From ad91a70d155ee27a97ed9a7edad60c4d49d55789 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 21 Apr 2023 13:49:32 +1000
Subject: [PATCH] Check removal of ENT when subdomains are removed

Empty-non-terminal NSEC records where not always removed when the delegations generating them where removed via update. Check that they now are.
---
 bin/tests/system/autosign/clean.sh | 3 +-
 bin/tests/system/autosign/ns2/keygen.sh | 8 ++++
 bin/tests/system/autosign/ns2/named.conf.in | 9 ++++
 .../system/autosign/ns2/optout-with-ent.db.in | 22 +++++++++
 bin/tests/system/autosign/tests.sh | 45 ++++++++++++++++++-
 5 files changed, 84 insertions(+), 3 deletions(-)
 create mode 100644 bin/tests/system/autosign/ns2/optout-with-ent.db.in

diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh
index 091cf0ed3e..81589d7885 100644
--- a/bin/tests/system/autosign/clean.sh
+++ b/bin/tests/system/autosign/clean.sh
@@ -23,14 +23,13 @@ rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key
 rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
 rm -f dig.out.*
 rm -f digcomp.out.test*
-rm -f digcomp.out.test*
 rm -f noksk-ksk.key nozsk-ksk.key nozsk-zsk.key inaczsk-zsk.key inaczsk-ksk.key
 rm -f nopriv.key vanishing.key del1.key del2.key
 rm -f ns*/managed-keys.bind*
 rm -f ns*/named.lock
-rm -f ns*/named.lock
 rm -f ns1/root.db
 rm -f ns2/example.db
+rm -f ns2/optout-with-ent.db
 rm -f ns2/private.secure.example.db ns2/bar.db
 rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
 rm -f ns3/*.nzf
diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh
index 25b5faaf6b..8061adb6a5 100644
--- a/bin/tests/system/autosign/ns2/keygen.sh
+++ b/bin/tests/system/autosign/ns2/keygen.sh
@@ -54,3 +54,11 @@ do
 done
 $KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null
 $DSFROMKEY Kbar.+013+60101.key > dsset-bar.
+
+# a zone with empty non-terminals.
+zone=optout-with-ent
+zonefile=optout-with-ent.db
+infile=optout-with-ent.db.in
+cat $infile > $zonefile
+kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
+$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
diff --git a/bin/tests/system/autosign/ns2/named.conf.in b/bin/tests/system/autosign/ns2/named.conf.in
index 32c565d682..c155a3bb7d 100644
--- a/bin/tests/system/autosign/ns2/named.conf.in
+++ b/bin/tests/system/autosign/ns2/named.conf.in
@@ -97,4 +97,13 @@ zone "child.optout.example" {
 auto-dnssec maintain;
 };
 
+zone "optout-with-ent" {
+ type primary;
+ file "optout-with-ent.db";
+ allow-query { any; };
+ allow-transfer { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
 include "trusted.conf";
diff --git a/bin/tests/system/autosign/ns2/optout-with-ent.db.in b/bin/tests/system/autosign/ns2/optout-with-ent.db.in
new file mode 100644
index 0000000000..5a3e207f2c
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/optout-with-ent.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns2.example. . (
+ 2010042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2.example.
+sub1.ent NS .
+sub2.ent NS .
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 043626c462..d490adb381 100755
--- a/bin/tests/system/autosign/tests.sh
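Review bot: `kskname` is assigned from the `-fk` key generation on the second-to-last added line but nothing after it reads the variable, and the hunk runs to the end of keygen.sh, so unless a caller sources this script the assignment is dead; either drop it and redirect like the ZSK line, `$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone > /dev/null`, or keep it only if something elsewhere consumes it. A short comment would also help a reader see why this zone alone gets `-3`, e.g. `# NSEC3-capable keys: tests.sh converts this zone to NSEC3 opt-out and checks ENT NSEC3 removal`.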
+++ b/bin/tests/system/autosign/tests.sh
@@ -160,7 +160,7 @@ do
 $DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1
 grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1
 done
- for z in bar. example. private.secure.example.
+ for z in bar. example. private.secure.example. optout-with-ent.
 do
 $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
 grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
@@ -180,6 +180,9 @@ n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "done"; fi
 status=$((status + ret))
 
+echo_i "Convert optout-with-ent from nsec to nsec3"
+($RNDCCMD 10.53.0.2 signing -nsec3param 1 1 1 - optout-with-ent 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
+
 echo_i "Initial counts of RRSIG expiry fields values for auto signed zones"
 for z in .
 do
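Review bot: The `|| ret=1` on the new `$RNDCCMD ... signing -nsec3param` line sits after the previous check's `status=$((status + ret))` and before the next section, so inside this hunk it is paired with neither a `ret=0` reset nor a `status` accumulation; whether a failed conversion is ever reported depends on what the following "Initial counts" section does with `ret`, which is outside the hunk. Making the conversion its own numbered check (`ret=0` before the rndc line, `n=$((n + 1))` and `status=$((status + ret))` after it) would report the failure where it happens. Note also that `rndc signing -nsec3param` only schedules the chain change; the ENT check added at the end of this commit assumes the NSEC3 chain is complete by then, which the intervening tests presumably guarantee, but nothing in this hunk waits for it.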
@@ -1566,5 +1569,45 @@ n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+echo_i "check removal of ENT NSEC3 records when opt out delegations are removed ($n)"
+ret=0
+zone=optout-with-ent
+hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL
+# check that NSEC3 for ENT is present
+$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n
+grep "status: NOERROR" dig.out.pre.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n > /dev/null || ret=1
+grep "^${hash}.${zone}." dig.out.pre.ns2.test$n > /dev/null || ret=1
+# remove first delegation of two delegations, NSEC3 for ENT should remain.
+(
+echo zone $zone
+echo server 10.53.0.2 "$PORT"
+echo update del sub1.ent.$zone NS
+echo send
+) | $NSUPDATE
+# check that NSEC3 for ENT is still present
+$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n
+$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.mid.ns2.test$n
+grep "status: NOERROR" dig.out.mid.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n > /dev/null || ret=1
+grep "^${hash}.${zone}." dig.out.mid.ns2.test$n > /dev/null || ret=1
+# remove second delegation of two delegations, NSEC3 for ENT should be deleted.
+(
+echo zone $zone
+echo server 10.53.0.2 "$PORT"
+echo update del sub2.ent.$zone NS
+echo send
+) | $NSUPDATE
+# check that NSEC3 for ENT is gone present
+$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.post.ns2.test$n
+grep "status: NXDOMAIN" dig.out.post.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n > /dev/null || ret=1
+grep "^${hash}.${zone}." dig.out.post.ns2.test$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" > dig.out.axfr.ns2.test$n
+grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n > /dev/null && ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
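Review bot: Under `# check that NSEC3 for ENT is still present` the first `$DIG` line still writes to `dig.out.pre.ns2.test$n`, a copy-paste leftover that overwrites the pre-update capture taken a few lines earlier just before the `.mid.` file is written; drop that line so the pre, mid and post captures stay distinct for post-mortem. The AXFR is checked only with `grep ... && ret=1`, so a failed or timed-out transfer leaves an empty file and the check passes vacuously; append `|| ret=1` to the axfr `$DIG` line (the earlier loops in this file already do this for their dig calls) and to each `) | $NSUPDATE` so a rejected update is not masked by the later greps. The comment `# check that NSEC3 for ENT is gone present` should read `# check that NSEC3 for ENT is gone`. The literal `hash=` value also deserves a note such as `# NSEC3 owner-name hash of ent.${zone} for the "1 1 1 -" chain requested earlier in this script` so that a future change of hash parameters is traceable to this constant.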