diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 18:37:14 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 18:37:14 +0000 |
| commit | ea648e70a989cca190cd7403fe892fd2dcc290b4 (patch) | |
| tree | e2b6b1c647da68b0d4d66082835e256eb30970e8 /bin/tests/system/dnssec | |
| parent | Initial commit. (diff) | |
| download | bind9-ea648e70a989cca190cd7403fe892fd2dcc290b4.tar.xz bind9-ea648e70a989cca190cd7403fe892fd2dcc290b4.zip | |
Adding upstream version 1:9.11.5.P4+dfsg.upstream/1%9.11.5.P4+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system/dnssec')
110 files changed, 7788 insertions, 0 deletions
diff --git a/bin/tests/system/dnssec/README b/bin/tests/system/dnssec/README new file mode 100644 index 0000000..c45bd71 --- /dev/null +++ b/bin/tests/system/dnssec/README @@ -0,0 +1,19 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +The test setup for the DNSSEC tests has a secure root. + +ns1 is the root server. + +ns2 and ns3 are authoritative servers for the various test domains. + +ns4 is a caching-only server, configured with the correct trusted key +for the root. + +ns5 is a caching-only server, configured with the an incorrect trusted +key for the root. It is used for testing failure cases. + +ns6 is a caching-only server configured to use DLV. + +ns7 is used for checking non-cacheable answers. diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh new file mode 100644 index 0000000..1873c4b --- /dev/null +++ b/bin/tests/system/dnssec/clean.sh @@ -0,0 +1,95 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed +rm -f */example.bk +rm -f */named.memstats +rm -f */named.run +rm -f */named.conf +rm -f */named.secroots +rm -f */tmp* */*.jnl */*.bk */*.jbk +rm -f */trusted.conf */managed.conf */revoked.conf +rm -f Kexample.* +rm -f canonical?.* +rm -f delv.out* +rm -f delve.out* +rm -f dig.out.* +rm -f dsfromkey.out.* +rm -f keygen.err +rm -f named.secroots.test* +rm -f nosign.before +rm -f ns*/*.nta +rm -f ns*/named.lock +rm -f ns1/managed.key.id +rm -f ns1/root.db ns2/example.db ns3/secure.example.db +rm -f ns2/algroll.db +rm -f ns2/badparam.db ns2/badparam.db.bad +rm -f ns2/cdnskey-update.secure.db +rm -f ns2/cdnskey.secure.db +rm -f ns2/cds-auto.secure.db ns2/cds-auto.secure.db.jnl +rm -f ns2/cds-update.secure.db ns2/cds-update.secure.db.jnl +rm -f ns2/cds.secure.db +rm -f ns2/dlv.db +rm -f ns2/in-addr.arpa.db +rm -f ns2/nsec3chain-test.db +rm -f ns2/private.secure.example.db +rm -f ns2/single-nsec3.db +rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db +rm -f ns3/badds.example.db +rm -f ns3/dnskey-nsec3-unknown.example.db +rm -f ns3/dnskey-nsec3-unknown.example.db.tmp +rm -f ns3/dnskey-unknown.example.db +rm -f ns3/dnskey-unknown.example.db.tmp +rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl +rm -f ns3/expired.example.db ns3/update-nsec3.example.db +rm -f ns3/expiring.example.db ns3/nosign.example.db +rm -f ns3/future.example.db ns3/trusted-future.key +rm -f ns3/inline.example.db.signed +rm -f ns3/kskonly.example.db +rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower +rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db +rm -f ns3/nsec3.nsec3.example.db +rm -f ns3/nsec3.optout.example.db +rm -f ns3/optout-unknown.example.db ns3/optout.example.db +rm -f ns3/optout.nsec3.example.db +rm -f ns3/optout.optout.example.db +rm -f ns3/publish-inactive.example.db +rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db +rm -f ns3/secure.below-cname.example.db +rm -f ns3/secure.nsec3.example.db +rm -f ns3/secure.optout.example.db +rm -f ns3/siginterval.conf +rm -f ns3/siginterval.example.db +rm -f ns3/split-dnssec.example.db +rm -f ns3/split-smart.example.db +rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed +rm -f ns3/ttlpatch.example.db.patched +rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db +rm -f ns3/revkey.example.db +rm -f ns3/managed-future.example.db +rm -f ns4/managed-keys.bind* +rm -f ns4/named_dump.db +rm -f ns6/optout-tld.db +rm -f ns7/multiple.example.bk ns7/nsec3.example.bk ns7/optout.example.bk +rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit +rm -f nsupdate.out* +rm -f rndc.out.* +rm -f signer/*.db +rm -f signer/example.db.after signer/example.db.before +rm -f signer/example.db.changed +rm -f signer/nsec3param.out +rm -f signer/signer.out.* +rm -f signer/general/signed.zone +rm -f signer/general/signer.out.* +rm -f signer/general/dsset* +rm -f signing.out* +rm -f signer/*.signed.pre* +rm -f signer/*.signed.post* diff --git a/bin/tests/system/dnssec/dnssec_update_test.pl b/bin/tests/system/dnssec/dnssec_update_test.pl new file mode 100644 index 0000000..6b7412e --- /dev/null +++ b/bin/tests/system/dnssec/dnssec_update_test.pl @@ -0,0 +1,97 @@ +#!/usr/bin/perl +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# DNSSEC Dynamic update test suite. +# +# Usage: +# +# perl update_test.pl [-s server] [-p port] zone +# +# The server defaults to 127.0.0.1. +# The port defaults to 53. +# +# Installation notes: +# +# This program uses the Net::DNS::Resolver module. +# You can install it by saying +# +# perl -MCPAN -e "install Net::DNS" +# + +use Getopt::Std; +use Net::DNS; +use Net::DNS::Update; +use Net::DNS::Resolver; + +$opt_s = "127.0.0.1"; +$opt_p = 53; + +getopt('s:p:'); + +$res = new Net::DNS::Resolver; +$res->nameservers($opt_s); +$res->port($opt_p); +$res->defnames(0); # Do not append default domain. + +@ARGV == 1 or die + "usage: perl update_test.pl [-s server] [-p port] zone\n"; + +$zone = shift @ARGV; + +my $failures = 0; + +sub assert { + my ($cond, $explanation) = @_; + if (!$cond) { + print "Test Failed: $explanation ***\n"; + $failures++ + } +} + +sub test { + my ($expected, @records) = @_; + + my $update = new Net::DNS::Update("$zone"); + + foreach $rec (@records) { + $update->push(@$rec); + } + + $reply = $res->send($update); + + # Did it work? + if (defined $reply) { + my $rcode = $reply->header->rcode; + assert($rcode eq $expected, "expected $expected, got $rcode"); + } else { + print "Update failed: ", $res->errorstring, "\n"; + } +} + +sub section { + my ($msg) = @_; + print "$msg\n"; +} + +section("Add a name"); +test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.49")]); + +section("Delete the name"); +test("NOERROR", ["update", rr_del("a.$zone")]); + +if ($failures) { + print "$failures update tests failed.\n"; +} else { + print "All update tests successful.\n"; +} + +exit $failures; diff --git a/bin/tests/system/dnssec/ns1/named.conf.in b/bin/tests/system/dnssec/ns1/named.conf.in new file mode 100644 index 0000000..4401f59 --- /dev/null +++ b/bin/tests/system/dnssec/ns1/named.conf.in @@ -0,0 +1,35 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS1 + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; + dnssec-validation yes; + /* test that we can turn off trust-anchor-telemetry */ + trust-anchor-telemetry no; +}; + +zone "." { + type master; + file "root.db.signed"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns1/root.db.in b/bin/tests/system/dnssec/ns1/root.db.in new file mode 100644 index 0000000..5ad5d9e --- /dev/null +++ b/bin/tests/system/dnssec/ns1/root.db.in @@ -0,0 +1,29 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +example. NS ns2.example. +ns2.example. A 10.53.0.2 +dlv. NS ns2.dlv. +ns2.dlv. A 10.53.0.2 +algroll NS ns2.algroll +ns2.algroll. A 10.53.0.2 +optout-tld NS ns6.optout-tld. +ns6.optout-tld. A 10.53.0.6 +in-addr.arpa. NS ns2.example. diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh new file mode 100644 index 0000000..198d60a --- /dev/null +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -0,0 +1,53 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=. +infile=root.db.in +zonefile=root.db + +(cd ../ns2 && $SHELL sign.sh ) +(cd ../ns6 && $SHELL sign.sh ) +(cd ../ns7 && $SHELL sign.sh ) + +cp ../ns2/dsset-example$TP . +cp ../ns2/dsset-dlv$TP . +cp ../ns2/dsset-in-addr.arpa$TP . + +grep "8 [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP +cp ../ns6/dsset-optout-tld$TP . + +keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` + +cat $infile $keyname.key > $zonefile + +$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null + +# Configure the resolving server with a trusted key. +keyfile_to_trusted_keys $keyname > trusted.conf +cp trusted.conf ../ns2/trusted.conf +cp trusted.conf ../ns3/trusted.conf +cp trusted.conf ../ns4/trusted.conf +cp trusted.conf ../ns6/trusted.conf +cp trusted.conf ../ns7/trusted.conf + +# ...or with a managed key. +keyfile_to_managed_keys $keyname > managed.conf +cp managed.conf ../ns4/managed.conf + +# +# Save keyid for managed key id test. +# +keyid=`expr $keyname : 'K.+001+\(.*\)'` +keyid=`expr $keyid + 0` +echo "$keyid" > managed.key.id diff --git a/bin/tests/system/dnssec/ns2/algroll.db.in b/bin/tests/system/dnssec/ns2/algroll.db.in new file mode 100644 index 0000000..73c0d6b --- /dev/null +++ b/bin/tests/system/dnssec/ns2/algroll.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 30 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 30 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 diff --git a/bin/tests/system/dnssec/ns2/badparam.db.in b/bin/tests/system/dnssec/ns2/badparam.db.in new file mode 100644 index 0000000..091e4ea --- /dev/null +++ b/bin/tests/system/dnssec/ns2/badparam.db.in @@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2010081000 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 diff --git a/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in new file mode 100644 index 0000000..e42cb4a --- /dev/null +++ b/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in @@ -0,0 +1,12 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in new file mode 100644 index 0000000..e42cb4a --- /dev/null +++ b/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in @@ -0,0 +1,12 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in new file mode 100644 index 0000000..e42cb4a --- /dev/null +++ b/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in @@ -0,0 +1,12 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in b/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in new file mode 100644 index 0000000..e42cb4a --- /dev/null +++ b/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in @@ -0,0 +1,12 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cds-update.secure.db.in b/bin/tests/system/dnssec/ns2/cds-update.secure.db.in new file mode 100644 index 0000000..e42cb4a --- /dev/null +++ b/bin/tests/system/dnssec/ns2/cds-update.secure.db.in @@ -0,0 +1,12 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cds.secure.db.in b/bin/tests/system/dnssec/ns2/cds.secure.db.in new file mode 100644 index 0000000..e42cb4a --- /dev/null +++ b/bin/tests/system/dnssec/ns2/cds.secure.db.in @@ -0,0 +1,12 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/child.nsec3.example.db b/bin/tests/system/dnssec/ns2/child.nsec3.example.db new file mode 100644 index 0000000..8c7db65 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/child.nsec3.example.db @@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2006081400 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ IN NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/child.optout.example.db b/bin/tests/system/dnssec/ns2/child.optout.example.db new file mode 100644 index 0000000..8c7db65 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/child.optout.example.db @@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2006081400 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ IN NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/dlv.db.in b/bin/tests/system/dnssec/ns2/dlv.db.in new file mode 100644 index 0000000..836359d --- /dev/null +++ b/bin/tests/system/dnssec/ns2/dlv.db.in @@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 diff --git a/bin/tests/system/dnssec/ns2/dst.example.db.in b/bin/tests/system/dnssec/ns2/dst.example.db.in new file mode 100644 index 0000000..769d2b5 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/dst.example.db.in @@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2.example. +a A 10.0.0.1 diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in new file mode 100644 index 0000000..0b831ec --- /dev/null +++ b/bin/tests/system/dnssec/ns2/example.db.in @@ -0,0 +1,160 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 + +; Used for testing ANY queries +foo TXT "testing" +foo A 10.0.1.0 + +bad-cname CNAME a +bad-dname DNAME @ + +; Used for testing CNAME queries +cname1 CNAME cname1-target +cname1-target TXT "testing cname" + +cname2 CNAME cname2-target +cname2-target TXT "testing cname" + +; Used for testing DNAME queries +dname1 DNAME dname1-target +foo.dname1-target TXT "testing dname" + +dname2 DNAME dname2-target +foo.dname2-target TXT "testing dname" + +; A secure subdomain +secure NS ns3.secure +ns3.secure A 10.53.0.3 + +; An insecure subdomain +insecure NS ns.insecure +ns.insecure A 10.53.0.3 + +; A secure subdomain we're going to inject bogus data into +bogus NS ns.bogus +ns.bogus A 10.53.0.3 + +; A subdomain with a corrupt DS +badds NS ns.badds +ns.badds A 10.53.0.3 + +; A dynamic secure subdomain +dynamic NS dynamic +dynamic A 10.53.0.3 + +; A insecure subdomain +mustbesecure NS ns.mustbesecure +ns.mustbesecure A 10.53.0.3 + +; A subdomain with expired signatures +expired NS ns.expired +ns.expired A 10.53.0.3 + +; A rfc2535 signed zone w/ CNAME +rfc2535 NS ns.rfc2535 +ns.rfc2535 A 10.53.0.3 + +z A 10.0.0.26 + +keyless NS ns.keyless +ns.keyless A 10.53.0.3 + +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 + +optout NS ns.optout +ns.optout A 10.53.0.3 + +nsec3-unknown NS ns.nsec3-unknown +ns.nsec3-unknown A 10.53.0.3 + +optout-unknown NS ns.optout-unknown +ns.optout-unknown A 10.53.0.3 + +dnskey-unknown NS ns.dnskey-unknown +ns.dnskey-unknown A 10.53.0.3 + +dnskey-nsec3-unknown NS ns.dnskey-nsec3-unknown +ns.dnskey-nsec3-unknown A 10.53.0.3 + +multiple NS ns.multiple +ns.multiple A 10.53.0.3 + +*.wild A 10.0.0.27 + +rsasha256 NS ns.rsasha256 +ns.rsasha256 A 10.53.0.3 + +rsasha512 NS ns.rsasha512 +ns.rsasha512 A 10.53.0.3 + +kskonly NS ns.kskonly +ns.kskonly A 10.53.0.3 + +update-nsec3 NS ns.update-nsec3 +ns.update-nsec3 A 10.53.0.3 + +auto-nsec NS ns.auto-nsec +ns.auto-nsec A 10.53.0.3 + +auto-nsec3 NS ns.auto-nsec3 +ns.auto-nsec3 A 10.53.0.3 + + +below-cname CNAME some.where.else. + +insecure.below-cname NS ns.insecure.below-cname +ns.insecure.below-cname A 10.53.0.3 + +secure.below-cname NS ns.secure.below-cname +ns.secure.below-cname A 10.53.0.3 + +ttlpatch NS ns.ttlpatch +ns.ttlpatch A 10.53.0.3 + +split-dnssec NS ns.split-dnssec +ns.split-dnssec A 10.53.0.3 + +split-smart NS ns.split-smart +ns.split-smart A 10.53.0.3 + +upper NS ns.upper +ns.upper A 10.53.0.3 + +LOWER NS NS.LOWER +NS.LOWER A 10.53.0.3 + +expiring NS ns.expiring +ns.expiring A 10.53.0.3 + +future NS ns.future +ns.future A 10.53.0.3 + +managed-future NS ns.managed-future +ns.managed-future A 10.53.0.3 + +revkey NS ns.revkey +ns.revkey A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in b/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in new file mode 100644 index 0000000..0884ad0 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. +; +; As we are testing empty zone behaviour ns3 doesn't need to be +; configured to serve 10.in-addr.arpa. +; +10 NS ns3.example. diff --git a/bin/tests/system/dnssec/ns2/insecure.secure.example.db b/bin/tests/system/dnssec/ns2/insecure.secure.example.db new file mode 100644 index 0000000..78f3325 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/insecure.secure.example.db @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in new file mode 100644 index 0000000..67cff87 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/named.conf.in @@ -0,0 +1,136 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; + dnssec-validation yes; + notify-delay 1; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "dlv" { + type master; + file "dlv.db.signed"; +}; + +zone "example" { + type master; + file "example.db.signed"; + allow-update { any; }; +}; + +zone "private.secure.example" { + type master; + file "private.secure.example.db.signed"; + allow-update { any; }; +}; + +zone "insecure.secure.example" { + type master; + file "insecure.secure.example.db"; + allow-update { any; }; +}; + +zone "rfc2335.example" { + type master; + file "rfc2335.example.db"; +}; + +zone "child.nsec3.example" { + type master; + file "child.nsec3.example.db"; + allow-update { none; }; +}; + +zone "child.optout.example" { + type master; + file "child.optout.example.db"; + allow-update { none; }; +}; + +zone "badparam" { + type master; + file "badparam.db.bad"; +}; + +zone "single-nsec3" { + type master; + file "single-nsec3.db.signed"; +}; + +zone "algroll" { + type master; + file "algroll.db.signed"; +}; + +zone "nsec3chain-test" { + type master; + file "nsec3chain-test.db.signed"; + allow-update {any;}; +}; + +zone "in-addr.arpa" { + type master; + file "in-addr.arpa.db.signed"; +}; + +zone "cds.secure" { + type master; + file "cds.secure.db.signed"; +}; + +zone "cds-update.secure" { + type master; + file "cds-update.secure.db.signed"; + allow-update { any; }; +}; + +zone "cds-auto.secure" { + type master; + file "cds-auto.secure.db.signed"; + auto-dnssec maintain; + allow-update { any; }; +}; + +zone "cdnskey.secure" { + type master; + file "cdnskey.secure.db.signed"; +}; + +zone "cdnskey-update.secure" { + type master; + file "cdnskey-update.secure.db.signed"; + allow-update { any; }; +}; + +zone "cdnskey-auto.secure" { + type master; + file "cdnskey-auto.secure.db.signed"; + auto-dnssec maintain; + allow-update { any; }; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns2/private.secure.example.db.in b/bin/tests/system/dnssec/ns2/private.secure.example.db.in new file mode 100644 index 0000000..98b43a0 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/private.secure.example.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.2 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +private2secure-nxdomain CNAME r.example. +*.wild CNAME s.example. diff --git a/bin/tests/system/dnssec/ns2/rfc2335.example.db b/bin/tests/system/dnssec/ns2/rfc2335.example.db new file mode 100644 index 0000000..b8b477e --- /dev/null +++ b/bin/tests/system/dnssec/ns2/rfc2335.example.db @@ -0,0 +1,103 @@ +; File written on Fri Apr 30 12:19:15 2004 +; dnssec_signzone version 9.2.4rc3 +rfc2335.example. 300 IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + 300 SIG SOA 1 2 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + nGPJKIzF7X/hMJbZURRz59UeEi/6HRxCn9Er + GqSnpw0Ea9Yx5Axu6sLKnF7jXlkZ6NHMCIpJ + +Lv+FDHXTs/dQg== ) + 300 NS ns.rfc2335.example. + 300 SIG NS 1 2 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + Q234AL9dJYMvxdWG33lpww6AJ3GplKp+ace7 + MUaj0oqDdkx4DtJF2XaP2xcqq7kTOObdQ8ES + vVxNThqOx7LFzg== ) + 300 KEY 256 3 1 ( + AQPZhzXIabI8y5ihWUw7F0WxN2MabnYWkOcV + Fn11NgaGSdjBSYPRMMwMCasD5N2KYPRUP83W + y8mj+ofcoW1FurcZ + ) ; key id = 47799 + 300 NXT a.rfc2335.example. NS SOA SIG KEY NXT + 300 SIG NXT 1 2 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + Y587mqNy6pBEfbsU6+weM2XRSqLwLwRT9Sl7 + oNuOK9kV3TR4R2M54m2S0MgJCXbRAwU+fF8Q + UbZkSTVe2N8Nyg== ) +a.rfc2335.example. 300 IN A 10.0.0.1 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + FnfWrcw5ire8ut25504zti5l///BdDMUAkJZ + UCLFiTW4lBGMcq1pqz64zltDZXCgJ3xUeQ2i + nRt19/ZxO6Z1KA== ) + 300 NXT b.rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + R6SpC3ndMVg4u/eZaaUsXSuMHV/hZXeaM/Op + bJLAe3KxMiOHfb6XgLy7wflAiC1xt6A9bWpy + kTc5T5gfic33kA== ) +b.rfc2335.example. 300 IN A 10.0.0.2 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + zjRsYXMGyhDI6ipDtu8YXC9XPN+3hGamzzxL + 8uPE/LPo+x19MNdbzEgWzlajAf1/mkSGr2jN + BDMVBA5NMKpwAA== ) + 300 NXT d.rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + aV87iZCYsC5Tqop827Zzb18TNqopGt0QynkR + gIF/lIHqZasNFRfaS1/nTnXdDKD8JS5IqxKb + oTJr5zswDAtCEw== ) +d.rfc2335.example. 300 IN A 10.0.0.4 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + NsKyvhUYZxTbOTBX4YwxTxevI5iGBpULKwmt + +D4l00ME4XRygOVmiqVDTT9dF1EgjDxOdfMT + hSjtCh5M1b2f6g== ) + 300 NXT ns.rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + OGqlvSDZIZdHYigh4UAFzXfPze7vcQfgj7sN + +cAeoh4BL1gpa00DqANCxowNCYluDk3ZCDwt + UHZEJa8ZjNvv4g== ) +ns.rfc2335.example. 300 IN A 10.53.0.3 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + T6ZGeUWflLTku8jO23x/TeAPeUl8t0I18FCh + qHUZaHomLQasQ2jlZQn6cLpFd2uFJkBNxZ0G + I39aG7G1bObXdA== ) + 300 NXT x.rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + l46mrf3/Ii5iRm3AiDjYeMg4ZXBgitHxXA2y + e/NhKpkxRRpCs7UQ94wT/RiSCjjK49E5FBe6 + 5bRxtWq0GI7zlg== ) +x.rfc2335.example. 300 IN CNAME a.rfc2335.example. + 300 SIG CNAME 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + L3IOluq+kboBd2gR2Mu54uJKCUzfmyHRiWKl + kfx+vuFr0I8mEHQRmJtouxNDrBzmzGp5vybK + SdabLWw0n6uQEA== ) + 300 NXT z.rfc2335.example. CNAME SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + CBKoJSkZzdpwiON7JS4yPFY5VVeBjfT19x/O + vx+5UK1JZUNKhTXWWgW1er+JlLzNf4Ot40+l + z9HUTyaeS0eWyw== ) +z.rfc2335.example. 