diff --git a/bin/tests/system/dnssec/ns1/root.db b/bin/tests/system/dnssec/ns1/root.db.in
similarity index 100%
rename from bin/tests/system/dnssec/ns1/root.db
rename to bin/tests/system/dnssec/ns1/root.db.in
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index 6bc92470fe..c499988276 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -7,7 +7,9 @@ $TTL 300 ; 5 minutes 3600 ; minimum (1 hour) ) NS ns2 + NS ns3 ns2 A 10.53.0.2 +ns3 A 10.53.0.3 a A 10.0.0.1 b A 10.0.0.2
@@ -18,7 +20,12 @@ secure NS ns.secure ns.secure A 10.53.0.3 ; An insecure subdomain -insecure NS ns.secure +insecure NS ns.insecure ns.insecure A 10.53.0.3 + +; A secure subdomain we're going to inject bogus data into +bogus NS ns.bogus +ns.bogus A 10.53.0.3 + z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns2/named.conf b/bin/tests/system/dnssec/ns2/named.conf
index 70a29feea8..6d9209e8c8 100644
--- a/bin/tests/system/dnssec/ns2/named.conf
+++ b/bin/tests/system/dnssec/ns2/named.conf
@@ -16,3 +16,5 @@ zone "example" { allow-update { any; }; }; + +include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index fa8dda9a82..984d4f9e0b 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -13,27 +13,28 @@ keyname=`$KEYGEN -a RSA -b 768 -n zone $zone` cp ../ns3/secure.example.keyset . -$KEYSIGNER -v 9 secure.example.keyset $keyname +echo $KEYSIGNER secure.example.keyset $keyname +$KEYSIGNER secure.example.keyset $keyname # This will leave two copies of the child's zone key in the signed db file; # that shouldn't cause any problems. cat secure.example.signedkey >>../ns3/secure.example.db.signed +cp ../ns3/bogus.example.keyset . + +echo $KEYSIGNER bogus.example.keyset $keyname +$KEYSIGNER bogus.example.keyset $keyname + +# This will leave two copies of the child's zone key in the signed db file; +# that shouldn't cause any problems. +cat bogus.example.signedkey >>../ns3/bogus.example.db.signed + +echo $KEYSETTOOL $keyname $KEYSETTOOL $keyname cat $infile $keyname.key >$zonefile -$SIGNER -v 1 -o $zone $zonefile +echo $SIGNER -o $zone $zonefile +$SIGNER -o $zone $zonefile -# Configure the resolving server with a trusted key. - -cat $keyname.key | perl -n -e ' -my ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; -my $key = join("", @rest); -print <../ns4/trusted.conf
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
index 2644fec9bb..3a00d45d0f 100644
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -10,15 +10,28 @@ zone "." { file "root.hint"; }; +zone "example" { + type slave; + file "example.bk"; +} + zone "secure.example" { type master; file "secure.example.db.signed"; allow-update { any; }; }; +zone "bogus.example" { + type master; + file "bogus.example.db.signed"; + allow-update { any; }; +}; + zone "insecure.example" { type master; file "insecure.example.db"; allow-update { any; }; }; + +include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index c17be7edc7..c506c6ddf9 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
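Review bot: In ns2/sign.sh neither the `$KEYSIGNER` nor the `$SIGNER` calls written by this hunk have their exit status checked, so a failed signing step still reaches `cat bogus.example.signedkey >>../ns3/bogus.example.db.signed` and the servers start on a child zone whose signed key may be missing or stale. A validation result obtained that way says nothing about the validator; suggest `$KEYSIGNER bogus.example.keyset $keyname || exit 1` and the same guard on the secure.example call and on `$SIGNER`. The hunk also deletes the block that wrote `../ns4/trusted.conf`, while ns2/named.conf and ns3/named.conf now gain `include "trusted.conf";`. The replacement generator is presumably ns1/sign.sh, which is not in the visible diff, so confirm it writes the trust anchor into every directory that includes it. The script begins before this hunk.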
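Review bot: The added `zone "example"` statement in ns3/named.conf closes with `}` rather than `};` as rendered here, unlike every other zone statement in the hunk, and it declares `type slave;` with no `masters` list, so named would be expected to reject the file at load. Close it with `};` and add `masters { 10.53.0.2; };`, 10.53.0.2 being the address the example zone gives for ns2, which serves `example` per the ns2/named.conf hunk. ns3 also carries the signed secure.example and bogus.example zones, so a configuration that fails to load removes the validation targets, not just the zone transfer.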
@@ -6,9 +6,24 @@ zonefile=secure.example.db keyname=`$KEYGEN -a RSA -b 768 -n zone $zone` +echo $KEYSETTOOL $keyname.key $KEYSETTOOL $keyname.key cat $infile $keyname.key >$zonefile -$SIGNER -v 1 -o $zone $zonefile +echo $SIGNER -o $zone $zonefile +$SIGNER -o $zone $zonefile +zone=bogus.example. +infile=bogus.example.db.in +zonefile=bogus.example.db + +keyname=`$KEYGEN -a RSA -b 768 -n zone $zone` + +echo $KEYSETTOOL $keyname.key +$KEYSETTOOL $keyname.key + +cat $infile $keyname.key >$zonefile + +echo $SIGNER -o $zone $zonefile +$SIGNER -o $zone $zonefile
diff --git a/bin/tests/system/dnssec/ns4/named.conf b/bin/tests/system/dnssec/ns4/named.conf
index aa108e2c28..a9b159acdf 100644
--- a/bin/tests/system/dnssec/ns4/named.conf
+++ b/bin/tests/system/dnssec/ns4/named.conf
@@ -3,7 +3,6 @@ options { pid-file "named.pid"; listen-on { 10.53.0.4; }; recursion yes; - notify yes; }; zone "." {
diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh
index 4f684f4dcf..84d0c55301 100644
--- a/bin/tests/system/dnssec/setup.sh
+++ b/bin/tests/system/dnssec/setup.sh
@@ -1,17 +1,5 @@ #!/bin/sh -cd ns2 && sh sign.sh +cd ns1 && sh sign.sh -if [ $# -gt 0 ] -then - case $1 in - --badsig) - echo "injecting bogus data to force signature checking to fail..." >&2 - echo "a.secure.example. A 10.0.0.22" >>../ns3/secure.example.db.signed - ;; - - *) - echo "unknown option $1" >&2; exit 1 - ;; - esac -fi +#echo "a.bogus.example. A 10.0.0.22" >>../ns3/secure.example.db.signed
diff --git a/bin/tests/system/start.sh b/bin/tests/system/start.sh
index c583dc3ded..cf87cf90c4 100644
--- a/bin/tests/system/start.sh
+++ b/bin/tests/system/start.sh
@@ -3,6 +3,8 @@ # Start name servers for running system tests. # + +. ./conf.sh cd $1 for d in ns*
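Review bot: The added bogus.example block in ns3/sign.sh uses `$keyname` straight from the `$KEYGEN` backticks without checking that a key was produced, so a keygen failure falls through to `cat $infile $keyname.key >$zonefile` with an empty name and `$SIGNER` then runs on a zone that has no key. Add `[ -n "$keyname" ] || exit 1` after the assignment and `|| exit 1` on the `$KEYSETTOOL` and `$SIGNER` lines. The block is a line-for-line copy of the secure.example sequence above it, so a small shell function taking zone, infile and zonefile would keep the two from drifting. `bogus.example.db.in` is read here but is not added in any visible hunk; confirm it is part of the commit.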
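Review bot: Nothing in setup.sh injects bad data any more. The `--badsig` branch is gone and its only replacement is the commented-out `#echo "a.bogus.example. A 10.0.0.22" >>../ns3/secure.example.db.signed`, so as committed the validation-failure path that the new bogus.example zone exists for is never exercised. The commented line also appends an a.bogus.example record to the secure.example file, where it would be out of zone and would disturb the positive test. When it is enabled it should read `echo "a.bogus.example. A 10.0.0.22" >>../ns3/bogus.example.db.signed`. If the injection has to stay disabled for now, replace the dead line with a comment saying why and what re-enables it.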