mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-09-02 07:35:26 +00:00
Add two more nsec3 system tests
Add one more case that tests reconfiguring a zone to turn off inline-signing. It should still be a valid DNSSEC zone and the NSEC3 parameters should not change. Add another test to ensure that you cannot update the zone with a NSEC3 record.
This commit is contained in:
Matthijs Mekking
@@ -13,7 +13,7 @@
|
|||||||
|
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
rm -f dig.out.* rndc.signing.* verify.out.*
|
rm -f dig.out.* rndc.signing.* update.out.* verify.out.*
|
||||||
rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
|
rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
|
||||||
rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
|
rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
|
||||||
rm -f ns*/K*.private ns*/K*.key ns*/K*.state
|
rm -f ns*/K*.private ns*/K*.key ns*/K*.state
|
||||||
|
|||||||
@@ -185,10 +185,26 @@ zone "nsec3-fails-to-load.kasp" {
|
|||||||
allow-update { any; };
|
allow-update { any; };
|
||||||
};
|
};
|
||||||
|
|
||||||
/* The zone switches from dynamic to inline-signing. */
|
/* These zones switch from dynamic to inline-signing or vice versa. */
|
||||||
zone "nsec3-dynamic-to-inline.kasp" {
|
zone "nsec3-dynamic-to-inline.kasp" {
|
||||||
type primary;
|
type primary;
|
||||||
file "nsec3-dynamic-to-inline.kasp.db";
|
file "nsec3-dynamic-to-inline.kasp.db";
|
||||||
dnssec-policy "nsec3";
|
dnssec-policy "nsec3";
|
||||||
allow-update { any; };
|
allow-update { any; };
|
||||||
};
|
};
|
||||||
|
|
||||||
|
zone "nsec3-inline-to-dynamic.kasp" {
|
||||||
|
type primary;
|
||||||
|
file "nsec3-inline-to-dynamic.kasp.db";
|
||||||
|
inline-signing yes;
|
||||||
|
dnssec-policy "nsec3";
|
||||||
|
};
|
||||||
|
|
||||||
|
/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */
|
||||||
|
zone "nsec3-dynamic-update-inline.kasp" {
|
||||||
|
type primary;
|
||||||
|
file "nsec3-dynamic-update-inline.kasp.db";
|
||||||
|
inline-signing yes;
|
||||||
|
allow-update { any; };
|
||||||
|
dnssec-policy "nsec";
|
||||||
|
};
|
||||||
|
|||||||
@@ -194,7 +194,7 @@ zone "nsec3-fails-to-load.kasp" {
|
|||||||
allow-update { any; };
|
allow-update { any; };
|
||||||
};
|
};
|
||||||
|
|
||||||
/* The zone switches from dynamic to inline-signing. */
|
/* These zones switch from dynamic to inline-signing or vice versa. */
|
||||||
zone "nsec3-dynamic-to-inline.kasp" {
|
zone "nsec3-dynamic-to-inline.kasp" {
|
||||||
type primary;
|
type primary;
|
||||||
file "nsec3-dynamic-to-inline.kasp.db";
|
file "nsec3-dynamic-to-inline.kasp.db";
|
||||||
@@ -202,3 +202,11 @@ zone "nsec3-dynamic-to-inline.kasp" {
|
|||||||
dnssec-policy "nsec3";
|
dnssec-policy "nsec3";
|
||||||
allow-update { any; };
|
allow-update { any; };
|
||||||
};
|
};
|
||||||
|
|
||||||
|
zone "nsec3-inline-to-dynamic.kasp" {
|
||||||
|
type primary;
|
||||||
|
file "nsec3-inline-to-dynamic.kasp.db";
|
||||||
|
inline-signing no;
|
||||||
|
dnssec-policy "nsec3";
|
||||||
|
allow-update { any; };
|
||||||
|
};
|
||||||
|
|||||||
@@ -26,7 +26,8 @@ setup() {
|
|||||||
|
|
||||||
for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
|
for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
|
||||||
nsec3-to-optout nsec3-from-optout nsec3-dynamic \
|
nsec3-to-optout nsec3-from-optout nsec3-dynamic \
|
||||||
nsec3-dynamic-change nsec3-dynamic-to-inline
|
nsec3-dynamic-change nsec3-dynamic-to-inline \
|
||||||
|
nsec3-inline-to-dynamic nsec3-dynamic-update-inline
|
||||||
do
|
do
|
||||||
setup "${zn}.kasp"
|
setup "${zn}.kasp"
|
||||||
done
|
done
|
||||||
|
|||||||
@@ -304,6 +304,13 @@ set_key_default_values "KEY1"
|
|||||||
echo_i "initial check zone ${ZONE}"
|
echo_i "initial check zone ${ZONE}"