300 IN A 10.0.0.26 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + ccqjVHnehvVwlNNd4+7n/GzGlRjj+ul0gCT3 + X3950LTccxHsOFyjNNm8v/Ho/aurSYdqXEjY + jwmjC6elwkzB7A== ) + 300 NXT rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + W42WoFyd9erysv8HjKo+CpHIH1x6+pAKwCDO + /hHnkEpQI3brewxl7cWOPYeA92Ns80Ody/ui + m2E28A5gnmWqPw== ) diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh new file mode 100644 index 0000000..9078459 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -0,0 +1,239 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=example. +infile=example.db.in +zonefile=example.db + +# Have the child generate a zone key and pass it to us. + +( cd ../ns3 && $SHELL sign.sh ) + +for subdomain in secure badds bogus dynamic keyless nsec3 optout \ + nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \ + kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \ + ttlpatch split-dnssec split-smart expired expiring upper lower \ + dnskey-unknown dnskey-nsec3-unknown managed-future revkey +do + cp ../ns3/dsset-$subdomain.example$TP . +done + +keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null + +# +# lower/uppercase the signature bits with the exception of the last characters +# changing the last 4 characters will lead to a bad base64 encoding. +# +$CHECKZONE -D -q -i local $zone $zonefile.signed | +awk ' +tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" { + for (i = 1; i <= NF; i++ ) { + if (i <= 12) { + printf("%s ", $i); + continue; + } + prefix = substr($i, 1, length($i) - 4); + suffix = substr($i, length($i) - 4, 4); + if (i > 12 && tolower(prefix) != prefix) + printf("%s%s", tolower(prefix), suffix); + else if (i > 12 && toupper(prefix) != prefix) + printf("%s%s", toupper(prefix), suffix); + else + printf("%s%s ", prefix, suffix); + } + printf("\n"); + next; +} + +tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" { + for (i = 1; i <= NF; i++ ) { + if (i <= 12) { + printf("%s ", $i); + continue; + } + prefix = substr($i, 1, length($i) - 4); + suffix = substr($i, length($i) - 4, 4); + if (i > 12 && tolower(prefix) != prefix) + printf("%s%s", tolower(prefix), suffix); + else if (i > 12 && toupper(prefix) != prefix) + printf("%s%s", toupper(prefix), suffix); + else + printf("%s%s ", prefix, suffix); + } + printf("\n"); + next; +} + +{ print; }' > $zonefile.signed++ && mv $zonefile.signed++ $zonefile.signed + +# +# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned. +# +zone=in-addr.arpa. +infile=in-addr.arpa.db.in +zonefile=in-addr.arpa.db + +keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile +$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null + +# Sign the privately secure file + +privzone=private.secure.example. +privinfile=private.secure.example.db.in +privzonefile=private.secure.example.db + +privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone` + +cat $privinfile $privkeyname.key >$privzonefile + +$SIGNER -P -g -r $RANDFILE -o $privzone -l dlv $privzonefile > /dev/null + +# Sign the DLV secure zone. + + +dlvzone=dlv. +dlvinfile=dlv.db.in +dlvzonefile=dlv.db +dlvsetfile=dlvset-`echo $privzone |sed -e "s/\.$//g"`$TP + +dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone` + +cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile + +$SIGNER -P -g -r $RANDFILE -o $dlvzone $dlvzonefile > /dev/null + +# Sign the badparam secure file + +zone=badparam. +infile=badparam.db.in +zonefile=badparam.db + +keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -P -3 - -H 1 -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null + +sed 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' $zonefile.signed > $zonefile.bad + +# Sign the single-nsec3 secure zone with optout + +zone=single-nsec3. +infile=single-nsec3.db.in +zonefile=single-nsec3.db + +keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -P -3 - -A -H 1 -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null + +# +# algroll has just has the old DNSKEY records removed and is waiting +# for them to be flushed from caches. We still need to generate +# RRSIGs for the old DNSKEY. +# +zone=algroll. +infile=algroll.db.in +zonefile=algroll.db + +keyold1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone` +keyold2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +keynew1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -fk $zone` +keynew2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` + +cat $infile $keynew1.key $keynew2.key >$zonefile + +$SIGNER -P -r $RANDFILE -o $zone -k $keyold1 -k $keynew1 $zonefile $keyold1 $keyold2 $keynew1 $keynew2 > /dev/null + +# +# Make a zone big enough that it takes several seconds to generate a new +# nsec3 chain. +# +zone=nsec3chain-test +zonefile=nsec3chain-test.db +cat > $zonefile << 'EOF' +$TTL 10 +@ 10 SOA ns2 hostmaster 0 3600 1200 864000 1200 +@ 10 NS ns2 +@ 10 NS ns3 +ns2 10 A 10.53.0.2 +ns3 10 A 10.53.0.3 +EOF +awk 'END { for (i = 0; i < 300; i++) + print "host" i, 10, "NS", "ns.elsewhere"; }' < /dev/null >> $zonefile +key1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -fk $zone` +key2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` +cat $key1.key $key2.key >> $zonefile +$SIGNER -P -3 - -A -H 1 -g -r $RANDFILE -o $zone -k $key1 $zonefile $key2 > /dev/null + +zone=cds.secure +infile=cds.secure.db.in +zonefile=cds.secure.db +key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone` +key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +$DSFROMKEY -C $key1.key > $key1.cds +cat $infile $key1.key $key2.key $key1.cds >$zonefile +$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null + +zone=cds-update.secure +infile=cds-update.secure.db.in +zonefile=cds-update.secure.db +key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone` +key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +cat $infile $key1.key $key2.key > $zonefile +$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null + +zone=cds-auto.secure +infile=cds-auto.secure.db.in +zonefile=cds-auto.secure.db +key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone` +key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +$DSFROMKEY -C $key1.key > $key1.cds +cat $infile $key1.cds > $zonefile.signed + +zone=cdnskey.secure +infile=cdnskey.secure.db.in +zonefile=cdnskey.secure.db +key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone` +key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cds +cat $infile $key1.key $key2.key $key1.cds >$zonefile +$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null + +zone=cdnskey-update.secure +infile=cdnskey-update.secure.db.in +zonefile=cdnskey-update.secure.db +key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone` +key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +cat $infile $key1.key $key2.key > $zonefile +$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null + +zone=cdnskey-auto.secure +infile=cdnskey-auto.secure.db.in +zonefile=cdnskey-auto.secure.db +key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone` +key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cds +cat $infile $key1.cds > $zonefile.signed diff --git a/bin/tests/system/dnssec/ns2/single-nsec3.db.in b/bin/tests/system/dnssec/ns2/single-nsec3.db.in new file mode 100644 index 0000000..6fe1dd0 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/single-nsec3.db.in @@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns2.example. . ( + 2010042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2.example. +delegation NS ns3.example. diff --git a/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in b/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in new file mode 100644 index 0000000..0e0e5e0 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in @@ -0,0 +1,38 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + +nosoa NS ns.nosoa +ns.nosoa A 10.53.0.7 + +normalthenrrsig A 10.0.0.28 +rrsigonly A 10.0.0.29 diff --git a/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in new file mode 100644 index 0000000..0e0e5e0 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in @@ -0,0 +1,38 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + +nosoa NS ns.nosoa +ns.nosoa A 10.53.0.7 + +normalthenrrsig A 10.0.0.28 +rrsigonly A 10.0.0.29 diff --git a/bin/tests/system/dnssec/ns3/bogus.example.db.in b/bin/tests/system/dnssec/ns3/bogus.example.db.in new file mode 100644 index 0000000..8d49000 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/bogus.example.db.in @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in new file mode 100644 index 0000000..e1475c5 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in @@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.e A 10.0.0.6 +child NS ns2.example. diff --git a/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in new file mode 100644 index 0000000..c9e7c2b --- /dev/null +++ b/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.e A 10.0.0.6 +child NS ns2.example. diff --git a/bin/tests/system/dnssec/ns3/dynamic.example.db.in b/bin/tests/system/dnssec/ns3/dynamic.example.db.in new file mode 100644 index 0000000..c7dab83 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/dynamic.example.db.in @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; This has the NS and glue at the apex because testing RT #2399 +; requires we have only one name in the zone at a certain point +; during the test. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ NS @ +@ A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns3/expired.example.db.in b/bin/tests/system/dnssec/ns3/expired.example.db.in new file mode 100644 index 0000000..af312f2 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/expired.example.db.in @@ -0,0 +1,42 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns + MX 10 mx +ns A 10.53.0.3 +mx A 10.0.0.30 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + +nosoa NS ns.nosoa +ns.nosoa A 10.53.0.7 + +normalthenrrsig A 10.0.0.28 +rrsigonly A 10.0.0.29 + + diff --git a/bin/tests/system/dnssec/ns3/expiring.example.db.in b/bin/tests/system/dnssec/ns3/expiring.example.db.in new file mode 100644 index 0000000..4d8db53 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/expiring.example.db.in @@ -0,0 +1,38 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns + MX 10 mx +ns A 10.53.0.3 +mx A 10.0.0.30 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.wild A 10.0.0.6 +child NS ns2.example. +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17 diff --git a/bin/tests/system/dnssec/ns3/future.example.db.in b/bin/tests/system/dnssec/ns3/future.example.db.in new file mode 100644 index 0000000..ddda25d --- /dev/null +++ b/bin/tests/system/dnssec/ns3/future.example.db.in @@ -0,0 +1,38 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.wild A 10.0.0.6 +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +child NS ns2.example. +insecure.empty NS ns.insecure.empty +ns.insecure.empty A 10.53.0.3 +foo.*.empty-wild NS ns diff --git a/bin/tests/system/dnssec/ns3/generic.example.db.in b/bin/tests/system/dnssec/ns3/generic.example.db.in new file mode 100644 index 0000000..dd1778e --- /dev/null +++ b/bin/tests/system/dnssec/ns3/generic.example.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a.b A 10.0.0.1 diff --git a/bin/tests/system/dnssec/ns3/inline.example.db b/bin/tests/system/dnssec/ns3/inline.example.db new file mode 100644 index 0000000..8655214 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/inline.example.db @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db b/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db new file mode 100644 index 0000000..8655214 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/insecure.example.db b/bin/tests/system/dnssec/ns3/insecure.example.db new file mode 100644 index 0000000..8655214 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/insecure.example.db @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db b/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db new file mode 100644 index 0000000..8655214 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/insecure.optout.example.db b/bin/tests/system/dnssec/ns3/insecure.optout.example.db new file mode 100644 index 0000000..8655214 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/insecure.optout.example.db @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/kskonly.example.db.in b/bin/tests/system/dnssec/ns3/kskonly.example.db.in new file mode 100644 index 0000000..cbfb691 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/kskonly.example.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a diff --git a/bin/tests/system/dnssec/ns3/lower.example.db.in b/bin/tests/system/dnssec/ns3/lower.example.db.in new file mode 100644 index 0000000..7a3879f --- /dev/null +++ b/bin/tests/system/dnssec/ns3/lower.example.db.in @@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA MNAME1. . ( + 2012042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ NS NS +NS A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns3/managed-future.example.db.in b/bin/tests/system/dnssec/ns3/managed-future.example.db.in new file mode 100644 index 0000000..ddda25d --- /dev/null +++ b/bin/tests/system/dnssec/ns3/managed-future.example.db.in @@ -0,0 +1,38 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.wild A 10.0.0.6 +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +child NS ns2.example. +insecure.empty NS ns.insecure.empty +ns.insecure.empty A 10.53.0.3 +foo.*.empty-wild NS ns diff --git a/bin/tests/system/dnssec/ns3/multiple.example.db.in b/bin/tests/system/dnssec/ns3/multiple.example.db.in new file mode 100644 index 0000000..c9e7c2b --- /dev/null +++ b/bin/tests/system/dnssec/ns3/multiple.example.db.in @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.e A 10.0.0.6 +child NS ns2.example. diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in new file mode 100644 index 0000000..14ebbc8 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/named.conf.in @@ -0,0 +1,298 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; + dnssec-validation yes; + session-keyfile "session.key"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type slave; + masters { 10.53.0.2; }; + file "example.bk"; +}; + +zone "secure.example" { + type master; + file "secure.example.db.signed"; + allow-update { any; }; +}; + +zone "bogus.example" { + type master; + file "bogus.example.db.signed"; + allow-update { any; }; +}; + +zone "badds.example" { + type master; + file "badds.example.db.signed"; + allow-update { any; }; +}; + +zone "dynamic.example" { + type master; + file "dynamic.example.db.signed"; + allow-update { any; }; +}; + +zone "insecure.example" { + type master; + file "insecure.example.db"; + allow-update { any; }; +}; + +zone "insecure.nsec3.example" { + type master; + file "insecure.nsec3.example.db"; + allow-update { any; }; +}; + +zone "insecure.optout.example" { + type master; + file "insecure.optout.example.db"; + allow-update { any; }; +}; + +zone "keyless.example" { + type master; + file "keyless.example.db.signed"; +}; + +zone "nsec3.example" { + type master; + file "nsec3.example.db.signed"; +}; + +zone "optout.nsec3.example" { + type master; + file "optout.nsec3.example.db.signed"; +}; + +zone "nsec3.nsec3.example" { + type master; + file "nsec3.nsec3.example.db.signed"; +}; + +zone "secure.nsec3.example" { + type master; + file "secure.nsec3.example.db.signed"; +}; + +zone "optout.example" { + type master; + file "optout.example.db.signed"; +}; + +zone "secure.optout.example" { + type master; + file "secure.optout.example.db.signed"; +}; + +zone "nsec3.optout.example" { + type master; + file "nsec3.optout.example.db.signed"; +}; + +zone "optout.optout.example" { + type master; + file "optout.optout.example.db.signed"; +}; + +zone "nsec3-unknown.example" { + type master; + nsec3-test-zone yes; + file "nsec3-unknown.example.db.signed"; +}; + +zone "optout-unknown.example" { + type master; + nsec3-test-zone yes; + file "optout-unknown.example.db.signed"; +}; + +zone "dnskey-unknown.example" { + type master; + file "dnskey-unknown.example.db.signed"; +}; + +zone "dnskey-nsec3-unknown.example" { + type master; + nsec3-test-zone yes; + file "dnskey-nsec3-unknown.example.db.signed"; +}; + +zone "multiple.example" { + type master; + file "multiple.example.db.signed"; + allow-update { any; }; +}; + +zone "rfc2335.example" { + type slave; + masters { 10.53.0.2; }; + file "rfc2335.example.bk"; +}; + +zone "rsasha256.example" { + type master; + file "rsasha256.example.db.signed"; +}; + +zone "rsasha512.example" { + type master; + file "rsasha512.example.db.signed"; +}; + +zone "kskonly.example" { + type master; + file "kskonly.example.db.signed"; +}; + +zone "expired.example" { + type master; + allow-update { none; }; + file "expired.example.db.signed"; +}; + +zone "update-nsec3.example" { + type master; + allow-update { any; }; + file "update-nsec3.example.db.signed"; +}; + +zone "auto-nsec.example" { + type master; + auto-dnssec maintain; + allow-update { !0.0.0.0; }; + file "auto-nsec.example.db.signed"; +}; + +zone "auto-nsec3.example" { + type master; + auto-dnssec maintain; + allow-update { !0.0.0.0; }; + file "auto-nsec3.example.db.signed"; +}; + +zone "insecure.below-cname.example" { + type master; + file "insecure.below-cname.example.db"; +}; + +zone "secure.below-cname.example" { + type master; + file "secure.below-cname.example.db.signed"; +}; + +zone "ttlpatch.example" { + type master; + file "ttlpatch.example.db.patched"; +}; + +zone "split-dnssec.example" { + type master; + file "split-dnssec.example.db"; +}; + +zone "split-smart.example" { + type master; + file "split-smart.example.db"; +}; + +zone "nsec3chain-test" { + type slave; + file "nsec3chain-test.bk"; + masters { 10.53.0.2; }; +}; + +zone "expiring.example" { + type master; + allow-update { any; }; + file "expiring.example.db.signed"; +}; + +zone "nosign.example" { + type master; + allow-update { any; }; + dnssec-update-mode no-resign; + file "nosign.example.db.signed"; +}; + +zone "upper.example" { + type master; + file "upper.example.db.signed"; +}; + +zone "LOWER.EXAMPLE" { + type master; + file "lower.example.db.signed"; +}; + +zone "inline.example" { + type master; + file "inline.example.db"; + inline-signing yes; + auto-dnssec maintain; +}; + +zone "publish-inactive.example" { + type master; + file "publish-inactive.example.db"; + auto-dnssec maintain; + update-policy local; +}; + +zone "future.example" { + type master; + file "future.example.db.signed"; +}; + +zone "managed-future.example" { + type master; + file "managed-future.example.db.signed"; + allow-update { any; }; +}; + +zone "revkey.example" { + type master; + file "revkey.example.db.signed"; +}; + +include "siginterval.conf"; + +include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns3/nosign.example.db.in b/bin/tests/system/dnssec/ns3/nosign.example.db.in new file mode 100644 index 0000000..f066e3c --- /dev/null +++ b/bin/tests/system/dnssec/ns3/nosign.example.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 diff --git a/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in b/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in new file mode 100644 index 0000000..c9e7c2b --- /dev/null +++ b/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.e A 10.0.0.6 +child NS ns2.example. diff --git a/bin/tests/system/dnssec/ns3/nsec3.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.example.db.in new file mode 100644 index 0000000..8761ebb --- /dev/null +++ b/bin/tests/system/dnssec/ns3/nsec3.example.db.in @@ -0,0 +1,36 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.wild A 10.0.0.6 +child NS ns2.example. +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17 diff --git a/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in new file mode 100644 index 0000000..3f10748 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in @@ -0,0 +1,33 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + diff --git a/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in new file mode 100644 index 0000000..3f10748 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in @@ -0,0 +1,33 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + diff --git a/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in b/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in new file mode 100644 index 0000000..c9e7c2b --- /dev/null +++ b/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.e A 10.0.0.6 +child NS ns2.example. diff --git a/bin/tests/system/dnssec/ns3/optout.example.db.in b/bin/tests/system/dnssec/ns3/optout.example.db.in new file mode 100644 index 0000000..ddda25d --- /dev/null +++ b/bin/tests/system/dnssec/ns3/optout.example.db.in @@ -0,0 +1,38 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.wild A 10.0.0.6 +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +child NS ns2.example. +insecure.empty NS ns.insecure.empty +ns.insecure.empty A 10.53.0.3 +foo.