diff options
Diffstat (limited to 'bin/tests/system/nsec3/ns3')
| -rw-r--r-- | bin/tests/system/nsec3/ns3/named.conf.in | 218 | ||||
| -rw-r--r-- | bin/tests/system/nsec3/ns3/named2.conf.in | 212 | ||||
| -rw-r--r-- | bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in | 19 | ||||
| -rw-r--r-- | bin/tests/system/nsec3/ns3/setup.sh | 60 | ||||
| -rw-r--r-- | bin/tests/system/nsec3/ns3/template.db.in | 27 |
5 files changed, 536 insertions, 0 deletions
diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in new file mode 100644 index 0000000..de09774 --- /dev/null +++ b/bin/tests/system/nsec3/ns3/named.conf.in @@ -0,0 +1,218 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +dnssec-policy "nsec" { + // no need to change configuration: if no 'nsec3param' is set, + // NSEC will be used; +}; + +dnssec-policy "rsasha1" { + keys { + csk lifetime unlimited algorithm rsasha1; + }; +}; + +dnssec-policy "nsec3" { + nsec3param; +}; + +dnssec-policy "optout" { + nsec3param optout yes; +}; + +dnssec-policy "nsec3-other" { + nsec3param iterations 11 optout yes salt-length 8; +}; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */ +zone "nsec-to-nsec3.kasp" { + type primary; + file "nsec-to-nsec3.kasp.db"; + inline-signing yes; + dnssec-policy "nsec"; +}; + +/* + * This zone starts with NSEC, but will be reconfigured to use NSEC3. + * This should work despite the incompatible RSAHSHA1 algorithm, + * because the DS is still in hidden state. + */ +zone "rsasha1-to-nsec3.kasp" { + type primary; + file "rsasha1-to-nsec3.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha1"; +}; + +/* + * This zone starts with NSEC, but will be reconfigured to use NSEC3. + * This should block because RSASHA1 is not compatible with NSEC3, + * and the DS is published. + */ +zone "rsasha1-to-nsec3-wait.kasp" { + type primary; + file "rsasha1-to-nsec3-wait.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha1"; +}; + +/* + * This zone starts with NSEC3, but will be reconfigured to use NSEC with an + * NSEC only algorithm. This should work despite the incompatible RSAHSHA1 + * algorithm, because the DS is still in hidden state. + */ +zone "nsec3-to-rsasha1.kasp" { + type primary; + file "nsec3-to-rsasha1.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + +/* + * This zone starts with NSEC3, but will be reconfigured to use NSEC with an + * NSEC only algorithm. This should also be fine because we are allowed + * to change to NSEC with any algorithm, then we can also publish the new + * DNSKEY and signatures of the RSASHA1 algorithm. + */ +zone "nsec3-to-rsasha1-ds.kasp" { + type primary; + file "nsec3-to-rsasha1-ds.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + + +/* These zones use the default NSEC3 settings. */ +zone "nsec3.kasp" { + type primary; + file "nsec3.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + +zone "nsec3-dynamic.kasp" { + type primary; + file "nsec3-dynamic.kasp.db"; + dnssec-policy "nsec3"; + allow-update { any; }; +}; + +/* This zone uses non-default NSEC3 settings. */ +zone "nsec3-other.kasp" { + type primary; + file "nsec3-other.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3-other"; +}; + +/* These zones will be reconfigured to use other NSEC3 settings. */ +zone "nsec3-change.kasp" { + type primary; + file "nsec3-change.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + +zone "nsec3-dynamic-change.kasp" { + type primary; + file "nsec3-dynamic-change.kasp.db"; + dnssec-policy "nsec3"; + allow-update { any; }; +}; + +/* The zone will be reconfigured to use opt-out. */ +zone "nsec3-to-optout.kasp" { + type primary; + file "nsec3-to-optout.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + +/* The zone will be reconfigured to disable opt-out. */ +zone "nsec3-from-optout.kasp" { + type primary; + file "nsec3-from-optout.kasp.db"; + inline-signing yes; + dnssec-policy "optout"; +}; + +/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */ +zone "nsec3-to-nsec.kasp" { + type primary; + file "nsec3-to-nsec.