diff options
Diffstat (limited to 'bin/tests/system/dnssec/ns7')
-rw-r--r-- | bin/tests/system/dnssec/ns7/named.conf.in | 76 | ||||
-rw-r--r-- | bin/tests/system/dnssec/ns7/named.nosoa | 12 | ||||
-rw-r--r-- | bin/tests/system/dnssec/ns7/nosoa.secure.example.db | 22 | ||||
-rw-r--r-- | bin/tests/system/dnssec/ns7/sign.sh | 44 | ||||
-rw-r--r-- | bin/tests/system/dnssec/ns7/split-rrsig.db.in | 21 |
5 files changed, 175 insertions, 0 deletions
diff --git a/bin/tests/system/dnssec/ns7/named.conf.in b/bin/tests/system/dnssec/ns7/named.conf.in new file mode 100644 index 0000000..55cbec9 --- /dev/null +++ b/bin/tests/system/dnssec/ns7/named.conf.in @@ -0,0 +1,76 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +options { + query-source address 10.53.0.7; + notify-source 10.53.0.7; + transfer-source 10.53.0.7; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.7; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-validation yes; + minimal-responses yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "nsec3.example" { + type secondary; + primaries { 10.53.0.3; }; + file "nsec3.example.bk"; +}; + +zone "optout.example" { + type secondary; + primaries { 10.53.0.3; }; + file "optout.example.bk"; +}; + +zone "nsec3-unknown.example" { + type secondary; + primaries { 10.53.0.3; }; + file "nsec3-unknown.example.bk"; +}; + +zone "optout-unknown.example" { + type secondary; + primaries { 10.53.0.3; }; + file "optout-unknown.example.bk"; +}; + +zone "multiple.example" { + type secondary; + primaries { 10.53.0.3; }; + file "multiple.example.bk"; +}; + +zone "nosoa.secure.example" { + type primary; + file "nosoa.secure.example.db"; +}; + +zone "split-rrsig" { + type primary; + file "split-rrsig.db.signed"; + allow-update { any; }; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns7/named.nosoa b/bin/tests/system/dnssec/ns7/named.nosoa new file mode 100644 index 0000000..caefbbb --- /dev/null +++ b/bin/tests/system/dnssec/ns7/named.nosoa @@ -0,0 +1,12 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. + +Add -T nosoa. diff --git a/bin/tests/system/dnssec/ns7/nosoa.secure.example.db b/bin/tests/system/dnssec/ns7/nosoa.secure.example.db new file mode 100644 index 0000000..d3c9878 --- /dev/null +++ b/bin/tests/system/dnssec/ns7/nosoa.secure.example.db @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2010062400 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ IN NS ns +ns IN A 10.53.0.7 +a IN A 1.2.3.4 diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh new file mode 100644 index 0000000..55c1988 --- /dev/null +++ b/bin/tests/system/dnssec/ns7/sign.sh @@ -0,0 +1,44 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +set -e + +echo_i "ns7/sign.sh" + +zone=split-rrsig +infile=split-rrsig.db.in +zonefile=split-rrsig.db + +k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$k1.key" "$k2.key" > "$zonefile" + +# The awk script below achieves two goals: +# +# - it puts one of the two RRSIG(SOA) records at the end of the zone file, so +# that these two records (forming a single RRset) are not placed immediately +# next to each other; the test then checks if RRSIG RRsets split this way are +# correctly added to resigning heaps, +# +# - it places a copy of one of the RRSIG(SOA) records somewhere else than at the +# zone apex; the test then checks whether such signatures are automatically +# removed from the zone after it is loaded. +"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" > /dev/null 2>&1 +awk 'BEGIN { r = ""; } + $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; } + { print } + END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" > "$zonefile.signed" diff --git a/bin/tests/system/dnssec/ns7/split-rrsig.db.in b/bin/tests/system/dnssec/ns7/split-rrsig.db.in new file mode 100644 index 0000000..48c2f87 --- /dev/null +++ b/bin/tests/system/dnssec/ns7/split-rrsig.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +split-rrsig. 3660 IN SOA . . ( + 1 ; serial + 3600 ; refresh (1 hour) + 3600 ; retry (1 hour) + 3600 ; expire (1 hour) + 3600 ; minimum (1 hour) + ) + 3660 NS ns.example. +a.split-rrsig. 3660 IN A 192.0.2.2 +b.split-rrsig. 3660 IN A 192.0.2.2 |