diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index 2985f1699a..4728e81c69 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -15,11 +15,12 @@ # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.11 2001/11/06 19:32:54 bwelling Exp $ +# $Id: clean.sh,v 1.12 2002/01/22 22:27:23 gson Exp $ rm -f */K* */keyset-* */signedkey-* */*.signed */trusted.conf */tmp* rm -f ns1/root.db ns2/example.db ns3/secure.example.db rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db +rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl rm -f dig.out.* rm -f random.data diff --git a/bin/tests/system/dnssec/dnssec_update_test.pl b/bin/tests/system/dnssec/dnssec_update_test.pl new file mode 100644 index 0000000000..0d40c4e581 --- /dev/null +++ b/bin/tests/system/dnssec/dnssec_update_test.pl 
@@ -0,0 +1,105 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2000, 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+#
+# DNSSEC Dynamic update test suite.
+#
+# Usage:
+#
+# perl update_test.pl [-s server] [-p port] zone
+#
+# The server defaults to 127.0.0.1.
+# The port defaults to 53.
+#
+# Installation notes:
+#
+# This program uses the Net::DNS::Resolver module.
+# You can install it by saying
+#
+# perl -MCPAN -e "install Net::DNS"
+#
+# $Id: dnssec_update_test.pl,v 1.1 2002/01/22 22:27:24 gson Exp $
+#
+
+use Getopt::Std;
+use Net::DNS;
+use Net::DNS::Update;
+use Net::DNS::Resolver;
+
+$opt_s = "127.0.0.1";
+$opt_p = 53;
+
+getopt('s:p:');
+
+$res = new Net::DNS::Resolver;
+$res->nameservers($opt_s);
+$res->port($opt_p);
+$res->defnames(0); # Do not append default domain.
+ +@ARGV == 1 or die + "usage: perl update_test.pl [-s server] [-p port] zone\n"; + +$zone = shift @ARGV; + +my $failures = 0; + +sub assert { + my ($cond, $explanation) = @_; + if (!$cond) { + print "I:Test Failed: $explanation ***\n"; + $failures++ + } +} + +sub test { + my ($expected, @records) = @_; + + my $update = new Net::DNS::Update("$zone"); + + foreach $rec (@records) { + $update->push(@$rec); + } + + $reply = $res->send($update); + + # Did it work? + if (defined $reply) { + my $rcode = $reply->header->rcode; + assert($rcode eq $expected, "expected $expected, got $rcode"); + } else { + print "I:Update failed: ", $res->errorstring, "\n"; + } +} + +sub section { + my ($msg) = @_; + print "I:$msg\n"; +} + +section("Add a name"); +test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.49")]); + +section("Delete the name"); +test("NOERROR", ["update", rr_del("a.$zone")]); + +if ($failures) { + print "I:$failures tests failed.\n"; +} else { + print "I:All tests successful.\n"; +} + +exit $failures; diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in index ada6cdef3a..d4d1bd58fc 100644 --- a/bin/tests/system/dnssec/ns2/example.db.in +++ b/bin/tests/system/dnssec/ns2/example.db.in @@ -13,7 +13,7 @@ ; NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION ; WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -; $Id: example.db.in,v 1.9 2001/09/19 21:19:50 gson Exp $ +; $Id: example.db.in,v 1.10 2002/01/22 22:27:25 gson Exp $ $TTL 300 ; 5 minutes @ IN SOA mname1. . ( @@ -58,11 +58,14 @@ ns.secure A 10.53.0.3 insecure NS ns.insecure ns.insecure A 10.53.0.3 - ; A secure subdomain we're going to inject bogus data into bogus NS ns.bogus ns.bogus A 10.53.0.3 +; A dynamic secure subdomain +dynamic NS dynamic +dynamic A 10.53.0.3 + z A 10.0.0.26 keyless NS ns.keyless diff --git a/bin/tests/system/dnssec/ns2/named.conf b/bin/tests/system/dnssec/ns2/named.conf index 35512780a6..c9a251ce29 100644 
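Review bot: In `test`, the `else` branch taken when `$res->send($update)` returns undef prints "I:Update failed" but never increments `$failures`, so the script still reaches `exit $failures` with 0 and the `|| status=1` in tests.sh treats an update that got no reply as a pass. Count it as a failure by adding `$failures++;` after that print. Separately, `getopt('s:p:')` uses the colon syntax that belongs to `getopts`; Getopt::Std's `getopt` takes only the switch letters, so `getopts('s:p:')` is probably what was meant. The script also runs without `use strict; use warnings;`, which would have flagged the undeclared `$rec` and `$reply`.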
--- a/bin/tests/system/dnssec/ns2/named.conf +++ b/bin/tests/system/dnssec/ns2/named.conf @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.17 2001/01/11 20:41:32 gson Exp $ */ +/* $Id: named.conf,v 1.18 2002/01/22 22:27:26 gson Exp $ */ // NS2 @@ -54,5 +54,4 @@ zone "insecure.secure.example" { allow-update { any; }; }; - include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index 8e2d561390..dc6e710a94 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -15,7 +15,7 @@ # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# $Id: sign.sh,v 1.16 2001/09/17 17:47:18 bwelling Exp $ +# $Id: sign.sh,v 1.17 2002/01/22 22:27:27 gson Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -33,21 +33,16 @@ keyname=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` ( cd ../ns3 && sh sign.sh ) -cp ../ns3/keyset-secure.example. . +for subdomain in secure bogus +do + cp ../ns3/keyset-$subdomain.example. . -$KEYSIGNER -r $RANDFILE keyset-secure.example. $keyname > /dev/null + $KEYSIGNER -r $RANDFILE keyset-$subdomain.example. $keyname > /dev/null -# This will leave two copies of the child's zone key in the signed db file; -# that shouldn't cause any problems. -cat signedkey-secure.example. >>../ns3/secure.example.db.signed - -cp ../ns3/keyset-bogus.example. . - -$KEYSIGNER -r $RANDFILE keyset-bogus.example. $keyname > /dev/null - -# This will leave two copies of the child's zone key in the signed db file; -# that shouldn't cause any problems. -cat signedkey-bogus.example. >>../ns3/bogus.example.db.signed + # This will leave two copies of the child's zone key in the signed db file; + # that shouldn't cause any problems. + cat signedkey-$subdomain.example. >>../ns3/$subdomain.example.db.signed +done $KEYSETTOOL -r $RANDFILE -t 3600 $keyname > /dev/null 
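Review bot: The new loop `for subdomain in secure bogus` in ns2/sign.sh leaves out `dynamic`, so the keyset that ns3/sign.sh now generates for dynamic.example is never copied here or signed with the parent key, and no signedkey record is appended to ../ns3/dynamic.example.db.signed. If dynamic.example is meant to validate through example., extend the list: `for subdomain in secure bogus dynamic`. This is possibly why the `grep "flags:.*ad.*QUERY"` check in tests.sh had to be commented out with "XXX why does this fail?". With that check disabled, the "positive validation of dynamic zone" test only compares the ns3 and ns4 answers and would pass on unvalidated data.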
diff --git a/bin/tests/system/dnssec/ns3/dynamic.example.db.in b/bin/tests/system/dnssec/ns3/dynamic.example.db.in new file mode 100644 index 0000000000..fb122ec363 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/dynamic.example.db.in @@ -0,0 +1,31 @@ +; Copyright (C) 2000, 2001 Internet Software Consortium. +; +; Permission to use, copy, modify, and distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM +; DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL +; IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL +; INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING +; FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, +; NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION +; WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +; $Id: dynamic.example.db.in,v 1.1 2002/01/22 22:27:28 gson Exp $ + +; This has the NS and glue at the apex because testing RT #2399 +; requires we have only one name in the zone at a certain point +; during the test. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ NS @ +@ A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf index cc29500d1e..66ab8dd509 100644 --- a/bin/tests/system/dnssec/ns3/named.conf +++ b/bin/tests/system/dnssec/ns3/named.conf @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.19 2001/09/19 21:19:51 gson Exp $ */ +/* $Id: named.conf,v 1.20 2002/01/22 22:27:28 gson Exp $ */ // NS3 
@@ -54,6 +54,12 @@ zone "bogus.example" { allow-update { any; }; }; +zone "dynamic.example" { + type master; + file "dynamic.example.db.signed"; + allow-update { any; }; +}; + zone "insecure.example" { type master; file "insecure.example.db"; diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index 538da201a9..d7a9784380 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -15,7 +15,7 @@ # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# $Id: sign.sh,v 1.14 2001/09/19 21:19:52 gson Exp $ +# $Id: sign.sh,v 1.15 2002/01/22 22:27:29 gson Exp $ RANDFILE=../random.data @@ -43,6 +43,18 @@ cat $infile $keyname.key >$zonefile $SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null +zone=dynamic.example. +infile=dynamic.example.db.in +zonefile=dynamic.example.db + +keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone` + +$KEYSETTOOL -r $RANDFILE -t 3600 $keyname.key > /dev/null + +cat $infile $keyname.key >$zonefile + +$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null + zone=keyless.example. infile=keyless.example.db.in zonefile=keyless.example.db diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 62ac3922be..f987d7d64b 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -15,7 +15,7 @@ # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.35 2001/09/19 21:19:48 gson Exp $ +# $Id: tests.sh,v 1.36 2002/01/22 22:27:24 gson Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh 
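Review bot: The new `zone "dynamic.example"` block in ns3/named.conf sets `allow-update { any; };` without a comment, which lets any client that can reach this server rewrite a signed zone without authentication. That matches the neighbouring test zones and appears to be what dnssec_update_test.pl relies on, since it sends unsigned updates. A one-line comment such as `// test only: unauthenticated updates, never copy into a production config` would keep the block from being reused as a template. The zone list continues outside the hunk.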
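Review bot: The dynamic.example key in ns3/sign.sh is generated with `-a RSA -b 768`, presumably to keep the test fast; a comment saying so, e.g. `# 768-bit key for test speed only; not a safe size for real zones`, would stop the line being copied into real signing scripts. None of the `$KEYGEN`, `$KEYSETTOOL` and `$SIGNER` calls in the added block checks its exit status. Unless the script enables `set -e` outside the hunk, a failed signing step would only show up later as a zone that fails to load. Appending `|| exit 1` to the `$SIGNER` line would make the failure visible where it happens.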
@@ -304,5 +304,27 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:checking positive validation of dynamic zone ($n)" +ret=0 +$DIG $DIGOPTS +noauth dynamic.example. SOA @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth dynamic.example. SOA @10.53.0.4 > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +# XXX why does this fail? +# grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +# Run a minimal update test if possible. This is really just +# a regression test for RT #2399; more tests should be added. + +if $PERL -e 'use Net::DNS;' 2>/dev/null +then + echo "I:running DNSSEC update test" + $PERL dnssec_update_test.pl -s 10.53.0.3 -p 5300 dynamic.example. || status=1 +else + echo "I:The DNSSEC update test requires the Net::DNS library." >&2 +fi + echo "I:exit status: $status" exit $status
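Review bot: When Net::DNS is missing, the `else` branch only writes a message to stderr and leaves `$status` untouched, so a run that never exercised the RT #2399 regression test ends with the same exit status as one that passed it. Print the skip on stdout alongside the other `I:` lines, e.g. `echo "I:skipping DNSSEC update test (Net::DNS not installed)"`, so it shows up in the test log. The call site also uses `|| status=1` where the rest of the file accumulates with `expr $status + $ret`; following that pattern keeps the failure count consistent.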