mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-02 07:35:26 +00:00
Code Issues Releases Wiki Activity

Regression check for missing RRSIGs

Browse Source 
When transitioning from NSEC3 to NSEC the added records where not
being signed because the wrong time was being used to determine if
a key should be used or not.  Check that these records are actually
signed.
This commit is contained in:
Mark Andrews
2023-12-18 11:23:21 +11:00
parent 6066e41948
commit bdb42d3838
2 changed files with 13 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
bin/tests/system/autosign/ns3/named.conf.in
View File

@@ -261,7 +261,8 @@ zone "nsec3-to-nsec.example" {
file "nsec3-to-nsec.example.db"; file "nsec3-to-nsec.example.db";
allow-update { any; }; allow-update { any; };
inline-signing no; inline-signing no;
dnssec-policy nsec3; max-journal-size 10M;
dnssec-policy autosign;
}; };
zone "oldsigs.example" { zone "oldsigs.example" {

11
bin/tests/system/autosign/tests.sh
View File

@@ -1324,5 +1324,16 @@ n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret)) status=$((status + ret))
echo_i "check that the startup change from NSEC3 to NSEC is properly signed ($n)"
ret=0
$JOURNALPRINT ns3/nsec3-to-nsec.example.db.jnl \
| awk 'BEGIN { count=0; ok=0 }
$1 == "del" && $5 == "SOA" { count++; if (count == 2) { if (ok) { exit(0); } else { exit(1); } } }
$1 == "add" && $5 == "RRSIG" && $6 == "TYPE65534" { ok=1 }
' || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "exit status: $status" echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1 [ $status -eq 0 ] || exit 1