*.empty-wild NS ns diff --git a/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in new file mode 100644 index 0000000..3f10748 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in @@ -0,0 +1,33 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + diff --git a/bin/tests/system/dnssec/ns3/optout.optout.example.db.in b/bin/tests/system/dnssec/ns3/optout.optout.example.db.in new file mode 100644 index 0000000..3f10748 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/optout.optout.example.db.in @@ -0,0 +1,33 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + diff --git a/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in b/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in new file mode 100644 index 0000000..8655214 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/rsasha256.example.db.in b/bin/tests/system/dnssec/ns3/rsasha256.example.db.in new file mode 100644 index 0000000..862dadb --- /dev/null +++ b/bin/tests/system/dnssec/ns3/rsasha256.example.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a diff --git a/bin/tests/system/dnssec/ns3/rsasha512.example.db.in b/bin/tests/system/dnssec/ns3/rsasha512.example.db.in new file mode 100644 index 0000000..862dadb --- /dev/null +++ b/bin/tests/system/dnssec/ns3/rsasha512.example.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a diff --git a/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in b/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in new file mode 100644 index 0000000..8655214 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in new file mode 100644 index 0000000..9d310d8 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/secure.example.db.in @@ -0,0 +1,46 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 +d A 10.0.0.4 +e A 10.0.0.5 +f A 10.0.0.6 +g A 10.0.0.7 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns2.insecure +ns2.insecure A 10.53.0.2 + +nosoa NS ns.nosoa +ns.nosoa A 10.53.0.7 + +normalthenrrsig A 10.0.0.28 +rrsigonly A 10.0.0.29 + +cnameandkey CNAME @ +cnamenokey CNAME @ +dnameandkey DNAME @ diff --git a/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in new file mode 100644 index 0000000..3f10748 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in @@ -0,0 +1,33 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + diff --git a/bin/tests/system/dnssec/ns3/secure.optout.example.db.in b/bin/tests/system/dnssec/ns3/secure.optout.example.db.in new file mode 100644 index 0000000..3f10748 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/secure.optout.example.db.in @@ -0,0 +1,33 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + diff --git a/bin/tests/system/dnssec/ns3/siginterval.example.db.in b/bin/tests/system/dnssec/ns3/siginterval.example.db.in new file mode 100644 index 0000000..703a306 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/siginterval.example.db.in @@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2012042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ NS ns +ns A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns3/siginterval1.conf b/bin/tests/system/dnssec/ns3/siginterval1.conf new file mode 100644 index 0000000..092dcfa --- /dev/null +++ b/bin/tests/system/dnssec/ns3/siginterval1.conf @@ -0,0 +1,18 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +zone "siginterval.example" { + type master; + allow-update { any; }; + sig-validity-interval 1 23; + auto-dnssec maintain; + file "siginterval.example.db"; +}; diff --git a/bin/tests/system/dnssec/ns3/siginterval2.conf b/bin/tests/system/dnssec/ns3/siginterval2.conf new file mode 100644 index 0000000..9fab130 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/siginterval2.conf @@ -0,0 +1,18 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +zone "siginterval.example" { + type master; + allow-update { any; }; + sig-validity-interval 35 28; + auto-dnssec maintain; + file "siginterval.example.db"; +}; diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh new file mode 100644 index 0000000..330abf7 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -0,0 +1,545 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=secure.example. +infile=secure.example.db.in +zonefile=secure.example.db + +cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host cnameandkey.$zone` +dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host dnameandkey.$zone` +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` + +cat $infile $cnameandkey.key $dnameandkey.key $keyname.key >$zonefile + +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +zone=bogus.example. +infile=bogus.example.db.in +zonefile=bogus.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +zone=dynamic.example. +infile=dynamic.example.db.in +zonefile=dynamic.example.db + +keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +zone=keyless.example. +infile=generic.example.db.in +zonefile=keyless.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# Change the signer field of the a.b.keyless.example SIG A +# to point to a provably nonexistent KEY record. +mv $zonefile.signed $zonefile.tmp +<$zonefile.tmp $PERL -p -e 's/ keyless.example/ b.keyless.example/ + if /^a.b.keyless.example/../NXT/;' >$zonefile.signed +rm -f $zonefile.tmp + +# +# NSEC3/NSEC test zone +# +zone=secure.nsec3.example. +infile=secure.nsec3.example.db.in +zonefile=secure.nsec3.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# NSEC3/NSEC3 test zone +# +zone=nsec3.nsec3.example. +infile=nsec3.nsec3.example.db.in +zonefile=nsec3.nsec3.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# OPTOUT/NSEC3 test zone +# +zone=optout.nsec3.example. +infile=optout.nsec3.example.db.in +zonefile=optout.nsec3.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# A nsec3 zone (non-optout). +# +zone=nsec3.example. +infile=nsec3.example.db.in +zonefile=nsec3.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# OPTOUT/NSEC test zone +# +zone=secure.optout.example. +infile=secure.optout.example.db.in +zonefile=secure.optout.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# OPTOUT/NSEC3 test zone +# +zone=nsec3.optout.example. +infile=nsec3.optout.example.db.in +zonefile=nsec3.optout.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# OPTOUT/OPTOUT test zone +# +zone=optout.optout.example. +infile=optout.optout.example.db.in +zonefile=optout.optout.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# A optout nsec3 zone. +# +zone=optout.example. +infile=optout.example.db.in +zonefile=optout.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U). +# +zone=nsec3-unknown.example. +infile=nsec3-unknown.example.db.in +zonefile=nsec3-unknown.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# A optout nsec3 zone with a unknown nsec3 hash algorithm (-U). +# +zone=optout-unknown.example. +infile=optout-unknown.example.db.in +zonefile=optout-unknown.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# A zone with a unknown DNSKEY algorithm. +# Algorithm 7 is replaced by 100 in the zone and dsset. +# +zone=dnskey-unknown.example. +infile=dnskey-unknown.example.db.in +zonefile=dnskey-unknown.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -3 - -r $RANDFILE -o $zone -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1 + +awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed + +DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP +$DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE + +# +# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). +# Algorithm 7 is replaced by 100 in the zone and dsset. +# +zone=dnskey-nsec3-unknown.example. +infile=dnskey-nsec3-unknown.example.db.in +zonefile=dnskey-nsec3-unknown.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -3 - -r $RANDFILE -o $zone -U -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1 + +awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed + +DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP +$DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE + +# +# A multiple parameter nsec3 zone. +# +zone=multiple.example. +infile=multiple.example.db.in +zonefile=multiple.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +mv $zonefile.signed $zonefile +$SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +mv $zonefile.signed $zonefile +$SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +mv $zonefile.signed $zonefile +$SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +mv $zonefile.signed $zonefile +$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +mv $zonefile.signed $zonefile +$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# A RSASHA256 zone. +# +zone=rsasha256.example. +infile=rsasha256.example.db.in +zonefile=rsasha256.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# A RSASHA512 zone. +# +zone=rsasha512.example. +infile=rsasha512.example.db.in +zonefile=rsasha512.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA512 -b 1024 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# A zone with the DNSKEY set only signed by the KSK +# +zone=kskonly.example. +infile=kskonly.example.db.in +zonefile=kskonly.example.db + +kskname=`$KEYGEN -q -r $RANDFILE -fk $zone` +zskname=`$KEYGEN -q -r $RANDFILE $zone` +cat $infile $kskname.key $zskname.key >$zonefile +$SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# A zone with the expired signatures +# +zone=expired.example. +infile=expired.example.db.in +zonefile=expired.example.db + +kskname=`$KEYGEN -q -r $RANDFILE -fk $zone` +zskname=`$KEYGEN -q -r $RANDFILE $zone` +cat $infile $kskname.key $zskname.key >$zonefile +$SIGNER -P -r $RANDFILE -o $zone -s -1d -e +1h $zonefile > /dev/null 2>&1 +rm -f $kskname.* $zskname.* + +# +# A NSEC3 signed zone that will have a DNSKEY added to it via UPDATE. +# +zone=update-nsec3.example. +infile=update-nsec3.example.db.in +zonefile=update-nsec3.example.db + +kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` +zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` +cat $infile $kskname.key $zskname.key >$zonefile +$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# A NSEC signed zone that will have auto-dnssec enabled and +# extra keys not in the initial signed zone. +# +zone=auto-nsec.example. +infile=auto-nsec.example.db.in +zonefile=auto-nsec.example.db + +kskname=`$KEYGEN -q -r $RANDFILE -fk $zone` +zskname=`$KEYGEN -q -r $RANDFILE $zone` +kskname=`$KEYGEN -q -r $RANDFILE -fk $zone` +zskname=`$KEYGEN -q -r $RANDFILE $zone` +cat $infile $kskname.key $zskname.key >$zonefile +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# A NSEC3 signed zone that will have auto-dnssec enabled and +# extra keys not in the initial signed zone. +# +zone=auto-nsec3.example. +infile=auto-nsec3.example.db.in +zonefile=auto-nsec3.example.db + +kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` +zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` +kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` +zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` +cat $infile $kskname.key $zskname.key >$zonefile +$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# Secure below cname test zone. +# +zone=secure.below-cname.example. +infile=secure.below-cname.example.db.in +zonefile=secure.below-cname.example.db +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +cat $infile $keyname.key >$zonefile +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# Patched TTL test zone. +# +zone=ttlpatch.example. +infile=ttlpatch.example.db.in +zonefile=ttlpatch.example.db +signedfile=ttlpatch.example.db.signed +patchedfile=ttlpatch.example.db.patched + +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` +cat $infile $keyname.key >$zonefile + +$SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1 +$CHECKZONE -D -s full $zone $signedfile 2> /dev/null | \ + awk '{$2 = "3600"; print}' > $patchedfile + +# +# Seperate DNSSEC records. +# +zone=split-dnssec.example. +infile=split-dnssec.example.db.in +zonefile=split-dnssec.example.db +signedfile=split-dnssec.example.db.signed + +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` +cat $infile $keyname.key >$zonefile +echo '$INCLUDE "'"$signedfile"'"' >> $zonefile +: > $signedfile +$SIGNER -P -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1 + +# +# Seperate DNSSEC records smart signing. +# +zone=split-smart.example. +infile=split-smart.example.db.in +zonefile=split-smart.example.db +signedfile=split-smart.example.db.signed + +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` +cp $infile $zonefile +echo '$INCLUDE "'"$signedfile"'"' >> $zonefile +: > $signedfile +$SIGNER -P -S -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1 + +# +# Zone with signatures about to expire, but no private key to replace them +# +zone="expiring.example." +infile="expiring.example.db.in" +zonefile="expiring.example.db" +signedfile="expiring.example.db.signed" +kskname=`$KEYGEN -q -r $RANDFILE $zone` +zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +cp $infile $zonefile +$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1 +mv -f ${zskname}.private ${zskname}.private.moved +mv -f ${kskname}.private ${kskname}.private.moved + +# +# A zone where the signer's name has been forced to uppercase. +# +zone="upper.example." +infile="upper.example.db.in" +zonefile="upper.example.db" +lower="upper.example.db.lower" +signedfile="upper.example.db.signed" +kskname=`$KEYGEN -q -r $RANDFILE $zone` +zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +cp $infile $zonefile +$SIGNER -P -S -r $RANDFILE -o $zone -f $lower $zonefile > /dev/null 2>/dev/null +$CHECKZONE -D upper.example $lower 2>/dev/null | \ + sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile + +# +# Check that the signer's name is in lower case when zone name is in +# upper case. +# +zone="LOWER.EXAMPLE." +infile="lower.example.db.in" +zonefile="lower.example.db" +signedfile="lower.example.db.signed" +kskname=`$KEYGEN -q -r $RANDFILE $zone` +zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +cp $infile $zonefile +$SIGNER -P -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# Zone with signatures about to expire, and dynamic, but configured +# not to resign with 'auto-resign no;' +# +zone="nosign.example." +infile="nosign.example.db.in" +zonefile="nosign.example.db" +signedfile="nosign.example.db.signed" +kskname=`$KEYGEN -q -r $RANDFILE $zone` +zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +cp $infile $zonefile +$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1 +# preserve a normalized copy of the NS RRSIG for comparison later +$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \ + awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \ + sed 's/[ ][ ]*/ /g'> ../nosign.before + +# +# An inline signing zone +# +zone=inline.example. +kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` +zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` + +# +# publish a new key while deactivating another key at the same time. +# +zone=publish-inactive.example +infile=publish-inactive.example.db.in +zonefile=publish-inactive.example.db +now=`date -u +%Y%m%d%H%M%S` +kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -f KSK $zone` +kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone` +zskname=`$KEYGEN -q -r $RANDFILE $zone` +cp $infile $zonefile +$SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# A zone which will change its sig-validity-interval +# +zone=siginterval.example +infile=siginterval.example.db.in +zonefile=siginterval.example.db +kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` +zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` +cp $infile $zonefile + +# +# A zone with a bad DS in the parent +# (sourced from bogus.example.db.in) +# +zone=badds.example. +infile=bogus.example.db.in +zonefile=badds.example.db + +keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP + +# +# A zone with future signatures. +# +zone=future.example +infile=future.example.db.in +zonefile=future.example.db +kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +zskname=`$KEYGEN -q -r $RANDFILE $zone` +cat $infile $kskname.key $zskname.key >$zonefile +$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 +cp -f $kskname.key trusted-future.key + +# +# A zone with future signatures. +# +zone=managed-future.example +infile=managed-future.example.db.in +zonefile=managed-future.example.db +kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +zskname=`$KEYGEN -q -r $RANDFILE $zone` +cat $infile $kskname.key $zskname.key >$zonefile +$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# A zone with a revoked key +# +zone=revkey.example. +infile=generic.example.db.in +zonefile=revkey.example.db + +ksk1=`$KEYGEN -q -r $RANDFILE -3fk $zone` +ksk1=`$REVOKE $ksk1` +ksk2=`$KEYGEN -q -r $RANDFILE -3fk $zone` +zsk1=`$KEYGEN -q -r $RANDFILE -3 $zone` + +cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile + +$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 diff --git a/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in b/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in new file mode 100644 index 0000000..8761ebb --- /dev/null +++ b/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in @@ -0,0 +1,36 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.wild A 10.0.0.6 +child NS ns2.example. +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17 diff --git a/bin/tests/system/dnssec/ns3/split-smart.example.db.in b/bin/tests/system/dnssec/ns3/split-smart.example.db.in new file mode 100644 index 0000000..8761ebb --- /dev/null +++ b/bin/tests/system/dnssec/ns3/split-smart.example.db.in @@ -0,0 +1,36 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.wild A 10.0.0.6 +child NS ns2.example. +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17 diff --git a/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in b/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in new file mode 100644 index 0000000..8655214 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in new file mode 100644 index 0000000..0e0e5e0 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in @@ -0,0 +1,38 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + +nosoa NS ns.nosoa +ns.nosoa A 10.53.0.7 + +normalthenrrsig A 10.0.0.28 +rrsigonly A 10.0.0.29 diff --git a/bin/tests/system/dnssec/ns3/upper.example.db.in b/bin/tests/system/dnssec/ns3/upper.example.db.in new file mode 100644 index 0000000..703a306 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/upper.example.db.in @@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2012042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ NS ns +ns A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns4/named1.conf.in b/bin/tests/system/dnssec/ns4/named1.conf.in new file mode 100644 index 0000000..d3e221e --- /dev/null +++ b/bin/tests/system/dnssec/ns4/named1.conf.in @@ -0,0 +1,53 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS4 + +options { + query-source address 10.53.0.4 dscp 1; + notify-source 10.53.0.4 dscp 2; + transfer-source 10.53.0.4 dscp 3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion yes; + acache-enable yes; + dnssec-enable yes; + dnssec-validation yes; + dnssec-must-be-secure mustbesecure.example yes; + + nta-lifetime 12s; + nta-recheck 9s; + + # Note: We only reference the bind.keys file here to confirm that it + # is *not* being used. It contains the real root key, and we're + # using a local toy root zone for the tests, so it wouldn't work. + # But since dnssec-validation is set to "yes" not "auto", that + # won't matter. + bindkeys-file "../../../../../bind.keys"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns4/named2.conf.in b/bin/tests/system/dnssec/ns4/named2.conf.in new file mode 100644 index 0000000..da6f831 --- /dev/null +++ b/bin/tests/system/dnssec/ns4/named2.conf.in @@ -0,0 +1,42 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS4 + +options { + query-source address 10.53.0.4 dscp 4; + notify-source 10.53.0.4 dscp 5; + transfer-source 10.53.0.4 dscp 6; + dscp 16; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion yes; + acache-enable yes; + dnssec-enable yes; + dnssec-validation auto; + bindkeys-file "managed.conf"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; diff --git a/bin/tests/system/dnssec/ns4/named3.conf.in b/bin/tests/system/dnssec/ns4/named3.conf.in new file mode 100644 index 0000000..d6cfd45 --- /dev/null +++ b/bin/tests/system/dnssec/ns4/named3.conf.in @@ -0,0 +1,42 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS4 + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion yes; + acache-enable yes; + dnssec-enable yes; + dnssec-validation auto; + bindkeys-file "managed.conf"; + dnssec-accept-expired yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in new file mode 100644 index 0000000..017c540 --- /dev/null +++ b/bin/tests/system/dnssec/ns4/named4.conf.in @@ -0,0 +1,42 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS4 + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion yes; + acache-enable no; + dnssec-enable yes; + dnssec-validation auto; + bindkeys-file "managed.conf"; + dnssec-accept-expired yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; diff --git a/bin/tests/system/dnssec/ns4/named5.conf.in b/bin/tests/system/dnssec/ns4/named5.conf.in new file mode 100644 index 0000000..0878c15 --- /dev/null +++ b/bin/tests/system/dnssec/ns4/named5.conf.in @@ -0,0 +1,76 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS4 + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +key auth { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +include "trusted.conf"; + +view rec { + match-recursive-only yes; + recursion yes; + acache-enable yes; + dnssec-validation yes; + dnssec-accept-expired yes; + + zone "." { + type hint; + file "../../common/root.hint"; + }; + + zone secure.example { + type static-stub; + server-addresses { 10.53.0.4; }; + }; + + zone insecure.secure.example { + type static-stub; + server-addresses { 10.53.0.4; }; + }; +}; + +view auth { + recursion no; + allow-recursion { none; }; + + zone secure.example { + type slave; + masters { 10.53.0.3; }; + }; + + zone insecure.secure.example { + type slave; + masters { 10.53.0.2; }; + }; +}; diff --git a/bin/tests/system/dnssec/ns5/named1.conf.in b/bin/tests/system/dnssec/ns5/named1.conf.in new file mode 100644 index 0000000..ddd0343 --- /dev/null +++ b/bin/tests/system/dnssec/ns5/named1.conf.in @@ -0,0 +1,43 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS5 + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion yes; + acache-enable yes; + dnssec-enable yes; + dnssec-validation yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns5/named2.conf.in b/bin/tests/system/dnssec/ns5/named2.conf.in new file mode 100644 index 0000000..8aa4e69 --- /dev/null +++ b/bin/tests/system/dnssec/ns5/named2.conf.in @@ -0,0 +1,50 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS5 + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; 127.0.0.1; }; + listen-on-v6 { none; }; + recursion yes; +}; + +view root { + match-destinations { 127.0.0.1; }; + + zone "." { + type master; + file "root.db.signed"; + }; +}; + +view other { +include "revoked.conf"; + + zone "." { + type static-stub; + server-addresses { 127.0.0.1; }; + }; +}; diff --git a/bin/tests/system/dnssec/ns5/sign.sh b/bin/tests/system/dnssec/ns5/sign.sh new file mode 100644 index 0000000..93ca676 --- /dev/null +++ b/bin/tests/system/dnssec/ns5/sign.sh @@ -0,0 +1,29 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=. +infile=../ns1/root.db.in +zonefile=root.db.signed + +keyname=`$KEYGEN -r $RANDFILE -qfk $zone` + +# copy the KSK out first, then revoke it +keyfile_to_managed_keys $keyname > revoked.conf + +$SETTIME -R now ${keyname}.key > /dev/null + +# create a current set of keys, and sign the root zone +$KEYGEN -r $RANDFILE -q $zone > /dev/null +$KEYGEN -r $RANDFILE -qfk $zone > /dev/null +$SIGNER -S -r $RANDFILE -o $zone -f $zonefile $infile > /dev/null 2>&1 diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad new file mode 100644 index 0000000..ed30460 --- /dev/null +++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad @@ -0,0 +1,14 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +trusted-keys { + "." 256 3 1 "AQO6Cl+slAf+iuieDim9L3kujFHQD7s/IOj03ClMOpKYcTXtK4mRpuULVfvWxDi9Ew/gj0xLnnX7z9OJHIxLI+DSrAHd8Dm0XfBEAtVtJSn70GaPZgnLMw1rk5ap2DsEoWk="; +}; diff --git a/bin/tests/system/dnssec/ns6/named.args b/bin/tests/system/dnssec/ns6/named.args new file mode 100644 index 0000000..04cf949 --- /dev/null +++ b/bin/tests/system/dnssec/ns6/named.args @@ -0,0 +1 @@ +-m record,size,mctx -c named.conf -d 99 -X named.lock -g -T nonearest -T clienttest -T tat=1 diff --git a/bin/tests/system/dnssec/ns6/named.conf.in b/bin/tests/system/dnssec/ns6/named.conf.in new file mode 100644 index 0000000..0fb1091 --- /dev/null +++ b/bin/tests/system/dnssec/ns6/named.conf.in @@ -0,0 +1,41 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS6 + +options { + query-source address 10.53.0.6; + notify-source 10.53.0.6; + transfer-source 10.53.0.6; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.6; }; + listen-on-v6 { none; }; + recursion yes; + acache-enable yes; + notify yes; + disable-algorithms . { DSA; }; + dnssec-enable yes; + dnssec-validation yes; + dnssec-lookaside . trust-anchor dlv; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "optout-tld" { + type master; + file "optout-tld.db.signed"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns6/optout-tld.db.in b/bin/tests/system/dnssec/ns6/optout-tld.db.in new file mode 100644 index 0000000..b90c9ea --- /dev/null +++ b/bin/tests/system/dnssec/ns6/optout-tld.db.in @@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 60 +optout-tld. 60 IN SOA example. . 0 0 0 0 0 +optout-tld. 60 IN NS ns6.optout-tld. +ns6.optout-tld. 60 IN A 10.53.0.6 +a 60 PTR example. +b 60 PTR example. +a.b.c.d 60 NS example. +e 60 PTR example. +f 60 PTR example. +g 60 PTR example. +h 60 PTR example. diff --git a/bin/tests/system/dnssec/ns6/sign.sh b/bin/tests/system/dnssec/ns6/sign.sh new file mode 100644 index 0000000..3092b5f --- /dev/null +++ b/bin/tests/system/dnssec/ns6/sign.sh @@ -0,0 +1,23 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=optout-tld +infile=optout-tld.db.in +zonefile=optout-tld.db + +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone` + +cat $infile $keyname.key >$zonefile + +$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 diff --git a/bin/tests/system/dnssec/ns7/named.conf.in b/bin/tests/system/dnssec/ns7/named.conf.in new file mode 100644 index 0000000..2dc2a9c --- /dev/null +++ b/bin/tests/system/dnssec/ns7/named.conf.in @@ -0,0 +1,75 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +options { + query-source address 10.53.0.7; + notify-source 10.53.0.7; + transfer-source 10.53.0.7; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.7; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; + dnssec-validation yes; + minimal-responses yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "nsec3.example" { + type slave; + masters { 10.53.0.3; }; + file "nsec3.example.bk"; +}; + +zone "optout.example" { + type slave; + masters { 10.53.0.3; }; + file "optout.example.bk"; +}; + +zone "nsec3-unknown.example" { + type slave; + masters { 10.53.0.3; }; + file "nsec3-unknown.example.bk"; +}; + +zone "optout-unknown.example" { + type slave; + masters { 10.53.0.3; }; + file "optout-unknown.example.bk"; +}; + +zone "multiple.example" { + type slave; + masters { 10.53.0.3; }; + file "multiple.example.bk"; +}; + +zone "nosoa.secure.example" { + type master; + file "nosoa.secure.example.db"; +}; + +zone "split-rrsig" { + type master; + file "split-rrsig.db.signed"; + allow-update { any; }; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns7/named.nosoa b/bin/tests/system/dnssec/ns7/named.nosoa new file mode 100644 index 0000000..a7af1dd --- /dev/null +++ b/bin/tests/system/dnssec/ns7/named.nosoa @@ -0,0 +1,5 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +Add -T nosoa. diff --git a/bin/tests/system/dnssec/ns7/nosoa.secure.example.db b/bin/tests/system/dnssec/ns7/nosoa.secure.example.db new file mode 100644 index 0000000..e894947 --- /dev/null +++ b/bin/tests/system/dnssec/ns7/nosoa.secure.example.db @@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2010062400 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ IN NS ns +ns IN A 10.53.0.7 +a IN A 1.2.3.4 diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh new file mode 100644 index 0000000..a4cf78f --- /dev/null +++ b/bin/tests/system/dnssec/ns7/sign.sh @@ -0,0 +1,28 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=split-rrsig +infile=split-rrsig.db.in +zonefile=split-rrsig.db + +k1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone` +k2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone` + +cat $infile $k1.key $k2.key >$zonefile + +$SIGNER -P -3 - -A -r $RANDFILE -o $zone -O full -f $zonefile.unsplit -e now-3600 -s now-7200 $zonefile > /dev/null 2>&1 +awk 'BEGIN { r = ""; } + $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; } + { print } + END { print r }' $zonefile.unsplit > $zonefile.signed diff --git a/bin/tests/system/dnssec/ns7/split-rrsig.db.in b/bin/tests/system/dnssec/ns7/split-rrsig.db.in new file mode 100644 index 0000000..14300c3 --- /dev/null +++ b/bin/tests/system/dnssec/ns7/split-rrsig.db.in @@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +split-rrsig. 3660 IN SOA . . ( + 1 ; serial + 3600 ; refresh (1 hour) + 3600 ; retry (1 hour) + 3600 ; expire (1 hour) + 3600 ; minimum (1 hour) + ) + 3660 NS ns.example. +a.split-rrsig. 3660 IN A 192.0.2.2 +b.split-rrsig. 3660 IN A 192.0.2.2 diff --git a/bin/tests/system/dnssec/ntadiff.pl b/bin/tests/system/dnssec/ntadiff.pl new file mode 100755 index 0000000..e49ae14 --- /dev/null +++ b/bin/tests/system/dnssec/ntadiff.pl @@ -0,0 +1,22 @@ +#!/usr/bin/perl -w +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +use strict; +use Time::Piece; +use Time::Seconds; + +exit 1 if (scalar(@ARGV) != 2); + +my $actual = Time::Piece->strptime($ARGV[0], '%d-%b-%Y %H:%M:%S.000 %z'); +my $expected = Time::Piece->strptime($ARGV[1], '%s') + ONE_WEEK; +my $diff = abs($actual - $expected); + +print($diff . "\n"); diff --git a/bin/tests/system/dnssec/prereq.sh b/bin/tests/system/dnssec/prereq.sh new file mode 100644 index 0000000..9c1d276 --- /dev/null +++ b/bin/tests/system/dnssec/prereq.sh @@ -0,0 +1,26 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +if $PERL -e 'use Net::DNS;' 2>/dev/null +then + if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.70);' 2>/dev/null + then + : + else + echo_i "Net::DNS versions 0.69 to 0.70 have bugs that cause this test to fail: please update." >&2 + exit 1 + fi +fi + +exec $SHELL ../testcrypto.sh diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh new file mode 100644 index 0000000..6bf41a0 --- /dev/null +++ b/bin/tests/system/dnssec/setup.sh @@ -0,0 +1,41 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +$SHELL clean.sh + +test -r $RANDFILE || $GENRANDOM 400 $RANDFILE + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf + +copy_setports ns4/named1.conf.in ns4/named.conf +copy_setports ns5/named1.conf.in ns5/named.conf + +copy_setports ns6/named.conf.in ns6/named.conf +copy_setports ns7/named.conf.in ns7/named.conf + +cd ns1 +$SHELL sign.sh + +echo "a.bogus.example. A 10.0.0.22" >>../ns3/bogus.example.db.signed +echo "b.bogus.example. A 10.0.0.23" >>../ns3/bogus.example.db.signed +echo "c.bogus.example. A 10.0.0.23" >>../ns3/bogus.example.db.signed + +cd ../ns3 +cp -f siginterval1.conf siginterval.conf + +cd ../ns5 +cp -f trusted.conf.bad trusted.conf +$SHELL sign.sh diff --git a/bin/tests/system/dnssec/signer/example.db.in b/bin/tests/system/dnssec/signer/example.db.in new file mode 100644 index 0000000..dbf60c1 --- /dev/null +++ b/bin/tests/system/dnssec/signer/example.db.in @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 60 +example. 60 IN SOA example. . 0 0 0 0 0 +example. 60 IN NS example. +example. 60 IN A 1.2.3.4 +; out of zone record +out-of-zone. 60 IN A 1.2.3.4 diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.key new file mode 100644 index 0000000..e4bdce2 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.key @@ -0,0 +1 @@ +example.com. IN DNSKEY 256 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpZ diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.private new file mode 100644 index 0000000..db928c5 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.private @@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: oXTPXsN2QEAqJhJxU2rOypfDtXP8LHk4LDtP/pGdT8qIa/zXmSUfahvLBFlfZlwSD1HxJTNCI/3KBjSzXEXkgViLfYexZ+01XtX+A3A2sycYLSBXZ7c5rCxDYJhZllXA5uv9+Zwohe5jp5F0m3I6KUxGGW+ugl1dnDUJB2JzGlk= +PublicExponent: AQAB +PrivateExponent: QrbJmRabHiFlSSYFvbo8iGn9bFTotlfAZkZ732y72+SMSlLHo3g7atThJoLncJxKuhnZ0s1DXyvW9omAM3iN2lxfVDW58at1amj/lWRDYkjI0fM8z6eyrF4U2lHKDM2YEstg+sGAAs5DUZBbli4Y7+zHjhxSKLYvRf4AJvX8aoE= +Prime1: 0259CgdF0JW+miedRZXC6tn3FijZJ4/j5edzd8IpTpdUSZupQg9hMP1ot7crreNq7MnzO0Z2ImbowUx8CDOuXQ== +Prime2: w31/WLM2275Z1tsHEOhrntUQCUk55B4PNOCmM4hjp0vAvA/SVSgAYRNb7rc/ujaLf0DnxnDsnVsFAS2PmvQELQ== +Exponent1: yKPhJNMh/X8dEUzmglJMVnHheLXq3RA/RL0PZmZqrJoO8os1Y+sUYFkaNr0sRie6IFrE50tGb/8YgdcDHQVuQQ== +Exponent2: lVhDuGy5RSjnk1eiz0zwIthctutlOZupPFk/P3E7yGv74vAnXH0BxSe3/Oer3MOc0GuyZYyRhyko6px28AbpRQ== +Coefficient: Hjup1nDnPFkQrxU2qLQBJrDz+ipw0RkNhsjWs6IgAq1Mq4sFV50bR9hOTLDd9oNhhtAwVjF+Oc0WIq+M1Mi6Ow== diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.key new file mode 100644 index 0000000..6f4fec8 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.key @@ -0,0 +1 @@ +example.com. IN DNSKEY 257 3 5 AwEAAbuWh5W3eGwixISqPwxszotQ0246KqhUB2Mb6JqNMJd6cWR66IrX YnevpIHsb6oanqJmVzOcJ6Yj3rXOIYtYYXgLbT7EJ8x7BNCZPHxG+w5C 7I1WsDbT6eGf//FLn2c4odKLOXaWCVITeNy61w43IlteIT9Q1egKdt+8 a7X9605j diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.private new file mode 100644 index 0000000..2d299d0 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.private @@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: u5aHlbd4bCLEhKo/DGzOi1DTbjoqqFQHYxvomo0wl3pxZHroitdid6+kgexvqhqeomZXM5wnpiPetc4hi1hheAttPsQnzHsE0Jk8fEb7DkLsjVawNtPp4Z//8UufZzih0os5dpYJUhN43LrXDjciW14hP1DV6Ap237xrtf3rTmM= +PublicExponent: AQAB +PrivateExponent: XZSssv3CL3/wtZYQuewV5d4+e8C8wxiYTtL/aQqCcS7+HnhKRelJEBgpYz9GPX/mH3Iakn6WMQW39s6MYW2HwXUnqhsvHoyabGX0Dbc/1LcY4J2VPgzVHwSXYm+j4unOByOOS4KoBtUAQxJsTBokVZrZ5pKsLUK9X2gdywYw+PE= +Prime1: 9fB7PaygjKoT1nbbeEMy1KYNqetg3zmN49Mk6ilEWxzJXKSSjTIhdkiLGXtYmE8rDBLBiYm8YWNe7YdA9PbQ7Q== +Prime2: w0L7mTOLDecH3XAkC/wvALv8K9KSoZ31ajidKBxV15u8awj5AxDG7gjerYgCLjU1fq1GulMr11j8r4ftQn3Cjw== +Exponent1: Up52yEE1rgt0npdPIxdv+//Ml0h7QoITKHXF8OPsEq+Y9YZTtRsiIpo8IFNPb9somuWyHoImxpCbUzAcoi5IAQ== +Exponent2: uYTbvYx+UsAt9dOFPCnnkqAJEK3qCUomET0m/CQn30mldGC7DpGTIDgnMeLmh3agk/IYIBHDtsBinHfeEe2guw== +Coefficient: FiHAet8On9Yaz1ksEAlCWulwck3zPWIsgqJBM2J4kHhgHTm17mZyxtVxIzLAMBNMIBcFl40FCpmPmTLY5QK5mw== diff --git a/bin/tests/system/dnssec/signer/general/bogus-ksk.key b/bin/tests/system/dnssec/signer/general/bogus-ksk.key new file mode 100644 index 0000000..af4640b --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/bogus-ksk.key @@ -0,0 +1,6 @@ +; +; This is a bogus key. It will not have a .private file. +; +; This will be key id 7091 +; +example.com. IN DNSKEY 257 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpz diff --git a/bin/tests/system/dnssec/signer/general/bogus-zsk.key b/bin/tests/system/dnssec/signer/general/bogus-zsk.key new file mode 100644 index 0000000..2e53d5c --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/bogus-zsk.key @@ -0,0 +1,6 @@ +; +; This is a bogus key. It will not have a .private file. +; +; This will be key id 7092 +; +example.com. IN DNSKEY 256 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpz diff --git a/bin/tests/system/dnssec/signer/general/test1.zone b/bin/tests/system/dnssec/signer/general/test1.zone new file mode 100644 index 0000000..8c11a0e --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/test1.zone @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; This is a zone which has two DNSKEY records, both of which have +; existing private key files available. They should be loaded automatically +; and the zone correctly signed. +; +$TTL 3600 +example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300 +$include Kexample.com.+005+07065.key +$include Kexample.com.+005+23362.key diff --git a/bin/tests/system/dnssec/signer/general/test2.zone b/bin/tests/system/dnssec/signer/general/test2.zone new file mode 100644 index 0000000..b603931 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/test2.zone @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; This is a zone which has one non-KSK DNSKEY record for which the +; private key file exists. It should be loaded automatically and the zone +; correctly signed. +; +$TTL 3600 +example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300 +$include Kexample.com.+005+07065.key diff --git a/bin/tests/system/dnssec/signer/general/test3.zone b/bin/tests/system/dnssec/signer/general/test3.zone new file mode 100644 index 0000000..70f2a86 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/test3.zone @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; This is a zone which has one KSK DNSKEY record for which the +; private key file exists. It should be loaded automatically. As there +; is no non-KSK DNSKEY the resulting zone should be rejected. +; +$TTL 3600 +example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300 +$include Kexample.com.+005+23362.key diff --git a/bin/tests/system/dnssec/signer/general/test4.zone b/bin/tests/system/dnssec/signer/general/test4.zone new file mode 100644 index 0000000..fb5b6c4 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/test4.zone @@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; This is a zone which has three DNSKEY records, two (KSK + ZSK) of +; which have existing private key files available. The third is a +; pre-published ZSK. +; +$TTL 3600 +example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300 +$include Kexample.com.+005+07065.key +$include Kexample.com.+005+23362.key +$include bogus-zsk.key diff --git a/bin/tests/system/dnssec/signer/general/test5.zone b/bin/tests/system/dnssec/signer/general/test5.zone new file mode 100644 index 0000000..7f33e27 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/test5.zone @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; This is a zone which has three DNSKEY records, two (KSK +ZSK) of which +; have existing private key files available. The third is a KSK. +; +$TTL 3600 +example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300 +$include Kexample.com.+005+07065.key +$include Kexample.com.+005+23362.key +$include bogus-ksk.key diff --git a/bin/tests/system/dnssec/signer/general/test6.zone b/bin/tests/system/dnssec/signer/general/test6.zone new file mode 100644 index 0000000..aad2838 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/test6.zone @@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; This is a zone which has four DNSKEY records, two (KK + ZSK) of which +; have existing private key files available. There are also a KSK and ZSK +; for which there will be no signatures. +; +$TTL 3600 +example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300 +$include Kexample.com.+005+07065.key +$include Kexample.com.+005+23362.key +$include bogus-ksk.key +$include bogus-zsk.key diff --git a/bin/tests/system/dnssec/signer/general/test7.zone b/bin/tests/system/dnssec/signer/general/test7.zone new file mode 100644 index 0000000..e804f81 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/test7.zone @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; This is a zone which has two DNSKEY records, none of which have +; existing private key files available. The resulting zone should fail +; the consistancy tests. +; +$TTL 3600 +example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300 +$include bogus-ksk.key +$include bogus-zsk.key diff --git a/bin/tests/system/dnssec/signer/general/test8.zone b/bin/tests/system/dnssec/signer/general/test8.zone new file mode 100644 index 0000000..abfc58f --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/test8.zone @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; This is a zone which has two DNSKEY records, one of which, +; the KSK, has a private key. The resulting zone should be rejected as +; it has no ZSK signatures. +; +$TTL 3600 +example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300 +$include Kexample.com.+005+23362.key +$include bogus-zsk.key diff --git a/bin/tests/system/dnssec/signer/remove.db.in b/bin/tests/system/dnssec/signer/remove.db.in new file mode 100644 index 0000000..8e0fccd --- /dev/null +++ b/bin/tests/system/dnssec/signer/remove.db.in @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 60 +remove. 60 IN SOA remove. . 0 0 0 0 0 +remove. 60 IN NS remove. +remove. 60 IN A 1.2.3.4 +remove. 60 IN AAAA ::ffff:1.2.3.4 +remove. 60 IN MX 0 remove. +$INCLUDE remove.db.signed diff --git a/bin/tests/system/dnssec/signer/remove2.db.in b/bin/tests/system/dnssec/signer/remove2.db.in new file mode 100644 index 0000000..aa1d2f5 --- /dev/null +++ b/bin/tests/system/dnssec/signer/remove2.db.in @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 60 +remove. 60 IN SOA remove. . 0 0 0 0 0 +remove. 60 IN NS remove. +remove. 