mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-30 22:15:20 +00:00
Add two more nsec3 system tests
Add one more case that tests reconfiguring a zone to turn off inline-signing. It should still be a valid DNSSEC zone and the NSEC3 parameters should not change. Add another test to ensure that you cannot update the zone with a NSEC3 record.
This commit is contained in:
Matthijs Mekking
@@ -13,7 +13,7 @@
|
||||
|
||||
set -e
|
||||
|
||||
rm -f dig.out.* rndc.signing.* verify.out.*
|
||||
rm -f dig.out.* rndc.signing.* update.out.* verify.out.*
|
||||
rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
|
||||
rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
|
||||
rm -f ns*/K*.private ns*/K*.key ns*/K*.state
|
||||
|
||||
@@ -185,10 +185,26 @@ zone "nsec3-fails-to-load.kasp" {
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
/* The zone switches from dynamic to inline-signing. */
|
||||
/* These zones switch from dynamic to inline-signing or vice versa. */
|
||||
zone "nsec3-dynamic-to-inline.kasp" {
|
||||
type primary;
|
||||
file "nsec3-dynamic-to-inline.kasp.db";
|
||||
dnssec-policy "nsec3";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "nsec3-inline-to-dynamic.kasp" {
|
||||
type primary;
|
||||
file "nsec3-inline-to-dynamic.kasp.db";
|
||||
inline-signing yes;
|
||||
dnssec-policy "nsec3";
|
||||
};
|
||||
|
||||
/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */
|
||||
zone "nsec3-dynamic-update-inline.kasp" {
|
||||
type primary;
|
||||
file "nsec3-dynamic-update-inline.kasp.db";
|
||||
inline-signing yes;
|
||||
allow-update { any; };
|
||||
dnssec-policy "nsec";
|
||||
};
|
||||
|
||||
@@ -194,7 +194,7 @@ zone "nsec3-fails-to-load.kasp" {
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
/* The zone switches from dynamic to inline-signing. */
|
||||
/* These zones switch from dynamic to inline-signing or vice versa. */
|
||||
zone "nsec3-dynamic-to-inline.kasp" {
|
||||
type primary;
|
||||
file "nsec3-dynamic-to-inline.kasp.db";
|
||||
@@ -202,3 +202,11 @@ zone "nsec3-dynamic-to-inline.kasp" {
|
||||
dnssec-policy "nsec3";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "nsec3-inline-to-dynamic.kasp" {
|
||||
type primary;
|
||||
file "nsec3-inline-to-dynamic.kasp.db";
|
||||
inline-signing no;
|
||||
dnssec-policy "nsec3";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
@@ -26,7 +26,8 @@ setup() {
|
||||
|
||||
for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
|
||||
nsec3-to-optout nsec3-from-optout nsec3-dynamic \
|
||||
nsec3-dynamic-change nsec3-dynamic-to-inline
|
||||
nsec3-dynamic-change nsec3-dynamic-to-inline \
|
||||
nsec3-inline-to-dynamic nsec3-dynamic-update-inline
|
||||
do
|
||||
setup "${zn}.kasp"
|
||||
done
|
||||
|
||||
@@ -304,6 +304,13 @@ set_key_default_values "KEY1"
|
||||
echo_i "initial check zone ${ZONE}"
|
||||
check_nsec3
|
||||
|
||||
# Zone: nsec3-inline-to-dynamic.kasp.
|
||||
set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
|
||||
set_nsec3param "0" "0" "0"
|
||||
set_key_default_values "KEY1"
|
||||
echo_i "initial check zone ${ZONE}"
|
||||
check_nsec3
|
||||
|
||||
# Zone: nsec3-to-nsec.kasp.
|
||||
set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600
|
||||
set_nsec3param "0" "0" "0"
|
||||
@@ -332,7 +339,26 @@ set_key_default_values "KEY1"
|
||||
echo_i "initial check zone ${ZONE}"
|
||||
check_nsec3
|
||||
|
||||
# Zone: nsec3-dynamic-update-inline.kasp.
|
||||
set_zone_policy "nsec3-dynamic-update-inline.kasp" "nsec" 1 3600
|
||||
set_key_default_values "KEY1"
|
||||
echo_i "initial check zone ${ZONE}"
|
||||
check_nsec
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "dynamic update dnssec-policy zone ${ZONE} with NSEC3 ($n)"
|
||||
ret=0
|
||||
$NSUPDATE > update.out.$ZONE.test$n 2>&1 << END || ret=1
|
||||
server 10.53.0.3 ${PORT}
|
||||
zone ${ZONE}.
|
||||
update add 04O18462RI5903H8RDVL0QDT5B528DUJ.${ZONE}. 3600 NSEC3 0 0 0 408A4B2D412A4E95 1JMDDPMTFF8QQLIOINSIG4CR9OTICAOC A RRSIG
|
||||
send
|
||||
END
|
||||
wait_for_log 10 "updating zone '${ZONE}/IN': update failed: explicit NSEC3 updates are not allowed in secure zones (REFUSED)" ns3/named.run || ret=1
|
||||
check_nsec
|
||||
|
||||
# Reconfig named.
|
||||
ret=0
|
||||
echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
|
||||
copy_setports ns3/named2.conf.in ns3/named.conf
|
||||
rndc_reconfig ns3 10.53.0.3
|
||||
@@ -426,13 +452,20 @@ set_key_default_values "KEY1"
|
||||
echo_i "check zone ${ZONE} after reconfig"
|
||||
check_nsec3
|
||||
|
||||
# Zone: nsec3-dynamic-to-inline.kasp. (reconfigured)
|
||||
# Zone: nsec3-dynamic-to-inline.kasp. (same)
|
||||
set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
|
||||
set_nsec3param "0" "0" "0"
|
||||
set_key_default_values "KEY1"
|
||||
echo_i "check zone ${ZONE} after reconfig"
|
||||
check_nsec3
|
||||
|
||||
# Zone: nsec3-inline-to-dynamic.kasp. (same)
|
||||
set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
|
||||
set_nsec3param "0" "0" "0"
|
||||
set_key_default_values "KEY1"
|
||||
echo_i "initial check zone ${ZONE}"
|
||||
check_nsec3
|
||||
|
||||
# Zone: nsec3-to-nsec.kasp. (reconfigured)
|
||||
set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600
|
||||
set_nsec3param "1" "11" "8"
|
||||
|
||||
Reference in New Issue
Block a user