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + +/* The zone fails to load, this should not prevent shutdown. */ +zone "nsec3-fails-to-load.kasp" { + type primary; + file "nsec3-fails-to-load.kasp.db"; + dnssec-policy "nsec3"; + allow-update { any; }; +}; + +/* These zones switch from dynamic to inline-signing or vice versa. */ +zone "nsec3-dynamic-to-inline.kasp" { + type primary; + file "nsec3-dynamic-to-inline.kasp.db"; + dnssec-policy "nsec3"; + allow-update { any; }; +}; + +zone "nsec3-inline-to-dynamic.kasp" { + type primary; + file "nsec3-inline-to-dynamic.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + +/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */ +zone "nsec3-dynamic-update-inline.kasp" { + type primary; + file "nsec3-dynamic-update-inline.kasp.db"; + inline-signing yes; + allow-update { any; }; + dnssec-policy "nsec"; +}; + +zone "nsec3-xfr-inline.kasp" { + type secondary; + file "nsec3-xfr-inline.kasp.db"; + inline-signing yes; + dnssec-policy "nsec"; + primaries { 10.53.0.2; }; +}; diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in new file mode 100644 index 0000000..084bba3 --- /dev/null +++ b/bin/tests/system/nsec3/ns3/named2.conf.in @@ -0,0 +1,212 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +dnssec-policy "nsec" { + // no need to change configuration: if no 'nsec3param' is set, + // NSEC will be used; +}; + +dnssec-policy "rsasha1" { + keys { + csk lifetime unlimited algorithm rsasha1; + }; +}; + +dnssec-policy "nsec3" { + nsec3param; +}; + +dnssec-policy "optout" { + nsec3param optout yes; +}; + +dnssec-policy "nsec3-other" { + nsec3param iterations 11 optout yes salt-length 0; +}; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */ +zone "nsec-to-nsec3.kasp" { + type primary; + file "nsec-to-nsec3.kasp.db"; + inline-signing yes; + //dnssec-policy "nsec"; + dnssec-policy "nsec3"; +}; + +/* + * This zone starts with NSEC, but will be reconfigured to use NSEC3. + * This should work despite the incompatible RSAHSHA1 algorithm, + * because the DS is still in hidden state. + */ +zone "rsasha1-to-nsec3.kasp" { + type primary; + file "rsasha1-to-nsec3.kasp.db"; + inline-signing yes; + //dnssec-policy "rsasha1"; + dnssec-policy "nsec3"; +}; + +/* + * This zone starts with NSEC, but will be reconfigured to use NSEC3. + * This should block because RSASHA1 is not compatible with NSEC3, + * and the DS is published. + */ +zone "rsasha1-to-nsec3-wait.kasp" { + type primary; + file "rsasha1-to-nsec3-wait.kasp.db"; + inline-signing yes; + //dnssec-policy "rsasha1"; + dnssec-policy "nsec3"; +}; + +/* + * This zone starts with NSEC3, but will be reconfigured to use NSEC with an + * NSEC only algorithm. This should work despite the incompatible RSAHSHA1 + * algorithm, because the DS is still in hidden state. + */ +zone "nsec3-to-rsasha1.kasp" { + type primary; + file "nsec3-to-rsasha1.kasp.db"; + inline-signing yes; + //dnssec-policy "nsec3"; + dnssec-policy "rsasha1"; +}; + +/* + * This zone starts with NSEC3, but will be reconfigured to use NSEC with an + * NSEC only algorithm. This should also be fine because we are allowed + * to change to NSEC with any algorithm, then we can also publish the new + * DNSKEY and signatures of the RSASHA1 algorithm. + */ +zone "nsec3-to-rsasha1-ds.kasp" { + type primary; + file "nsec3-to-rsasha1-ds.kasp.db"; + inline-signing yes; + //dnssec-policy "nsec3"; + dnssec-policy "rsasha1"; +}; + +/* These zones use the default NSEC3 settings. */ +zone "nsec3.kasp" { + type primary; + file "nsec3.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + +zone "nsec3-dynamic.kasp" { + type primary; + file "nsec3-dynamic.kasp.db"; + dnssec-policy "nsec3"; + allow-update { any; }; +}; + +/* This zone uses non-default NSEC3 settings. */ +zone "nsec3-other.kasp" { + type primary; + file "nsec3-other.