60 IN A 1.2.3.4 +$INCLUDE remove.db.signed diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh new file mode 100644 index 0000000..434869a --- /dev/null +++ b/bin/tests/system/dnssec/tests.sh @@ -0,0 +1,3529 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=1 + +rm -f dig.out.* + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" +ADDITIONALOPTS="+noall +additional +dnssec -p ${PORT}" +ANSWEROPTS="+noall +answer +dnssec -p ${PORT}" +DELVOPTS="-a ns1/trusted.conf -p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +# convert private-type records to readable form +showprivate () { + echo "-- $@ --" + $DIG $DIGOPTS +nodnssec +short @$2 -t type65534 $1 | cut -f3 -d' ' | + while read record; do + $PERL -e 'my $rdata = pack("H*", @ARGV[0]); + die "invalid record" unless length($rdata) == 5; + my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata); + my $action = "signing"; + $action = "removing" if $remove; + my $state = " (incomplete)"; + $state = " (complete)" if $complete; + print ("$action: alg: $alg, key: $key$state\n");' $record + done +} + +# check that signing records are marked as complete +checkprivate () { + ret=0 + x=`showprivate "$@"` + echo $x | grep incomplete >/dev/null 2>&1 && ret=1 + [ $ret = 1 ] && { + echo "$x" + echo_i "failed" + } + return $ret +} + +# check that a zone file is raw format, version 0 +israw0 () { + cat $1 | $PERL -e 'binmode STDIN; + read(STDIN, $input, 8); + ($style, $version) = unpack("NN", $input); + exit 1 if ($style != 2 || $version != 0);' + return $? +} + +# check that a zone file is raw format, version 1 +israw1 () { + cat $1 | $PERL -e 'binmode STDIN; + read(STDIN, $input, 8); + ($style, $version) = unpack("NN", $input); + exit 1 if ($style != 2 || $version != 1);' + return $? +} + +# strip NS and RRSIG NS from input +stripns () { + awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' $1 +} + +# Check that for a query against a validating resolver where the +# authoritative zone is unsigned (insecure delegation), glue is returned +# in the additional section +echo_i "checking that additional glue is returned for unsigned delegation ($n)" +ret=0 +$DIG +tcp +dnssec -p ${PORT} a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ns\.insecure\.example\..*A.10\.53\.0\.3" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Check the example. domain + +echo_i "checking that zone transfer worked ($n)" +for i in 1 2 3 4 5 6 7 8 9 +do + ret=0 + $DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 + $DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1 + [ $ret = 0 ] && break + sleep 1 +done +digcomp dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# test AD bit: +# - dig +adflag asks for authentication (ad in response) +echo_i "checking AD bit asking for validation ($n)" +ret=0 +$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# test AD bit: +# - dig +noadflag +echo_i "checking that AD is not set without +adflag or +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking for AD in authoritative answer ($n)" +ret=0 +$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking positive validation NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking postive validation NSEC using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 a a.example > delv.out$n || ret=1 + grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 + grep "a.example..*.RRSIG.A 3 2 300 .*" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking positive validation NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking positive validation NSEC3 using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 a a.nsec3.example > delv.out$n || ret=1 + grep "a.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 + grep "a.nsec3.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking positive validation OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking positive validation OPTOUT using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 a a.optout.example > delv.out$n || ret=1 + grep "a.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 + grep "a.optout.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking positive wildcard validation NSEC ($n)" +ret=0 +$DIG $DIGOPTS a.wild.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS a.wild.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n +stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n +digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 +grep "\*\.wild\.example\..*RRSIG NSEC" dig.out.ns4.test$n > /dev/null || ret=1 +grep "\*\.wild\.example\..*NSEC z\.example" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking positive wildcard validation NSEC using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 a a.wild.example > delv.out$n || ret=1 + grep "a.wild.example..*10.0.0.27" delv.out$n > /dev/null || ret=1 + grep "a.wild.example..*RRSIG.A 3 2 300.*" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking positive wildcard answer NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking positive wildcard answer NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +grep "AUTHORITY: 4," dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking positive wildcard validation NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n +stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n +digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 a a.wild.nsec3.example > delv.out$n || ret=1 + grep "a.wild.nsec3.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 + grep "a.wild.nsec3.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking positive wildcard validation OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS a.wild.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS a.wild.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n +stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n +digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 a a.wild.optout.example > delv.out$n || ret=1 + grep "a.wild.optout.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 + grep "a.wild.optout.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking negative validation NXDOMAIN NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 a q.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking negative validation NXDOMAIN NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth q.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 a q.nsec3.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking negative validation NXDOMAIN OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth q.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 a q.optout.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking negative validation NODATA NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 txt a.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking negative validation NODATA NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 txt a.nsec3.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking negative validation NODATA OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 txt a.optout.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking negative wildcard validation NSEC ($n)" +ret=0 +$DIG $DIGOPTS b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking negative wildcard validation NSEC using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 txt b.wild.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking negative wildcard validation NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS b.wild.nsec3.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 txt b.wild.nsec3.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking negative wildcard validation OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS b.wild.optout.example. \ + @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS b.wild.optout.example. \ + @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 txt b.optout.nsec3.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +# Check the insecure.example domain + +echo_i "checking 1-server insecurity proof NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 a a.insecure.example > delv.out$n || ret=1 + grep "a.insecure.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking 1-server insecurity proof NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.insecure.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 a a.insecure.nsec3.example > delv.out$n || ret=1 + grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking 1-server insecurity proof OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.insecure.optout.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 a a.insecure.optout.example > delv.out$n || ret=1 + grep "a.insecure.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking 1-server negative insecurity proof NSEC ($n)" +ret=0 +$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 a q.insecure.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking 1-server negative insecurity proof NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS q.insecure.nsec3.example. a @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS q.insecure.nsec3.example. a @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 a q.insecure.nsec3.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking 1-server negative insecurity proof OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS q.insecure.optout.example. a @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS q.insecure.optout.example. a @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)" + $DELV $DELVOPTS @10.53.0.4 a q.insecure.optout.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking 1-server negative insecurity proof with SOA hack NSEC ($n)" +ret=0 +$DIG $DIGOPTS r.insecure.example. soa @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS r.insecure.example. soa @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS r.insecure.nsec3.example. soa @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS r.insecure.nsec3.example. soa @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS r.insecure.optout.example. soa @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS r.insecure.optout.example. soa @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Check the secure.example domain + +echo_i "checking multi-stage positive validation NSEC/NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.secure.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.secure.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.secure.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.secure.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.optout.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.optout.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.secure.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.secure.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.nsec3.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.nsec3.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.optout.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.optout.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking empty NODATA OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth empty.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth empty.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Check the bogus domain + +echo_i "checking failed validation ($n)" +ret=0 +$DIG $DIGOPTS a.bogus.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking failed validation using dns_client ($n)" + $DELV $DELVOPTS +cd @10.53.0.4 a a.bogus.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: RRSIG failed to verify" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +# Try validating with a bad trusted key. +# This should fail. + +echo_i "checking that validation fails with a misconfigured trusted key ($n)" +ret=0 +$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that negative validation fails with a misconfigured trusted key ($n)" +ret=0 +$DIG $DIGOPTS example. ptr @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that insecurity proofs fail with a misconfigured trusted key ($n)" +ret=0 +$DIG $DIGOPTS a.insecure.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that validation fails when key record is missing ($n)" +ret=0 +$DIG $DIGOPTS a.b.keyless.example. a @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking that validation fails when key record is missing using dns_client ($n)" + $DELV $DELVOPTS +cd @10.53.0.4 a a.b.keyless.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: broken trust chain" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking that validation succeeds when a revoked key is encountered ($n)" +ret=0 +$DIG $DIGOPTS revkey.example soa @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags: .* ad" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x ${DELV} ] ; then + ret=0 + echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)" + $DELV $DELVOPTS +cd @10.53.0.4 soa revkey.example > delv.out$n 2>&1 || ret=1 + grep "fully validated" delv.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "Checking that a bad CNAME signature is caught after a +CD query ($n)" +ret=0 +#prime +$DIG $DIGOPTS +cd bad-cname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1 +#check: requery with +CD. pending data should be returned even if it's bogus +expect="a.example. +10.0.0.1" +ans=`$DIG $DIGOPTS +cd +nodnssec +short bad-cname.example. @10.53.0.4` || ret=1 +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +#check: requery without +CD. bogus cached data should be rejected. +$DIG $DIGOPTS +nodnssec bad-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "Checking that a bad DNAME signature is caught after a +CD query ($n)" +ret=0 +#prime +$DIG $DIGOPTS +cd a.bad-dname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1 +#check: requery with +CD. pending data should be returned even if it's bogus +expect="example. +a.example. +10.0.0.1" +ans=`$DIG $DIGOPTS +cd +nodnssec +short a.bad-dname.example. @10.53.0.4` || ret=1 +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +#check: requery without +CD. bogus cached data should be rejected. +$DIG $DIGOPTS +nodnssec a.bad-dname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Check the insecure.secure.example domain (insecurity proof) + +echo_i "checking 2-server insecurity proof ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \ + > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Check a negative response in insecure.secure.example + +echo_i "checking 2-server insecurity proof with a negative answer ($n)" +ret=0 +$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \ + || ret=1 +$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \ + || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking 2-server insecurity proof with a negative answer and SOA hack ($n)" +ret=0 +$DIG $DIGOPTS r.insecure.secure.example. @10.53.0.2 soa > dig.out.ns2.test$n \ + || ret=1 +$DIG $DIGOPTS r.insecure.secure.example. @10.53.0.4 soa > dig.out.ns4.test$n \ + || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Check that the query for a security root is successful and has ad set + +echo_i "checking security root query ($n)" +ret=0 +$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Check that the setting the cd bit works + +echo_i "checking cd bit on a positive answer ($n)" +ret=0 +$DIG $DIGOPTS +noauth example. soa @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth +cdflag example. soa @10.53.0.5 \ + > dig.out.ns5.test$n || ret=1 +digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking cd bit on a negative answer ($n)" +ret=0 +$DIG $DIGOPTS q.example. soa @10.53.0.4 > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +cdflag q.example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 +digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking positive validation RSASHA256 NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking positive validation RSASHA512 NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking positive validation with KSK-only DNSKEY signature ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking cd bit on a query that should fail ($n)" +ret=0 +$DIG $DIGOPTS a.bogus.example. soa @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +cdflag a.bogus.example. soa @10.53.0.5 \ + > dig.out.ns5.test$n || ret=1 +digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking cd bit on an insecurity proof ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.insecure.example. soa @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth +cdflag a.insecure.example. soa @10.53.0.5 \ + > dig.out.ns5.test$n || ret=1 +digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - these are looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking cd bit on a negative insecurity proof ($n)" +ret=0 +$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +cdflag q.insecure.example. a @10.53.0.5 \ + > dig.out.ns5.test$n || ret=1 +digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - these are looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that validation of an ANY query works ($n)" +ret=0 +$DIG $DIGOPTS +noauth foo.example. any @10.53.0.2 > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth foo.example. any @10.53.0.4 > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# 2 records in the zone, 1 NXT, 3 SIGs +grep "ANSWER: 6" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that validation of a query returning a CNAME works ($n)" +ret=0 +$DIG $DIGOPTS +noauth cname1.example. txt @10.53.0.2 \ + > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth cname1.example. txt @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# the CNAME & its sig, the TXT and its SIG +grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that validation of a query returning a DNAME works ($n)" +ret=0 +$DIG $DIGOPTS +noauth foo.dname1.example. txt @10.53.0.2 \ + > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth foo.dname1.example. txt @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# The DNAME & its sig, the TXT and its SIG, and the synthesized CNAME. +# It would be nice to test that the CNAME is being synthesized by the +# recursive server and not cached, but I don't know how. +grep "ANSWER: 5" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that validation of an ANY query returning a CNAME works ($n)" +ret=0 +$DIG $DIGOPTS +noauth cname2.example. any @10.53.0.2 \ + > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth cname2.example. any @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# The CNAME, NXT, and their SIGs +grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that validation of an ANY query returning a DNAME works ($n)" +ret=0 +$DIG $DIGOPTS +noauth foo.dname2.example. any @10.53.0.2 \ + > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth foo.dname2.example. any @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that positive validation in a privately secure zone works ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \ + > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that negative validation in a privately secure zone works ($n)" +ret=0 +$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \ + > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that lookups succeed after disabling a algorithm works ($n)" +ret=0 +$DIG $DIGOPTS +noauth example. SOA @10.53.0.2 \ + > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth example. SOA @10.53.0.6 \ + > dig.out.ns6.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking privately secure to nxdomain works ($n)" +ret=0 +$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \ + > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking privately secure wildcard to nxdomain works ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.2 \ + > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking a non-cachable NODATA works ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.nosoa.secure.example. txt @10.53.0.7 \ + > dig.out.ns7.test$n || ret=1 +grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noauth a.nosoa.secure.example. txt @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking a non-cachable NXDOMAIN works ($n)" +ret=0 +$DIG $DIGOPTS +noauth b.nosoa.secure.example. txt @10.53.0.7 \ + > dig.out.ns7.test$n || ret=1 +grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noauth b.nosoa.secure.example. txt @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# +# private.secure.example is served by the same server as its +# grand parent and there is not a secure delegation from secure.example +# to private.secure.example. In addition secure.example is using a +# algorithm which the validation does not support. +# +echo_i "checking dnssec-lookaside-validation works ($n)" +ret=0 +$DIG $DIGOPTS private.secure.example. SOA @10.53.0.6 \ + > dig.out.ns6.