|
||||||
check_nsec3
|
check_nsec3
|
||||||
|
|
||||||
|
# Zone: nsec3-inline-to-dynamic.kasp.
|
||||||
|
set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
|
||||||
|
set_nsec3param "0" "0" "0"
|
||||||
|
set_key_default_values "KEY1"
|
||||||
|
echo_i "initial check zone ${ZONE}"
|
||||||
|
check_nsec3
|
||||||
|
|
||||||
# Zone: nsec3-to-nsec.kasp.
|
# Zone: nsec3-to-nsec.kasp.
|
||||||
set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600
|
set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600
|
||||||
set_nsec3param "0" "0" "0"
|
set_nsec3param "0" "0" "0"
|
||||||
@@ -332,7 +339,26 @@ set_key_default_values "KEY1"
|
|||||||
echo_i "initial check zone ${ZONE}"
|
echo_i "initial check zone ${ZONE}"
|
||||||
check_nsec3
|
check_nsec3
|
||||||
|
|
||||||
|
# Zone: nsec3-dynamic-update-inline.kasp.
|
||||||
|
set_zone_policy "nsec3-dynamic-update-inline.kasp" "nsec" 1 3600
|
||||||
|
set_key_default_values "KEY1"
|
||||||
|
echo_i "initial check zone ${ZONE}"
|
||||||
|
check_nsec
|
||||||
|
|
||||||
|
n=$((n+1))
|
||||||
|
echo_i "dynamic update dnssec-policy zone ${ZONE} with NSEC3 ($n)"
|
||||||
|
ret=0
|
||||||
|
$NSUPDATE > update.out.$ZONE.test$n 2>&1 << END || ret=1
|
||||||
|
server 10.53.0.3 ${PORT}
|
||||||
|
zone ${ZONE}.
|
||||||
|
update add 04O18462RI5903H8RDVL0QDT5B528DUJ.${ZONE}. 3600 NSEC3 0 0 0 408A4B2D412A4E95 1JMDDPMTFF8QQLIOINSIG4CR9OTICAOC A RRSIG
|
||||||
|
send
|
||||||
|
END
|
||||||
|
wait_for_log 10 "updating zone '${ZONE}/IN': update failed: explicit NSEC3 updates are not allowed in secure zones (REFUSED)" ns3/named.run || ret=1
|
||||||
|
check_nsec
|
||||||
|
|
||||||
# Reconfig named.
|
# Reconfig named.
|
||||||
|
ret=0
|
||||||
echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
|
echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
|
||||||
copy_setports ns3/named2.conf.in ns3/named.conf
|
copy_setports ns3/named2.conf.in ns3/named.conf
|
||||||
rndc_reconfig ns3 10.53.0.3
|
rndc_reconfig ns3 10.53.0.3
|
||||||
@@ -426,13 +452,20 @@ set_key_default_values "KEY1"
|
|||||||
echo_i "check zone ${ZONE} after reconfig"
|
echo_i "check zone ${ZONE} after reconfig"
|
||||||
check_nsec3
|
check_nsec3
|
||||||
|
|
||||||
# Zone: nsec3-dynamic-to-inline.kasp. (reconfigured)
|
# Zone: nsec3-dynamic-to-inline.kasp. (same)
|
||||||
set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
|
set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
|
||||||
set_nsec3param "0" "0" "0"
|
set_nsec3param "0" "0" "0"
|
||||||
set_key_default_values "KEY1"
|
set_key_default_values "KEY1"
|
||||||
echo_i "check zone ${ZONE} after reconfig"
|
echo_i "check zone ${ZONE} after reconfig"
|
||||||
check_nsec3
|
check_nsec3
|
||||||
|
|
||||||
|
# Zone: nsec3-inline-to-dynamic.kasp. (same)
|
||||||
|
set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
|
||||||
|
set_nsec3param "0" "0" "0"
|
||||||
|
set_key_default_values "KEY1"
|
||||||
|
echo_i "initial check zone ${ZONE}"
|
||||||
|
check_nsec3
|
||||||
|
|
||||||
# Zone: nsec3-to-nsec.kasp. (reconfigured)
|
# Zone: nsec3-to-nsec.kasp. (reconfigured)
|
||||||
set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600
|
set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600
|
||||||
set_nsec3param "1" "11" "8"
|
set_nsec3param "1" "11" "8"
|
||||||
|
|||||||
Reference in New Issue
Block a user