From df1aecd5ffa4a2ffad0d1b392d3855e492087b7e Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 4 May 2021 16:30:17 +0200
Subject: [PATCH] Add checkconf tests for [#2463]

Add two tests to make sure named-checkconf catches key-directory issues where a zone in multiple views uses the same directory but has different dnssec-policies. One test sets the key-directory specifically, the other inherits the default key-directory (NULL, aka the working directory).

Also update the good.conf test to allow zones in different views with the same key-directory if they use the same dnssec-policy.

Also allow zones in different views with different key-directories if they use different dnssec-policies.

Also allow zones in different views with the same key-directories if only one view uses a dnssec-policy (the other is set to "none").

Also allow zones in different views with the same key-directories if no views uses a dnssec-policy (zone in both views has the dnssec-policy set to "none").
---
 .../system/checkconf/bad-kasp-keydir1.conf | 42 +++++++++++++++++
 .../system/checkconf/bad-kasp-keydir2.conf | 40 ++++++++++++++++
 bin/tests/system/checkconf/good.conf | 46 +++++++++++++++++++
 bin/tests/system/checkconf/good.zonelist | 8 ++++
 bin/tests/system/checkconf/tests.sh | 4 ++
 5 files changed, 140 insertions(+)
 create mode 100644 bin/tests/system/checkconf/bad-kasp-keydir1.conf
 create mode 100644 bin/tests/system/checkconf/bad-kasp-keydir2.conf

diff --git a/bin/tests/system/checkconf/bad-kasp-keydir1.conf b/bin/tests/system/checkconf/bad-kasp-keydir1.conf
new file mode 100644
index 0000000000..5be13a1feb
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir1.conf
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key "keyforview1" {
+ algorithm "hmac-sha1";
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+ algorithm "hmac-sha1";
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+ match-clients { key "keyforview1"; };
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "default";
+ key-directory ".";
+ file "example1.db";
+ };
+};
+
+view "example2" {
+ match-clients { key "keyforview2"; };
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "insecure";
+ key-directory ".";
+ file "example2.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir2.conf b/bin/tests/system/checkconf/bad-kasp-keydir2.conf
new file mode 100644
index 0000000000..67161a8436
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir2.conf
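Review bot: Neither new fixture says what named-checkconf is expected to reject, so a reader has to compare the two views to notice that both `zone "example.net"` entries share `key-directory "."` while using different dnssec-policies ("default" vs "insecure"); the same gap exists in bad-kasp-keydir2.conf, where the shared directory is the implicit default rather than an explicit `"."`. A header comment after the license block would keep the intent visible through future edits, e.g. `/* Same zone in two views sharing one key-directory with different dnssec-policies: must be rejected. */`. The two TSIG keys exist only so that match-clients differs between the views; a new fixture might as well use hmac-sha256 rather than hmac-sha1 so that examples do not model the weaker algorithm, although that choice has no bearing on what the test checks.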
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key "keyforview1" {
+ algorithm "hmac-sha1";
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+ algorithm "hmac-sha1";
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+ match-clients { key "keyforview1"; };
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "default";
+ file "example1.db";
+ };
+};
+
+view "example2" {
+ match-clients { key "keyforview2"; };
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "insecure";
+ file "example2.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index e09b9e802b..6b950996cc 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -192,7 +192,53 @@ view "fourth" {
 file "dnssec-none.db";
 dnssec-policy "none";
 };
+ zone "dnssec-view1" {
+ type master;
+ file "dnssec-view41.db";
+ dnssec-policy "test";
+ };
+ zone "dnssec-view2" {
+ type master;
+ file "dnssec-view42.db";
+ };
+ zone "dnssec-view3" {
+ type master;
+ file "dnssec-view43.db";
+ dnssec-policy "none";
+ key-directory "keys";
+ };
+ zone "dnssec-view4" {
+ type master;
+ file "dnssec-view44.db";
+ dnssec-policy "none";
+ };
 dnssec-policy "default";
+ key-directory ".";
+};
+view "fifth" {
+ zone "dnssec-view1" {
+ type master;
+ file "dnssec-view51.db";
+ dnssec-policy "test";
+ };
+ zone "dnssec-view2" {
+ type master;
+ file "dnssec-view52.db";
+ dnssec-policy "test";
+ key-directory "keys";
+ };
+ zone "dnssec-view3" {
+ type master;
+ file "dnssec-view53.db";
+ dnssec-policy "default";
+ key-directory "keys";
+ };
+ zone "dnssec-view4" {
+ type master;
+ file "dnssec-view54.db";
+ dnssec-policy "none";
+ };
+ key-directory ".";
 };
 view "chaos" chaos {
 zone "hostname.bind" chaos {
diff --git a/bin/tests/system/checkconf/good.zonelist b/bin/tests/system/checkconf/good.zonelist
index b33d2fc239..08a5665afd 100644
--- a/bin/tests/system/checkconf/good.zonelist
+++ b/bin/tests/system/checkconf/good.zonelist
@@ -13,4 +13,12 @@ dnssec-test IN fourth master
 dnssec-default IN fourth master
 dnssec-inherit IN fourth master
 dnssec-none IN fourth master
+dnssec-view1 IN fourth master
+dnssec-view2 IN fourth master
+dnssec-view3 IN fourth master
+dnssec-view4 IN fourth master
+dnssec-view1 IN fifth master
+dnssec-view2 IN fifth master
+dnssec-view3 IN fifth master
+dnssec-view4 IN fifth master
 hostname.bind chaos chaos master
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index e6b2e16e40..23d2c430f9 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
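Review bot: The four new zone pairs in views "fourth" and "fifth" each exercise a different allowed key-directory/dnssec-policy combination from the commit message, but nothing in the file says which is which, so a maintainer who later touches the view-level `dnssec-policy "default";` or `key-directory ".";` could silently collapse two cases into one. A one-line comment above each zone would pin that down, e.g. `// dnssec-view1: same key-directory, same policy in both views`, `// dnssec-view2: different key-directory and different policy`, `// dnssec-view3: shared "keys" directory, only "fifth" has a policy`, `// dnssec-view4: no policy in either view`. The new zones also use `type master;` while the bad-kasp-keydir fixtures added in the same commit use `type primary;`; both are accepted, and matching the existing zones of good.conf is presumably the reason, but it is worth one sentence in the commit message. The enclosing `view "fourth"` block starts before this hunk.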
@@ -12,6 +12,8 @@ status=0 n=0 +mkdir keys + n=`expr $n + 1` echo_i "checking that named-checkconf handles a known good config ($n)" ret=0 @@ -549,5 +551,7 @@ grep "exceeds 100%" < checkconf.out$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi status=`expr $status + $ret` +rmdir keys + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1
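Review bot: `mkdir keys` in the first hunk is unguarded and its counterpart `rmdir keys` in the second hunk only runs if the script reaches its final lines, so an interrupted run leaves a `keys` directory behind and the next run's mkdir prints a "File exists" error (not fatal here since the script does not use set -e, but noisy in CI logs). `mkdir -p keys` makes the setup idempotent, and if this test directory has a clean.sh the directory should be removed there as well so cleanup does not depend on tests.sh running to completion. It is also not visible in these hunks how bad-kasp-keydir1.conf and bad-kasp-keydir2.conf are exercised; presumably an existing loop over bad-*.conf picks them up, which deserves a sentence in the commit message so the link between the fixtures and the new `keys` directory is explicit.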