diff --git a/bin/tests/system/dnssec/ns3/expired.example.db.in b/bin/tests/system/dnssec/ns3/expired.example.db.in new file mode 100644 index 0000000000..8077ca66a8 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/expired.example.db.in @@ -0,0 +1,46 @@ +; Copyright (C) 2004, 2007, 2008, 2010 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2000, 2001 Internet Software Consortium. +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: expired.example.db.in,v 1.1 2011/02/08 03:47:02 marka Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + +nosoa NS ns.nosoa +ns.nosoa A 10.53.0.7 + +normalthenrrsig A 10.0.0.28 +rrsigonly A 10.0.0.29 diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf index 7513368358..a55cce609d 100644 --- a/bin/tests/system/dnssec/ns3/named.conf +++ b/bin/tests/system/dnssec/ns3/named.conf @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.38 2010/07/11 01:18:24 each Exp $ */ +/* $Id: named.conf,v 1.39 2011/02/08 03:47:02 marka Exp $ */ // NS3 @@ -166,4 +166,10 @@ zone "kskonly.example" { file "kskonly.example.db.signed"; }; +zone "expired.example" { + type master; + allow-update { none; }; + file "expired.example.db.signed"; +}; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index c63b8a3493..069e406c84 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: sign.sh,v 1.32 2010/01/18 23:48:40 tbox Exp $ +# $Id: sign.sh,v 1.33 2011/02/08 03:47:02 marka Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -260,3 +260,16 @@ kskname=`$KEYGEN -q -r $RANDFILE -fk $zone` zskname=`$KEYGEN -q -r $RANDFILE $zone` cat $infile $kskname.key $zskname.key >$zonefile $SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# A zone with the expired signatures +# +zone=expired.example. +infile=expired.example.db.in +zonefile=expired.example.db + +kskname=`$KEYGEN -q -r $RANDFILE -fk $zone` +zskname=`$KEYGEN -q -r $RANDFILE $zone` +cat $infile $kskname.key $zskname.key >$zonefile +$SIGNER -P -r $RANDFILE -o $zone -s -3h -e +1h $zonefile > /dev/null 2>&1 +rm -f $kskname.* $zskname.* diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index f9129f9fbf..39f1c20b28 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.73 2011/01/04 23:47:13 tbox Exp $ +# $Id: tests.sh,v 1.74 2011/02/08 03:47:02 marka Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh @@ -1107,5 +1107,13 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)" +ret=0 +$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns2.test$n || ret=1 +grep "RRSIG.SOA" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status