5Sg 9A8= -; resign=20900129082204 -rsasha1-1024.example. 300 IN NSEC a.rsasha1-1024.example. NS SOA RRSIG NSEC DNSKEY -rsasha1-1024.example. 300 IN RRSIG NSEC 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. AfEX9beXrft4d1moQD1VP3Em9cMgJmx2EYBKMlW5e5XFNk2Z5Wj1N//3 sBuUPNppxUilUEydqH5psVw7IMhrz8Q1+bhABNV7cPm1EOuq0NuQJ2LN JNlTnjfaRT6IAtY7d+NOCO2eKlDzMC/q8t2oaB+iHhgO7yc5+fxMGyQ/ PVc= -; resign=20900129082204 -rsasha1-1024.example. 300 IN DNSKEY 256 3 5 AwEAAaYD3SqsLtFHSfDhA8HhNKQJOToRptRmFhsYbqre+lq/BLpLQNkA 7Kq+chsUhOe+8OHMfkNXfr3XFyuUA3rBg15kq57NZ5gLzkHyeGqB9Ths M5pdwDCqPjJKP43W2+EXXHWsg5P94yldWcvMx1v80vrxGvUimfiQSznE hok/6oqR -rsasha1-1024.example. 
300 IN DNSKEY 257 3 5 AwEAAeEe/ohrvXtDqYgrz5Q1WAKRstnnH0xi/4Mne49PLO56TcVPf6sg xpv/SaHSlQGJnVbQBLebPemKDAC1vVOUqdTDxHJbLuO28brIWMzf0pc1 5G2RNtrQf44E4yaibSROhyBmWoerUHTPGJw6BGDI4fb/CVWujFQ1ieBy WC0p1NWH -rsasha1-1024.example. 300 IN RRSIG DNSKEY 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. nBLPJfoZe4G3wOe17bBSMooRZHe523pjdaTAK2PmXEa8exXH+OWCHh7f Jnh/SI89Hp9a2ru1Skze3FcUcTj/SlwtEuWpxOs9B1R29P1xVPCwkAfb xsmtmE6u5+oeLGrt88zA/kpjx6t0sFbU7A8/qxlpuoH+hdAu1jI2tlP4 d30= -rsasha1-1024.example. 300 IN RRSIG DNSKEY 5 2 300 20900129082204 20220111060757 1151 rsasha1-1024.example. 0oNrcBsFySVjBT60SX3m7cKIPmuCOUH0ZFucrmEVXJLGpNOXe37aXbnC Iz+NHcaaeZQP/w4aYSTyQvZs6Vl5Tufeic3SWalzTGv0f01mIIk24v1a h4ePUB8w0b0+/qq89zl6Ccr2/PgTaLvjuSGYcgX15cigqPRcKQNYCwO1 Vsk= -; resign=20900129082204 -z.rsasha1-1024.example. 300 IN A 10.0.0.26 -z.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. Zf/ynA7APXpNjcMPusIjRan0/ITLmeeY7GJfhCLeD3lEjnAd7dWRl7sC N5sBzUG78Mtgm39Ov/Kj2EwQjFcwcMUmppan3NzS+1YtYuZqlN9iAW+b UUfv8UQUHvM3x/hW4kNCPd2PHIzV2uedIp7VG3Lz72FvjHxECbI7g79V 18c= -; resign=20900129082204 -z.rsasha1-1024.example. 300 IN NSEC rsasha1-1024.example. A RRSIG NSEC -z.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. FPlYMJ41r79tkhIkDTX9/uVtcKXfHa+5oXb8fdo7/2CugjBfp5uihn57 3gMmY7Mi2aVsW64hRkehPJr+sTUOk5+ILhO2Qhjdrm2DpHgeSK29BTQr Okn9ruvpLhRFHwI/DllnKvBOyCmKSzJZE7PDOrqouGclNue07IXz+K2R bME= -; resign=20900129082204 -b.rsasha1-1024.example. 300 IN A 10.0.0.2 -b.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. gQmhCIwai57iscF2s5CJ5DbSy0Z9TiOWYGeFeZITxQ/koFOOjyuZXAZn 6f7mTUcFPhNm4AT/PJAs/L/tzcE16pcVwwDnHszdY28XwEU6OqaXUB3E T/Qu4Sh0BWet9U6JcSSqLG5317qJxqSGfnIJOXMucYi3MH3W8uSpapr+ 4Qk= -; resign=20900129082204 -b.rsasha1-1024.example. 300 IN NSEC d.rsasha1-1024.example. A RRSIG NSEC -b.rsasha1-1024.example. 
300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. Do6VghMEcHk35Q7fI2VrrQBYhChT4pnw791qUFhHZeol5fIKtEnrlviA RN2fbEY+7OrQQXo7Ywxo7nTD9sYsFgOwGKqKJ+yLNPcr++0csbkgt5rU ch1Lv+t7jOUuUX8IzgjOoCH5j9eoU5QtGkEBxf6z0nvlsLJaTWwTqvbr 7aU= -; resign=20900129082204 -a.rsasha1-1024.example. 300 IN A 10.0.0.1 -a.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. CaPXSTPLNeQ4MyRylYP/Ztb6kRT9/QdgpTnZxUHCjSdWEBXsrkEr55/z dBSQ8zGGOfCxlOkmgH/UrR7JmHTQrIqsb/iVq+6D0mfvNJDyNpT92bo8 r+C62/9NXLlkS5zcpyNG8Ls66EQ7dcFa6SxwdxF1qaoeBjJvkrGUMnzP UFo= -; resign=20900129082204 -a.rsasha1-1024.example. 300 IN NSEC b.rsasha1-1024.example. A RRSIG NSEC -a.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. DJlfCVMSPZ6KUIUhWUBt7LOCB8vBbxOFaR4PoHs/fLpGBWrQj46sjLKO W/TImquBg3ygYTOIyWEzVb177HryRmx65AKnfGLbzaTdTgHzcELwg88t EYFT4ODalqTn68o2RfWtNl95FNqJR/kguxxzFVgpN4zfGKXdhTWAA4JW zG0= -; resign=20900129082204 -a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN A 10.0.0.27 -a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN RRSIG A 5 13 300 20900129082204 20220111060757 22290 rsasha1-1024.example. PVFCHIXgDCZOHsTsr3G9wMnPPmiY4CfOXC3b1ZF2qEDqloIT+YX5oKKE uiT6fCBteS6Cq8XTXdezXjqTqxrdY4qMMOBDnIZhf8eOxjFzMEUKKZuH 9c5rt8u35TihuIdKv9OPXdWuTJ4dVSEZjNNxvh3VoMW6XFagYmu3f8Gr 0rg= -; resign=20900129082204 -a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN NSEC ns.rsasha1-1024.example. A RRSIG NSEC -a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN RRSIG NSEC 5 13 300 20900129082204 20220111060757 22290 rsasha1-1024.example. VOOEksRwMWNO2ESMrcMyPFAHuXyYgeLVODy46DwDx8PTli3/UwOH1e3l qd3Poh2K/OFP2v8TuzkXXnPW48Lg90haHtG9yLr5UUNoKntmBC9PFeqt P/qdOBiHszvcyyjJ4gabEX2gn+o/sL/klQV4m3mB4Vf5sg2dfX8Qyuw6 nDQ= -; resign=20900129082204 -d.rsasha1-1024.example. 300 IN A 10.0.0.4 -d.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. 
XcxbM4wA+yTOAwPePwRIg6E58HuMr5qIkdghNn/R5ck1JdirLbMB/Wpp Si+5a4q9F02Bs8uZv2YXtXRIa32i1/L6OPeU3RFQfvkpHbQNTvPtsuAL bmFGB/zdR6XQpqC6G+ip9qY+mk2hXwCZZ24NW90O9qYlE8Rp145/dIVM DPo= -; resign=20900129082204 -d.rsasha1-1024.example. 300 IN NSEC a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. A RRSIG NSEC -d.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. fmBjPGTNWOXAs51XO1fIRCKAbf9TLTV04TmlgLm50oOouEXsXpwKo6tb MbCGI2f+u986mtzLW4gWY+rcAPrMCndu5BPIYPk/Ngd6zqylWJzAfKyg PIqO0lf6jg0J3FfP39fw9bf+xB+AI1PWBrVZ55LotBYgIBZYhQ1LKPZ2 iyU= -; resign=20900129082204 -ns.rsasha1-1024.example. 300 IN A 10.53.0.3 -ns.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. beHl0WxLgPYkzKs/tdQnphXDzHx6FqdQRlVtJIYHGoWmWe4X6JWg4ENB a0xPeOGFQPBMgNuKbwyjAVmX0B3Su4LiBM7GcmfJbd4YRNCa4hQvhDpG o5A54Pxo2Qdo9Cffhzva5z4iO+DNnmBsfKGPna4sO2lRNfIxXlxCTbnE zps= -; resign=20900129082204 -ns.rsasha1-1024.example. 300 IN NSEC z.rsasha1-1024.example. A RRSIG NSEC -ns.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. aZTImJ5QFufIQEIuX+5ZYVW2Yq4ctxeX9zm9yrQaUODvVRm3X3WjncrU hkgDaW3a/j8RRG0cdAnzSWCzIMz0Yv4kWxrxCEJyIgmVUQ3fzxzpGwMF ZwCtNb9aWmImcAugTnjocn5+iCiyTEVipZmTASEyN0Bgp5Q4oFChnzIj kjk= -; resign=20900129082204 diff --git a/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db.in b/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db.in index b2e7e21e20..d4009dc97e 100644 --- a/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db.in +++ b/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db.in 
@@ -9,19 +9,55 @@ ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +; File written on Sat Jul 5 14:07:41 2025 +; dnssec-signzone version 9.21.10-dev +rsasha1-1024.example. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600 +rsasha1-1024.example. 300 IN RRSIG SOA 5 2 300 20930723222148 20250705200741 58758 rsasha1-1024.example. PJOZW7DeXBMB3VJ3RGFHbq5sWGc8zas7y8BKaEz4rWmScEfJrmt5ZGtm XPuQ08roCQjirb6ltLGMBorOZ5PrKkF998FhihCzUjJm9FSAVu3VW0FH 0AHGRuoErR7goE8kp3mQtqDjQfKN3RYisffzXC8K8WDb9AXNo6tdPl6d efA= +; resign=20930723222148 +rsasha1-1024.example. 300 IN NS ns3.rsasha1-1024.example. +rsasha1-1024.example. 300 IN RRSIG NS 5 2 300 20930723222148 20250705200741 58758 rsasha1-1024.example. 7bxj7Z1i+Yfn9GzJg7eYbx46KPQOybj/aqhJUDp4ajlYKHrHHtlhHiez DfDj5RlgLGdAzRQPBs51L9KWWl+S6+MPujeVOIT+8SLWbkAWiaY2xLl4 YvZOFFelI1msoBPsXHt28OZz395Iun0VRTnOYAVR/M8lFAwhwYKxnK6S pD8= +; resign=20930723222148 +rsasha1-1024.example. 300 IN NSEC a.rsasha1-1024.example. NS SOA RRSIG NSEC DNSKEY +rsasha1-1024.example. 300 IN RRSIG NSEC 5 2 300 20930723222148 20250705200741 58758 rsasha1-1024.example. ranydIBWyrsp6gvreVGLy8jlHnQh6fL36grp1Rqp6OBNsSn+WegQP5uQ alksR/mDvSAFAeCEX6jJ+GbZan9SUYpkrqbyZtrX1+xKnbbu12ogx/lc Egph/QTXsD6iFBXRB7psiqV1mJx2PjmSHEsDN6zxbOvCrSBSoUQZOkeJ ePc= +; resign=20930723222148 +rsasha1-1024.example. 300 IN DNSKEY 256 3 5 AwEAAfrnP/8ng5St8Ok9VOJ4QWrOIfAp1pzT0quT8+Else7jAOI55qAB qcWOOMfkgF3AGfmD/OkTo17fq4HeoULrnOw8mTPjbQFowrnPRWpClj3N lRUVfYpVaKOzy3WnUSiqtegktKMaZgvBz5BgAeJOkG6IpHCqYab5135K JplSUlBz +rsasha1-1024.example. 
300 IN DNSKEY 257 3 5 AwEAAfF0adqZOjSh1ADpmABpTwEAD/cWy/+9R42G+DqZK/8pkxfvC6N9 b9zWsa9LhyBge97aq7LyzlKO4HJvYK7su16y3ZeEQUplrwIwD6OPoffu X7vjNA+O7vikjdSN6sXI/x7eKwU+ZQbLyCao4COGy+Xl8VowWmIGJ3DZ wEhwOd+t +rsasha1-1024.example. 300 IN RRSIG DNSKEY 5 2 300 20930723222148 20250705200741 29488 rsasha1-1024.example. qGZmNE1DZMvZ/OwZXuRtebtpIIE3pzYUQngQD9VUHyA9D1cLuElyevgl /pjOh5Vpt0nid1Y0HrLrXYe6xRsT8a+hhp+5ybUqjOpusBDkj/LYnlev y27Nor/GcHNy03R+B/Piu+1T3UA+dxvYc+YJrmmx7XU5tMpqFyV4C4if IyU= +rsasha1-1024.example. 300 IN RRSIG DNSKEY 5 2 300 20930723222148 20250705200741 58758 rsasha1-1024.example. eMnV0gdwLW5SY+gL5CsTilyz3qN9YJBnD/EgaK4xXxnV8hoTXB/QgtAP +/jylOSIMqCT+VA9UlV2q2WyQd3n2ycdAaXIrZhMJDo/ErXcNrfi4h2G aKLVr/NiX6VlNhyNgbYgz0dM6CjcMbFQSr43hFJ4oWbOrEAS5a708/6t uUU= +; resign=20930723222148 +a.rsasha1-1024.example. 300 IN A 10.0.0.1 +a.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. 41BzMHFHRo79n2jipZYetBEeJ2tb/HD2wj28I++yPLmVbn2IUnA0qOQV ypYQmAjhIKgDD+KHq0SB+WbPnVj6buV7WZ8mlknFDNxmMc6erdStBwsO shtL5kNUv33QTsyRGtreCnEjjWSSMzC63sdBXyjN5+ZWVqxKIFKGwMJZ uwg= +; resign=20930723222148 +a.rsasha1-1024.example. 300 IN NSEC b.rsasha1-1024.example. A RRSIG NSEC +a.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. KXNm/3ISKA9TJqFUAgrFVVwrRqIMZ9IhaLALTD8nZl5guNfq1NUnjKQW kbM24C2b9Wb3ID+lIlz8NygSdVyGpUsxvyn3s72wxRHyAQjWSgXMsxHH K7OlPMWKOKEaa27uGjbXkcITPstqveaZNdCdNba7hrjiBuETsLBRQoyi pO8= +; resign=20930723222148 +b.rsasha1-1024.example. 300 IN A 10.0.0.2 +b.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. sFXNp9u1KLmGALRtBygUQa4jNug25BWHJlBjKiaIQHal4YN2wpNMBfP5 8pwAfTJHpMZmnIfTQKpYHFYI+AZ0VUh8KRjkUfZYtgviu6BqPshuhNVa hKYpSzpUDCjjg29oYPC36sIZSnZDbhbRYLzERXMVB/tLujDgjoGD4z3b dzM= +; resign=20930723222148 +b.rsasha1-1024.example. 300 IN NSEC a.b.rsasha1-1024.example. A RRSIG NSEC +b.rsasha1-1024.example. 
300 IN RRSIG NSEC 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. mz7zYeNU967NoqNLTbi9ggh+jG8c4AQK8nfkP6f09EuH76BcU9T/BzKI lLPws1PYmBeT+WXmcwuFyDxPlSntO/xlU/t5wMGOjMwHWRPaFiaAx3H9 PZj9JC4UDfEKOB/2icS9HQrBqzsPlzYVWrdqkAgm4ErVl4DNU0zUhv6y Xpk= +; resign=20930723222148 +a.b.rsasha1-1024.example. 300 IN A 10.0.0.1 +a.b.rsasha1-1024.example. 300 IN RRSIG A 5 4 300 20930723222148 20250705200741 58758 rsasha1-1024.example. e4R1G9oEo5I2kPqVsbUYBgP0Bv5Eyp9BTesgKqAJ0q9NfZGtjh/03kCr A8CPw7mwL3qLEVo/oupkzpLj/gt5Zszdlmu7Bw81cJfV+x5cPyLjXJty Z9+T9KZIFa/tqW8FFF3/owEecTjcPjJs/mrlNy7lbp1kLXBIk6S7yt+c dpo= +; resign=20930723222148 +a.b.rsasha1-1024.example. 300 IN NSEC d.rsasha1-1024.example. A RRSIG NSEC +a.b.rsasha1-1024.example. 300 IN RRSIG NSEC 5 4 300 20930723222148 20250705200741 58758 rsasha1-1024.example. Y3N3uY1kIyY9WlgWF8ZQ9gmo3Xi74G+UF195ljexwkjlU7LOX7TuaJpJ PyaqASJBGNF6aLbcwR89rItxJknSdNk4oqvQiwykZ0e02MXb/zPeqqkG +y9jS9M+ygKjMcyY+qHVgjy5UaldUqOV/bjg7cq2Z2FsCjkD+lCmGzfl pd4= +; resign=20930723222148 +d.rsasha1-1024.example. 300 IN A 10.0.0.4 +d.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. 1jqKrIB7M9la2A8cRVdy92TV19elq3pGvu19DGz77sbn3HYrb3lF+zSl O2g+75RxuwzN8yoGe5P6/EfaZviOPNBV5s5e+xKHQwAxE0RCdnLUcuE9 8PAuNBogBvhrDzZJQh0p1ap4vyuxCEH3jDYua9Ul7VMy8UmGcBO0BuaS f+A= +; resign=20930723222148 +d.rsasha1-1024.example. 300 IN NSEC ns3.rsasha1-1024.example. A RRSIG NSEC +d.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. JA2sayAAdp9pCtOSsv66hD6LlgA8IFC2gzVSIjYVnz5vevoXHcok7HTi UbaaWoE0UaCI5DrMTSc9x6IOMe0OTC4PLPl3dntnaiOZJfe1Fr97zyme jaMzqd61Tla/dGM58KUKKSL30hj/5o5DwW7ppdHKIW0sq3YXufnDOCgx TT8= +; resign=20930723222148 +ns3.rsasha1-1024.example. 300 IN A 10.53.0.3 +ns3.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. 
NTFkNDGrOnrz1BvHEgqq3I02y+unDlUmkd2RM5pFz4wMWlZm7b2sPFsi kGH8AwE7U5RBR4Pi6YLS7im+GKXRKEChYbHy7QU2XyvGueQ0AK8jLN3+ daSr0vK5RGSDihl3lWELQPGF4/qrYYVQI8itrewvYWA2EKmPjgJAtjKV DO4= +; resign=20930723222148 +ns3.rsasha1-1024.example. 300 IN NSEC z.rsasha1-1024.example. A RRSIG NSEC +ns3.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. Dx7nC3ZCVV+BTR06WOG6vh9mt81aQijpKH7N03GopNejfbEN3dtGR2n4 cEnc/rofcy0HaDiRGKptrxYNDez6g9awh73p9FDQgE/gnnOJ1WAOIyVi XE4OHSwxfRRdYNV5oDY5Dsl9/ZNuewwc22hfEHTALKDv5ncOeGlk4r/U cds= +; resign=20930723222148 +z.rsasha1-1024.example. 300 IN A 10.0.0.26 +z.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. RO5OYSdypaZuuB+cYQLfj9nZ6PgCpd3iSOZETdY0/RYcH31dX/mDWa/s ODefiUOcyZNJYbJmcZXbOboBQOsHSB2+SsYwc6hfkKiACvB564/6u/5v hujJJQqEpJfuGEaGfJtQHjPgXQoa33juX7k+4zOQJFAs0z4loIb5s9d2 Gyw= +; resign=20930723222148 +z.rsasha1-1024.example. 300 IN NSEC rsasha1-1024.example. A RRSIG NSEC +z.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20930723222148 20250705200741 58758 rsasha1-1024.example. hLdkoNjYFvJ0xYYOp2D0mqoZntJ8M0crDboQ5CGQ5fZD3eIFWG/uWqky 9tt6udqkqrVv7cniTlyoD1GQqBpx4FR9P5qgMXDQ5EvZ7WncjfVg2IFV PYZAqV1iFiQXackDd3jipKGFgx8NKvfl/jr1tdNR+5LqxHFM51zb7Hak J08= +; resign=20930723222148 diff --git a/bin/tests/system/dnssec/ns3/rsasha1.example.db b/bin/tests/system/dnssec/ns3/rsasha1.example.db deleted file mode 100644 index 2d16e503d4..0000000000 --- a/bin/tests/system/dnssec/ns3/rsasha1.example.db +++ /dev/null 
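Review bot: The new body of rsasha1-1024.example.db.in is a complete pre-signed RSASHA1 (algorithm 5) zone rather than the unsigned template the `.db.in` suffix used to denote, and the header says nothing about why signed data is committed or that every RRSIG carries a fixed validity window (inception 20250705200741, expiration 20930723222148) after which the test will start failing for a non-obvious reason. I would add a comment under the `; dnssec-signzone version 9.21.10-dev` line such as `; Pre-signed zone: do not re-sign at setup; all RRSIGs expire 20930723222148.` — presumably the zone is committed signed because RSASHA1 signing is not available on every platform the suite runs on, but the hunk does not say, so the real reason should be stated there. Note also that the key tags change from 22290/1151 in the removed rsasha1-1024.example.db to 58758/29488 here, so any DS record, trust anchor or key file elsewhere in the test that still references the old tags would need to move in the same change, which this hunk cannot show.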
@@ -1,63 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -; File written on Tue Jan 4 17:29:34 2022 -; dnssec_signzone version 9.17.20 -rsasha1.example. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600 -rsasha1.example. 300 IN RRSIG SOA 5 2 300 20900122074341 20220104052934 30286 rsasha1.example. wg8k4y/Cs/+u2QfUnBURhD4isSFTzCofpdhMzVJEUfBqu1DBVO+FECQ4 U80NCg9iksxm7xsWAZiQx6Rzvh1rUqEA7OhCy7XiPuz+jR1TYHXJhRMu t9gu7aCdTkcXYCMtppd49/2vT+WPKB98QIKD6wgl4LFFhwbUCoXavin4 babUiJrJeAnuxmIeD5HtM5a+++p0F8QemdP5FkX3WCRBHNFGnoVYJjc7 PZ+L8ZpKElah47XzJwAYWDr34TwqU9llCOcXlXYKBqDKO9fEtJJ1hyk9 Sf4fGOdzZD9Pj4Zz83UlHumeZPfIC1N0xVBYvGPu8LU41WZ4BgZfKSoS UIpbPQ== -; resign=20900122074341 -rsasha1.example. 300 IN NS ns.rsasha1.example. -rsasha1.example. 300 IN RRSIG NS 5 2 300 20900122074341 20220104052934 30286 rsasha1.example. VqOKkNo7CRH2uquL/46cIVoIPvFYT2WrpwpG6ienlJoLF/mZn0ReoMaK G29R8Q0tklalk14CGShiD409lXDRynyHgmLGIFjkXMd6aNRQOdD1O+7C wEhAj4/FEz+qpk/xRGMslxCCF1P7DxpX5ZPI9DuPVVvTRk4131CALaFQ EPblDzEgd7JeoO0tKnPjpzXLdr86NDeDVZXonimjEhQNrvrrurQ5/u2F x7jVmovN47Z06+XCbleC2ag8ZazNkYfU8GlFvkozZMGZtnpja1/SllNJ ZdURisd3JFMw/xsZd1v2MspKYcZePTfzyk/keXSJ0AlO7TA1X2sjiFOo 1fhSnQ== -; resign=20900122074341 -rsasha1.example. 300 IN NSEC a.rsasha1.example. NS SOA RRSIG NSEC DNSKEY -rsasha1.example. 300 IN RRSIG NSEC 5 2 300 20900122074341 20220104052934 30286 rsasha1.example. 
U7SEGuJ95CKk6+sWNCNHfPuvjJ2KChhutImWmSTc9lgb3uSfptzwbYnP UZ3xG0IqkayRJhBSizLb5kntvBZbcz4pEWZ+o7ZJdiBHcCARj82OJaLF d147VB3XJa6rIi+o/Zm8SIbxU7gugqRds7KfSTxAIjHzLpCcu12hlgfc Qso1LYiVeU5GVnmfuNJQL7QvS3BQuTylTI1+HQpiY6W8Bzev/TcbhoDJ Ywp4hvgF4VGCvrO2glSO4VycLjluawKSlrNaLbAtWIYYUSPbvtktM8tQ GBqOij4l7eMCTGRCoExWEnr+CzWAauoemhLDh27Bq6VNjD5iIvjzt3Ym uGDQUg== -; resign=20900122074341 -rsasha1.example. 300 IN DNSKEY 256 3 5 AwEAAe31msH3kL5cIQ6C1vTnB8GvbFDm0t/j5XWnLonaKDSUoHtKLlRq pBPuwlORRUZxRSs7VDAaKE0YGky/YklSCqvo8gBD4dkNjWD/6XGkmtEq DOL8XCz1KO+djs7WLCuCyGIkG282+sntuZJj4IMd+ZDW1urCwaP94t3u W9N+PgrSacK9Ff1bwLR9KIgkRFpJ+JxPeaFYnVEyB4ZaZ8DgPWYNJ+aC awL0nATybC8asPeCGvft3lSS99z55IMfkpjF1rwHIVybqhiukRighazQ ljjVQdlXj3YxFgD0fpscJ6yN0QXdseagxiT4PahnwaHYHUhgGm+HB1zA pA49L9dg2RE= -rsasha1.example. 300 IN DNSKEY 257 3 5 AwEAAcQdnpcda8XlNxllEGbWy9EGkD5TtHEbxThaB9c6ZNQPTf3gJw0A LpIZ787sepWND7vPcq6Qb/xZEmC6ER5OfaYbDznUh8q5NaaTbSwv0tng gE8KPwtvlgH+4eUmOcEkGrfR9G6J9S8JTT5bUWKTUbprxE65/8xcY33S cEeOpi34DLR9GLNvPLTSLuWQcYrq1YZFHbivQ45oFD9PvWPJWOoAN68N T28e0ZV8QHuXqW0IEheeW+AEemywupdaxun6Cvvolfz2EMYFnYX8YycE 0qUoDC4W9w3xB4nOllWQfJzgQkSTr/I4XCgepFunBeuAHZhCoQHPt9fK IfPUYxQzaa8= -rsasha1.example. 300 IN RRSIG DNSKEY 5 2 300 20900122074341 20220104052934 30286 rsasha1.example. tODh3LiRuG/ao3ZtJSLBPCy74pkfHXMPRUgFP7MhNR3X6gq75daTVHLi ApTesgAXPAbHI404ps/8M2Z84dkMKBhRDdp1e9OwR8IB4Iw0IOGp2rV7 oZSYNzgnlwRfQ2G75G3xbCjiQhY0H+7IlSiys3sAaI67plvI3nDC3C/r zyDKiY90pK31e+q72SSK+1t/MlsRm0nAYHyUZGLuBMoXYHwonLImeH9Q jwy+cXLwhzOfPfm97ailNifEk38+P+H+Yq35Cp1ezpMzxAi67AcY83sR XB7RVRCf/4uUErh5rYcl6EcnHFh1xA9oSHsaPQbd39PO2fNanyvdPH+p b0ey0A== -rsasha1.example. 300 IN RRSIG DNSKEY 5 2 300 20900122074341 20220104052934 9662 rsasha1.example. 
Ksyrf1lseBMSQGyPWrSve/X09Nb1CWB//Yvjw9HAEBwna9wseI6cH6mi B1G2JyFmTFzxGgVmf0wB+oec2w7nt5/uUJbyVfLQvCs9RXBGEpKAwhVf GKIwcSF1VTyVfx+PYPHvCpeN01Qm3C/5pJ28dkT65Hry2a7f39kk/8YZ 4zVM1nYaTsBUQdQWvR5UlSm0S3SUMBc2MIEUGUFBhtBJ10W8VkIfNzma ONjMHthu8vLAfwuBYX8zzJIVB31XvnxZDa4LSM4PesyPZ+KVR27o5dlL gQS62u3PWJDgEhUNFIa8A+5kDENC24p7DSfG+Aipe3upefBpBAW3VEdN A/nwQQ== -; resign=20900122074341 -b.rsasha1.example. 300 IN A 10.0.0.2 -b.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. ivXu+xAyZThIsY2T1c1wczdeeIG/37z+nO9sbUOzcUyf4+T9lX+6rU0D gxQTxHVdcsw3ge/C+dU2qcrs3EHHW4JcpT1yZMbXcyo+w5ocj5oHGYD2 L3iKLCEZrzdkIwmY4GXNyTznk0X5GKuaP7P6PeNrwWEBficB6xLSiLm7 tsswVcc4XyHa+zKBbxevIt2bKvRUfruyztgENZXJ5125Kx1Ee70Hwvgw bNc2J7lqpJw5c5O8yUaXq5gsxcaLBuONbQ4ANL5PtFQJJY7B5GhqlRTy gVrThJsoZj66pfa8gK92yn8uRG6sFpAbtPrTMQaReiExOhCUdBZRBmA+ RWUTKQ== -; resign=20900122074341 -b.rsasha1.example. 300 IN NSEC d.rsasha1.example. A RRSIG NSEC -b.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. hHtS5Bev1RkOJhsz4QnWJzzn/BBRLJil1l1RCbX+nbVbPE93l/2aDi12 jgctWKIfAiVfdFn93uno11+7Lq+bJaiMvaozJ+f7XWMAPsITOlKGNtiw l9kqZJExugH3q0RC1W0xxnb6HlIbwYGn6refUexaZKjgBsUg302pY7bh 6z4WuPakuxAqsaI6KLxLAlm7CWmdXvpFMCc1dnIVDplxOAvEINTrEesY sffjfmRbP3YAXC6/xvu0WVlikgklJjjiRqdeiSqPLGlnb79OAF5whHSL nYvWscX00/f+SOiniFoAFH2KeSb7VdJ2jvpTaqWjrYxxvwuZMsKNzwRI 4pnH/w== -; resign=20900122074341 -a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. 300 IN A 10.0.0.27 -a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. 300 IN RRSIG A 5 13 300 20900122074341 20220104052934 30286 rsasha1.example. 
BQT+sZ6SJUbGDJ0eG6WBM19+UoBGZEie96E7EXaeS4It3M+EaMkIWIGD hp0MwiC0yW8u0zWjlA57t3yRpVhvCic8kl4SPs5tOmDXyy5RRJ7YOHNx 3PCuAbkoTfoLt5ReVtGcs5LTz+lmPUKZw/dwols5x8v1PIC2O/Ud6Yep TE9Qeymj1/C3GxxLVPLxXQhirkhT6LfMmFH6fNwec6U7bVRyMo3twcvK TDxkEZu5qA0+6bSrLC/xdyZYE38RQOlicmmGfYAIkDWKDdDXYbfBeJq6 zP8aFvdqOckDBvXQcnP9Cq+IvQX1noO90ePYf5AzNxAEQFJ4S1LUm/0q mQqNLA== -; resign=20900122074341 -a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. 300 IN NSEC ns.rsasha1.example. A RRSIG NSEC -a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. 300 IN RRSIG NSEC 5 13 300 20900122074341 20220104052934 30286 rsasha1.example. jvJup/Pg4BpAjh+eLMKEYFkpK/iOVt3QggGL7CRMxzxkYYMJNPwXqdAt 5MovIAFjFKBQm0RDe8/tqav/zdOZrDTyRZ2Zsh9qOp7hlOhy4oqQF+4n Wqg3x8v9gSgrzSAsiJAhb3fbbfdAb3Esc1R0Ec/RcLYEUXiD1eLTG0cB qtVmX3McwXTmu0OGpn0Dsg8CTSuQnrvo24bvsah5SEL1/NVkPtEE7KDT Q8orR7LNM0EeIL1CHxT5dqCAo5MvUm9L8GL/YIOZgtifD/uL23T0ej4j 0JYN7EYoDyFT0fyGeBoS2jkCZTsQZivfnkE5J4Ch1nAU5bUmSeX1eZHK nvce9Q== -; resign=20900122074341 -d.rsasha1.example. 300 IN A 10.0.0.4 -d.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. 1mZnG0HsIygSfEue9vMlqWpIQ59EmrktvFrGBzNUEDQDjsoGHv+syMFi A8BtRPkrHZzGaYTqy4L8ZL6V5vZPN1icETNVebx7teBTNFIwlvubdKoQ Zg/37W8gW6U1PN4khQlfX7W5XMFifF4qfCfI3XhkPgKacVaucHQhvGth ZzgCbhCQBVMooRb+v+nzknin0qpIWm7pVPh94BaajxQJ0mNwVQ8hjdJP jy16PH4z/aQ6oPjPKMbnMwTQOdWVUKsZtEkBGcAjJWLFmUJYpR5PPdRB /VsEtjexNKZtDwn0/QUIqUi4GcSp0ISTDBTNDjImJhWVJUoFh6S6zuRW tPYZGA== -; resign=20900122074341 -d.rsasha1.example. 300 IN NSEC a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. A RRSIG NSEC -d.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. 
oWJRAhXbXUA84Nc56NyMocBq93bn3k4uGeqv+XL2L5l6yjxQYxKzjqq1 O5m72K6GiIjoIeun5TxJlEI7/o1EivTxdGYVP4Fsb//Wrv422QcHwS27 xNsFhLMFQglBCOaZzj1v3G2nXRRjP8x81ysg048THlhH5Jm7cW3aUmuS P6kXebWVwIc2nywLHVr/U4dCT2sHOk2gkUuaj8p6rMLVYwj/5dBRijVl Wm131ZeimetxrrRVxXtOfof7W4pqx3bpYRqb/Exdh035Hen+QesxRYTA zcxY7CywJY59afc9/abQBWGkPLfF7rgfJjPIc3MpJlP4SPf0SV4bTNUU nptZ/A== -; resign=20900122074341 -ns.rsasha1.example. 300 IN A 10.53.0.3 -ns.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. ONQph6nkFWSS6dqe/agbVnbjwTtA8ZZATpTCqoRJp2QoEgIjZ/0Yh7Fl Axz4PnpMYsEoie0IZ0/g+xTH7nXYphZzzzgedK8WK0vdTW3Pspyoiek/ tWjiGshqq1atHgi+jjRiuhnEvkaX0UDipMCQvI7oFHMOJxmnwZBCNWMc kBu9vbqtr/+HM4y+jGywg5l2XVkmHC5RZv1CoYc5PhfvV4zMI2RCb/Km i5eNCrUZefRfAq4fK9M67Jh/WnfRWfnHZKZN3O0yiRdnKOh2tOQP3X46 fIuNldCeg1PPnkbs4R+ekqJYhpEydNuWKEoKw2ZgeIrmbcRqepD6y3SZ UP/TAw== -; resign=20900122074341 -ns.rsasha1.example. 300 IN NSEC z.rsasha1.example. A RRSIG NSEC -ns.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. s7P7k9FDJrO1JhUVjgVUDQXNXfNOJrYVt44OoD45e7w4Q7QkyeZe+6z1 Arj9tW1bI9nIVNo63DT51bsJmj4vPf4SuJgHO05ElkLFSvHn17qMdw8Q Kpx8MQa7plAISqzl9hJip0exMuV+1IHujO9VGE42CxKl0q6l2b/x3+Il afx47bcEePkdhHXyhOSdrtxFTayzjMd/7uSy6p1jFSEVrheejQ/r44t3 9uxEc4EYfiP+HVfnjJ178j2Xa4dZyi3ljhJjaH5oleiy5c2Y5kXRIuXH OcIQ2axO7LT/yupRcBPlo7ulwI9iEVd2Q2gueMqaJ9YEWlcoOSFu1H75 7IRAbA== -; resign=20900122074341 -z.rsasha1.example. 300 IN A 10.0.0.26 -z.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. nuqG+ILECKKCQockETu4yLRKZzv9qjXJpfD0/yw5Cw7nSrZFvAjpkQR2 f+xmzbcxP4xiYqs1I+nz8cnHs6NNkJA8vcmk9dnzRu78X0x8MFFV0Yha jQKK/cSzhEhys7GMYv3Jz6lKfmFOAoq1et9PaQT6w8zQD8Q5vBzKrvZm pg+QzZvvgToZfj4e5J7nrhnyOVo7Jec5l/aBCGJbgRMDxjyyC0ufOjnm POvsTZk+wM3+wuN6zYwDpproPiH/6vC/yPlDHeh6kDt971dMsdvRv+kS KAzPyN8rweptJ/HRprb9x6zcAJOrK0T1sJ+EhMbYMgC/py6aAn+T7G5D FGY1tg== -; resign=20900122074341 -z.rsasha1.example. 300 IN NSEC rsasha1.example. 
A RRSIG NSEC -z.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. Wj5DkrGppeMFn8bWLUMfFPCzDAO2HeabbEIMaAHBH/g0hdn+2PPkQc8D D6WCSc4q5gyGNRSXj2Kik2TojD9n/5WuwDAA3W2AOso+4d616lSy9pyj x+e4WZ6y6tAYRRIGIVTdDEOxrZ8KspclWk7H6OAAPIYvgZeYjox21qXN BknpIifVoaYUoxi3e81k25erm/Xww4uU2SMQgvq3sBrs0YGANembfxas BRVmSmBykpugHgS1/Fl19Hp40y/JTBzqOLrHgPgHO4aH89dgta0WlMhb 8uCUOjHNjcR+KO3KUpKDZkH8IuJHWWFd0TabdV0KBhpInQh6Yorhpjg7 qNBbgA== -; resign=20900122074341 -a.rsasha1.example. 300 IN A 10.0.0.1 -a.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. eJyAqMArSagK54kSFvJxE5qYXFSDYxj6Vt8l4gi58BQigO7p5v0BUWcS icToRx3a9+rSdhnBuGbOWGNlrKFfCKrLmqYrlI9GFSAFLAFj7DETSKDJ X5dQ0KnpyGL3SneQsDWAvAof0y9B17dnBHQMSjeVqqQLjYEnq3ZIdT3c b6emCGMhcbfIAOYWt7t9nk/J2tsTsdoKtTCHP1SHjn5sE++BPXOce49X gFnNMD+pOcoLH8Z07RcTQ8IeNIa9hO8UaypyicaHQ2F0JtsiL1pqREXf QsBeLC12Gbi0rxJX3gdj0LXsmSerVl6BgaNjPTp3840WKrW3nTG/8Lre bxgkow== -; resign=20900122074341 -a.rsasha1.example. 300 IN NSEC b.rsasha1.example. A RRSIG NSEC -a.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. 6fZ5/GXrFAc9lEspMNlPa40F8O/tGq1oaSZXVstwLH124TNWxRK+i8eT H77Kq80vZkDus8rkLr4fiLP3ApXVBffCRHZWecGrYaPGDbQXALQEktld NhmLr9Nf30Jq7KvVV9Qf4daPC7ZwkB8EsikJxjpQ/paHlU/Pua7ZonnH /x9HHRJBLWb/PPQWEc++8SSjA79+HZVbB8rBwXyxHO1tFBCbBpK/JNwu KpRqNp/mwxPpSaJGZIuhHlzfbLsS4WoXjdG+fob4RqsPPwrf/uAAzKM2 dHVuqZ1erH3ryb4JdRo+MhqD0+vC/7+eNccEXraBsE5xGw4M62Se37WC kyQDQA== -; resign=20900122074341 diff --git a/bin/tests/system/dnssec/ns3/rsasha1.example.db.in b/bin/tests/system/dnssec/ns3/rsasha1.example.db.in index b2e7e21e20..f358bf1248 100644 --- a/bin/tests/system/dnssec/ns3/rsasha1.example.db.in +++ b/bin/tests/system/dnssec/ns3/rsasha1.example.db.in 
@@ -9,19 +9,55 @@ ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +; File written on Sat Jul 5 14:07:24 2025 +; dnssec-signzone version 9.21.10-dev +rsasha1.example. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600 +rsasha1.example. 300 IN RRSIG SOA 5 2 300 20930723222131 20250705200724 56181 rsasha1.example. HD26wOumxWQ/epo0958sjThZr0yfTMHnIn5hC2ZdOia9uuBBnHR0kPyS ++zd/Q9lFb6MRzkfLEHGexv2fXIHnWcCLp93gYvMm/HWf0/MhUzhabzO YJfcDKRT3PUEgDvuE0tiHEGWHYAb0iXQi1cjpZhvw6yikAQ2o3UUn3e2 QTQ0JO7EnG4wNxPnr92VPcTLTqajczCz63cvCvJpkaUCjAFyTKvCpgyl /eRKagX0UA8lv+DmOwFCTG0p1JeIQMQoW7xZELEWb9mAR/o1VmcJnYT3 Awi35hTj9XhM+bPCK4qqOkq6JNMSnOA4Xxg1baTEqjrFJZmEG+iyImoL 5d1DLQ== +; resign=20930723222131 +rsasha1.example. 300 IN NS ns3.rsasha1.example. +rsasha1.example. 300 IN RRSIG NS 5 2 300 20930723222131 20250705200724 56181 rsasha1.example. KAZovbd0Urp3LIrLsCV7UldT5ze4fYG8iaXWpyrw7/JmZIZOWA3X4rgF hlhxes8xD73qrV96dWuNZmTMs+mp665bAbX78sjfZZdmWGWrpPzse6G3 YEm6EGSOWjrsb/kOmKPiRTaVUhTanAjJC17rhixEYRBrvekpnDx/3PjX HnJRR8a75DXVrhm47u4/hHD7cS2hOfZj4xqNyWOlpNIaH7ZWPzO34SR9 iuPReF4Q06NG741TdAfsl3h9YeCfZWBH1DQ7jwrq5hRGPTtZmq7OTyMm dH0ovRF6ntYYbU0aOanS4l7sjEVwr+AkrFG8Pu9Ipey5Tlgn3bx40cAn 5TDkfg== +; resign=20930723222131 +rsasha1.example. 300 IN NSEC a.rsasha1.example. NS SOA RRSIG NSEC DNSKEY +rsasha1.example. 300 IN RRSIG NSEC 5 2 300 20930723222131 20250705200724 56181 rsasha1.example. 
DIhZ8/JkklG9nAC0CB98mmOVnXy7KS+CbG4vC8OrnOSi8nyyHuNC2Zt7 p2taM2KshEJ3piXUsICLbQDpHwrbbRx5RbctaLQz5S3lhx+0j3TNZWaT 2kWP5jMyhNDxaNn35xh7yTamDEKC20Bk5YyN76YClEkwqAr9ksj/FUNY RYIG9+4jjOt962Vj/5e0pgK+1ZbM3lF8WvJAh44YgWD9U4D1nBmyrkTq gBwJUbCvEmyoCxOQfSQhTwaAqKQ3IalnC2hfHfYQsEwpbVwfvt4LGEy+ b0vNnBGHKriM2T/p59vtblWirsxDc8QNpYmtOvjVket4nvzBuA7eqUFt /QijRQ== +; resign=20930723222131 +rsasha1.example. 300 IN DNSKEY 256 3 5 AwEAAYnqt4hwxo/oi63pCLz4EQaUyQU1viMhQ6EVnIXKdPdymJ51tKuh qJ+uT1MxcMwH97b/2CtqTtbI4MP7ksxDWh7JE4R2kzdKrtb1darcvSiy Ewh73TG+1wvt1f7ZC8Hw2TdiU+mLL3vFBfmnUN1Q0xSULKckdlOwH9I/ 20xeS6mz8tYxOC/N9N3AH8gPF4pxoEHkX2XpzdmBSKlgD4Sp1Iqqnebg U/JK2JK2SUZr2ZmCeSMmAmPCt5rT6B6hN8XQkhqPLG3vygqsoLbGngVV nBXFpziMi3VyQ48yvjnNTpzrkfNo/3vrRyrLpBw9I8ZtZNOrypwayBdu fgbfk7veeqk= +rsasha1.example. 300 IN DNSKEY 257 3 5 AwEAAcWJul/er9Gsevi3PxbuJV2iGlbCC1WF1PZ9dluBKZFFCRbl45Mt D32nMBjpr0TkwVRVoTa2tNYdPIo/GrS6EZfUzM6coA3IEK68j0tgqz9b S8fJAaBYMTWlcvho/o9aEZjcnVW3c6IwjxAqUq+4wdokgjV64s+RBPZF 1zRbJz8ONINHmxvKHBzZzVa2Cq7FaHoQpF0NVrHhEuic8IXrW5F9Djah 0svAdethvpfpwVIsthfkv8/E4CfLDFymSe93g4mwMgcIBCZs1ikk1tbG 2oTrUjFui+iXJWIAoKZ8PqfBAWnxckTt1FJCg2cNrxtWAo1WncJdX3py hK7TjQ+DIKc= +rsasha1.example. 300 IN RRSIG DNSKEY 5 2 300 20930723222131 20250705200724 55127 rsasha1.example. qrWtbMhGFKeRoXgphkmpTQJxI04Cl/hmtE81YuB9Em7F/cNAu7yFi0O4 ZDmm8qRyV4a7itK0Ce/WzFBrCp3CuyJ9MG3hyvJDtIoLTHtCL0QeMwDA j9V68ajgTBNYC1ZwhbDTiD53EJDjplU2U6lCB0zxzJkEE4wPdkotddjG Q6LOy0qSej4raIoOwptaTIkRXa0fAYXz696A2S8bDq74Z9Bw6qcYoj0X EwqFnngFS2Wf4scpeoplR/psRP6n345inw8duF+XieGdt8XSaBw3Qf/E h0eReXQcA/GFpRj4Rvevj+vN1LSBnuwZMd5aC3+xHYf99jAzPYdglScc Rv19qw== +rsasha1.example. 300 IN RRSIG DNSKEY 5 2 300 20930723222131 20250705200724 56181 rsasha1.example. 
hvncQdiu+zpcYQRPG19nmbpPPCCGFAT5s4dITGslA5/V764XGvuowX24 CuZMMTefS1KkR79GzRYuTOw/T+vbinMZcU1KvSWaSNsKwYUIsP6cYZXG DX8ug0X+eijggV2bm+43yGjjNKe00e+Aoj8xHNDJhyy+qbKOHUp87Fbc mAKwpq35gEeuBt13PaJxkuQZVxAe88F9TXwhmaUOrlGrj+5XASJR6Cz0 DmlW4p26X//Uvs44bbyDN/hxF1rGOu/D470Q4Lkhsu9B3wtG3vPoNwSv BaMoFU717YJ3a2li7mean6IXIvyCmS1YQk+EvNfcpiW9yPWHjB/0kycH 37HSDw== +; resign=20930723222131 +a.rsasha1.example. 300 IN A 10.0.0.1 +a.rsasha1.example. 300 IN RRSIG A 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. V0TqYXv83i25Ir50MPgxnWrdhhE1nIMCpAca7e7FKUrLkGlsypFzbTX+ 5hBHaYENXYr+Risr7B4ZdV0LQk4aXfmKqvPLqU0nYfsh/g86bq9wklaU R3QywkOEJqOfirpTWz/wybAE1ELasFncx/VaPrYQ8Zqw6H/Vb1yVSJWs ZqnfDFbZ7mYfEF4wgfc4St3UzjpuoDwfAhbwWg91t85UbYs0SvgYpgbS QLNL+/ltG0hLKNsIzp/aYQQ3IOeeiofDCDOZSl9k3KAezJofJUy3YRBb YVpbe89h6Gb6m4/kO17rLrwQLg7I90ctPgdqQSCKk8x0WzK3N1gfhxxM fcFnsw== +; resign=20930723222131 +a.rsasha1.example. 300 IN NSEC b.rsasha1.example. A RRSIG NSEC +a.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. MxKko8nlw+QysAsrOjR7UtXgHsEsvsDMji/riMT0PbSEDMPJv22hQHbs hDhBD7xNygGZ6bSIX6gXd2uBVfUePzmXCk5tBraXywZ173SvFy/cMJu/ Q9FAFkPKvyEAhswiYUnrXWnujyNmDUK8JFrjI7TSLzQ6mXh4+PO+7b4E GpRCyhArL0Ov1iDipA1CpxCGfLJNaY+kvA+8VPcxob78Ly7cv81kwafY oV635DUp6D4tqSYgPMgwJyOuiek9D7bZJIHPiH/59jWZ0Ik9TNC4EVNF 1Fy4VjdMAFGnW9KIAUWMfSIxImzbh7V17H3H4C96LMNZIWJJG9zxOtMf r6fS2Q== +; resign=20930723222131 +b.rsasha1.example. 300 IN A 10.0.0.2 +b.rsasha1.example. 300 IN RRSIG A 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. dM6MhQGCqyBNdEbr0YMS/+sUjNDrdkkBcKhrtZ271WDx07838oY9XbpZ v+cKtLuhk69Gm0xErN32k+Qaa+LhqP1YPdqmnyAEycUJXUE7HsH6E9Fz 8AKp/BDQshb209++d3JQxlbch9sqodpIRkxYIkTVJfBt6vsAstYwZHCF I8+PbjTn2zNkBZz0rmj5+AxDDNfnRmcPOoXVJXKNkasQgagSWr1bieb8 15CMDnk/PJhFpHdJ5NiQck8Y9bUMaz8mPBJpFeJwwssY3jCe2qb96IaJ e+XLRpJntHpZvBy3DpO0jA2WHf9WkS1/4toVh4ePHc+FgJBEUXJyPqXc OzjGog== +; resign=20930723222131 +b.rsasha1.example. 300 IN NSEC a.b.rsasha1.example. 
A RRSIG NSEC +b.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. VV6Z1mhegfATU+mN9gEqrL9oJNpPeZY+Ld7p9kp4oBL+omWo5c/DQ1LR xFUUA6mp1fm81vQwxkxqSwfixABF40lX82ooKQZkgOMKEDvsfkZR4dE5 bN5Dp0JUQTH9fuEX4mo9jrto0gPVKuI0PihHzNfgo8aBFIiXZA86D3/w phVgC+x/o/kZ5Keau01kY8DRxK8Fb1dU3FMjJB8gQFpPwv2wde8yxYgn HUql7sSkmFpQO9heh9+lPqQTwThaiM+PnYY7D96O/28Y4FTfS3D/RCnS Xb4gGM//gkbTmXPlFsaYqYeBdFJbkh0cI4YZxk4ynVXsWL1D0Nb2FqqS XnjBAQ== +; resign=20930723222131 +a.b.rsasha1.example. 300 IN A 10.0.0.1 +a.b.rsasha1.example. 300 IN RRSIG A 5 4 300 20930723222131 20250705200724 56181 rsasha1.example. Ctc9dyCVDi7ptbp/g2H5NmCmPSGhYTKcES2bCXz6xnByyISpjyrJjG9X 71RVB1ZfF9FIiaHu97K96zmYB0GsvhHiYx+WV0En3gYhzWEze3IoCrYf wxYkYwhYeaqRksl4utpDlzURUsxlqGbKw0XFT8vV8lm9nAg7E0hI10Bj VAVvc2Wuf3niV+GE0t2wXa17ccPeL78B7ab59extwCKG/gYLm8gJ547u 9kAdnw2Hi7FWBSXSoM02PESZLcN+GEWJ9Jc6O/m2aGSryer6W4UV8HLF TtN72HJvog1ky3RArlkUwvuwD2w8eiVHARN85t0hnykVT25K0q1dwIR+ d3B2Mw== +; resign=20930723222131 +a.b.rsasha1.example. 300 IN NSEC d.rsasha1.example. A RRSIG NSEC +a.b.rsasha1.example. 300 IN RRSIG NSEC 5 4 300 20930723222131 20250705200724 56181 rsasha1.example. U48IEvy4W8MhJaTxZvemh31MxAU6Xwn5K2MCJhu9MenDRWQqrmPSBKfo nIMSp+a1Wcjsu9UQgBDzoOTuNWKCSI5H2YwhGQsIpCYpIiK/j8X4DCqm cIS0ipTipTbLGPBHfgvwA1KFJhtMi0FOaqe9OXODZFJ3vCz5J/uvmG4H O8PADlUX1clFR4iipLhCa4bvfojUGMM401oDIIxaQLpsrbm1iOqjTvrm glnDQFvFvO3+3J4wLRuVDtV5Z21AhzLIgIXwhh1P4zI4B5aELHB8rrec W6CWkbb6WdZ/rHIiMspe03dby7aW5qbP5pwXwhiycqCqkIvlQAGaxphj 1Hcd3g== +; resign=20930723222131 +d.rsasha1.example. 300 IN A 10.0.0.4 +d.rsasha1.example. 300 IN RRSIG A 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. 
fMn2pTXdK3X+l5cwvP/Lk+luqWhC12mxkvK2GNScLGWG6xq9PZzzLUPU mAiEvzUnFPswZzKDgN99OORpPRJXNN7c0S3qqejBhEpz1kkDM1zTaFdY yGwzuNn9I5O6O+//adYkFZu/qCD90ggVA71KSUQVkHfdWt0WiqUdZExY sRbxDf36moVaJ+PtWnnvbXPcdlALouSv3msyf3FwIrfQcr9PpV9bE+rZ jKN+sab4n1/YkSBdFyTht2MSUzxKyfn+TgxCzBdGeSk00JNzyKBlDau8 ebmR7oYLQcAhj43v4u+wPbuilDw4tyhxcgrRMr5ZnjG7XzaivcoLpZMA umrQLw== +; resign=20930723222131 +d.rsasha1.example. 300 IN NSEC ns3.rsasha1.example. A RRSIG NSEC +d.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. G+FZFvRZm4GXf/zfkLH7gWKuTxIhZ3rO/iP9e4Xg2Dcz9Jt/yCIXVkr4 I7bbBOnE8NGS43E55NILYS3aA7llzJtutENqBw9TRW3EcqFlYsFUBUeK T/FCV3zEYlEPeiO82jK7l+1CpiVeVvbX3pLYDrME/lbYeu8KUYsj/fBa Iq5S8mnWD7ZzR7KiSBQU97bn0YAi9pyhA4t3YqrR1MClf3/lpzLq5Rv9 YSzW+7O/jpvCGUotr3bgOpZWtZ0v5QxKdf8Anx6KHgH9n6ZdbareopeO y8mKVk0FmtuYZefMm/0n8uU0aYrwf38bpLMQMcqrT9gVaAPullFC9D/R Z670cw== +; resign=20930723222131 +ns3.rsasha1.example. 300 IN A 10.53.0.3 +ns3.rsasha1.example. 300 IN RRSIG A 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. V/B0gi6v54YeufttfGwEVEy8+UivueXqqb2BOj+U4wMpFcunT71Y5Sqf iTs5uH42EkyKbBrz+wXyx4ar4VNSp0ONA3oPx0rZTFA6FV18L7BkYPtW Mh2Fs2qxc4XdGUgHqt4K3LT4ond7a2hek0aBA7EWc0hggs2YflE60766 zmjK/OWaUinG/bZqM1KaaMMlporXaGp9yDyvs6ikgI0YKaQd5GtOK5XC xEJPsIovvyvChXPP/OFPnqOjcXS7zZtxey4krqFUe3Ttbb7sQGrAqv2f 59cB7TO5O/uMZ+iy4Q4sih1FPuDYoBCVT/9LzyOp7glyHyvq4Emp9QkA zlYGKg== +; resign=20930723222131 +ns3.rsasha1.example. 300 IN NSEC z.rsasha1.example. A RRSIG NSEC +ns3.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. NpqZAR5fkDzDzqBYzeKD+FbAtMWHj0rcKsJloAsO4bNqAH5575v07oAz CtqIU8QD55zSya6glTWXOImUtPZia7KQAq84k85UmEnI7idDezpO5g5a gwDb8p6/L8a5YFL0i7QmjVjxGxWha7E2dDma3fDIICaF/sMqixE6Qi06 NBXvVwbPYsI27tXEDugigEEoO6mmwUxih8O0ifOjy9rVh8zA7UTT0NtI ZavRYz5grUZ6Otrqf6q1d27PaGxRvBjltmXBZTSmQvHVexkjPlrLcIIN LygvWnYIZfY8csF+5gOlYN6jR6eTnMgjy0Xf4kitUjXAI4apeBe1/nRO P3HlQw== +; resign=20930723222131 +z.rsasha1.example. 
300 IN A 10.0.0.26 +z.rsasha1.example. 300 IN RRSIG A 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. K8Cz5MTHdD6loMbfXOSCuwTwsuwGUmqmI7BlKhRULTk5RZRDrXPfiBQa Hr2umtzrnclgm+LSpuFrRPoQOWaJ1cAXzpM8bF+WvL8UKasIxBD5rxzW en/QvmfpgQQH/LwUW+MnsIMuDxs8P5GQ4267crMPfZ7kwaA69FIz/TCJ B0mt5bw/6I7MABqxD3YfZ69uxh04WtjhHFGTBV9CUhsvB1IXgSU7udKg 2+ZTJJqRf4+6hy3ztJFy28HRcBHPkdcJ1AR++pPb8PTFTIUdBqzZQ8h7 kFYQP6jOP34rw8HuvNB6El5scCr7emhMt0yuEdA4+hbQc8UUU7qo1z4C l/gj+A== +; resign=20930723222131 +z.rsasha1.example. 300 IN NSEC rsasha1.example. A RRSIG NSEC +z.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20930723222131 20250705200724 56181 rsasha1.example. eJ35f6tSE8yUMR+z+vnJwdg8eAS/VM2e0oVaGLD5JBwboocJW45IaRv0 DIbq62NBt+BHSv2LZlKXaZwA+rNGmcDXqhlscTMYoqIu2AItNBRJaQwj 3aF3AySSOADG1obymVM+HLVO12kifQTJBSPHUcpuvtBtnz1o4POaBFAa icCJf33cNirEDIYWGTmc2MejhrvfU/uuy3YIHUFYkAiX6WISva9pmNiJ pPq+5zRUZpsFISHc0W6coUuwgyQlVLmziTVesfgxSER0rp0BJ/B7M14+ xvWPSoHHhSU0fR8DkzUWJA6hbEpgB7sLNDL4NPnaUDiZGdTXCGzXbnum Ttcm8Q== +; resign=20930723222131 diff --git a/bin/tests/system/dnssec/ns3/rsasha256.example.db.in b/bin/tests/system/dnssec/ns3/rsasha256.example.db.in deleted file mode 100644 index f6c4fabdd3..0000000000 --- a/bin/tests/system/dnssec/ns3/rsasha256.example.db.in +++ /dev/null 
@@ -1,28 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2009102722 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a diff --git a/bin/tests/system/dnssec/ns3/rsasha256oid.example.db.in b/bin/tests/system/dnssec/ns3/rsasha256oid.example.db.in deleted file mode 100644 index f6c4fabdd3..0000000000 --- a/bin/tests/system/dnssec/ns3/rsasha256oid.example.db.in +++ /dev/null @@ -1,28 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2009102722 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a diff --git a/bin/tests/system/dnssec/ns3/rsasha512.example.db.in b/bin/tests/system/dnssec/ns3/rsasha512.example.db.in deleted file mode 100644 index f6c4fabdd3..0000000000 --- a/bin/tests/system/dnssec/ns3/rsasha512.example.db.in +++ /dev/null 
@@ -1,28 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2009102722 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a diff --git a/bin/tests/system/dnssec/ns3/rsasha512oid.example.db.in b/bin/tests/system/dnssec/ns3/rsasha512oid.example.db.in deleted file mode 100644 index f6c4fabdd3..0000000000 --- a/bin/tests/system/dnssec/ns3/rsasha512oid.example.db.in +++ /dev/null @@ -1,28 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2009102722 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a diff --git a/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in b/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in deleted file mode 100644 index 14971bd7a6..0000000000 
--- a/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in +++ /dev/null @@ -1,26 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in index 5859ebcdc5..decb1eb3f0 100644 --- a/bin/tests/system/dnssec/ns3/secure.example.db.in +++ b/bin/tests/system/dnssec/ns3/secure.example.db.in @@ -38,8 +38,8 @@ ns.private A 10.53.0.2 insecure NS ns2.insecure ns2.insecure A 10.53.0.2 -nosoa NS ns.nosoa -ns.nosoa A 10.53.0.6 +nosoa NS ns6.nosoa +ns6.nosoa A 10.53.0.6 normalthenrrsig A 10.0.0.28 rrsigonly A 10.0.0.29 diff --git a/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in deleted file mode 100644 index 15fe621fd0..0000000000 --- a/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in +++ /dev/null 
@@ -1,35 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a - -private NS ns.private -ns.private A 10.53.0.2 - -insecure NS ns.insecure -ns.insecure A 10.53.0.2 - diff --git a/bin/tests/system/dnssec/ns3/secure.optout.example.db.in b/bin/tests/system/dnssec/ns3/secure.optout.example.db.in deleted file mode 100644 index 15fe621fd0..0000000000 --- a/bin/tests/system/dnssec/ns3/secure.optout.example.db.in +++ /dev/null @@ -1,35 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a - -private NS ns.private -ns.private A 10.53.0.2 - -insecure NS ns.insecure -ns.insecure A 10.53.0.2 - 
diff --git a/bin/tests/system/dnssec/ns3/siginterval.example.db.in b/bin/tests/system/dnssec/ns3/siginterval.example.db.in deleted file mode 100644 index ec6603a91f..0000000000 --- a/bin/tests/system/dnssec/ns3/siginterval.example.db.in +++ /dev/null @@ -1,21 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2012042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) -@ NS ns -ns A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns3/sign-rsasha1-1024.sh b/bin/tests/system/dnssec/ns3/sign-rsasha1-1024.sh index 20e4bc52dd..981d4af52b 100644 --- a/bin/tests/system/dnssec/ns3/sign-rsasha1-1024.sh +++ b/bin/tests/system/dnssec/ns3/sign-rsasha1-1024.sh @@ -20,8 +20,8 @@ zone=rsasha1-1024.example k1=$("$KEYGEN" -a rsasha1 -b 1024 $zone) k2=$("$KEYGEN" -a rsasha1 -b 1024 -f KSK $zone) -cat $zone.db.in $k1.key $k2.key >$zone.tmp -# use maximum expirey period (-e 2^31-1-3600) +cat template.db.in $k1.key $k2.key >$zone.tmp +# use maximum expiry period (-e 2^31-1-3600) # use output format full for easy extraction of KSK (-O full) "$SIGNER" -e +2147480047 -o $zone -f $zone.db -O full $zone.tmp rm -f $k1.key $k1.private $k2.key $k2.private $zone.tmp diff --git a/bin/tests/system/dnssec/ns3/sign-rsasha1.sh b/bin/tests/system/dnssec/ns3/sign-rsasha1.sh index c62f3fe660..ce2afa254f 100644 --- a/bin/tests/system/dnssec/ns3/sign-rsasha1.sh +++ b/bin/tests/system/dnssec/ns3/sign-rsasha1.sh 
@@ -20,8 +20,8 @@ zone=rsasha1.example k1=$("$KEYGEN" -a rsasha1 $zone) k2=$("$KEYGEN" -a rsasha1 -f KSK $zone) -cat $zone.db.in $k1.key $k2.key >$zone.tmp -# use maximum expirey period (-e 2^31-1-3600) +cat template.db.in $k1.key $k2.key >$zone.tmp +# use maximum expiry period (-e 2^31-1-3600) # use output format full for easy extraction of KSK (-O full) -"$SIGNER" +2147480047 -o $zone -f $zone.db -O full $zone.tmp +"$SIGNER" -e +2147480047 -o $zone -f $zone.db -O full $zone.tmp rm -f $k1.key $k1.private $k2.key $k2.private $zone.tmp diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index 58da7378f0..b7ec530e3c 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -77,6 +77,14 @@ done echo_i "ns3/sign.sh: example zones" +# first set up some insecure zones: +cp template.db.in insecure.example.db +cp template.db.in insecure.below-cname.example.db +cp template.db.in insecure.nsec3.example.db +cp template.db.in insecure.optout.example.db +cp extrakey.example.db.in extrakey.example.db + +# now the signed zones: zone=secure.example. infile=secure.example.db.in zonefile=secure.example.db @@ -92,7 +100,7 @@ cat "$zonefile" "$zonefile".signed >"$zonefile".tmp mv "$zonefile".tmp "$zonefile".signed zone=bogus.example. -infile=bogus.example.db.in +infile=template.db.in zonefile=bogus.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -102,7 +110,7 @@ cat "$infile" "$keyname.key" >"$zonefile" "$SIGNER" -z -o "$zone" "$zonefile" >/dev/null zone=dynamic.example. -infile=dynamic.example.db.in +infile=template.db.in zonefile=dynamic.example.db keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") 
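Review bot: The restored `-e` in `"$SIGNER" -e +2147480047 -o $zone -f $zone.db -O full $zone.tmp` fixes a call that previously handed the expiry offset to dnssec-signzone as a positional argument, but the output still goes to `$zone.db` while the pre-signed artifact the test ships is named `rsasha1.example.db.in` (and, judging by the `File written on` header this commit adds to that file, was presumably produced by this very script), so a regeneration apparently has to be renamed by hand. Writing `-f $zone.db.in` would produce the committed name directly; sign-rsasha1-1024.sh uses the same `-f $zone.db` pattern. The last line also deletes both private keys, so the ~68-year signatures cannot be refreshed in place and any DS or trust anchor that references the KSK has to be regenerated together with the zone. A header comment stating that this is a manual regeneration helper for the checked-in RSASHA1 zone, not part of setup, would save the next maintainer that discovery.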
@@ -113,7 +121,7 @@ cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" "$SIGNER" -o "$zone" "$zonefile" >/dev/null zone=keyless.example. -infile=generic.example.db.in +infile=template.db.in zonefile=keyless.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -134,7 +142,7 @@ rm -f "$zonefiletmp" # NSEC3/NSEC test zone # zone=secure.nsec3.example. -infile=secure.nsec3.example.db.in +infile=template.db.in zonefile=secure.nsec3.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -147,7 +155,7 @@ cat "$infile" "$keyname.key" >"$zonefile" # NSEC3/NSEC3 test zone # zone=nsec3.nsec3.example. -infile=nsec3.nsec3.example.db.in +infile=template.db.in zonefile=nsec3.nsec3.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -160,7 +168,7 @@ cat "$infile" "$keyname.key" >"$zonefile" # OPTOUT/NSEC3 test zone # zone=optout.nsec3.example. -infile=optout.nsec3.example.db.in +infile=template.db.in zonefile=optout.nsec3.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -186,7 +194,7 @@ cat "$infile" "$keyname.key" >"$zonefile" # OPTOUT/NSEC test zone # zone=secure.optout.example. -infile=secure.optout.example.db.in +infile=template.db.in zonefile=secure.optout.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -199,7 +207,7 @@ cat "$infile" "$keyname.key" >"$zonefile" # OPTOUT/NSEC3 test zone # zone=nsec3.optout.example. -infile=nsec3.optout.example.db.in +infile=template.db.in zonefile=nsec3.optout.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -212,7 +220,7 @@ cat "$infile" "$keyname.key" >"$zonefile" # OPTOUT/OPTOUT test zone # zone=optout.optout.example. -infile=optout.optout.example.db.in +infile=template.db.in zonefile=optout.optout.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") 
@@ -238,7 +246,7 @@ cat "$infile" "$keyname.key" >"$zonefile" # A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U). # zone=nsec3-unknown.example. -infile=nsec3-unknown.example.db.in +infile=template.db.in zonefile=nsec3-unknown.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -251,7 +259,7 @@ cat "$infile" "$keyname.key" >"$zonefile" # A optout nsec3 zone with a unknown nsec3 hash algorithm (-U). # zone=optout-unknown.example. -infile=optout-unknown.example.db.in +infile=template.db.in zonefile=optout-unknown.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -265,7 +273,7 @@ cat "$infile" "$keyname.key" >"$zonefile" # Algorithm 7 is replaced by 100 in the zone and dsset. # zone=dnskey-unknown.example -infile=dnskey-unknown.example.db.in +infile=template.db.in zonefile=dnskey-unknown.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -284,7 +292,7 @@ $DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE" # Algorithm 7 is replaced by 255 in the zone and dsset. # zone=dnskey-unsupported.example -infile=dnskey-unsupported.example.db.in +infile=template.db.in zonefile=dnskey-unsupported.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -303,7 +311,7 @@ $DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE" # digest for another DNSKEY # zone=digest-alg-unsupported.example. -infile=digest-alg-unsupported.example.db.in +infile=template.db.in zonefile=digest-alg-unsupported.example.db cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "cnameandkey.$zone") 
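Review bot: In the dnskey-unknown.example hunk the context comment `# Algorithm 7 is replaced by 100 in the zone and dsset.` names a fixed algorithm, yet the key two lines below is generated with `-a "$DEFAULT_ALGORITHM"`, which need not be 7. If the rewrite that follows (outside the hunk) replaces whatever algorithm the generated key carries, the comment should say so, e.g. `# The DNSKEY algorithm is rewritten to 100 (unknown) in the zone and dsset.`; if it literally matches 7, the unknown-algorithm case silently stops being exercised whenever DEFAULT_ALGORITHM differs. The same wording recurs in the dnskey-unsupported.example hunk (`replaced by 255`) and in dnskey-nsec3-unknown.example further down.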
@@ -327,7 +335,7 @@ $DSFROMKEY -2 -A -f ${zonefile}.signed "$zone" | tail -1 >>"$DSFILE" # to mimic unsupported DS digest (see ns5/many_anchors). # zone=ds-unsupported.example. -infile=ds-unsupported.example.db.in +infile=template.db.in zonefile=ds-unsupported.example.db cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "cnameandkey.$zone") @@ -345,13 +353,13 @@ mv "$zonefile".tmp "$zonefile".signed # Different from above because this key is not intended for signing. # zone=dnskey-unsupported-2.example -infile=dnskey-unsupported-2.example.db.in +infile=template.db.in zonefile=dnskey-unsupported-2.example.db ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile" +cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key.in >"$zonefile" "$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" >/dev/null @@ -360,7 +368,7 @@ cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile" # Algorithm 7 is replaced by 100 in the zone and dsset. # zone=dnskey-nsec3-unknown.example -infile=dnskey-nsec3-unknown.example.db.in +infile=template.db.in zonefile=dnskey-nsec3-unknown.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -378,7 +386,7 @@ $DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE" # A multiple parameter nsec3 zone. # zone=multiple.example. -infile=multiple.example.db.in +infile=template.db.in zonefile=multiple.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") 
@@ -386,23 +394,23 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$keyname.key" >"$zonefile" "$SIGNER" -z -O full -o "$zone" "$zonefile" >/dev/null -awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed >NSEC +awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed >NSEC.db "$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" >/dev/null -awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >NSEC3 +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >NSEC3.db "$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" >/dev/null -awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3 +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3.db "$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" >/dev/null -awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3 +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3.db "$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" >/dev/null -awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3 +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3.db "$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" >/dev/null -cat NSEC NSEC3 >>"$zonefile".signed +cat NSEC.db NSEC3.db >>"$zonefile".signed # # A RSASHA256 zone. # zone=rsasha256.example. -infile=rsasha256.example.db.in +infile=template.db.in zonefile=rsasha256.example.db keyname=$("$KEYGEN" -q -a RSASHA256 "$zone") @@ -415,7 +423,7 @@ cat "$infile" "$keyname.key" >"$zonefile" # A RSASHA512 zone. # zone=rsasha512.example. -infile=rsasha512.example.db.in +infile=template.db.in zonefile=rsasha512.example.db keyname=$("$KEYGEN" -q -a RSASHA512 "$zone") 
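Review bot: The rename of the scratch files to `NSEC.db` and `NSEC3.db` is not explained anywhere in the hunk; it looks intended to make them match the `*.db` naming of generated zone files so they are cleaned up with them, but that is an inference. A one-line comment above the first `awk` would record the intent: `# scratch files are named *.db so they are removed together with the generated zone files`. Note also that nothing removes them after `cat NSEC.db NSEC3.db >>"$zonefile".signed`, so they sit in ns3/ for the rest of the run; if that is not wanted, `rm -f NSEC.db NSEC3.db` after the `cat` closes it.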
@@ -428,7 +436,7 @@ cat "$infile" "$keyname.key" >"$zonefile" # A RSASHA256OID zone. # zone=rsasha256oid.example. -infile=rsasha256oid.example.db.in +infile=template.db.in zonefile=rsasha256oid.example.db keyname=$("$KEYGEN" -q -a RSASHA256OID "$zone") @@ -441,7 +449,7 @@ cat "$infile" "$keyname.key" >"$zonefile" # A RSASHA512OID zone. # zone=rsasha512oid.example. -infile=rsasha512oid.example.db.in +infile=template.db.in zonefile=rsasha512oid.example.db keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone") @@ -456,7 +464,7 @@ cat "$infile" "$keyname.key" >"$zonefile" # 1.2.840.113549.1.1.14 # zone=unknownoid.example -infile=unknownoid.example.db.in +infile=template.db.in zonefile=unknownoid.example.db keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone") @@ -481,7 +489,7 @@ sed "s/\(2[0-9]* 2[0-9]*\) [1-9][0-9]* unknownoid.example./\1 ${tag} unknownoid. # A PRIVATEOID zone with a extra DS record for a non-existent DNSKEY. # zone=extradsoid.example. -infile=extradsoid.example.db.in +infile=template.db.in zonefile=extradsoid.example.db keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone") @@ -502,7 +510,7 @@ keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone") # the DNSKEY RRset with using this unknown OID. # zone=extradsunknownoid.example -infile=extradsunknownoid.example.db.in +infile=template.db.in zonefile=extradsunknownoid.example.db keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone") @@ -536,7 +544,7 @@ sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"$keyname.key" | "$DSFROMKEY" -2A -f - "$zon # match the DNSKEY RRset with using this unknown OID. # zone=extended-ds-unknown-oid.example -infile=extended-ds-unknown-oid.example.db.in +infile=template.db.in zonefile=extended-ds-unknown-oid.example.db keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone") 
@@ -568,7 +576,7 @@ fi # A zone with the DNSKEY set only signed by the KSK # zone=kskonly.example. -infile=kskonly.example.db.in +infile=template.db.in zonefile=kskonly.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") @@ -580,7 +588,7 @@ cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" # A zone with the expired signatures # zone=expired.example. -infile=expired.example.db.in +infile=template.db.in zonefile=expired.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") @@ -593,7 +601,7 @@ rm -f "$kskname.*" "$zskname.*" # A NSEC3 signed zone that will have a DNSKEY added to it via UPDATE. # zone=update-nsec3.example. -infile=update-nsec3.example.db.in +infile=template.db.in zonefile=update-nsec3.example.db kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") @@ -606,7 +614,7 @@ cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" # extra keys not in the initial signed zone. # zone=auto-nsec.example. -infile=auto-nsec.example.db.in +infile=template.db.in zonefile=auto-nsec.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") @@ -621,7 +629,7 @@ cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" # extra keys not in the initial signed zone. # zone=auto-nsec3.example. -infile=auto-nsec3.example.db.in +infile=template.db.in zonefile=auto-nsec3.example.db kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") @@ -635,7 +643,7 @@ cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" # Secure below cname test zone. # zone=secure.below-cname.example. -infile=secure.below-cname.example.db.in +infile=template.db.in zonefile=secure.below-cname.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$keyname.key" >"$zonefile" 
@@ -645,7 +653,7 @@ cat "$infile" "$keyname.key" >"$zonefile" # Patched TTL test zone. # zone=ttlpatch.example. -infile=ttlpatch.example.db.in +infile=template.db.in zonefile=ttlpatch.example.db signedfile=ttlpatch.example.db.signed patchedfile=ttlpatch.example.db.patched @@ -661,7 +669,7 @@ $CHECKZONE -D -s full "$zone" $signedfile 2>/dev/null \ # Separate DNSSEC records. # zone=split-dnssec.example. -infile=split-dnssec.example.db.in +infile=template.db.in zonefile=split-dnssec.example.db signedfile=split-dnssec.example.db.signed @@ -675,7 +683,7 @@ echo "\$INCLUDE \"$signedfile\"" >>"$zonefile" # Separate DNSSEC records smart signing. # zone=split-smart.example. -infile=split-smart.example.db.in +infile=template.db.in zonefile=split-smart.example.db signedfile=split-smart.example.db.signed @@ -690,7 +698,7 @@ echo "\$INCLUDE \"$signedfile\"" >>"$zonefile" # Zone with signatures about to expire, but no private key to replace them # zone="expiring.example." -infile="expiring.example.db.in" +infile="template.db.in" zonefile="expiring.example.db" signedfile="expiring.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -704,15 +712,15 @@ mv -f "${kskname}.private" "${kskname}.private.moved" # A zone where the signer's name has been forced to uppercase. # zone="upper.example." -infile="upper.example.db.in" +infile="template.db.in" zonefile="upper.example.db" lower="upper.example.db.lower" signedfile="upper.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" >/dev/null -$CHECKZONE -D upper.example $lower 2>/dev/null \ +"$SIGNER" -P -S -o "$zone" -f "$lower" "$zonefile" >/dev/null +$CHECKZONE -D upper.example "$lower" 2>/dev/null \ | sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' >$signedfile # 
@@ -720,18 +728,19 @@ $CHECKZONE -D upper.example $lower 2>/dev/null \ # upper case. # zone="LOWER.EXAMPLE." -infile="lower.example.db.in" +infile="template.db.in" zonefile="lower.example.db" signedfile="lower.example.db.signed" +sed -e 's/ns3/NS3/' -e 's/mname1/MNAME1/' "$infile" >"$zonefile" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") -cp "$infile" "$zonefile" "$SIGNER" -P -S -o "$zone" "$zonefile" >/dev/null # # An inline signing zone # zone=inline.example. +cp template.db.in inline.example.db kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -739,7 +748,7 @@ zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") # A zone which will change its signatures-validity # zone=siginterval.example -infile=siginterval.example.db.in +infile=template.db.in zonefile=siginterval.example.db kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -747,10 +756,9 @@ cp "$infile" "$zonefile" # # A zone with a bad DS in the parent -# (sourced from bogus.example.db.in) # zone=badds.example. -infile=bogus.example.db.in +infile=template.db.in zonefile=badds.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -764,7 +772,7 @@ sed -e 's/bogus/badds/g' dsset-badds.example. # Same as badds, but locally trusted by the forwarder # zone=localkey.example. -infile=bogus.example.db.in +infile=template.db.in zonefile=localkey.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") 
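Review bot: The inline.example setup breaks the script's `infile=`/`zonefile=` convention: `cp template.db.in inline.example.db` hard-codes both names, while every other zone block in this file assigns the two variables and copies with `cp "$infile" "$zonefile"`. The rsasha1 and rsasha1-1024 hunks on the next line have the related nit of an unquoted `cp $infile $zonefile`. Suggest `infile=template.db.in`, `zonefile=inline.example.db`, `cp "$infile" "$zonefile"` here and quoting the two later copies, so the zone blocks stay uniform ahead of the planned jinja2 conversion.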
@@ -779,7 +787,7 @@ keyfile_to_static_keys $keyname >../ns9/trusted-localkey.conf # A zone with future signatures. # zone=future.example -infile=future.example.db.in +infile=template.db.in zonefile=future.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -791,7 +799,7 @@ cp -f "$kskname.key" trusted-future.key # A zone with future signatures. # zone=managed-future.example -infile=managed-future.example.db.in +infile=template.db.in zonefile=managed-future.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") @@ -802,7 +810,7 @@ cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" # A zone with a revoked key # zone=revkey.example. -infile=generic.example.db.in +infile=template.db.in zonefile=revkey.example.db ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone") @@ -848,12 +856,16 @@ cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \ # We only need to generate the dsset. # zone=rsasha1.example +infile=rsasha1.example.db.in zonefile=rsasha1.example.db +cp $infile $zonefile awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" \ | $DSFROMKEY -f - "$zone" >"dsset-${zone}." zone=rsasha1-1024.example +infile=rsasha1-1024.example.db.in zonefile=rsasha1-1024.example.db +cp $infile $zonefile awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" \ | $DSFROMKEY -f - "$zone" >"dsset-${zone}." diff --git a/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in b/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in deleted file mode 100644 index 55b38776da..0000000000 --- a/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in +++ /dev/null 
@@ -1,38 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a A 10.0.0.3 -*.wild A 10.0.0.6 -child NS ns2.example. -insecure NS ns.insecure -ns.insecure A 10.53.0.3 -secure NS ns.secure -ns.secure A 10.53.0.3 -nsec3 NS ns.nsec3 -ns.nsec3 A 10.53.0.3 -optout NS ns.optout -ns.optout A 10.53.0.3 -02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17 diff --git a/bin/tests/system/dnssec/ns3/split-smart.example.db.in b/bin/tests/system/dnssec/ns3/split-smart.example.db.in deleted file mode 100644 index 55b38776da..0000000000 --- a/bin/tests/system/dnssec/ns3/split-smart.example.db.in +++ /dev/null 
@@ -1,38 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a A 10.0.0.3 -*.wild A 10.0.0.6 -child NS ns2.example. -insecure NS ns.insecure -ns.insecure A 10.53.0.3 -secure NS ns.secure -ns.secure A 10.53.0.3 -nsec3 NS ns.nsec3 -ns.nsec3 A 10.53.0.3 -optout NS ns.optout -ns.optout A 10.53.0.3 -02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17 diff --git a/bin/tests/system/dnssec/ns2/insecure.secure.example.db b/bin/tests/system/dnssec/ns3/template.db.in similarity index 93% rename from bin/tests/system/dnssec/ns2/insecure.secure.example.db rename to bin/tests/system/dnssec/ns3/template.db.in index 62862f5305..f603e448ff 100644 --- a/bin/tests/system/dnssec/ns2/insecure.secure.example.db +++ b/bin/tests/system/dnssec/ns3/template.db.in @@ -17,10 +17,11 @@ $TTL 300 ; 5 minutes 1814400 ; expire (3 weeks) 3600 ; minimum (1 hour) ) - NS ns2 -ns2 A 10.53.0.2 + NS ns3 +ns3 A 10.53.0.3 a A 10.0.0.1 +a.b A 10.0.0.1 b A 10.0.0.2 d A 10.0.0.4 z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in b/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in deleted file mode 100644 index 14971bd7a6..0000000000 --- a/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in +++ /dev/null 
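Review bot: This template replaces a set of per-zone files whose extra records are not visible in this hunk, so whether it still carries everything the tests rely on cannot be confirmed here. The deleted update-nsec3.example.db.in provided the `private`/`insecure`/`nosoa` delegations plus `normalthenrrsig` and `rrsigonly`, and unknownoid.example.db.in provided `x CNAME a` and `a.a.a.a.a.a.a.a.a.a.e`; if any test still queries those names they must be present in template.db.in. Since this file was renamed from ns2/insecure.secure.example.db, it is also worth confirming that ns2 still produces insecure.secure.example.db from another source. A header comment such as `; shared source for every ns3 zone generated by sign.sh; keep every name the tests reference` would make the file's new role clear.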
@@ -1,26 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/unknownoid.example.db.in b/bin/tests/system/dnssec/ns3/unknownoid.example.db.in deleted file mode 100644 index f6c4fabdd3..0000000000 --- a/bin/tests/system/dnssec/ns3/unknownoid.example.db.in +++ /dev/null @@ -1,28 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2009102722 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a diff --git a/bin/tests/system/dnssec/ns3/unsupported-algorithm.key b/bin/tests/system/dnssec/ns3/unsupported-algorithm.key.in similarity index 100% rename from bin/tests/system/dnssec/ns3/unsupported-algorithm.key rename to bin/tests/system/dnssec/ns3/unsupported-algorithm.key.in 
diff --git a/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in deleted file mode 100644 index 34006877b3..0000000000 --- a/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in +++ /dev/null @@ -1,40 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a - -private NS ns.private -ns.private A 10.53.0.2 - -insecure NS ns.insecure -ns.insecure A 10.53.0.2 - -nosoa NS ns.nosoa -ns.nosoa A 10.53.0.6 - -normalthenrrsig A 10.0.0.28 -rrsigonly A 10.0.0.29 diff --git a/bin/tests/system/dnssec/ns3/upper.example.db.in b/bin/tests/system/dnssec/ns3/upper.example.db.in deleted file mode 100644 index ec6603a91f..0000000000 --- a/bin/tests/system/dnssec/ns3/upper.example.db.in +++ /dev/null 
@@ -1,21 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2012042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) -@ NS ns -ns A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns6/nosoa.secure.example.db b/bin/tests/system/dnssec/ns6/nosoa.secure.example.db.in similarity index 93% rename from bin/tests/system/dnssec/ns6/nosoa.secure.example.db rename to bin/tests/system/dnssec/ns6/nosoa.secure.example.db.in index 6b7af12553..85044d4168 100644 --- a/bin/tests/system/dnssec/ns6/nosoa.secure.example.db +++ b/bin/tests/system/dnssec/ns6/nosoa.secure.example.db.in @@ -17,6 +17,6 @@ $TTL 300 ; 5 minutes 1814400 ; expire (3 weeks) 3600 ; minimum (1 hour) ) -@ IN NS ns -ns IN A 10.53.0.6 +@ IN NS ns6 +ns6 IN A 10.53.0.6 a IN A 1.2.3.4 diff --git a/bin/tests/system/dnssec/ns6/sign.sh b/bin/tests/system/dnssec/ns6/sign.sh index 74ae836f71..f2e231f235 100644 --- a/bin/tests/system/dnssec/ns6/sign.sh +++ b/bin/tests/system/dnssec/ns6/sign.sh @@ -18,6 +18,13 @@ set -e echo_i "ns6/sign.sh" +# set up unsigned zone first +zone=nosoa.secure.example. +infile=nosoa.secure.example.db.in +zonefile=nosoa.secure.example.db +cp "$infile" "$zonefile" + +# now sign the others zone=optout-tld infile=optout-tld.db.in zonefile=optout-tld.db diff --git a/bin/tests/system/dnssec/tests_badkey.py b/bin/tests/system/dnssec/tests_badkey.py index b646789e3a..ca883f81e7 100644 --- a/bin/tests/system/dnssec/tests_badkey.py +++ b/bin/tests/system/dnssec/tests_badkey.py 
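Review bot: The apex NS of nosoa.secure.example is renamed from `ns` to `ns6`, but the parent-side delegation and glue for this zone are not part of the patch, so it cannot be checked here that they were updated to match. The deleted ns3 zone files delegated children with the bare `ns` label (`ns.insecure`, `ns.nosoa` at 10.53.0.6), and tests_validation.py now expects `ns3.insecure.example.` as glue, which suggests the naming convention changed everywhere; if the secure.example delegation still says `ns.nosoa.secure.example` the child apex NS and parent NS will disagree, which named tolerates but which changes the glue a resolver is handed. A one-line confirmation in the commit message that the parent delegation was updated alongside this rename would settle it.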
@@ -11,9 +11,39 @@ from dns import flags +import pytest + import isctest +pytestmark = pytest.mark.extra_artifacts( + [ + "*/K*", + "*/dsset-*", + "*/*.bk", + "*/*.conf", + "*/*.db", + "*/*.id", + "*/*.jnl", + "*/*.jbk", + "*/*.key", + "*/*.signed", + "*/settime.out.*", + "ans*/ans.run", + "*/trusted.keys", + "*/*.bad", + "*/*.next", + "*/*.stripped", + "*/*.tmp", + "*/*.stage?", + "*/*.patched", + "*/*.lower", + "*/*.upper", + "*/*.unsplit", + ] +) + + def test_misconfigured_validation(): # check that validation fails with a misconfigured trust anchor msg = isctest.query.create("example.", "SOA") diff --git a/bin/tests/system/dnssec/tests_delv.py b/bin/tests/system/dnssec/tests_delv.py index 5e5f375ab7..6ed76fe90f 100644 --- a/bin/tests/system/dnssec/tests_delv.py +++ b/bin/tests/system/dnssec/tests_delv.py @@ -18,7 +18,35 @@ import pytest import isctest -pytestmark = pytest.mark.skipif(bool(os.getenv("TSAN_OPTIONS", "")), reason="TSAN") +pytestmark = [ + pytest.mark.skipif(bool(os.getenv("TSAN_OPTIONS", "")), reason="TSAN"), + pytest.mark.extra_artifacts( + [ + "*/K*", + "*/dsset-*", + "*/*.bk", + "*/*.conf", + "*/*.db", + "*/*.id", + "*/*.jnl", + "*/*.jbk", + "*/*.key", + "*/*.signed", + "*/settime.out.*", + "ans*/ans.run", + "*/trusted.keys", + "*/*.bad", + "*/*.next", + "*/*.stripped", + "*/*.tmp", + "*/*.stage?", + "*/*.patched", + "*/*.lower", + "*/*.upper", + "*/*.unsplit", + ] + ), +] # helper functions diff --git a/bin/tests/system/dnssec/tests_policy.py b/bin/tests/system/dnssec/tests_policy.py index bbeb8189b3..d76a0ed5f0 100644 --- a/bin/tests/system/dnssec/tests_policy.py +++ b/bin/tests/system/dnssec/tests_policy.py 
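Review bot: The extra_artifacts glob list added here is copied verbatim into tests_delv.py (same line), tests_policy.py and tests_signing.py (line 379) and tests_tat.py and tests_validation.py (line 380), so six modules now carry an identical 22-entry list that will drift as soon as one of them is edited. Hoisting it once — a shared constant such as `DNSSEC_ARTIFACTS` in a module the tests already import, or a package-level `pytestmark` if the isctest harness honours one — and referencing it from each module would keep the artifact policy in one place. If the harness requires the marker in every module, a comment like `# keep in sync with the other dnssec tests_*.py modules` would at least document the duplication.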
@@ -14,9 +14,39 @@ import time from dns import rdatatype +import pytest + import isctest +pytestmark = pytest.mark.extra_artifacts( + [ + "*/K*", + "*/dsset-*", + "*/*.bk", + "*/*.conf", + "*/*.db", + "*/*.id", + "*/*.jnl", + "*/*.jbk", + "*/*.key", + "*/*.signed", + "*/settime.out.*", + "ans*/ans.run", + "*/trusted.keys", + "*/*.bad", + "*/*.next", + "*/*.stripped", + "*/*.tmp", + "*/*.stage?", + "*/*.patched", + "*/*.lower", + "*/*.upper", + "*/*.unsplit", + ] +) + + def is_rrsig_soa(rrset): return rrset.rdtype == rdatatype.RRSIG and rrset.covers == rdatatype.SOA diff --git a/bin/tests/system/dnssec/tests_signing.py b/bin/tests/system/dnssec/tests_signing.py index a5919e78d9..617c62234f 100644 --- a/bin/tests/system/dnssec/tests_signing.py +++ b/bin/tests/system/dnssec/tests_signing.py @@ -23,6 +23,34 @@ pytest.importorskip("dns", minversion="2.0.0") import isctest +pytestmark = pytest.mark.extra_artifacts( + [ + "*/K*", + "*/dsset-*", + "*/*.bk", + "*/*.conf", + "*/*.db", + "*/*.id", + "*/*.jnl", + "*/*.jbk", + "*/*.key", + "*/*.signed", + "*/settime.out.*", + "ans*/ans.run", + "*/trusted.keys", + "*/*.bad", + "*/*.next", + "*/*.stripped", + "*/*.tmp", + "*/*.stage?", + "*/*.patched", + "*/*.lower", + "*/*.upper", + "*/*.unsplit", + ] +) + + # helper functions def grep_c(regex, filename): with open(filename, "r", encoding="utf-8") as f: @@ -171,10 +199,10 @@ def test_update_signing(): # check that the NSEC3 record for the apex is properly signed # when a DNSKEY is added via UPDATE key = keygen( - "-q3fk", "-a", os.environ["DEFAULT_ALGORITHM"], "update-nsec3.example." + "-Kns3", "-q3fk", "-a", os.environ["DEFAULT_ALGORITHM"], "update-nsec3.example." ) - with open(f"{key}.key", "r", encoding="utf-8") as f: + with open(f"ns3/{key}.key", "r", encoding="utf-8") as f: dnskey = f.read().splitlines()[-1] dnskey = " ".join(dnskey.split()[3:]) diff --git a/bin/tests/system/dnssec/tests_tat.py b/bin/tests/system/dnssec/tests_tat.py index 5f527d0964..97b5a253f3 100644 
--- a/bin/tests/system/dnssec/tests_tat.py +++ b/bin/tests/system/dnssec/tests_tat.py @@ -14,9 +14,39 @@ import re from dns import edns +import pytest + import isctest +pytestmark = pytest.mark.extra_artifacts( + [ + "*/K*", + "*/dsset-*", + "*/*.bk", + "*/*.conf", + "*/*.db", + "*/*.id", + "*/*.jnl", + "*/*.jbk", + "*/*.key", + "*/*.signed", + "*/settime.out.*", + "ans*/ans.run", + "*/trusted.keys", + "*/*.bad", + "*/*.next", + "*/*.stripped", + "*/*.tmp", + "*/*.stage?", + "*/*.patched", + "*/*.lower", + "*/*.upper", + "*/*.unsplit", + ] +) + + def test_tat_queries(servers): ns1 = servers["ns1"] ns6 = servers["ns6"] diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py index 8c9bc78554..74cb7c6dff 100644 --- a/bin/tests/system/dnssec/tests_validation.py +++ b/bin/tests/system/dnssec/tests_validation.py @@ -18,12 +18,40 @@ from dns import edns, flags, name, rcode, rdataclass, rdatatype import pytest -pytest.importorskip("dns", minversion="2.0.0") import isctest import isctest.mark from isctest.util import param +pytest.importorskip("dns", minversion="2.0.0") +pytestmark = pytest.mark.extra_artifacts( + [ + "*/K*", + "*/dsset-*", + "*/*.bk", + "*/*.conf", + "*/*.db", + "*/*.id", + "*/*.jnl", + "*/*.jbk", + "*/*.key", + "*/*.signed", + "*/settime.out.*", + "ans*/ans.run", + "*/trusted.keys", + "*/*.bad", + "*/*.next", + "*/*.stripped", + "*/*.tmp", + "*/*.stage?", + "*/*.patched", + "*/*.lower", + "*/*.upper", + "*/*.unsplit", + ] +) + + # helper functions def grep_q(regex, filename): with open(filename, "r", encoding="utf-8") as f: @@ -64,7 +92,7 @@ def test_insecure_glue(): isctest.check.rr_count_eq(res.answer, 1) isctest.check.rr_count_eq(res.authority, 1) isctest.check.rr_count_eq(res.additional, 1) - assert str(res.additional[0].name) == "ns.insecure.example." + assert str(res.additional[0].name) == "ns3.insecure.example." addrs = [str(a) for a in res.additional[0]] assert "10.53.0.3" in addrs 
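Review bot: `pytest.importorskip("dns", minversion="2.0.0")` now runs after `import isctest`, `import isctest.mark` and `from isctest.util import param`, whereas tests_signing.py in the previous hunk keeps the guard immediately before `import isctest`. If isctest needs dnspython 2.x at import time, this module now fails at collection instead of being skipped, so the two files should agree; keep the guard right after `import pytest` as it was and move only the `pytestmark = ...` assignment below the isctest imports.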
@@ -1271,11 +1299,12 @@ def test_broken_servers(): isctest.check.noadflag(res) -def test_pending_ds(): +def test_pending_ds(servers): # check that a query against a validating resolver succeeds when there is # a negative cache entry with trust level "pending" for the DS. prime # with a +cd DS query to produce the negative cache entry, then send a # query that uses that entry as part of the validation process. + ns4 = servers["ns4"] ns4.rndc("flush", log=False) msg = isctest.query.create("insecure.example", "DS", cd=True) res = isctest.query.tcp(msg, "10.53.0.4") From e7bd28dbf8cc7c1f43c4a219062f20980d4c2ba0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 10 Jul 2025 15:16:06 +0200 Subject: [PATCH 10/14] Parametrize dnssec/tests_badkey.py tests Utilize test parametrization to reduce code duplication. --- bin/tests/system/dnssec/tests_badkey.py | 111 ++++++++---------------- 1 file changed, 35 insertions(+), 76 deletions(-) diff --git a/bin/tests/system/dnssec/tests_badkey.py b/bin/tests/system/dnssec/tests_badkey.py index ca883f81e7..ef3c20b251 100644 --- a/bin/tests/system/dnssec/tests_badkey.py +++ b/bin/tests/system/dnssec/tests_badkey.py @@ -14,6 +14,7 @@ from dns import flags import pytest import isctest +from isctest.util import param pytestmark = pytest.mark.extra_artifacts( 
@@ -44,90 +45,48 @@ pytestmark = pytest.mark.extra_artifacts( ) -def test_misconfigured_validation(): - # check that validation fails with a misconfigured trust anchor - msg = isctest.query.create("example.", "SOA") +@pytest.mark.parametrize( + "check, qname, qtype", + [ + param("validation", "example.", "SOA"), + param("negative-validation", "example.", "PTR"), + param("insecurity-proof", "a.insecure.example.", "A"), + ], +) +def test_misconfigured_ta_servfail(check, qname, qtype): + isctest.log.info(f"check that {check} fails") + msg = isctest.query.create(qname, qtype) res = isctest.query.tcp(msg, "10.53.0.5") isctest.check.servfail(res) -def test_misconfigured_negative_validation(): - # check that negative validation fails with a misconfigured trust anchor - msg = isctest.query.create("example.", "PTR") - res = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.servfail(res) - - -def test_misconfigured_insecurity(): - # check that insecurity proofs fail with a misconfigured trust anchor - msg = isctest.query.create("a.insecure.example.", "A") - res = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.servfail(res) - - -def test_misconfigured_cd_positive(): - # check AD bit of a positive answer with misconfigured trust anchor, CD=1 - msg = isctest.query.create("example.", "SOA") +@pytest.mark.parametrize( + "check, qname, qtype, rcode_func", + [ + param("positive-answer", "example.", "SOA", isctest.check.noerror), + param("negative-answer", "q.example.", "SOA", isctest.check.nxdomain), + param("bogus-answer", "a.bogus.example.", "SOA", isctest.check.noerror), + param("insecurity-proof", "a.insecure.example.", "SOA", isctest.check.noerror), + param( + "negative-insecurity-proof", + "q.insecure.example.", + "SOA", + isctest.check.nxdomain, + ), + ], +) +def test_misconfigured_ta_with_cd(check, qname, qtype, rcode_func): + isctest.log.info(f"check {check} with CD=1") + msg = isctest.query.create(qname, qtype) msg.flags |= flags.CD res = isctest.query.tcp(msg, 
"10.53.0.5") - isctest.check.noerror(res) - assert (res.flags & flags.AD) == 0 + rcode_func(res) + isctest.check.noadflag(res) - -def test_misconfigured_cd_negative(): - # check cd bit on a negative answer with misconfigured trust anchor, CD=1 - msg = isctest.query.create("q.example.", "SOA") - msg.flags |= flags.CD - res = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.nxdomain(res) - assert (res.flags & flags.AD) == 0 - # compare the response from a correctly configured server + isctest.log.debug("compare the response from a correctly configured server") res2 = isctest.query.tcp(msg, "10.53.0.4") - isctest.check.nxdomain(res2) - assert (res2.flags & flags.AD) == 0 - assert res.answer == res2.answer - - -def test_misconfigured_cd_bogus(): - # check cd bit on a query that should fail - msg = isctest.query.create("a.bogus.example.", "SOA") - msg.flags |= flags.CD - res = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.noerror(res) - assert (res.flags & flags.AD) == 0 - # compare the response from a correctly configured server - res2 = isctest.query.tcp(msg, "10.53.0.4") - isctest.check.noerror(res2) - assert (res2.flags & flags.AD) == 0 - assert res.answer == res2.answer - - -def test_misconfigured_cd_insecurity(): - # check cd bit on an insecurity proof - msg = isctest.query.create("a.insecure.example.", "SOA") - msg.flags |= flags.CD - res = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.noerror(res) - assert (res.flags & flags.AD) == 0 - # compare the response from a correctly configured server - res2 = isctest.query.tcp(msg, "10.53.0.4") - isctest.check.noerror(res2) - assert (res2.flags & flags.AD) == 0 - assert res.answer == res2.answer - - -def test_misconfigured_cd_negative_insecurity(): - # check cd bit on an insecurity proof - msg = isctest.query.create("q.insecure.example.", "A") - msg.flags |= flags.CD - res = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.nxdomain(res) - assert (res.flags & flags.AD) == 0 - # compare the response from 
a correctly configured server - res2 = isctest.query.tcp(msg, "10.53.0.4") - isctest.check.nxdomain(res2) - assert (res2.flags & flags.AD) == 0 - assert res.answer == res2.answer + isctest.check.noadflag(res2) + isctest.check.same_answer(res, res2) def test_revoked_init(servers, templates): From b7a2061e5fec310c2355c589863eb91b935599a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 10 Jul 2025 15:21:05 +0200 Subject: [PATCH 11/14] Split up badkey tests into separate modules If nsX.reconfigure() is used in a way that might affect other tests within the same module, it's best to split up the tests which need the reconfig to a separate module. This ensures the reconfigure() won't interfere with test results in case the tests are executed separately, or in a different order. --- bin/tests/system/dnssec/ns9/named.conf.j2 | 3 +- bin/tests/system/dnssec/tests_badkey.py | 35 --------------- .../system/dnssec/tests_badkey_broken.py | 45 +++++++++++++++++++ .../system/dnssec/tests_badkey_revoked.py | 28 ++++++++++++ 4 files changed, 75 insertions(+), 36 deletions(-) create mode 100644 bin/tests/system/dnssec/tests_badkey_broken.py create mode 100644 bin/tests/system/dnssec/tests_badkey_revoked.py diff --git a/bin/tests/system/dnssec/ns9/named.conf.j2 b/bin/tests/system/dnssec/ns9/named.conf.j2 index 3b0e39d3b5..2a335b5a9f 100644 --- a/bin/tests/system/dnssec/ns9/named.conf.j2 +++ b/bin/tests/system/dnssec/ns9/named.conf.j2 @@ -13,6 +13,8 @@ // NS9 +{% set forward_badkey = forward_badkey | default(False) %} + options { query-source address 10.53.0.9; notify-source 10.53.0.9; @@ -24,7 +26,6 @@ options { recursion yes; dnssec-validation yes; forward only; -{% set forward_badkey = forward_badkey | default(False) %} {% if forward_badkey %} forwarders { 10.53.0.5; }; {% else %} diff --git a/bin/tests/system/dnssec/tests_badkey.py b/bin/tests/system/dnssec/tests_badkey.py index ef3c20b251..ca80734d4d 100644 
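Review bot: The `negative-insecurity-proof` case changes the query type the deleted test_misconfigured_cd_negative_insecurity used: it queried `q.insecure.example.` for `A`, but the parametrized entry asks for `SOA`, so the refactor silently alters what is exercised while the commit message only claims deduplication. Restore it as `param("negative-insecurity-proof", "q.insecure.example.", "A", isctest.check.nxdomain),`, which also makes the otherwise constant qtype column meaningful. Separately, the positive-answer case is now compared against the 10.53.0.4 response, which the old test_misconfigured_cd_positive did not do; that is extra coverage, but it deserves a sentence in the commit message.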
--- a/bin/tests/system/dnssec/tests_badkey.py +++ b/bin/tests/system/dnssec/tests_badkey.py @@ -87,38 +87,3 @@ def test_misconfigured_ta_with_cd(check, qname, qtype, rcode_func): res2 = isctest.query.tcp(msg, "10.53.0.4") isctest.check.noadflag(res2) isctest.check.same_answer(res, res2) - - -def test_revoked_init(servers, templates): - # use a revoked key and try to reiniitialize; check for failure - ns5 = servers["ns5"] - templates.render("ns5/named.conf", {"revoked_key": True}) - ns5.reconfigure(log=False) - - msg = isctest.query.create(".", "SOA") - res = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.servfail(res) - - -def test_broken_forwarding(servers, templates): - # check forwarder CD behavior (forward server with bad trust anchor) - ns5 = servers["ns5"] - templates.render("ns5/named.conf", {"broken_key": True}) - ns5.reconfigure(log=False) - - ns9 = servers["ns9"] - templates.render("ns9/named.conf", {"forward_badkey": True}) - ns9.reconfigure(log=False) - - # confirm invalid trust anchor produces SERVFAIL in resolver - msg = isctest.query.create("a.secure.example.", "A") - res = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.servfail(res) - - # check that lookup involving forwarder succeeds and SERVFAIL was received - with ns9.watch_log_from_here() as watcher: - msg = isctest.query.create("a.secure.example.", "SOA") - res = isctest.query.tcp(msg, "10.53.0.9") - isctest.check.noerror(res) - assert (res.flags & flags.AD) != 0 - watcher.wait_for_line("status: SERVFAIL") diff --git a/bin/tests/system/dnssec/tests_badkey_broken.py b/bin/tests/system/dnssec/tests_badkey_broken.py new file mode 100644 index 0000000000..5d09a862ea --- /dev/null +++ b/bin/tests/system/dnssec/tests_badkey_broken.py 
@@ -0,0 +1,45 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from dns import flags + +import pytest + +import isctest + + +@pytest.fixture(scope="module", autouse=True) +def reconfigure(servers, templates): + ns5 = servers["ns5"] + templates.render("ns5/named.conf", {"broken_key": True}) + ns5.reconfigure(log=False) + + ns9 = servers["ns9"] + templates.render("ns9/named.conf", {"forward_badkey": True}) + ns9.reconfigure(log=False) + + +def test_broken_forwarding(servers): + # check forwarder CD behavior (forward server with bad trust anchor) + ns9 = servers["ns9"] + + # confirm invalid trust anchor produces SERVFAIL in resolver + msg = isctest.query.create("a.secure.example.", "A") + res = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.servfail(res) + + # check that lookup involving forwarder succeeds and SERVFAIL was received + with ns9.watch_log_from_here() as watcher: + msg = isctest.query.create("a.secure.example.", "SOA") + res = isctest.query.tcp(msg, "10.53.0.9") + isctest.check.noerror(res) + assert (res.flags & flags.AD) != 0 + watcher.wait_for_line("status: SERVFAIL") diff --git a/bin/tests/system/dnssec/tests_badkey_revoked.py b/bin/tests/system/dnssec/tests_badkey_revoked.py new file mode 100644 index 0000000000..eba2eaba02 --- /dev/null +++ b/bin/tests/system/dnssec/tests_badkey_revoked.py 
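Review bot: The module-scoped `reconfigure` fixture renders the broken-key configuration into ns5 and ns9 and reconfigures both, but it has no teardown, so that state persists for whatever module pytest runs next in the same session unless the harness restarts or re-renders the servers between modules, which is not visible here; the isolation the commit message describes then depends on module order. Turning the fixture into a `yield` fixture that, after the yield, renders the default templates (the ns9 template defaults `forward_badkey` to False, so `templates.render("ns9/named.conf", {})` should suffice if ns5's template does the same) and calls `reconfigure()` again would make the split self-contained. The same pattern appears in the fixture of tests_badkey_revoked.py and in the tests_validation_accept_expired.py, tests_validation_managed_keys.py, tests_validation_many_anchors.py and tests_validation_multiview.py modules added by the following patch. Separately, `assert (res.flags & flags.AD) != 0` in `test_broken_forwarding` could be `isctest.check.adflag(res)`, which is how the neighbouring checks in these modules are written.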
@@ -0,0 +1,28 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import pytest + +import isctest + + +@pytest.fixture(scope="module", autouse=True) +def reconfigure(servers, templates): + ns5 = servers["ns5"] + templates.render("ns5/named.conf", {"revoked_key": True}) + ns5.reconfigure(log=False) + + +def test_revoked_init(): + # use a revoked key and check for failure when using revoked key + msg = isctest.query.create(".", "SOA") + res = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.servfail(res) From 19941adab05a736faec8b5fb334a61d6b692e3c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Fri, 25 Jul 2025 18:22:21 +0200 Subject: [PATCH 12/14] Split up dnssec validation tests to multiple modules Put each config into a separate module to avoid interfering with other tests. --- bin/tests/system/dnssec/tests_validation.py | 285 +----------------- .../dnssec/tests_validation_accept_expired.py | 64 ++++ .../dnssec/tests_validation_managed_keys.py | 108 +++++++ .../dnssec/tests_validation_many_anchors.py | 137 +++++++++ .../dnssec/tests_validation_multiview.py | 62 ++++ bin/tests/system/nta/tests_nta.py | 2 - 6 files changed, 372 insertions(+), 286 deletions(-) create mode 100644 bin/tests/system/dnssec/tests_validation_accept_expired.py create mode 100644 bin/tests/system/dnssec/tests_validation_managed_keys.py create mode 100644 bin/tests/system/dnssec/tests_validation_many_anchors.py create mode 100644 bin/tests/system/dnssec/tests_validation_multiview.py 
diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py index 74cb7c6dff..917d517043 100644 --- a/bin/tests/system/dnssec/tests_validation.py +++ b/bin/tests/system/dnssec/tests_validation.py @@ -14,7 +14,7 @@ import re import shutil import time -from dns import edns, flags, name, rcode, rdataclass, rdatatype +from dns import edns, flags, name, rdataclass, rdatatype import pytest 
@@ -1184,49 +1184,6 @@ def test_expired_signatures(servers): assert rrset.ttl <= 60 -def test_accept_expired(servers, templates): - ns4 = servers["ns4"] - templates.render("ns4/named.conf", {"accept_expired": True}) - ns4.reconfigure(log=False) - - # test TTL of about-to-expire rrsets with accept-expired - ns4.rndc("flush", log=False) - msg = isctest.query.create("expiring.example", "SOA") - msg.flags |= flags.CD - res1 = isctest.query.tcp(msg, "10.53.0.4") - msg = isctest.query.create("expiring.example", "SOA") - res2 = isctest.query.tcp(msg, "10.53.0.4") - for rrset in res1.answer: - assert rrset.ttl <= 3600 - for rrset in res2.answer: - assert rrset.ttl <= 120 - - # test TTL is capped at RRSIG expiry time in the additional section - # with accept-expired - ns4.rndc("flush", log=False) - msg = isctest.query.create("expiring.example", "MX") - msg.flags |= flags.CD - res1 = isctest.query.tcp(msg, "10.53.0.4") - msg = isctest.query.create("expiring.example", "MX") - res2 = isctest.query.tcp(msg, "10.53.0.4") - for rrset in res1.additional: - assert rrset.ttl <= 3600 - for rrset in res2.additional: - assert rrset.ttl <= 120 - - # test TTL of expired rrsets with accept-expired - ns4.rndc("flush", log=False) - msg = isctest.query.create("expired.example", "SOA") - msg.flags |= flags.CD - res1 = isctest.query.tcp(msg, "10.53.0.4") - msg = isctest.query.create("expired.example", "SOA") - res2 = isctest.query.tcp(msg, "10.53.0.4") - for rrset in res1.additional: - assert rrset.ttl <= 3600 - for rrset in res2.additional: - assert rrset.ttl <= 120 - - def test_casing(): # test legacy upper-case signer name validation msg = isctest.query.create("upper.example", "SOA") 
@@ -1318,132 +1275,6 @@ def test_pending_ds(servers): isctest.check.noadflag(res) -def test_trust_anchors(servers, templates): - # DNSSEC tests related to unsupported, disabled and revoked trust anchors. - # - # This nameserver is loaded with a bunch of trust anchors. - # Some of them are good (enabled.managed, enabled.trusted, - # secure.managed, secure.trusted), and some of them are bad - # (disabled.managed, revoked.managed, unsupported.managed, - # disabled.trusted, revoked.trusted, unsupported.trusted). Make sure - # that the bad trust anchors are ignored. This is tested by looking - # for the corresponding lines in the logfile. - ns5 = servers["ns5"] - templates.render("ns5/named.conf", {"many_anchors": True}) - ns5.reconfigure(log=False) - - # check that keys with unsupported/disabled algorithms are ignored - grep_q( - "ignoring static-key for 'disabled.trusted.': algorithm is disabled", - "ns5/named.run", - ) - grep_q( - "ignoring static-key for 'disabled.managed.': algorithm is disabled", - "ns5/named.run", - ) - grep_q( - "ignoring static-key for 'unsupported.trusted.': algorithm is unsupported", - "ns5/named.run", - ) - grep_q( - "ignoring static-key for 'unsupported.managed.': algorithm is unsupported", - "ns5/named.run", - ) - grep_q("ignoring static-key for 'revoked.trusted.': bad key type", "ns5/named.run") - grep_q("ignoring static-key for 'revoked.managed.': bad key type", "ns5/named.run") - - # check that a key with supported algorithm validates as secure - msg = isctest.query.create("a.secure.trusted", "A") - res1 = isctest.query.tcp(msg, "10.53.0.3") - res2 = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.noerror(res1) - isctest.check.noerror(res2) - isctest.check.adflag(res2) - if hasattr(res2, "extended_errors"): - assert not res2.extended_errors() - - msg = isctest.query.create("a.secure.managed", "A") - res1 = isctest.query.tcp(msg, "10.53.0.3") - res2 = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.noerror(res1) - 
isctest.check.noerror(res2) - isctest.check.adflag(res2) - if hasattr(res2, "extended_errors"): - assert not res2.extended_errors() - - # check that an unsupported signing algorithm yields insecure - msg = isctest.query.create("a.unsupported.trusted", "A") - res1 = isctest.query.tcp(msg, "10.53.0.3") - res2 = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.noerror(res1) - if hasattr(res2, "extended_errors"): - assert ( - res2.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM - ) - isctest.check.noerror(res2) - isctest.check.noadflag(res2) - - msg = isctest.query.create("a.unsupported.managed", "A") - res1 = isctest.query.tcp(msg, "10.53.0.3") - res2 = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.noerror(res1) - if hasattr(res2, "extended_errors"): - assert ( - res2.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM - ) - isctest.check.noerror(res2) - isctest.check.noadflag(res2) - - # check that a disabled signing algorithm yields insecure - msg = isctest.query.create("a.disabled.trusted", "A") - res1 = isctest.query.tcp(msg, "10.53.0.3") - res2 = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.noerror(res1) - isctest.check.noerror(res2) - isctest.check.noadflag(res2) - - msg = isctest.query.create("a.disabled.managed", "A") - res1 = isctest.query.tcp(msg, "10.53.0.3") - res2 = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.noerror(res1) - isctest.check.noerror(res2) - isctest.check.noadflag(res2) - - # check that zone signed with an algorithm that's disabled for - # some other domain, but not for this one, validates as secure. - # "enabled.trusted." and "enabled.managed." do not match the - # "disable-algorithms" option, so no special rules apply. 
(static) - msg = isctest.query.create("a.enabled.trusted", "A") - res1 = isctest.query.tcp(msg, "10.53.0.3") - res2 = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.noerror(res1) - isctest.check.noerror(res2) - isctest.check.adflag(res2) - - msg = isctest.query.create("a.enabled.managed", "A") - res1 = isctest.query.tcp(msg, "10.53.0.3") - res2 = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.noerror(res1) - isctest.check.noerror(res2) - isctest.check.adflag(res2) - - # a revoked trust anchor is ignored when configured; check that - # this yields insecure. - msg = isctest.query.create("a.revoked.trusted", "A") - res1 = isctest.query.tcp(msg, "10.53.0.3") - res2 = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.noerror(res1) - isctest.check.noerror(res2) - isctest.check.noadflag(res2) - - msg = isctest.query.create("a.revoked.managed", "A") - res1 = isctest.query.tcp(msg, "10.53.0.3") - res2 = isctest.query.tcp(msg, "10.53.0.5") - isctest.check.noerror(res1) - isctest.check.noerror(res2) - isctest.check.noadflag(res2) - - def test_unknown_algorithms(): # check that unknown DNSKEY algorithm validates as insecure msg = isctest.query.create("dnskey-unknown.example", "A", dnssec=False) 
@@ -1513,117 +1344,3 @@ def test_unknown_algorithms(): isctest.check.noerror(res1) isctest.check.noerror(res2) isctest.check.noadflag(res2) - - -################################### -##### BEGIN MANAGED KEY TESTS ##### -################################### -def test_switch_managed(servers, templates): - # switch to intializing trust anchor instead of static - ns4 = servers["ns4"] - assert os.path.exists("ns4/managed-keys.bind.jnl") is False - shutil.copyfile("ns4/managed-keys.bind.in", "ns4/managed-keys.bind") - templates.render("ns4/named.conf", {"managed_key": True}) - ns4.reconfigure(log=False) - - -def test_secure_root_managed(servers): - # check that a query for a secure root validates - msg = isctest.query.create(".", "KEY") - res = isctest.query.tcp(msg, "10.53.0.4") - isctest.check.noerror(res) - isctest.check.adflag(res) - - # check that "rndc secroots" dumps the trusted keys - ns4 = servers["ns4"] - key = int(getfrom("ns1/managed.key.id")) - alg = os.environ["DEFAULT_ALGORITHM"] - expected = f"./{alg}/{key} ; managed" - response = ns4.rndc("secroots -", log=False).splitlines() - assert expected in response - assert len(response) == 10 - - -def test_positive_validation_nsec_managed(): - msg = isctest.query.create("a.example", "A") - res1 = isctest.query.tcp(msg, "10.53.0.2") - res2 = isctest.query.tcp(msg, "10.53.0.4") - isctest.check.same_answer(res1, res2) - isctest.check.adflag(res2) - - -def test_positive_validation_nsec3_managed(): - msg = isctest.query.create("a.nsec3.example", "A") - res1 = isctest.query.tcp(msg, "10.53.0.3") - res2 = isctest.query.tcp(msg, "10.53.0.4") - isctest.check.same_answer(res1, res2) - isctest.check.noerror(res2) - isctest.check.adflag(res2) - - -def test_positive_validation_optout_managed(): - msg = isctest.query.create("a.optout.example", "A") - res1 = isctest.query.tcp(msg, "10.53.0.3") - res2 = isctest.query.tcp(msg, "10.53.0.4") - isctest.check.same_answer(res1, res2) - isctest.check.adflag(res2) - - -def 
test_negative_validation_nsec_managed(): - # nxdomain - msg = isctest.query.create("q.example", "A") - res1 = isctest.query.tcp(msg, "10.53.0.2") - res2 = isctest.query.tcp(msg, "10.53.0.4") - isctest.check.same_answer(res1, res2) - isctest.check.nxdomain(res2) - isctest.check.adflag(res2) - - -def test_ds_managed(): - # check root DS queries validate - msg = isctest.query.create(".", "DS") - res1 = isctest.query.tcp(msg, "10.53.0.1") - res2 = isctest.query.tcp(msg, "10.53.0.4") - isctest.check.same_data(res1, res2) - isctest.check.adflag(res2) - isctest.check.noerror(res2) - - # check DS queries succeed at RFC 1918 empty zone - msg = isctest.query.create("10.in-addr.arpa", "DS") - res1 = isctest.query.tcp(msg, "10.53.0.2") - res2 = isctest.query.tcp(msg, "10.53.0.4") - isctest.check.same_data(res1, res2) - isctest.check.noerror(res2) - - -def test_keydata_storage(servers): - ns4 = servers["ns4"] - ns4.rndc("managed-keys sync", log=False) - with isctest.log.WatchLogFromStart("ns4/managed-keys.bind") as watcher: - watcher.wait_for_line(["KEYDATA", "next refresh:"]) - - -############################################ -##### BEGIN MULTIVIEW VALIDATION TESTS ##### -############################################ -def test_insecure_staticstub_delegation(servers, templates): - ns4 = servers["ns4"] - templates.render("ns4/named.conf", {"multi_view": True}) - ns4.reconfigure(log=False) - - # check insecure delegation between static-stub zones - msg = isctest.query.create("insecure.secure.example", "NS") - for _ in range(5): - res = isctest.query.tcp(msg, "10.53.0.4") - if res.rcode() == rcode.SERVFAIL: - time.sleep(1) - continue - isctest.check.noerror(res) - - msg = isctest.query.create("secure.example", "NS") - for _ in range(5): - res = isctest.query.tcp(msg, "10.53.0.4") - if res.rcode() == rcode.SERVFAIL: - time.sleep(1) - continue - isctest.check.noerror(res) 
diff --git a/bin/tests/system/dnssec/tests_validation_accept_expired.py b/bin/tests/system/dnssec/tests_validation_accept_expired.py new file mode 100644 index 0000000000..dc80695f66 --- /dev/null +++ b/bin/tests/system/dnssec/tests_validation_accept_expired.py 
@@ -0,0 +1,64 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from dns import flags + +import pytest + +import isctest + + +@pytest.fixture(scope="module", autouse=True) +def reconfigure(servers, templates): + ns4 = servers["ns4"] + templates.render("ns4/named.conf", {"accept_expired": True}) + ns4.reconfigure(log=False) + + +def test_accept_expired(servers): + ns4 = servers["ns4"] + + # test TTL of about-to-expire rrsets with accept-expired + ns4.rndc("flush", log=False) + msg = isctest.query.create("expiring.example", "SOA") + msg.flags |= flags.CD + res1 = isctest.query.tcp(msg, "10.53.0.4") + msg = isctest.query.create("expiring.example", "SOA") + res2 = isctest.query.tcp(msg, "10.53.0.4") + for rrset in res1.answer: + assert rrset.ttl <= 3600 + for rrset in res2.answer: + assert rrset.ttl <= 120 + + # test TTL is capped at RRSIG expiry time in the additional section + # with accept-expired + ns4.rndc("flush", log=False) + msg = isctest.query.create("expiring.example", "MX") + msg.flags |= flags.CD + res1 = isctest.query.tcp(msg, "10.53.0.4") + msg = isctest.query.create("expiring.example", "MX") + res2 = isctest.query.tcp(msg, "10.53.0.4") + for rrset in res1.additional: + assert rrset.ttl <= 3600 + for rrset in res2.additional: + assert rrset.ttl <= 120 + + # test TTL of expired rrsets with accept-expired + ns4.rndc("flush", log=False) + msg = isctest.query.create("expired.example", "SOA") + msg.flags |= flags.CD + res1 = isctest.query.tcp(msg, "10.53.0.4") + msg = isctest.query.create("expired.example", "SOA") + res2 = isctest.query.tcp(msg, "10.53.0.4") + for rrset in res1.additional: 
+ assert rrset.ttl <= 3600 + for rrset in res2.additional: + assert rrset.ttl <= 120 diff --git a/bin/tests/system/dnssec/tests_validation_managed_keys.py b/bin/tests/system/dnssec/tests_validation_managed_keys.py new file mode 100644 index 0000000000..7195818d4b --- /dev/null +++ b/bin/tests/system/dnssec/tests_validation_managed_keys.py 
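Review bot: The third block of `test_accept_expired` queries `expired.example` SOA but iterates `res1.additional` and `res2.additional`, whereas the first block checks `.answer` for the same SOA query and only the MX block checks `.additional`; if the additional section of the SOA reply is empty, both loops run zero times and the expired-RRset TTL case asserts nothing. This was carried over from the `test_accept_expired` removed from tests_validation.py rather than introduced here, and the TTL-bounds patch that follows edits the same two loops without changing the section. Changing the last block to `for rrset in res1.answer:` / `for rrset in res2.answer:` would match the first block, and a guard such as `assert res2.answer` before the loops would make an empty section fail instead of pass. The comment `# test TTL of expired rrsets with accept-expired` could then also say which message section is being checked.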
@@ -0,0 +1,108 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import os +import shutil + +import pytest + +import isctest + + +@pytest.fixture(scope="module", autouse=True) +def reconfigure(servers, templates): + ns4 = servers["ns4"] + assert os.path.exists("ns4/managed-keys.bind.jnl") is False + shutil.copyfile("ns4/managed-keys.bind.in", "ns4/managed-keys.bind") + templates.render("ns4/named.conf", {"managed_key": True}) + ns4.reconfigure(log=False) + + +# helper functions +def getfrom(file): + with open(file, encoding="utf-8") as f: + return f.read().strip() + + +def test_secure_root_managed(servers): + # check that a query for a secure root validates + msg = isctest.query.create(".", "KEY") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + isctest.check.adflag(res) + + # check that "rndc secroots" dumps the trusted keys + ns4 = servers["ns4"] + key = int(getfrom("ns1/managed.key.id")) + alg = os.environ["DEFAULT_ALGORITHM"] + expected = f"./{alg}/{key} ; managed" + response = ns4.rndc("secroots -", log=False).splitlines() + assert expected in response + assert len(response) == 10 + + +def test_positive_validation_nsec_managed(): + msg = isctest.query.create("a.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + +def test_positive_validation_nsec3_managed(): + msg = isctest.query.create("a.nsec3.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + 
isctest.check.noerror(res2) + isctest.check.adflag(res2) + + +def test_positive_validation_optout_managed(): + msg = isctest.query.create("a.optout.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2) + + +def test_negative_validation_nsec_managed(): + # nxdomain + msg = isctest.query.create("q.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.nxdomain(res2) + isctest.check.adflag(res2) + + +def test_ds_managed(): + # check root DS queries validate + msg = isctest.query.create(".", "DS") + res1 = isctest.query.tcp(msg, "10.53.0.1") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.adflag(res2) + isctest.check.noerror(res2) + + # check DS queries succeed at RFC 1918 empty zone + msg = isctest.query.create("10.in-addr.arpa", "DS") + res1 = isctest.query.tcp(msg, "10.53.0.2") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_data(res1, res2) + isctest.check.noerror(res2) + + +def test_keydata_storage(servers): + ns4 = servers["ns4"] + ns4.rndc("managed-keys sync", log=False) + with isctest.log.WatchLogFromStart("ns4/managed-keys.bind") as watcher: + watcher.wait_for_line(["KEYDATA", "next refresh:"]) diff --git a/bin/tests/system/dnssec/tests_validation_many_anchors.py b/bin/tests/system/dnssec/tests_validation_many_anchors.py new file mode 100644 index 0000000000..47c3277ca5 --- /dev/null +++ b/bin/tests/system/dnssec/tests_validation_many_anchors.py 
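Review bot: `getfrom` is defined here and again verbatim in tests_validation_multiview.py, and neither copy is documented; one shared copy (in the `isctest` helpers or a conftest) with a one-line docstring such as `"""Return the stripped contents of a small text file."""` would avoid the drift that duplicated helpers attract. In `test_secure_root_managed`, `assert len(response) == 10` pins the exact line count of `rndc secroots -` output with no comment saying what the ten lines are, so any change to that output format fails the test without a hint; a comment naming the expected layout, or an assertion on just the lines that matter, would be easier to maintain.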
@@ -0,0 +1,137 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from dns import edns +import pytest + +import isctest + + +@pytest.fixture(scope="module", autouse=True) +def reconfigure(servers, templates): + ns5 = servers["ns5"] + templates.render("ns5/named.conf", {"many_anchors": True}) + with ns5.watch_log_from_here() as watcher: + ns5.reconfigure(log=False) + watcher.wait_for_line( + [ + "ignoring static-key for 'disabled.trusted.': algorithm is disabled", + "ignoring static-key for 'disabled.managed.': algorithm is disabled", + "ignoring static-key for 'unsupported.trusted.': algorithm is unsupported", + "ignoring static-key for 'unsupported.managed.': algorithm is unsupported", + "ignoring static-key for 'unsupported.managed.': algorithm is unsupported", + "ignoring static-key for 'revoked.trusted.': bad key type", + "ignoring static-key for 'revoked.managed.': bad key type", + ] + ) + + +def test_trust_anchors(): + # DNSSEC tests related to unsupported, disabled and revoked trust anchors. + # + # This nameserver is loaded with a bunch of trust anchors. + # Some of them are good (enabled.managed, enabled.trusted, + # secure.managed, secure.trusted), and some of them are bad + # (disabled.managed, revoked.managed, unsupported.managed, + # disabled.trusted, revoked.trusted, unsupported.trusted). Make sure + # that the bad trust anchors are ignored. This is tested by looking + # for the corresponding lines in the logfile. 
+ + # check that a key with supported algorithm validates as secure + msg = isctest.query.create("a.secure.trusted", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + if hasattr(res2, "extended_errors"): + assert not res2.extended_errors() + + msg = isctest.query.create("a.secure.managed", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + if hasattr(res2, "extended_errors"): + assert not res2.extended_errors() + + # check that an unsupported signing algorithm yields insecure + msg = isctest.query.create("a.unsupported.trusted", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + if hasattr(res2, "extended_errors"): + assert ( + res2.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM + ) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + msg = isctest.query.create("a.unsupported.managed", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + if hasattr(res2, "extended_errors"): + assert ( + res2.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM + ) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # check that a disabled signing algorithm yields insecure + msg = isctest.query.create("a.disabled.trusted", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + msg = isctest.query.create("a.disabled.managed", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + 
isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + # check that zone signed with an algorithm that's disabled for + # some other domain, but not for this one, validates as secure. + # "enabled.trusted." and "enabled.managed." do not match the + # "disable-algorithms" option, so no special rules apply. (static) + msg = isctest.query.create("a.enabled.trusted", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + msg = isctest.query.create("a.enabled.managed", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.adflag(res2) + + # a revoked trust anchor is ignored when configured; check that + # this yields insecure. + msg = isctest.query.create("a.revoked.trusted", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) + + msg = isctest.query.create("a.revoked.managed", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res1) + isctest.check.noerror(res2) + isctest.check.noadflag(res2) diff --git a/bin/tests/system/dnssec/tests_validation_multiview.py b/bin/tests/system/dnssec/tests_validation_multiview.py new file mode 100644 index 0000000000..e8d21681f4 --- /dev/null +++ b/bin/tests/system/dnssec/tests_validation_multiview.py 
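Review bot: The list passed to `watcher.wait_for_line` in the `reconfigure` fixture contains `"ignoring static-key for 'unsupported.managed.': algorithm is unsupported"` twice, so one entry is a copy-paste duplicate and should be dropped (or was meant to be a different message). Whether `wait_for_line` with a list waits for every entry or returns on the first match is not visible here; the removed code used one `grep_q` per message, so if the helper returns on any match only one of the six ignored-anchor messages is actually verified and a per-message wait would preserve the old coverage. The long comment at the top of `test_trust_anchors` still says the bad anchors are "tested by looking for the corresponding lines in the logfile", but that check now lives in the fixture; rewording it to `# (the log lines confirming the bad anchors were ignored are checked by the module fixture)` keeps it accurate.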
@@ -0,0 +1,62 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import os +import re + +import pytest + +import isctest + + +@pytest.fixture(scope="module", autouse=True) +def reconfigure(servers, templates): + ns4 = servers["ns4"] + templates.render("ns4/named.conf", {"multi_view": True}) + ns4.reconfigure(log=False) + + +def getfrom(file): + with open(file, encoding="utf-8") as f: + return f.read().strip() + + +def test_staticstub_delegations(): + # check insecure delegation between static-stub zones + def docheck(): + msg = isctest.query.create("insecure.secure.example", "NS") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + msg = isctest.query.create("secure.example", "NS") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res) + return True + + isctest.run.retry_with_timeout(docheck, 5) + + +def test_validator_logging(ns4): + # check that validator logging includes the view name with multiple views + pattern = re.compile("view rec: *validat") + with ns4.watch_log_from_start() as watcher: + msg = isctest.query.create("secure.example", "NS") + isctest.query.tcp(msg, "10.53.0.4") + watcher.wait_for_line(pattern) + + +def test_secure_roots(ns4): + # check that "rndc secroots" dumps the trusted keys with multiple views + key = int(getfrom("ns1/managed.key.id")) + alg = os.environ["DEFAULT_ALGORITHM"] + expected = f"./{alg}/{key} ; static" + response = ns4.rndc("secroots -", log=False).splitlines() + assert expected in response, response + assert len(response) == 17 
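Review bot: `test_validator_logging` opens `ns4.watch_log_from_start()`, so the `view rec: *validat` pattern is satisfied by any matching line written since ns4 started, including validations triggered by earlier tests or by the fixture's reconfigure, and the query issued inside the `with` block is not what is being verified. `watch_log_from_here()`, as used in tests_badkey_broken.py, would scope the wait to this query; if "ever logged" is the intent, a comment saying so would help. In `test_staticstub_delegations` the nested `docheck` is retried through `isctest.run.retry_with_timeout`, whereas the removed loop retried only on SERVFAIL; whether the helper retries on the `AssertionError` that `isctest.check.noerror` presumably raises is not visible here and deserves a comment. `assert len(response) == 17` has the same unexplained magic number as the `== 10` check in tests_validation_managed_keys.py.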
diff --git a/bin/tests/system/nta/tests_nta.py b/bin/tests/system/nta/tests_nta.py index 088a3c5a1d..f4ca8d3e7f 100644 --- a/bin/tests/system/nta/tests_nta.py +++ b/bin/tests/system/nta/tests_nta.py @@ -13,8 +13,6 @@ import os import re import time -import pytest - import isctest From d0e2487ab6b6adf0c4b20c5bd97b97c34eb23501 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Fri, 25 Jul 2025 17:21:56 +0200 Subject: [PATCH 13/14] Various TTL fixes in dnssec tests Make sure the various TTL checks are using a lower bound as well and use a common TTL of 5 min. --- bin/tests/system/dnssec/ns2/example.db.in | 2 +- bin/tests/system/dnssec/ns2/template.db.in | 2 +- bin/tests/system/dnssec/tests_delv.py | 6 +++--- bin/tests/system/dnssec/tests_validation.py | 8 ++++---- .../system/dnssec/tests_validation_accept_expired.py | 6 +++--- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in index 6531ae6649..47c2eb7f0e 100644 --- a/bin/tests/system/dnssec/ns2/example.db.in +++ b/bin/tests/system/dnssec/ns2/example.db.in @@ -9,7 +9,7 @@ ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. -$TTL 3600 ; 1 hour +$TTL 300 ; 5 minutes @ IN SOA mname1. . ( 2000042407 ; serial 20 ; refresh (20 seconds) diff --git a/bin/tests/system/dnssec/ns2/template.db.in b/bin/tests/system/dnssec/ns2/template.db.in index 43ad12bb7c..a84b75b618 100644 --- a/bin/tests/system/dnssec/ns2/template.db.in +++ b/bin/tests/system/dnssec/ns2/template.db.in @@ -9,7 +9,7 @@ ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. -$TTL 3600 +$TTL 300 ; 5 minutes @ SOA ns2.example. . 1 3600 1200 86400 1200 @ NS ns2 ns2 A 10.53.0.2 diff --git a/bin/tests/system/dnssec/tests_delv.py b/bin/tests/system/dnssec/tests_delv.py index 6ed76fe90f..2e6f2f26c9 100644 
--- a/bin/tests/system/dnssec/tests_delv.py +++ b/bin/tests/system/dnssec/tests_delv.py @@ -75,12 +75,12 @@ def test_positive_validation_delv(): # check positive validation NSEC response = delv("a", "a.example") assert grep_c("a.example..*10.0.0.1", response) - assert grep_c("a.example..*.RRSIG.A [0-9][0-9]* 2 3600 .*", response) + assert grep_c("a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*", response) # check positive validation NSEC (trsuted-keys) response = delv("a", "a.example", tkeys=True) assert grep_c("a.example..*10.0.0.1", response) - assert grep_c("a.example..*.RRSIG.A [0-9][0-9]* 2 3600 .*", response) + assert grep_c("a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*", response) # check positive validation NSEC3 response = delv("a", "a.nsec3.example") @@ -95,7 +95,7 @@ def test_positive_validation_delv(): # check positive wildcard validation NSEC response = delv("a", "a.wild.example") assert grep_c("a.wild.example..*10.0.0.27", response) - assert grep_c("a.wild.example..*.RRSIG.A [0-9][0-9]* 2 3600 .*", response) + assert grep_c("a.wild.example..*.RRSIG.A [0-9][0-9]* 2 300 .*", response) # check positive wildcard validation NSEC3 response = delv("a", "a.wild.nsec3.example") diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py index 917d517043..0e923a3440 100644 --- a/bin/tests/system/dnssec/tests_validation.py +++ b/bin/tests/system/dnssec/tests_validation.py @@ -721,7 +721,7 @@ def test_cache(servers): isctest.check.rr_count_eq(res1.answer, 2) isctest.check.rr_count_eq(res2.answer, 2) for rrset in res1.answer: - assert rrset.ttl <= 3600 + assert 3000 <= rrset.ttl <= 3600 for rrset in res2.answer: assert rrset.ttl <= 300 @@ -1157,7 +1157,7 @@ def test_expired_signatures(servers): msg = isctest.query.create("expiring.example", "SOA") res2 = isctest.query.tcp(msg, "10.53.0.4") for rrset in res1.answer: - assert rrset.ttl <= 3600 + assert 240 <= rrset.ttl <= 300 for rrset in res2.answer: assert rrset.ttl <= 60 
@@ -1168,7 +1168,7 @@ def test_expired_signatures(servers):
 msg = isctest.query.create("expiring.example", "NS")
 res2 = isctest.query.tcp(msg, "10.53.0.4")
 for rrset in res1.additional:
- assert rrset.ttl <= 3600
+ assert 240 <= rrset.ttl <= 300
 for rrset in res2.additional:
 assert rrset.ttl <= 60

@@ -1179,7 +1179,7 @@ def test_expired_signatures(servers):
 msg = isctest.query.create("expiring.example", "MX")
 res2 = isctest.query.tcp(msg, "10.53.0.4")
 for rrset in res1.additional:
- assert rrset.ttl <= 3600
+ assert 240 <= rrset.ttl <= 300
 for rrset in res2.additional:
 assert rrset.ttl <= 60

diff --git a/bin/tests/system/dnssec/tests_validation_accept_expired.py b/bin/tests/system/dnssec/tests_validation_accept_expired.py
index dc80695f66..207fba1d00 100644
--- a/bin/tests/system/dnssec/tests_validation_accept_expired.py
+++ b/bin/tests/system/dnssec/tests_validation_accept_expired.py
@@ -34,7 +34,7 @@ def test_accept_expired(servers):
 msg = isctest.query.create("expiring.example", "SOA")
 res2 = isctest.query.tcp(msg, "10.53.0.4")
 for rrset in res1.answer:
- assert rrset.ttl <= 3600
+ assert 240 <= rrset.ttl <= 300
 for rrset in res2.answer:
 assert rrset.ttl <= 120

@@ -47,7 +47,7 @@ def test_accept_expired(servers):
 msg = isctest.query.create("expiring.example", "MX")
 res2 = isctest.query.tcp(msg, "10.53.0.4")
 for rrset in res1.additional:
- assert rrset.ttl <= 3600
+ assert 240 <= rrset.ttl <= 300
 for rrset in res2.additional:
 assert rrset.ttl <= 120

@@ -59,6 +59,6 @@ def test_accept_expired(servers):
 msg = isctest.query.create("expired.example", "SOA")
 res2 = isctest.query.tcp(msg, "10.53.0.4")
 for rrset in res1.additional:
- assert rrset.ttl <= 3600
+ assert 240 <= rrset.ttl <= 300
 for rrset in res2.additional:
 assert rrset.ttl <= 120
From 53be3af05cb020693ddba32f594a6a078e1e1086 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?=
Date: Fri, 25 Jul 2025 18:29:55 +0200
Subject: [PATCH 14/14] Use nsX fixtures rather than servers

Rather than using servers["nsX"] syntax, utilize the nsX fixtures to make the test code a bit more concise. See fe5534291699572e67ad4a854b412e40c524307a
---
 .../system/dnssec/tests_badkey_broken.py | 7 ++---
 .../system/dnssec/tests_badkey_revoked.py | 3 +-
 bin/tests/system/dnssec/tests_policy.py | 3 +-
 bin/tests/system/dnssec/tests_signing.py | 14 +++------
 bin/tests/system/dnssec/tests_tat.py | 5 +---
 bin/tests/system/dnssec/tests_validation.py | 30 +++++--------
 .../dnssec/tests_validation_accept_expired.py | 7 ++---
 .../dnssec/tests_validation_managed_keys.py | 9 ++---
 .../dnssec/tests_validation_many_anchors.py | 3 +-
 .../dnssec/tests_validation_multiview.py | 3 +-
 10 files changed, 24 insertions(+), 60 deletions(-)
diff --git a/bin/tests/system/dnssec/tests_badkey_broken.py b/bin/tests/system/dnssec/tests_badkey_broken.py
index 5d09a862ea..8b27e19110 100644
--- a/bin/tests/system/dnssec/tests_badkey_broken.py
+++ b/bin/tests/system/dnssec/tests_badkey_broken.py
@@ -17,19 +17,16 @@ import isctest


 @pytest.fixture(scope="module", autouse=True)
-def reconfigure(servers, templates):
- ns5 = servers["ns5"]
+def reconfigure(ns5, ns9, templates):
 templates.render("ns5/named.conf", {"broken_key": True})
 ns5.reconfigure(log=False)

- ns9 = servers["ns9"]
 templates.render("ns9/named.conf", {"forward_badkey": True})
 ns9.reconfigure(log=False)


-def test_broken_forwarding(servers):
+def test_broken_forwarding(ns9):
 # check forwarder CD behavior (forward server with bad trust anchor)
- ns9 = servers["ns9"]

 # confirm invalid trust anchor produces SERVFAIL in resolver
 msg = isctest.query.create("a.secure.example.", "A")
diff --git a/bin/tests/system/dnssec/tests_badkey_revoked.py b/bin/tests/system/dnssec/tests_badkey_revoked.py
index eba2eaba02..bc9a422dca 100644
--- a/bin/tests/system/dnssec/tests_badkey_revoked.py
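Review bot: The module-scoped autouse `reconfigure` fixture now takes `ns5` and `ns9` directly but still gives no hint that the rendered configurations persist for the whole module; its body, fully visible in this hunk, has no yield or teardown that restores them. A short docstring on the fixture, e.g. `"""Render ns5 with a broken trust anchor and ns9 forwarding to it; both servers stay in this state for the rest of the module."""`, would make that visible to anyone adding tests here. The same documentation gap applies to the other `reconfigure` fixtures touched by this commit (tests_badkey_revoked, tests_validation_accept_expired, tests_validation_managed_keys, tests_validation_many_anchors, tests_validation_multiview), as far as their bodies are visible.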
+++ b/bin/tests/system/dnssec/tests_badkey_revoked.py
@@ -15,8 +15,7 @@ import isctest


 @pytest.fixture(scope="module", autouse=True)
-def reconfigure(servers, templates):
- ns5 = servers["ns5"]
+def reconfigure(ns5, templates):
 templates.render("ns5/named.conf", {"revoked_key": True})
 ns5.reconfigure(log=False)

diff --git a/bin/tests/system/dnssec/tests_policy.py b/bin/tests/system/dnssec/tests_policy.py
index d76a0ed5f0..f32406def4 100644
--- a/bin/tests/system/dnssec/tests_policy.py
+++ b/bin/tests/system/dnssec/tests_policy.py
@@ -51,13 +51,12 @@ def is_rrsig_soa(rrset):
 return rrset.rdtype == rdatatype.RRSIG and rrset.covers == rdatatype.SOA


-def test_signatures_validity(servers, templates):
+def test_signatures_validity(ns3, templates):
 # check that increasing signatures-validity triggers resigning
 msg = isctest.query.create("siginterval.example.", "AXFR")
 res = isctest.query.tcp(msg, "10.53.0.3")
 before = next(filter(is_rrsig_soa, res.answer))

- ns3 = servers["ns3"]
 templates.render("ns3/named.conf", {"long_sigs": True})
 with ns3.watch_log_from_here() as watcher:
 ns3.reconfigure(log=False)
diff --git a/bin/tests/system/dnssec/tests_signing.py b/bin/tests/system/dnssec/tests_signing.py
index 617c62234f..2ff3e0e063 100644
--- a/bin/tests/system/dnssec/tests_signing.py
+++ b/bin/tests/system/dnssec/tests_signing.py
@@ -387,24 +387,19 @@ def test_cdnskey_signing():
 "signing -clear all", # without zone
 ],
 )
-def test_rndc_signing_except(cmd, servers):
- ns3 = servers["ns3"]
-
+def test_rndc_signing_except(cmd, ns3):
 # check that 'rndc signing' errors are handled
 with pytest.raises(isctest.rndc.RNDCException):
 ns3.rndc(cmd, log=False)
 ns3.rndc("status", log=False)


-def test_rndc_signing_output(servers):
- ns3 = servers["ns3"]
-
+def test_rndc_signing_output(ns3):
 response = ns3.rndc("signing -list dynamic.example", log=False)
 assert "No signing records found" in response


-def test_zonestatus_signing(servers):
- ns3 = servers["ns3"]
+def test_zonestatus_signing(ns3):
 # check that the correct resigning time is reported in zonestatus.
 # zonestatus reports a name/type and expecting resigning time;
 # we convert the time to seconds since epoch, look up the RRSIG
@@ -430,7 +425,7 @@ def test_zonestatus_signing(servers):
 assert when < sigs[0].expiration


-def test_offline_ksk_signing(servers):
+def test_offline_ksk_signing(ns2):
 def getfrom(file):
 with open(file, encoding="utf-8") as f:
 return f.read().strip()
@@ -487,7 +482,6 @@ def test_offline_ksk_signing(servers):

 ksk_only_types = ["DNSKEY", "CDNSKEY", "CDS"]

- ns2 = servers["ns2"]
 zone = "updatecheck-kskonly.secure"
 KSK = getfrom(f"ns2/{zone}.ksk.key")
 ZSK = getfrom(f"ns2/{zone}.zsk.key")
diff --git a/bin/tests/system/dnssec/tests_tat.py b/bin/tests/system/dnssec/tests_tat.py
index 97b5a253f3..48e7891ca3 100644
--- a/bin/tests/system/dnssec/tests_tat.py
+++ b/bin/tests/system/dnssec/tests_tat.py
@@ -47,10 +47,7 @@ pytestmark = pytest.mark.extra_artifacts(
 )


-def test_tat_queries(servers):
- ns1 = servers["ns1"]
- ns6 = servers["ns6"]
-
+def test_tat_queries(ns1, ns6):
 # check that trust-anchor-telemetry queries are logged
 with ns6.watch_log_from_start() as watcher:
 watcher.wait_for_line("sending trust-anchor-telemetry query '_ta-")
diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py
index 0e923a3440..36c743f6a0 100644
--- a/bin/tests/system/dnssec/tests_validation.py
+++ b/bin/tests/system/dnssec/tests_validation.py
@@ -116,7 +116,7 @@ def test_adflag():
 isctest.check.noadflag(res2)


-def test_secure_root(servers):
+def test_secure_root(ns4):
 # check that a query for a secure root validates
 msg = isctest.query.create(".", "KEY")
 res = isctest.query.tcp(msg, "10.53.0.4")
@@ -124,7 +124,6 @@ def test_secure_root(servers):
 isctest.check.adflag(res)

 # check that "rndc secroots" dumps the trusted keys
- ns4 = servers["ns4"]
 key = int(getfrom("ns1/managed.key.id"))
 alg = os.environ["DEFAULT_ALGORITHM"]
 expected = f"./{alg}/{key} ; static"
@@ -375,7 +374,7 @@ def test_signing_algorithms():
 isctest.check.adflag(res2)


-def test_private_algorithms(servers):
+def test_private_algorithms(ns4):
 # positive answer, private algorithm
 msg = isctest.query.create("a.rsasha256oid.example", "A")
 res1 = isctest.query.tcp(msg, "10.53.0.3")
@@ -398,7 +397,6 @@ def test_private_algorithms(servers):
 isctest.check.adflag(res2)

 # positive anwer, extra ds for unknown private algorithm
- ns4 = servers["ns4"]
 with ns4.watch_log_from_here() as watcher:
 msg = isctest.query.create("a.extradsunknownoid.example", "A")
 res1 = isctest.query.tcp(msg, "10.53.0.3")
@@ -704,9 +702,7 @@ def test_negative_validation_optout():
 isctest.check.servfail(res2)


-def test_cache(servers):
- ns4 = servers["ns4"]
-
+def test_cache(ns4):
 # check that key id's are logged when dumping the cache
 ns4.rndc("dumpdb -cache", log=False)
 assert grep_q("; key id = ", "ns4/named_dump.db")
@@ -755,7 +751,7 @@ def test_cache(servers):
 assert res1.authority[0].ttl != res2.authority[0].ttl


-def test_insecure_proof_nsec(servers):
+def test_insecure_proof_nsec(ns4):
 # 1-server positive
 msg = isctest.query.create("a.insecure.example", "A")
 res1 = isctest.query.tcp(msg, "10.53.0.3")
@@ -806,7 +802,6 @@ def test_insecure_proof_nsec(servers):
 isctest.check.noadflag(res2)

 # insecurity proof using negative cache
- ns4 = servers["ns4"]
 ns4.rndc("flush", log=False)
 msg = isctest.query.create("insecure.example", "DS", cd=True)
 isctest.query.tcp(msg, "10.53.0.4")
@@ -931,10 +926,7 @@ def test_positive_validation_multistage(qname):
 isctest.check.adflag(res2)


-def test_validation_recovery(servers):
- ns2 = servers["ns2"]
- ns4 = servers["ns4"]
-
+def test_validation_recovery(ns2, ns4):
 # check recovery from spoofed server address.
 # prime cache with spoofed address records...
 msg = isctest.query.create("target.peer-ns-spoof", "A", cd=True)
@@ -1070,10 +1062,7 @@ def test_transitions():
 assert str(a[0]) == "10.53.0.10"


-def test_validating_forwarder(servers):
- ns9 = servers["ns9"]
- ns4 = servers["ns4"]
-
+def test_validating_forwarder(ns4, ns9):
 # check validating forwarder behavior with mismatching NS
 ns4.rndc("flush", log=False)
 msg = isctest.query.create("inconsistent", "NS", dnssec=False, cd=True)
@@ -1111,7 +1100,7 @@ def test_validating_forwarder(servers):
 watcher.wait_for_line("status: SERVFAIL")


-def test_expired_signatures(servers):
+def test_expired_signatures(ns4):
 # check expired signatures do not validate
 msg = isctest.query.create("expired.example", "SOA")
 res = isctest.query.tcp(msg, "10.53.0.3")
@@ -1148,8 +1137,6 @@ def test_expired_signatures(servers):
 isctest.check.adflag(res)
 isctest.check.noerror(res)

- ns4 = servers["ns4"]
-
 # test TTL is capped at RRSIG expiry time
 ns4.rndc("flush", log=False)
 msg = isctest.query.create("expiring.example", "SOA", cd=True)
@@ -1256,12 +1243,11 @@ def test_broken_servers():
 isctest.check.noadflag(res)


-def test_pending_ds(servers):
+def test_pending_ds(ns4):
 # check that a query against a validating resolver succeeds when there is
 # a negative cache entry with trust level "pending" for the DS. prime
 # with a +cd DS query to produce the negative cache entry, then send a
 # query that uses that entry as part of the validation process.
- ns4 = servers["ns4"]
 ns4.rndc("flush", log=False)
 msg = isctest.query.create("insecure.example", "DS", cd=True)
 res = isctest.query.tcp(msg, "10.53.0.4")
diff --git a/bin/tests/system/dnssec/tests_validation_accept_expired.py b/bin/tests/system/dnssec/tests_validation_accept_expired.py
index 207fba1d00..43b44d8cff 100644
--- a/bin/tests/system/dnssec/tests_validation_accept_expired.py
+++ b/bin/tests/system/dnssec/tests_validation_accept_expired.py
@@ -17,15 +17,12 @@ import isctest


 @pytest.fixture(scope="module", autouse=True)
-def reconfigure(servers, templates):
- ns4 = servers["ns4"]
+def reconfigure(ns4, templates):
 templates.render("ns4/named.conf", {"accept_expired": True})
 ns4.reconfigure(log=False)


-def test_accept_expired(servers):
- ns4 = servers["ns4"]
-
+def test_accept_expired(ns4):
 # test TTL of about-to-expire rrsets with accept-expired
 ns4.rndc("flush", log=False)
 msg = isctest.query.create("expiring.example", "SOA")
diff --git a/bin/tests/system/dnssec/tests_validation_managed_keys.py b/bin/tests/system/dnssec/tests_validation_managed_keys.py
index 7195818d4b..a72c35ea44 100644
--- a/bin/tests/system/dnssec/tests_validation_managed_keys.py
+++ b/bin/tests/system/dnssec/tests_validation_managed_keys.py
@@ -18,8 +18,7 @@ import isctest


 @pytest.fixture(scope="module", autouse=True)
-def reconfigure(servers, templates):
- ns4 = servers["ns4"]
+def reconfigure(ns4, templates):
 assert os.path.exists("ns4/managed-keys.bind.jnl") is False
 shutil.copyfile("ns4/managed-keys.bind.in", "ns4/managed-keys.bind")
 templates.render("ns4/named.conf", {"managed_key": True})
@@ -32,7 +31,7 @@ def getfrom(file):
 return f.read().strip()


-def test_secure_root_managed(servers):
+def test_secure_root_managed(ns4):
 # check that a query for a secure root validates
 msg = isctest.query.create(".", "KEY")
 res = isctest.query.tcp(msg, "10.53.0.4")
@@ -40,7 +39,6 @@ def test_secure_root_managed(servers):
 isctest.check.adflag(res)

 # check that "rndc secroots" dumps the trusted keys
- ns4 = servers["ns4"]
 key = int(getfrom("ns1/managed.key.id"))
 alg = os.environ["DEFAULT_ALGORITHM"]
 expected = f"./{alg}/{key} ; managed"
@@ -101,8 +99,7 @@ def test_ds_managed():
 isctest.check.noerror(res2)


-def test_keydata_storage(servers):
- ns4 = servers["ns4"]
+def test_keydata_storage(ns4):
 ns4.rndc("managed-keys sync", log=False)
 with isctest.log.WatchLogFromStart("ns4/managed-keys.bind") as watcher:
 watcher.wait_for_line(["KEYDATA", "next refresh:"])
diff --git a/bin/tests/system/dnssec/tests_validation_many_anchors.py b/bin/tests/system/dnssec/tests_validation_many_anchors.py
index 47c3277ca5..fd6e10eb16 100644
--- a/bin/tests/system/dnssec/tests_validation_many_anchors.py
+++ b/bin/tests/system/dnssec/tests_validation_many_anchors.py
@@ -16,8 +16,7 @@ import isctest


 @pytest.fixture(scope="module", autouse=True)
-def reconfigure(servers, templates):
- ns5 = servers["ns5"]
+def reconfigure(ns5, templates):
 templates.render("ns5/named.conf", {"many_anchors": True})
 with ns5.watch_log_from_here() as watcher:
 ns5.reconfigure(log=False)
diff --git a/bin/tests/system/dnssec/tests_validation_multiview.py b/bin/tests/system/dnssec/tests_validation_multiview.py
index e8d21681f4..a1edf64be0 100644
--- a/bin/tests/system/dnssec/tests_validation_multiview.py
+++ b/bin/tests/system/dnssec/tests_validation_multiview.py
@@ -18,8 +18,7 @@ import isctest


 @pytest.fixture(scope="module", autouse=True)
-def reconfigure(servers, templates):
- ns4 = servers["ns4"]
+def reconfigure(ns4, templates):
 templates.render("ns4/named.conf", {"multi_view": True})
 ns4.reconfigure(log=False)