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that we can load a rfc2535 signed zone ($n)" +ret=0 +$DIG $DIGOPTS rfc2535.example. SOA @10.53.0.2 \ + > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that we can transfer a rfc2535 signed zone ($n)" +ret=0 +$DIG $DIGOPTS rfc2535.example. SOA @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "basic dnssec-signzone checks:" +echo_i " two DNSKEYs ($n)" +ret=0 +( +cd signer/general +rm -f signed.zone +$SIGNER -f signed.zone -o example.com. test1.zone > signer.out.$n 2>&1 +test -f signed.zone +) || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i " one non-KSK DNSKEY ($n)" +ret=0 +( +cd signer/general +rm -f signed.zone +$SIGNER -f signed.zone -o example.com. test2.zone > signer.out.$n 2>&1 +test -f signed.zone +) && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i " one KSK DNSKEY ($n)" +ret=0 +( +cd signer/general +rm -f signed.zone +$SIGNER -f signed.zone -o example.com. test3.zone > signer.out.$n 2>&1 +test -f signed.zone +) && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i " three DNSKEY ($n)" +ret=0 +( +cd signer/general +rm -f signed.zone +$SIGNER -f signed.zone -o example.com. test4.zone > signer.out.$n 2>&1 +test -f signed.zone +) || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i " three DNSKEY, one private key missing ($n)" +ret=0 +( +cd signer/general +rm -f signed.zone +$SIGNER -f signed.zone -o example.com. test5.zone > signer.out.$n 2>&1 +test -f signed.zone +) || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i " four DNSKEY ($n)" +ret=0 +( +cd signer/general +rm -f signed.zone +$SIGNER -f signed.zone -o example.com. test6.zone > signer.out.$n 2>&1 +test -f signed.zone +) || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i " two DNSKEY, both private keys missing ($n)" +ret=0 +( +cd signer/general +rm -f signed.zone +$SIGNER -f signed.zone -o example.com. test7.zone > signer.out.$n 2>&1 +test -f signed.zone +) && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i " two DNSKEY, one private key missing ($n)" +ret=0 +( +cd signer/general +rm -f signed.zone +$SIGNER -f signed.zone -o example.com. test8.zone > signer.out.$n 2>&1 +test -f signed.zone +) && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that we can sign a zone with out-of-zone records ($n)" +ret=0 +zone=example +key1=`$KEYGEN -K signer -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` +key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone` +( +cd signer +cat example.db.in $key1.key $key2.key > example.db +$SIGNER -o example -f example.db example.db > /dev/null 2>&1 +) || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)" +ret=0 +zone=example +key1=`$KEYGEN -K signer -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` +key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone` +( +cd signer +cat example.db.in $key1.key $key2.key > example.db +$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null 2>&1 +awk '/^IQF9LQTLK/ { + printf("%s", $0); + while (!index($0, ")")) { + if (getline <= 0) + break; + printf (" %s", $0); + } + printf("\n"); + }' example.db | sed 's/[ ][ ]*/ /g' > nsec3param.out + +grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null +) || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)" +ret=0 +zone=example +key1=`$KEYGEN -K signer -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` +key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone` +( +cd signer +cat example.db.in $key1.key $key2.key > example3.db +echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >> example3.db +$SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null 2>&1 +awk '/^IQF9LQTLK/ { + printf("%s", $0); + while (!index($0, ")")) { + if (getline <= 0) + break; + printf (" %s", $0); + } + printf("\n"); + }' example.db | sed 's/[ ][ ]*/ /g' > nsec3param.out + +grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null +) || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that dnsssec-signzone updates originalttl on ttl changes ($n)" +ret=0 +zone=example +key1=`$KEYGEN -K signer -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a RSASHA1 -b 1024 -n zone $zone` +( +cd signer +cat example.db.in $key1.key $key2.key > example.db +$SIGNER -o example -f example.db.before example.db > /dev/null 2>&1 +sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed +$SIGNER -o example -f example.db.after example.db.changed > /dev/null 2>&1 +) +grep "SOA 5 1 50" signer/example.db.after > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)" +ret=0 +zone=example +key1=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a RSASHA1 -b 1024 -n zone $zone` +key2=`$KEYGEN -K signer -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +keyid2=`echo $key2 | sed 's/^Kexample.+005+0*\([0-9]\)/\1/'` +key3=`$KEYGEN -K signer -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +keyid3=`echo $key3 | sed 's/^Kexample.+005+0*\([0-9]\)/\1/'` +( +cd signer +cat example.db.in $key1.key $key2.key > example.db +$SIGNER -D -o example example.db > /dev/null 2>&1 + +# now switch out key2 for key3 and resign the zone +cat example.db.in $key1.key $key3.key > example.db +echo '$INCLUDE "example.db.signed"' >> example.db +$SIGNER -D -o example example.db > /dev/null 2>&1 +) || ret=1 +grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 || ret=1 +grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)" +ret=0 +( +cd signer +$SIGNER -RD -o example example.db > /dev/null 2>&1 +) || ret=1 +grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 && ret=1 +grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking dnssec-signzone keeps valid signatures from inactive keys ($n)" +ret=0 +zone=example +( +cd signer +cp -f example.db.in example.db +$SIGNER -SD -o example example.db > /dev/null 2>&1 +echo '$INCLUDE "example.db.signed"' >> example.db +# now retire key2 and resign the zone +$SETTIME -I now $key2 > /dev/null 2>&1 +$SIGNER -SD -o example example.db > /dev/null 2>&1 +) || ret=1 +grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 || ret=1 +grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)" +ret=0 +( +cd signer +$SIGNER -SDQ -o example example.db > /dev/null 2>&1 +) || ret=1 +grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 && ret=1 +grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking dnssec-signzone retains unexpired signatures ($n)" +ret=0 +( +cd signer +$SIGNER -Sxt -o example example.db > signer.out.1 2>&1 +$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2 2>&1 +) || ret=1 +gen1=`awk '/generated/ {print $3}' signer/signer.out.1` +retain1=`awk '/retained/ {print $3}' signer/signer.out.1` +drop1=`awk '/dropped/ {print $3}' signer/signer.out.1` +gen2=`awk '/generated/ {print $3}' signer/signer.out.2` +retain2=`awk '/retained/ {print $3}' signer/signer.out.2` +drop2=`awk '/dropped/ {print $3}' signer/signer.out.2` +[ "$retain2" -eq `expr "$gen1" + "$retain1"` ] || ret=1 +[ "$gen2" -eq 0 ] || ret=1 +[ "$drop2" -eq 0 ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)" +ret=0 +( +cd signer +# remove NSEC-only keys +rm -f Kexample.+005* +cp -f example.db.in example2.db +cat << EOF >> example2.db +sub1.example. IN A 10.53.0.1 +ns.sub2.example. IN A 10.53.0.2 +EOF +echo '$INCLUDE "example2.db.signed"' >> example2.db +touch example2.db.signed +$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 +) || ret=1 +grep "^sub1\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 +grep "^ns\.sub2\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 +( +cd signer +cp -f example.db.in example2.db +cat << EOF >> example2.db +sub1.example. IN NS sub1.example. +sub1.example. IN A 10.53.0.1 +sub2.example. IN NS ns.sub2.example. +ns.sub2.example. IN A 10.53.0.2 +EOF +echo '$INCLUDE "example2.db.signed"' >> example2.db +$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 +) || ret=1 +grep "^sub1\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 +grep "^ns\.sub2\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)" +ret=0 +( +cd signer +rm -f example2.db.signed +cp -f example.db.in example2.db +cat << EOF >> example2.db +sub1.example. IN A 10.53.0.1 +ns.sub2.example. IN A 10.53.0.2 +EOF +echo '$INCLUDE "example2.db.signed"' >> example2.db +touch example2.db.signed +$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 +) || ret=1 +grep "^sub1\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 +grep "^ns\.sub2\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 +( +cd signer +cp -f example.db.in example2.db +cat << EOF >> example2.db +sub1.example. IN NS sub1.example. +sub1.example. IN A 10.53.0.1 +sub2.example. IN NS ns.sub2.example. +ns.sub2.example. IN A 10.53.0.2 +EOF +echo '$INCLUDE "example2.db.signed"' >> example2.db +$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 +) || ret=1 +grep "^sub1\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 +grep "^ns\.sub2\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking dnssec-signzone output format ($n)" +ret=0 +( +cd signer +$SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2> /dev/null +$SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2> /dev/null +$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null 2>&1 +$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null 2>&1 +$SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null +) || ret=1 +awk '/IN *SOA/ {if (NF != 11) exit(1)}' signer/signer.out.3 || ret=1 +awk '/IN *SOA/ {if (NF != 7) exit(1)}' signer/signer.out.4 || ret=1 +israw1 signer/signer.out.5 || ret=1 +israw0 signer/signer.out.6 || ret=1 +israw1 signer/signer.out.7 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking dnssec-signzone output format ($n)" +ret=0 +( +cd signer +$SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2>&1 +$SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2>&1 +) || ret=1 +awk '/IN *SOA/ {if (NF != 11) exit(1)}' signer/signer.out.3 || ret=1 +awk '/IN *SOA/ {if (NF != 7) exit(1)}' signer/signer.out.4 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking TTLs are capped by dnssec-signzone -M ($n)" +ret=0 +( +cd signer +$SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null 2>&1 +) || ret=1 +awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking dnssec-signzone -N date ($n)" +ret=0 +( +cd signer +$SIGNER -O full -f signer.out.9 -S -N date -o example example2.db > /dev/null 2>&1 +) || ret=1 +now=`$PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];'` +serial=`awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9` +[ "$now" -eq "$serial" ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking validated data are not cached longer than originalttl ($n)" +ret=0 +$DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +grep "3600.IN" dig.out.ns3.test$n > /dev/null || ret=1 +grep "300.IN" dig.out.ns3.test$n > /dev/null && ret=1 +grep "300.IN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "3600.IN" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test that "rndc secroots" is able to dump trusted keys +echo_i "checking rndc secroots ($n)" +ret=0 +$RNDCCMD 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i +keyid=`cat ns1/managed.key.id` +cp ns4/named.secroots named.secroots.test$n +linecount=`grep "./RSAMD5/$keyid ; trusted" named.secroots.test$n | wc -l` +[ "$linecount" -eq 1 ] || ret=1 +linecount=`cat named.secroots.test$n | wc -l` +[ "$linecount" -eq 10 ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Check direct query for RRSIG. If we first ask for normal (non RRSIG) +# record, the corresponding RRSIG should be cached and subsequent query +# for RRSIG will be returned with the cached record. +echo_i "checking RRSIG query from cache ($n)" +ret=0 +$DIG $DIGOPTS normalthenrrsig.secure.example. @10.53.0.4 a > /dev/null || ret=1 +ans=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.4 rrsig` || ret=1 +expect=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ` || ret=1 +test "$ans" = "$expect" || ret=1 +# also check that RA is set +$DIG $DIGOPTS normalthenrrsig.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 +grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Check direct query for RRSIG: If it's not cached with other records, +# it should result in an empty response. +echo_i "checking RRSIG query not in cache ($n)" +ret=0 +ans=`$DIG $DIGOPTS +short rrsigonly.secure.example. @10.53.0.4 rrsig` || ret=1 +test -z "$ans" || ret=1 +# also check that RA is cleared +$DIG $DIGOPTS rrsigonly.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 +grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# +# RT21868 regression test. +# +echo_i "checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters ($n)" +ret=0 +$DIG $DIGOPTS non-exist.badparam. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# +# RT22007 regression test. +# +echo_i "checking optout NSEC3 referral with only insecure delegations ($n)" +ret=0 +$DIG $DIGOPTS +norec delegation.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)" +ret=0 +$DIG $DIGOPTS +norec nonexist.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi + +status=`expr $status + $ret` +echo_i "checking optout NSEC3 nodata with only insecure delegations ($n)" +ret=0 +$DIG $DIGOPTS +norec single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that a zone finishing the transition from RSASHA1 to RSASHA256 validates secure ($n)" +ret=0 +$DIG $DIGOPTS ns algroll. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking positive and negative validation with negative trust anchors ($n)" +ret=0 + +# +# check correct initial behavior +# +$DIG $DIGOPTS a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1 +$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo_i "failed - checking initial state"; fi +status=`expr $status + $ret` +ret=0 + +# +# add negative trust anchors +# +$RNDCCMD 10.53.0.4 nta -f -l 20s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i +$RNDCCMD 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i +# reconfig should maintain NTAs +$RNDCCMD 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i +$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 +lines=`wc -l < rndc.out.ns4.test$n.1` +[ "$lines" -eq 2 ] || ret=1 +$RNDCCMD 10.53.0.4 nta secure.example 2>&1 | sed 's/^/ns4 /' | cat_i +$RNDCCMD 10.53.0.4 nta fakenode.secure.example 2>&1 | sed 's/^/ns4 /' | cat_i +# reload should maintain NTAs +$RNDCCMD 10.53.0.4 reload 2>&1 | sed 's/^/ns4 /' | cat_i +$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.2 +lines=`wc -l < rndc.out.ns4.test$n.2` +[ "$lines" -eq 4 ] || ret=1 +start=`$PERL -e 'print time()."\n";'` + +if [ $ret != 0 ]; then echo_i "failed - adding NTA's failed"; fi +status=`expr $status + $ret` +ret=0 + +# +# check behavior with NTA's in place +# +$DIG $DIGOPTS a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1 +$DIG $DIGOPTS badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.5 > /dev/null && ret=1 +$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.6 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.6 > /dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.6 > /dev/null && ret=1 +$DIG $DIGOPTS a.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.7 || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.7 > /dev/null && ret=1 +echo_i "dumping secroots" +$RNDCCMD 10.53.0.4 secroots | sed 's/^/ns4 /' | cat_i +grep "bogus.example: expiry" ns4/named.secroots > /dev/null || ret=1 +grep "badds.example: expiry" ns4/named.secroots > /dev/null || ret=1 +grep "secure.example: expiry" ns4/named.secroots > /dev/null || ret=1 +grep "fakenode.secure.example: expiry" ns4/named.secroots > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo_i "failed - with NTA's in place failed"; fi +status=`expr $status + $ret` +ret=0 + +echo_i "waiting for NTA rechecks/expirations" + +# +# secure.example and badds.example used default nta-duration +# (configured as 10s in ns4/named1.conf), but nta recheck interval +# is configured to 7s, so at t=8 the NTAs for secure.example and +# fakenode.secure.example should both be lifted, but badds.example +# should still be going. +# +$PERL -e 'my $delay = '$start' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' +$DIG $DIGOPTS b.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.8 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.8 > /dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.8 > /dev/null || ret=1 +$DIG $DIGOPTS b.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.9 || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.9 > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n.9 > /dev/null || ret=1 +$DIG $DIGOPTS badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.10 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.10 > /dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.10 > /dev/null && ret=1 + +if [ $ret != 0 ]; then echo_i "failed - checking that default nta's were lifted due to recheck"; fi +status=`expr $status + $ret` +ret=0 + +# +# bogus.example was set to expire in 20s, so at t=11 +# it should still be NTA'd, but badds.example used the default +# lifetime of 10s, so it should revert to SERVFAIL now. +# +$PERL -e 'my $delay = '$start' + 13 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' +# check nta table +$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n._11 +lines=`wc -l < rndc.out.ns4.test$n._11` +[ "$lines" -le 2 ] || ret=1 +grep "bogus.example: expiry" rndc.out.ns4.test$n._11 > /dev/null || ret=1 +grep "badds.example: expiry" rndc.out.ns4.test$n._11 > /dev/null && ret=1 +$DIG $DIGOPTS b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.11 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.11 > /dev/null && ret=1 +$DIG $DIGOPTS a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.12 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.12 > /dev/null || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.12 > /dev/null && ret=1 +$DIG $DIGOPTS c.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.13 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.13 > /dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.13 > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo_i "failed - checking that default nta's were lifted due to lifetime"; fi +status=`expr $status + $ret` +ret=0 + +# +# at t=21, all the NTAs should have expired. +# +$PERL -e 'my $delay = '$start' + 21 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' +# check correct behavior after bogus.example expiry +$DIG $DIGOPTS d.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.14 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.14 > /dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.14 > /dev/null || ret=1 +$DIG $DIGOPTS c.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.15 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.15 > /dev/null || ret=1 +# check nta table has been cleaned up now +$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 +lines=`wc -l < rndc.out.ns4.test$n.3` +[ "$lines" -eq 0 ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed - checking that all nta's have been lifted"; fi +status=`expr $status + $ret` +ret=0 + +echo_i "testing NTA removals ($n)" +$RNDCCMD 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i +$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 +grep "badds.example: expiry" rndc.out.ns4.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null && ret=1 +grep "^a.badds.example." dig.out.ns4.test$n.1 > /dev/null || ret=1 +$RNDCCMD 10.53.0.4 nta -remove badds.example > rndc.out.ns4.test$n.2 +grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 > /dev/null || ret=1 +$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 +grep "badds.example: expiry" rndc.out.ns4.test$n.3 > /dev/null && ret=1 +$DIG $DIGOPTS a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +ret=0 + +echo_i "remove non-existent NTA three times" +$RNDCCMD 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.4 2>&1 +$RNDCCMD 10.53.0.4 nta -remove foo > rndc.out.ns4.test$n.5 2>&1 +$RNDCCMD 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.6 2>&1 +grep "'nta' failed: not found" rndc.out.ns4.test$n.6 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +ret=0 + +n=`expr $n + 1` +echo_i "testing NTA with bogus lifetimes ($n)" +echo_i "check with no nta lifetime specified" +$RNDCCMD 10.53.0.4 nta -l "" foo > rndc.out.ns4.test$n.1 2>&1 +grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.1 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +ret=0 + +echo_i "check with bad nta lifetime" +$RNDCCMD 10.53.0.4 nta -l garbage foo > rndc.out.ns4.test$n.2 2>&1 +grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +ret=0 + +echo_i "check with too long nta lifetime" +$RNDCCMD 10.53.0.4 nta -l 7d1h foo > rndc.out.ns4.test$n.3 2>&1 +grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +ret=0 + +# +# check NTA persistence across restarts +# +n=`expr $n + 1` +echo_i " testing NTA persistence across restarts ($n)" +$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 +lines=`wc -l < rndc.out.ns4.test$n.1` +[ "$lines" -eq 0 ] || ret=1 +$RNDCCMD 10.53.0.4 nta -f -l 30s bogus.example 2>&1 | sed 's/^/I:ns4 /' +$RNDCCMD 10.53.0.4 nta -f -l 10s badds.example 2>&1 | sed 's/^/I:ns4 /' +$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.2 +lines=`wc -l < rndc.out.ns4.test$n.2` +[ "$lines" -eq 2 ] || ret=1 +start=`$PERL -e 'print time()."