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3-other"; +}; + +/* These zone will be reconfigured to use other NSEC3 settings. */ +zone "nsec3-change.kasp" { + type primary; + file "nsec3-change.kasp.db"; + inline-signing yes; + //dnssec-policy "nsec3"; + dnssec-policy "nsec3-other"; +}; + +zone "nsec3-dynamic-change.kasp" { + type primary; + file "nsec3-dynamic-change.kasp.db"; + //dnssec-policy "nsec3"; + dnssec-policy "nsec3-other"; + allow-update { any; }; +}; + +/* The zone will be reconfigured to use opt-out. */ +zone "nsec3-to-optout.kasp" { + type primary; + file "nsec3-to-optout.kasp.db"; + inline-signing yes; + //dnssec-policy "nsec3"; + dnssec-policy "optout"; +}; + +/* The zone will be reconfigured to disable opt-out. */ +zone "nsec3-from-optout.kasp" { + type primary; + file "nsec3-from-optout.kasp.db"; + inline-signing yes; + //dnssec-policy "optout"; + dnssec-policy "nsec3"; +}; + +/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */ +zone "nsec3-to-nsec.kasp" { + type primary; + file "nsec3-to-nsec.kasp.db"; + inline-signing yes; + //dnssec-policy "nsec3"; + dnssec-policy "nsec"; +}; + +/* The zone fails to load, but is fixed after a reload. */ +zone "nsec3-fails-to-load.kasp" { + type primary; + file "nsec3-fails-to-load.kasp.db"; + dnssec-policy "nsec3"; + allow-update { any; }; +}; + +/* These zones switch from dynamic to inline-signing or vice versa. */ +zone "nsec3-dynamic-to-inline.kasp" { + type primary; + file "nsec3-dynamic-to-inline.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; + allow-update { any; }; +}; + +zone "nsec3-inline-to-dynamic.kasp" { + type primary; + file "nsec3-inline-to-dynamic.kasp.db"; + inline-signing no; + dnssec-policy "nsec3"; + allow-update { any; }; +}; diff --git a/bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in b/bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in new file mode 100644 index 0000000..77b0d10 --- /dev/null +++ b/bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in @@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ IN SOA kasp. nsec3-fails-to-load.kasp. ( + 1 ; serial + 30 ; refresh (30 seconds) + 10 ; retry (10 seconds) + 3600000 ; expire (5 weeks 6 days 16 hours) + 300 ; minimum (5 minutes) + ) + NS nsec3-fails-to-load.kasp. diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh new file mode 100644 index 0000000..68bc2e4 --- /dev/null +++ b/bin/tests/system/nsec3/ns3/setup.sh @@ -0,0 +1,60 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../../conf.sh + +echo_i "ns3/setup.sh" + +setup() { + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" + cp template.db.in "$zonefile" +} + +for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \ + nsec3-to-optout nsec3-from-optout nsec3-dynamic \ + nsec3-dynamic-change nsec3-dynamic-to-inline \ + nsec3-inline-to-dynamic nsec3-dynamic-update-inline +do + setup "${zn}.kasp" +done + +if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1) +then + for zn in rsasha1-to-nsec3 rsasha1-to-nsec3-wait nsec3-to-rsasha1 \ + nsec3-to-rsasha1-ds + do + setup "${zn}.kasp" + done + + longago="now-1y" + keytimes="-P ${longago} -A ${longago}" + O="omnipresent" + + zone="rsasha1-to-nsec3-wait.kasp" + CSK=$($KEYGEN -k "rsasha1" -l named.conf $keytimes $zone 2> keygen.out.$zone) + echo_i "Created key file $CSK" + $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" > settime.out.$zone 2>&1 + + zone="nsec3-to-rsasha1-ds.kasp" + CSK=$($KEYGEN -k "default" -l named.conf $keytimes $zone 2> keygen.out.$zone) + echo_i "Created key file $CSK" + $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" > settime.out.$zone 2>&1 +else + echo_i "skip: skip rsasha1 zones - signing with RSASHA1 not supported" +fi + +cp nsec3-fails-to-load.kasp.db.in nsec3-fails-to-load.kasp.db diff --git a/bin/tests/system/nsec3/ns3/template.db.in b/bin/tests/system/nsec3/ns3/template.db.in new file mode 100644 index 0000000..010b05b --- /dev/null +++ b/bin/tests/system/nsec3/ns3/template.db.in @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns3 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 + |