\n";'` + +if [ $ret != 0 ]; then echo_i "failed - NTA persistence: adding NTA's failed"; fi +status=`expr $status + $ret` +ret=0 + +echo_i "killing ns4 with SIGTERM" +cd ns4 +$KILL -TERM `cat named.pid` +rm -f named.pid +cd .. + +# +# ns4 has now shutdown. wait until t=14 when badds.example's NTA +# (lifetime=10s) would have expired, and then restart ns4. +# +echo_i "waiting till 14s have passed since NTAs were added before restarting ns4" +$PERL -e 'my $delay = '$start' + 14 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' + +if + $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns4 +then + echo_i "restarted server ns4" +else + echo_i "could not restart server ns4" + exit 1 +fi + +echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" +sleep 4 + +# +# ns4 should be back up now. The NTA for bogus.example should still be +# valid, whereas badds.example should not have been added during named +# startup (as it had already expired), the fact that it's ignored should +# be logged. +# +$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 +lines=`wc -l < rndc.out.ns4.test$n.3` +[ "$lines" -eq 1 ] || ret=1 +grep "bogus.example: expiry" rndc.out.ns4.test$n.3 > /dev/null || ret=1 +$DIG $DIGOPTS b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1 +$DIG $DIGOPTS a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null || ret=1 +grep "ignoring expired NTA at badds.example" ns4/named.run > /dev/null || ret=1 + +# cleanup +$RNDCCMD 10.53.0.4 nta -remove bogus.example > rndc.out.ns4.test$n.6 + +if [ $ret != 0 ]; then echo_i "failed - NTA persistence: restoring NTA failed"; fi +status=`expr $status + $ret` +ret=0 + +# +# check "regular" attribute in NTA file works as expected at named +# startup. +# +n=`expr $n + 1` +echo_i "testing loading regular attribute from NTA file ($n)" +$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null +lines=`wc -l < rndc.out.ns4.test$n.1` +[ "$lines" -eq 0 ] || ret=1 +# initially, secure.example. validates with AD=1 +$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1 + +echo_i "killing ns4 with SIGTERM" +cd ns4 +$KILL -TERM `cat named.pid` +rm -f named.pid +cd .. + +echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown" +sleep 4 + +# +# ns4 has now shutdown. add NTA for secure.example. directly into the +# _default.nta file with the regular attribute and some future timestamp. +# +year=`date +%Y` +future="`expr 20 + ${year}`0101010000" +echo "secure.example. regular $future" > ns4/_default.nta +start=`$PERL -e 'print time()."\n";'` + +if + $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns4 +then + echo_i "restarted server ns4" +else + echo_i "could not restart server ns4" + exit 1 +fi + +# nta-recheck is configured as 7s, so at t=10 the NTAs for +# secure.example. should be lifted as it is not a forced NTA. +echo_i "waiting till 10s have passed after ns4 was restarted" +$PERL -e 'my $delay = '$start' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' + +# secure.example. should now return an AD=1 answer (still validates) as +# the NTA has been lifted. +$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1 + +# cleanup +$RNDCCMD 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null + +if [ $ret != 0 ]; then echo_i "failed - NTA persistence: loading regular NTAs failed"; fi +status=`expr $status + $ret` +ret=0 + +# +# check "forced" attribute in NTA file works as expected at named +# startup. +# +n=`expr $n + 1` +echo_i "testing loading forced attribute from NTA file ($n)" +$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null +lines=`wc -l < rndc.out.ns4.test$n.1` +[ "$lines" -eq 0 ] || ret=1 +# initially, secure.example. validates with AD=1 +$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1 + +echo_i "killing ns4 with SIGTERM" +cd ns4 +$KILL -TERM `cat named.pid` +rm -f named.pid +cd .. + +echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown" +sleep 4 + +# +# ns4 has now shutdown. add NTA for secure.example. directly into the +# _default.nta file with the forced attribute and some future timestamp. +# +echo "secure.example. forced $future" > ns4/_default.nta +start=`$PERL -e 'print time()."\n";'` + +if + $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns4 +then + echo_i "restarted server ns4" +else + echo_i "could not restart server ns4" + exit 1 +fi + +# nta-recheck is configured as 7s, but even at t=10 the NTAs for +# secure.example. should not be lifted as it is a forced NTA. +echo_i "waiting till 10s have passed after ns4 was restarted" +$PERL -e 'my $delay = '$start' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' + +# secure.example. should now return an AD=0 answer (non-authenticated) +# as the NTA is still there. +$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null && ret=1 + +# cleanup +$RNDCCMD 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null + +if [ $ret != 0 ]; then echo_i "failed - NTA persistence: loading forced NTAs failed"; fi +status=`expr $status + $ret` +ret=0 + +# +# check that NTA lifetime read from file is clamped to 1 week. +# +n=`expr $n + 1` +echo_i "testing loading out of bounds lifetime from NTA file ($n)" + +echo_i "killing ns4 with SIGTERM" +cd ns4 +$KILL -TERM `cat named.pid` +rm -f named.pid +cd .. + +echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown" +sleep 4 + +# +# ns4 has now shutdown. add NTA for secure.example. directly into the +# _default.nta file with a lifetime well into the future. +# +echo "secure.example. forced $future" > ns4/_default.nta +added=`$PERL -e 'print time()."\n";'` + +if + $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns4 +then + echo_i "restarted server ns4" +else + echo_i "could not restart server ns4" + exit 1 +fi + +echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" +sleep 4 + +# dump the NTA to a file +$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null +lines=`wc -l < rndc.out.ns4.test$n.1` +[ "$lines" -eq 1 ] || ret=1 +ts=`awk '{print $3" "$4}' < rndc.out.ns4.test$n.1` +# rndc nta outputs localtime, so append the timezone +ts_with_zone="$ts `date +%z`" +echo "ts=$ts" > rndc.out.ns4.test$n.2 +echo "ts_with_zone=$ts_with_zone" >> rndc.out.ns4.test$n.2 +echo "added=$added" >> rndc.out.ns4.test$n.2 +if $PERL -e 'use Time::Piece; use Time::Seconds;' 2>/dev/null +then + # ntadiff.pl computes $ts_with_zone - ($added + 1week) + d=`$PERL ./ntadiff.pl "$ts_with_zone" "$added"` + echo "d=$d" >> rndc.out.ns4.test$n.2 + # diff from $added(now) + 1week to the clamped NTA lifetime should be + # less than a few seconds (handle daylight saving changes by adding 3600). + [ $d -lt 3610 ] || ret=1 +else + echo_i "skipped ntadiff test; install PERL module Time::Piece" +fi + +# cleanup +$RNDCCMD 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null + +if [ $ret != 0 ]; then echo_i "failed - NTA lifetime clamping failed"; fi +status=`expr $status + $ret` +ret=0 + +echo_i "completed NTA tests" + +# Run a minimal update test if possible. This is really just +# a regression test for RT #2399; more tests should be added. + +if $PERL -e 'use Net::DNS;' 2>/dev/null +then + echo_i "running DNSSEC update test" + ret=0 + { + $PERL dnssec_update_test.pl -s 10.53.0.3 -p ${PORT} dynamic.example. || ret=1 + } | cat_i + [ $ret -eq 1 ] && status=1 +else + echo_i "The DNSSEC update test requires the Net::DNS library." >&2 +fi + +n=`expr $n + 1` +echo_i "checking managed key maintenance has not started yet ($n)" +ret=0 +[ -f "ns4/managed-keys.bind.jnl" ] && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Reconfigure caching server to use "dnssec-validation auto", and repeat +# some of the DNSSEC validation tests to ensure that it works correctly. +echo_i "switching to automatic root key configuration" +copy_setports ns4/named2.conf.in ns4/named.conf +$RNDCCMD 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i +sleep 5 + +echo_i "checking managed key maintenance timer has now started ($n)" +ret=0 +[ -f "ns4/managed-keys.bind.jnl" ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking positive validation NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking positive validation NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking positive validation OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking negative validation ($n)" +ret=0 +$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that root DS queries validate ($n)" +ret=0 +$DIG $DIGOPTS +noauth . @10.53.0.1 ds > dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS +noauth . @10.53.0.4 ds > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns1.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that DS at a RFC 1918 empty zone lookup succeeds ($n)" +ret=0 +$DIG $DIGOPTS +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth 10.in-addr.arpa ds @10.53.0.6 >dig.out.ns6.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 +grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)" +ret=0 +$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 +grep "RRSIG.SOA" dig.out.ns3.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi + +status=`expr $status + $ret` +echo_i "checking expired signatures do not validate ($n)" +ret=0 +$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.4 soa > dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "expired.example/.*: RRSIG has expired" ns4/named.run > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)" +ret=0 +( +cd ns3 +kskname=`$KEYGEN -q -3 -r $RANDFILE -fk update-nsec3.example` +( +echo zone update-nsec3.example +echo server 10.53.0.3 ${PORT} +grep DNSKEY ${kskname}.key | sed -e 's/^/update add /' -e 's/IN/300 IN/' +echo send +) | $NSUPDATE +) +$DIG $DIGOPTS +dnssec a update-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 +grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 +grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that signing records have been marked as complete ($n)" +ret=0 +checkprivate dynamic.example 10.53.0.3 || ret=1 +checkprivate update-nsec3.example 10.53.0.3 || ret=1 +checkprivate auto-nsec3.example 10.53.0.3 || ret=1 +checkprivate expiring.example 10.53.0.3 || ret=1 +checkprivate auto-nsec.example 10.53.0.3 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'rndc signing' without arguments is handled ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing > /dev/null 2>&1 && ret=1 +$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'rndc signing -list' without zone is handled ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -list > /dev/null 2>&1 && ret=1 +$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'rndc signing -clear' without additional arguments is handled ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -clear > /dev/null 2>&1 && ret=1 +$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'rndc signing -clear all' without zone is handled ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -clear all > /dev/null 2>&1 && ret=1 +$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'rndc signing -nsec3param' without additional arguments is handled ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -nsec3param > /dev/null 2>&1 && ret=1 +$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'rndc signing -nsec3param none' without zone is handled ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -nsec3param none > /dev/null 2>&1 && ret=1 +$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 > /dev/null 2>&1 && ret=1 +$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1 +$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1 +$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1 +$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'rndc signing -nsec3param' works with salt ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10 ; do + salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'` + if [ "$salt" = "FFFF" ]; then + break; + fi + echo_i "sleeping ...." + sleep 1 +done; +[ "$salt" = "FFFF" ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'rndc signing -nsec3param' works without salt ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10 ; do + salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'` + if [ "$salt" = "-" ]; then + break; + fi + echo_i "sleeping ...." + sleep 1 +done; +[ "$salt" = "-" ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10 ; do + salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'` + [ -n "$salt" -a "$salt" != "-" ] && break + echo_i "sleeping ...." + sleep 1 +done; +[ "$salt" != "-" ] || ret=1 +[ `expr "${salt}" : ".*"` -eq 16 ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)" +ret=0 +oldsalt=$salt +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10 ; do + salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'` + [ -n "$salt" -a "$salt" != "$oldsalt" ] && break + echo_i "sleeping ...." + sleep 1 +done; +[ "$salt" != "$oldsalt" ] || ret=1 +[ `expr "$salt" : ".*"` -eq 16 ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check rndc signing -list output ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -list dynamic.example 2>&1 > signing.out +grep "No signing records found" signing.out > /dev/null 2>&1 || { + ret=1 + sed 's/^/ns3 /' signing.out | cat_i +} +$RNDCCMD 10.53.0.3 signing -list update-nsec3.example 2>&1 > signing.out +grep "Done signing with key .*/NSEC3RSASHA1" signing.out > /dev/null 2>&1 || { + ret=1 + sed 's/^/ns3 /' signing.out | cat_i +} +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "clear signing records ($n)" +$RNDCCMD 10.53.0.3 signing -clear all update-nsec3.example > /dev/null || ret=1 +sleep 1 +$RNDCCMD 10.53.0.3 signing -list update-nsec3.example 2>&1 > signing.out +grep "No signing records found" signing.out > /dev/null 2>&1 || { + ret=1 + sed 's/^/ns3 /' signing.out | cat_i +} +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that a insecure zone beneath a cname resolves ($n)" +ret=0 +$DIG $DIGOPTS soa insecure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that a secure zone beneath a cname resolves ($n)" +ret=0 +$DIG $DIGOPTS soa secure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking dnskey query with no data still gets put in cache ($n)" +ret=0 +myDIGOPTS="+noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT} @10.53.0.4" +firstVal=`$DIG $myDIGOPTS insecure.example. dnskey| awk '$1 != ";;" { print $2 }'` +sleep 1 +secondVal=`$DIG $myDIGOPTS insecure.example. dnskey| awk '$1 != ";;" { print $2 }'` +if [ ${firstVal:-0} -eq ${secondVal:-0} ] +then + sleep 1 + thirdVal=`$DIG $myDIGOPTS insecure.example. dnskey|awk '$1 != ";;" { print $2 }'` + if [ ${firstVal:-0} -eq ${thirdVal:-0} ] + then + echo_i "cannot confirm query answer still in cache" + ret=1 + fi +fi +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that a split dnssec dnssec-signzone work ($n)" +ret=0 +$DIG $DIGOPTS soa split-dnssec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that a smart split dnssec dnssec-signzone work ($n)" +ret=0 +$DIG $DIGOPTS soa split-smart.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that NOTIFY is sent at the end of NSEC3 chain generation ($n)" +ret=0 +( +echo zone nsec3chain-test +echo server 10.53.0.2 ${PORT} +echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456 +echo send +) | $NSUPDATE +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 +do + $DIG $DIGOPTS nsec3param nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1 + if grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null + then + break; + fi + echo_i "sleeping ...." + sleep 3 +done; +grep "ANSWER: 3," dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "nsec3 chain generation not complete"; fi +$DIG $DIGOPTS +noauth +nodnssec soa nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1 +s2=`awk '$4 == "SOA" { print $7}' dig.out.ns2.test$n` +for i in 1 2 3 4 5 6 7 8 9 10 +do + $DIG $DIGOPTS +noauth +nodnssec soa nsec3chain-test @10.53.0.3 > dig.out.ns3.test$n || ret=1 + s3=`awk '$4 == "SOA" { print $7}' dig.out.ns3.test$n` + test "$s2" = "$s3" && break + sleep 1 +done +digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check dnssec-dsfromkey from stdin ($n)" +ret=0 +$DIG $DIGOPTS dnskey algroll. @10.53.0.2 | \ + $DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1 +NF=`awk '{print NF}' dig.out.ns2.test$n | sort -u` +[ "${NF}" = 7 ] || ret=1 +# make canonical +awk '{ + for (i=1;i<7;i++) printf("%s ", $i); + for (i=7;i<=NF;i++) printf("%s", $i); + printf("\n"); +}' < dig.out.ns2.test$n > canonical1.$n || ret=1 +awk '{ + for (i=1;i<7;i++) printf("%s ", $i); + for (i=7;i<=NF;i++) printf("%s", $i); + printf("\n"); +}' < ns1/dsset-algroll$TP > canonical2.$n || ret=1 +diff -b canonical1.$n canonical2.$n > /dev/null 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Intentionally strip ".key" from keyfile name to ensure the error message +# includes it anyway to avoid confusion (RT #21731) +echo_i "check dnssec-dsfromkey error message when keyfile is not found ($n)" +ret=0 +key=`$KEYGEN -q -r $RANDFILE example.` || ret=1 +mv $key.key $key +$DSFROMKEY $key > dsfromkey.out.$n 2>&1 && ret=1 +grep "$key.key: file not found" dsfromkey.out.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing soon-to-expire RRSIGs without a replacement private key ($n)" +ret=0 +$DIG $ANSWEROPTS +nottlid expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1 +# there must be a signature here +[ -s dig.out.ns3.test$n ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing new records are signed with 'no-resign' ($n)" +ret=0 +( +echo zone nosign.example +echo server 10.53.0.3 ${PORT} +echo update add new.nosign.example 300 in txt "hi there" +echo send +) | $NSUPDATE +sleep 1 +$DIG $ANSWEROPTS +nottlid txt new.nosign.example @10.53.0.3 \ + > dig.out.ns3.test$n 2>&1 +grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing expiring records aren't resigned with 'no-resign' ($n)" +ret=0 +$DIG $ANSWEROPTS +nottlid nosign.example ns @10.53.0.3 | \ + grep RRSIG | sed 's/[ ][ ]*/ /g' > dig.out.ns3.test$n 2>&1 +# the NS RRSIG should not be changed +cmp -s nosign.before dig.out.ns3.test$n || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing updates fail with no private key ($n)" +ret=0 +rm -f ns3/Knosign.example.*.private +( +echo zone nosign.example +echo server 10.53.0.3 ${PORT} +echo update add fail.nosign.example 300 in txt "reject me" +echo send +) | $NSUPDATE > /dev/null 2>&1 && ret=1 +$DIG $ANSWEROPTS +nottlid fail.nosign.example txt @10.53.0.3 \ + > dig.out.ns3.test$n 2>&1 +[ -s dig.out.ns3.test$n ] && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing legacy upper case signer name validation ($n)" +ret=0 +$DIG +tcp +noadd +noauth +dnssec -p ${PORT} soa upper.example @10.53.0.4 \ + > dig.out.ns4.test$n 2>&1 +grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1 +grep 'RRSIG.*SOA.* UPPER\.EXAMPLE\. ' dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing that we lower case signer name ($n)" +ret=0 +$DIG +tcp +noadd +noauth +dnssec -p ${PORT} soa LOWER.EXAMPLE @10.53.0.4 \ + > dig.out.ns4.test$n 2>&1 +grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1 +grep 'RRSIG.*SOA.* lower\.example\. ' dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing TTL is capped at RRSIG expiry time ($n)" +ret=0 +$RNDCCMD 10.53.0.3 freeze expiring.example 2>&1 | sed 's/^/ns3 /' | cat_i +( +cd ns3 +for file in K*.moved; do + mv $file `basename $file .moved` +done +$SIGNER -S -r $RANDFILE -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null 2>&1 +) || ret=1 +$RNDCCMD 10.53.0.3 reload expiring.example 2>&1 | sed 's/^/ns3 /' | cat_i + +$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i +$DIG $ANSWEROPTS +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n +$DIG $ANSWEROPTS expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n +ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` +ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` +for ttl in ${ttls:-0}; do + [ ${ttl:-0} -eq 300 ] || ret=1 +done +for ttl in ${ttls2:-0}; do + [ ${ttl:-0} -le 60 ] || ret=1 +done +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (NS) ($n)" +ret=0 +$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i +sleep 1 +$DIG $ADDITIONALOPTS +cd expiring.example ns @10.53.0.4 > dig.out.ns4.1.$n +$DIG $ADDITIONALOPTS expiring.example ns @10.53.0.4 > dig.out.ns4.2.$n +ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` +ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` +for ttl in ${ttls:-300}; do + [ ${ttl:-0} -eq 300 ] || ret=1 +done +for ttl in ${ttls2:-0}; do + [ ${ttl:-0} -le 60 ] || ret=1 +done +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (MX) ($n)" +ret=0 +$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i +sleep 1 +$DIG $ADDITIONALOPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n +$DIG $ADDITIONALOPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n +ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` +ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` +for ttl in ${ttls:-300}; do + [ ${ttl:-0} -eq 300 ] || ret=1 +done +for ttl in ${ttls2:-0}; do + [ ${ttl:-0} -le 60 ] || ret=1 +done +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +copy_setports ns4/named3.conf.in ns4/named.conf +$RNDCCMD 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i +sleep 3 + +echo_i "testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)" +ret=0 +$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i +$DIG $ANSWEROPTS +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n +$DIG $ANSWEROPTS expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n +ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` +ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` +for ttl in ${ttls:-0}; do + [ $ttl -eq 300 ] || ret=1 +done +for ttl in ${ttls2:-0}; do + [ $ttl -le 120 -a $ttl -gt 60 ] || ret=1 +done +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)" +ret=0 +$DIG $ANSWEROPTS +cd expired.example soa @10.53.0.4 > dig.out.ns4.1.$n +$DIG $ANSWEROPTS expired.example soa @10.53.0.4 > dig.out.ns4.2.$n +ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` +ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` +for ttl in ${ttls:-0}; do + [ $ttl -eq 300 ] || ret=1 +done +for ttl in ${ttls2:-0}; do + [ $ttl -le 120 -a $ttl -gt 60 ] || ret=1 +done +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +copy_setports ns4/named4.conf.in ns4/named.conf +$RNDCCMD 10.53.0.4 reconfig 2>&1 | sed 's/^/I:ns4 /' +sleep 3 + +echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)" +ret=0 +$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i +$DIG $ADDITIONALOPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n +$DIG $ADDITIONALOPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n +ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` +ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` +for ttl in ${ttls:-300}; do + [ $ttl -eq 300 ] || ret=1 +done +for ttl in ${ttls2:-0}; do + [ $ttl -le 120 -a $ttl -gt 60 ] || ret=1 +done +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with acache off; ($n)" +ret=0 +$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i +$DIG $ADDITIONALOPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n +$DIG $ADDITIONALOPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n +ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` +ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` +for ttl in ${ttls:-300}; do + [ $ttl -eq 300 ] || ret=1 +done +for ttl in ${ttls2:-0}; do + [ $ttl -le 120 -a $ttl -gt 60 ] || ret=1 +done +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing DNSKEY lookup via CNAME ($n)" +ret=0 +$DIG $DIGOPTS +noauth cnameandkey.secure.example. \ + @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth cnameandkey.secure.example. \ + @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing KEY lookup at CNAME (present) ($n)" +ret=0 +$DIG $DIGOPTS +noauth cnameandkey.secure.example. \ + @10.53.0.3 key > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth cnameandkey.secure.example. \ + @10.53.0.4 key > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing KEY lookup at CNAME (not present) ($n)" +ret=0 +$DIG $DIGOPTS +noauth cnamenokey.secure.example. \ + @10.53.0.3 key > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth cnamenokey.secure.example. \ + @10.53.0.4 key > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing DNSKEY lookup via DNAME ($n)" +ret=0 +$DIG $DIGOPTS a.dnameandkey.secure.example. \ + @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS a.dnameandkey.secure.example. \ + @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1 +grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing KEY lookup via DNAME ($n)" +ret=0 +$DIG $DIGOPTS b.dnameandkey.secure.example. \ + @10.53.0.3 key > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS b.dnameandkey.secure.example. \ + @10.53.0.4 key > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that named doesn't loop when all private keys are not available ($n)" +ret=0 +lines=`grep "reading private key file expiring.example" ns3/named.run | wc -l` +test ${lines:-1000} -lt 15 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check against against missing nearest provable proof ($n)" +$DIG $DIGOPTS +norec b.c.d.optout-tld. \ + @10.53.0.6 ds > dig.out.ds.ns6.test$n || ret=1 +nsec3=`grep "IN.NSEC3" dig.out.ds.ns6.test$n | wc -l` +[ $nsec3 -eq 2 ] || ret=1 +$DIG $DIGOPTS +norec b.c.d.optout-tld. \ + @10.53.0.6 A > dig.out.ns6.test$n || ret=1 +nsec3=`grep "IN.NSEC3" dig.out.ns6.test$n | wc -l` +[ $nsec3 -eq 1 ] || ret=1 +$DIG $DIGOPTS optout-tld. \ + @10.53.0.4 SOA > dig.out.soa.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS b.c.d.optout-tld. \ + @10.53.0.4 A > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that key id are logged when dumping the cache ($n)" +ret=0 +$RNDCCMD 10.53.0.4 dumpdb 2>&1 | sed 's/^/ns4 /' | cat_i +sleep 1 +grep "; key id = " ns4/named_dump.db > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check KEYDATA records are printed in human readable form in key zone ($n)" +# force the managed-keys zone to be written out +$RNDCCMD 10.53.0.4 managed-keys sync 2>&1 | sed 's/^/ns4 /' | cat_i +for i in 1 2 3 4 5 6 7 8 9 +do + ret=0 + if test -f ns4/managed-keys.bind + then + grep KEYDATA ns4/managed-keys.bind > /dev/null && + grep "next refresh:" ns4/managed-keys.bind > /dev/null && + break + fi + ret=1 + sleep 1 +done +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check dig's +nocrypto flag ($n)" +ret=0 +$DIG $DIGOPTS +norec +nocrypto DNSKEY . \ + @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1 +grep '256 3 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 +grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec +nocrypto DS example \ + @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1 +grep 'DS.* 3 [12] \[omitted]' dig.out.ds.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)" +ret=0 +cnt=0 +while : +do +$DIG $DIGOPTS publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n +keys=`awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l` +test $keys -gt 2 && break +cnt=`expr $cnt + 1` +test $cnt -gt 120 && break +sleep 1 +done +test $keys -gt 2 || ret=1 +sigs=`grep RRSIG dig.out.ns3.test$n | wc -l` +sigs=`expr $sigs + 0` +n=`expr $n + 1` +test $sigs -eq 2 || ret=1 +if test $ret != 0 ; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that increasing the sig-validity-interval resigning triggers re-signing" +ret=0 +before=`$DIG axfr siginterval.example -p ${PORT} @10.53.0.3 | grep RRSIG.SOA` +cp ns3/siginterval2.conf ns3/siginterval.conf +$RNDCCMD 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +for i in 1 2 3 4 5 6 7 8 9 0 +do +after=`$DIG axfr siginterval.example -p ${PORT} @10.53.0.3 | grep RRSIG.SOA` +test "$before" != "$after" && break +sleep 1 +done +n=`expr $n + 1` +if test "$before" = "$after" ; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +copy_setports ns4/named4.conf.in ns4/named.conf +$RNDCCMD 10.53.0.4 reconfig 2>&1 | sed 's/^/I:ns4 /' +sleep 3 + +echo_i "check insecure delegation between static-stub zones ($n)" +ret=0 +$DIG $DIGOPTS ns insecure.secure.example \ + @10.53.0.4 > dig.out.ns4.1.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS ns secure.example \ + @10.53.0.4 > dig.out.ns4.2.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.2.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check the acceptance of seconds as inception and expiration times ($n)" +ret=0 +in="NSEC 8 0 86400 1390003200 1389394800 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i+UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2rOo=" + +exp="NSEC 8 0 86400 20140118000000 20140110230000 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i +UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2 rOo=" + +out=`echo "IN RRSIG $in" | $RRCHECKER -p | sed 's/^IN.RRSIG.//'` +[ "$out" = "$exp" ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check the correct resigning time is reported in zonestatus ($n)" +ret=0 +$RNDCCMD 10.53.0.3 \ + zonestatus secure.example > rndc.out.ns3.test$n +# next resign node: secure.example/DNSKEY +name=`awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's;/; ;'` +# next resign time: Thu, 24 Apr 2014 10:38:16 GMT +time=`awk 'BEGIN { m["Jan"] = "01"; m["Feb"] = "02"; m["Mar"] = "03"; + m["Apr"] = "04"; m["May"] = "05"; m["Jun"] = "06"; + m["Jul"] = "07"; m["Aug"] = "08"; m["Sep"] = "09"; + m["Oct"] = "10"; m["Nov"] = "11"; m["Dec"] = "12";} + /next resign time:/ { printf "%d%s%02d%s\n", $7, m[$6], $5, $8 }' rndc.out.ns3.test$n | sed 's/://g'` +$DIG $DIGOPTS +noall +answer $name @10.53.0.3 > dig.out.test$n +expire=`awk '$4 == "RRSIG" { print $9 }' dig.out.test$n` +inception=`awk '$4 == "RRSIG" { print $10 }' dig.out.test$n` +$PERL -e 'exit(0) if ("'"$time"'" lt "'"$expire"'" && "'"$time"'" gt "'"$inception"'"); exit(1);' || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that split rrsigs are handled ($n)" +ret=0 +$DIG $DIGOPTS split-rrsig soa @10.53.0.7 > dig.out.test$n || ret=1 +awk 'BEGIN { ok=0; } $4 == "SOA" { if ($7 > 1) ok=1; } END { if (!ok) exit(1); }' dig.out.test$n || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)" +ret=0 +alg=1 +until test $alg = 256 +do + size= + case $alg in + 1) size="-b 512";; + 2) # Diffie Helman + alg=`expr $alg + 1` + continue;; + 3) size="-b 512";; + 5) size="-b 512";; + 6) size="-b 512";; + 7) size="-b 512";; + 8) size="-b 512";; + 10) size="-b 1024";; + 157|160|161|162|163|164|165) # private - non standard + alg=`expr $alg + 1` + continue;; + esac + key1=`$KEYGEN -a $alg $size -n zone -r $RANDFILE example 2> keygen.err` + if grep "unsupported algorithm" keygen.err > /dev/null + then + alg=`expr $alg + 1` + continue + fi + if test -z "$key1" + then + echo_i "'$KEYGEN -a $alg': failed" + cat keygen.err + ret=1 + alg=`expr $alg + 1` + continue + fi + $SETTIME -I now+4d $key1.private > /dev/null + key2=`$KEYGEN -v 10 -r $RANDFILE -i 3d -S $key1.private 2> /dev/null` + test -f $key2.key -a -f $key2.private || { + ret=1 + echo_i "'dnssec-keygen -S' failed for algorithm: $alg" + } + alg=`expr $alg + 1` +done +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that CDS records are signed using KSK by dnssec-signzone ($n)" +ret=0 +$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds.secure > dig.out.test$n +lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l` +test ${lines:-0} -eq 2 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# +# Test for +sigchase with a null set of trusted keys. +# +$DIG $DIGOPTS @10.53.0.3 +sigchase +trusted-key=/dev/null > dig.out.ns3.test$n 2>&1 +if grep "Invalid option: +sigchase" dig.out.ns3.test$n > /dev/null +then + echo_i "Skipping 'dig +sigchase' tests" + n=`expr $n + 1` +else + echo_i "checking that 'dig +sigchase' doesn't loop with future inception ($n)" + ret=0 + $DIG $DIGOPTS @10.53.0.3 dnskey future.example +sigchase \ + +trusted-key=ns3/trusted-future.key > dig.out.ns3.test$n & + pid=$! + sleep 1 + $KILL -9 $pid 2> /dev/null + wait $pid + grep ";; No DNSKEY is valid to check the RRSIG of the RRset: FAILED" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + n=`expr $n + 1` +fi + +echo_i "checking that positive unknown NSEC3 hash algorithm does validate ($n)" +ret=0 +$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example SOA > dig.out.ns3.test$n +$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example SOA > dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that CDS records are signed using KSK by with dnssec-auto ($n)" +ret=0 +$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-auto.secure > dig.out.test$n +lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l` +test ${lines:-0} -eq 2 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that a lone non matching CDS record is rejected ($n)" +ret=0 +( +echo zone cds-update.secure +echo server 10.53.0.2 ${PORT} +echo update delete cds-update.secure CDS +$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cds-update.secure | +grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' | +$DSFROMKEY -C -A -f - -T 1 cds-update.secure | +sed "s/^/update add /" +echo send +) | $NSUPDATE > nsupdate.out.test$n 2>&1 +grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n +lines=`awk '$4 == "CDS" {print}' dig.out.test$n | wc -l` +test ${lines:-10} -eq 0 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that CDS records are signed using KSK when added by nsupdate ($n)" +ret=0 +( +echo zone cds-update.secure +echo server 10.53.0.2 ${PORT} +echo update delete cds-update.secure CDS +echo send +$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cds-update.secure | +grep "DNSKEY.257" | +$DSFROMKEY -C -f - -T 1 cds-update.secure | +sed "s/^/update add /" +echo send +) | $NSUPDATE +$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n +lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l` +test ${lines:-0} -eq 2 || ret=1 +lines=`awk '$4 == "CDS" {print}' dig.out.test$n | wc -l` +test ${lines:-0} -eq 2 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)" +ret=0 +$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n +$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example SOA > dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that a non matching CDS record is accepted with a matching CDS record ($n)" +ret=0 +( +echo zone cds-update.secure +echo server 10.53.0.2 ${PORT} +echo update delete cds-update.secure CDS +echo send +$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cds-update.secure | +grep "DNSKEY.257" | +$DSFROMKEY -C -f - -T 1 cds-update.secure | +sed "s/^/update add /" +$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cds-update.secure | +grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' | +$DSFROMKEY -C -A -f - -T 1 cds-update.secure | +sed "s/^/update add /" +echo send +) | $NSUPDATE +$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n +lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l` +test ${lines:-0} -eq 2 || ret=1 +lines=`awk '$4 == "CDS" {print}' dig.out.test$n | wc -l` +test ${lines:-0} -eq 4 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that negative unknown NSEC3 hash algorithm does not validate ($n)" +ret=0 +$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example A > dig.out.ns3.test$n +$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example A > dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 +grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that CDNSKEY records are signed using KSK by dnssec-signzone ($n)" +ret=0 +$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey.secure > dig.out.test$n +lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l` +test ${lines:-0} -eq 2 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate ($n)" +ret=0 +$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example A > dig.out.ns3.test$n +$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example A > dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 +grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that CDNSKEY records are signed using KSK by with dnssec-auto ($n)" +ret=0 +$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure > dig.out.test$n +lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l` +test ${lines:-0} -eq 2 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that unknown DNSKEY algorithm validates as insecure ($n)" +ret=0 +$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unknown.example A > dig.out.ns3.test$n +$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unknown.example A > dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that a lone non matching CDNSKEY record is rejected ($n)" +ret=0 +( +echo zone cdnskey-update.secure +echo server 10.53.0.2 ${PORT} +echo update delete cdnskey-update.secure CDNSKEY +echo send +$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | +sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p' +echo send +) | $NSUPDATE > nsupdate.out.test$n 2>&1 +grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n +lines=`awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l` +test ${lines:-10} -eq 0 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure ($n)" +ret=0 +$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-nsec3-unknown.example A > dig.out.ns3.test$n +$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-nsec3-unknown.example A > dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that CDNSKEY records are signed using KSK when added by nsupdate ($n)" +ret=0 +( +echo zone cdnskey-update.secure +echo server 10.53.0.2 ${PORT} +echo update delete cdnskey-update.secure CDNSKEY +$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | +sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' +echo send +) | $NSUPDATE +$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n +lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l` +test ${lines:-0} -eq 2 || ret=1 +lines=`awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l` +test ${lines:-0} -eq 1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking initialization with a revoked managed key ($n)" +ret=0 +copy_setports ns5/named2.conf.in ns5/named.conf +$RNDCCMD 10.53.0.5 reconfig 2>&1 | sed 's/^/ns5 /' | cat_i +sleep 3 +$DIG $DIGOPTS +dnssec @10.53.0.5 SOA . > dig.out.ns5.test$n +grep "status: SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)" +ret=0 +( +echo zone cdnskey-update.secure +echo server 10.53.0.2 ${PORT} +echo update delete cdnskey-update.secure CDNSKEY +$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | +sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' +$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | +sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p' +echo send +) | $NSUPDATE +$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n +lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l` +test ${lines:-0} -eq 2 || ret=1 +lines=`awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l` +test ${lines:-0} -eq 2 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)" +ret=0 +# generate signed zone with MX and AAAA records at apex. +( +cd signer +$KEYGEN -q -r $RANDFILE -3 -fK remove > /dev/null +$KEYGEN -q -r $RANDFILE -3 remove > /dev/null +echo > remove.db.signed +$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1 +) +grep "RRSIG MX" signer/remove.db.signed > /dev/null || { + ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n; +} +# re-generate signed zone without MX and AAAA records at apex. +( +cd signer +$SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n 2>&1 +) +grep "RRSIG MX" signer/remove.db.signed > /dev/null && { + ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n; +} +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 ($n)" +ret=0 +# generate signed zone with MX and AAAA records at apex. +( +cd signer +echo > remove.db.signed +$SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1 +) +grep "RRSIG MX" signer/remove.db.signed > /dev/null || { + ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n; +} +# re-generate signed zone without MX and AAAA records at apex. +( +cd signer +$SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n 2>&1 +) +grep "RRSIG MX" signer/remove.db.signed > /dev/null && { + ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n; +} +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that a named managed zone that was signed 'in-the-future' is re-signed when loaded ($n)" +ret=0 +$DIG $DIGOPTS managed-future.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that trust-anchor-telemetry queries are logged ($n)" +ret=0 +grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns6/named.run > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that _ta-XXXX trust-anchor-telemetry queries are logged ($n)" +ret=0 +grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that _ta-AAAA trust-anchor-telemetry are not sent when disabled ($n)" +ret=0 +grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)" +ret=0 +$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)" +ret=0 +$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1 +grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1 +$PERL $SYSTEMTESTTOP/stop.pl . ns1 || ret=1 +$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns1 || ret=1 +n=$(($n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 |