Diffstat (limited to '')
-rw-r--r--bin/tests/system/rsabigexponent/README.md39
-rw-r--r--bin/tests/system/rsabigexponent/bigkey.c157
-rw-r--r--bin/tests/system/rsabigexponent/clean.sh23
-rw-r--r--bin/tests/system/rsabigexponent/conf/bad01.conf16
-rw-r--r--bin/tests/system/rsabigexponent/conf/bad02.conf16
-rw-r--r--bin/tests/system/rsabigexponent/conf/bad03.conf16
-rw-r--r--bin/tests/system/rsabigexponent/conf/good01.conf16
-rw-r--r--bin/tests/system/rsabigexponent/conf/good02.conf16
-rw-r--r--bin/tests/system/rsabigexponent/conf/good03.conf16
-rw-r--r--bin/tests/system/rsabigexponent/ns1/named.conf.in34
-rw-r--r--bin/tests/system/rsabigexponent/ns1/root.db.in24
-rwxr-xr-xbin/tests/system/rsabigexponent/ns1/sign.sh33
-rw-r--r--bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.key5
-rw-r--r--bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.private13
-rw-r--r--bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.key2
-rw-r--r--bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.private10
-rw-r--r--bin/tests/system/rsabigexponent/ns2/dsset-example.in1
-rw-r--r--bin/tests/system/rsabigexponent/ns2/example.db.bad156
-rw-r--r--bin/tests/system/rsabigexponent/ns2/example.db.in23
-rw-r--r--bin/tests/system/rsabigexponent/ns2/named.conf.in39
-rwxr-xr-xbin/tests/system/rsabigexponent/ns2/sign.sh28
-rw-r--r--bin/tests/system/rsabigexponent/ns3/named.conf.in35
-rw-r--r--bin/tests/system/rsabigexponent/setup.sh20
-rw-r--r--bin/tests/system/rsabigexponent/tests.sh58
-rw-r--r--bin/tests/system/rsabigexponent/tests_sh_rsabigexponent.py14
25 files changed, 810 insertions, 0 deletions
diff --git a/bin/tests/system/rsabigexponent/README.md b/bin/tests/system/rsabigexponent/README.md
new file mode 100644
index 0000000..44afdbd
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/README.md
@@ -0,0 +1,39 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The `rsabigexponent` test is used to `check max-rsa-exponent-size`.
+
+We only run this test on builds without PKCS#11, as we have control over
+the RSA exponent size with plain OpenSSL. We have not explored how to do
+this with PKCS#11, which would require generating such a key and then
+signing a zone with it. Additionally, even with control of the exponent
+size with PKCS#11, generating a DNSKEY with this property and signing
+such a zone would be slow and undesirable for each test run; instead, we
+use a pregenerated DNSKEY and a saved signed zone. These are located in
+`rsabigexponent/ns2` and currently use RSASHA1 for the `DNSKEY`
+algorithm; however, that may need to be changed in the future.
+
+To generate the `DNSKEY` used in this test, we used `bigkey.c`, as
+dnssec-keygen is not capable of generating such keys.
+
+Do **not** remove `bigkey.c` as it may be needed to generate a new
+`DNSKEY` for testing purposes.
+
+`bigkey` is used to both test that we are not running under PKCS#11 and
+generate a `DNSKEY` key with a large RSA exponent.
+
+To regenerate `ns2/example.db.bad` comment out the range test in
+opensslrsa_parse before signing the zone with a ZSK key generated
+by `bigkey`.
+
+ if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) {
+ DST_RET(ISC_R_RANGE);
+ }
diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c
new file mode 100644
index 0000000..19fc9ba
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/bigkey.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define DST_KEY_INTERNAL
+
+#include <openssl/bn.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+
+#include <isc/result.h>
+
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+
+dst_key_t *key;
+dns_fixedname_t fname;
+dns_name_t *name;
+unsigned int bits = 2048U;
+isc_mem_t *mctx;
+isc_log_t *log_;
+isc_logconfig_t *logconfig;
+int level = ISC_LOG_WARNING;
+isc_logdestination_t destination;
+char filename[255];
+isc_result_t result;
+isc_buffer_t buf;
+RSA *rsa;
+BIGNUM *e;
+EVP_PKEY *pkey;
+
+#define CHECK(op, msg) \
+ do { \
+ result = (op); \
+ if (result != ISC_R_SUCCESS) { \
+ fprintf(stderr, \
+ "fatal error: %s returns %s at file %s line " \
+ "%d\n", \
+ msg, isc_result_totext(result), __FILE__, \
+ __LINE__); \
+ ERR_clear_error(); \
+ exit(1); \
+ } \
+ } while (0)
+
+int
+main(int argc, char **argv) {
+ UNUSED(argc);
+ UNUSED(argv);
+
+ rsa = RSA_new();
+ e = BN_new();
+ pkey = EVP_PKEY_new();
+
+ if ((rsa == NULL) || (e == NULL) || (pkey == NULL) ||
+ !EVP_PKEY_set1_RSA(pkey, rsa))
+ {
+ fprintf(stderr, "fatal error: basic OpenSSL failure\n");
+ ERR_clear_error();
+ exit(1);
+ }
+
+ /* e = 0x1000000000001 */
+ BN_set_bit(e, 0);
+ BN_set_bit(e, 48);
+
+ if (RSA_generate_key_ex(rsa, bits, e, NULL)) {
+ BN_free(e);
+ RSA_free(rsa);
+ } else {
+ fprintf(stderr,
+ "fatal error: RSA_generate_key_ex() fails "
+ "at file %s line %d\n",
+ __FILE__, __LINE__);
+ ERR_clear_error();
+ exit(1);
+ }
+
+ isc_mem_create(&mctx);
+ CHECK(dst_lib_init(mctx, NULL), "dst_lib_init()");
+ isc_log_create(mctx, &log_, &logconfig);
+ isc_log_setcontext(log_);
+ dns_log_init(log_);
+ dns_log_setcontext(log_);
+ isc_log_settag(logconfig, "bigkey");
+
+ destination.file.stream = stderr;
+ destination.file.name = NULL;
+ destination.file.versions = ISC_LOG_ROLLNEVER;
+ destination.file.maximum_size = 0;
+ isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC, level,
+ &destination,
+ ISC_LOG_PRINTTAG | ISC_LOG_PRINTLEVEL);
+
+ CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL), "isc_log_"
+ "usechannel("
+ ")");
+ name = dns_fixedname_initname(&fname);
+ isc_buffer_constinit(&buf, "example.", strlen("example."));
+ isc_buffer_add(&buf, strlen("example."));
+ CHECK(dns_name_fromtext(name, &buf, dns_rootname, 0, NULL), "dns_name_"
+ "fromtext("
+ "\"example."
+ "\")");
+
+ CHECK(dst_key_buildinternal(name, DNS_KEYALG_RSASHA256, bits,
+ DNS_KEYOWNER_ZONE, DNS_KEYPROTO_DNSSEC,
+ dns_rdataclass_in, pkey, mctx, &key),
+ "dst_key_buildinternal(...)");
+
+ CHECK(dst_key_tofile(key, DST_TYPE_PRIVATE | DST_TYPE_PUBLIC, NULL),
+ "dst_key_tofile()");
+ isc_buffer_init(&buf, filename, sizeof(filename) - 1);
+ isc_buffer_clear(&buf);
+ CHECK(dst_key_buildfilename(key, 0, NULL, &buf), "dst_key_"
+ "buildfilename()");
+ printf("%s\n", filename);
+ dst_key_free(&key);
+
+ isc_log_destroy(&log_);
+ isc_log_setcontext(NULL);
+ dns_log_setcontext(NULL);
+ dst_lib_destroy();
+ isc_mem_destroy(&mctx);
+ return (0);
+}
+
+/*! \file */
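Review bot: The two `BN_set_bit()` calls in `main()` ignore their return values, so if either fails the program would carry on and emit a key without the 49-bit exponent (2^48 + 1) that the test needs to exceed the `max-rsa-exponent-size 35` set in ns3/named.conf.in. Guard them like the other OpenSSL calls, e.g. `if (!BN_set_bit(e, 0) || !BN_set_bit(e, 48)) { /* report and exit(1) */ }`. `EVP_PKEY_set1_RSA(pkey, rsa)` is also called before `RSA_generate_key_ex()` populates `rsa`; this appears to rely on the EVP_PKEY sharing the RSA object by reference, so attaching the key after generation succeeds would be less fragile. README.md in this commit says the fixtures use RSASHA1, while this file builds the key with `DNS_KEYALG_RSASHA256`; one of the two should be corrected.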
diff --git a/bin/tests/system/rsabigexponent/clean.sh b/bin/tests/system/rsabigexponent/clean.sh
new file mode 100644
index 0000000..22ea41a
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f K* */K* */dsset-*. */*.signed */trusted.conf */tmp*
+rm -f ns*/dsset-example
+rm -f ns*/named.run
+rm -f ns*/named.memstats
+rm -f ns1/root.db
+rm -f ns2/signer.err
+rm -f dig.out.*
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/rsabigexponent/conf/bad01.conf b/bin/tests/system/rsabigexponent/conf/bad01.conf
new file mode 100644
index 0000000..720d197
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/bad01.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 1;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/bad02.conf b/bin/tests/system/rsabigexponent/conf/bad02.conf
new file mode 100644
index 0000000..bd1e827
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/bad02.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 34;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/bad03.conf b/bin/tests/system/rsabigexponent/conf/bad03.conf
new file mode 100644
index 0000000..4331b52
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/bad03.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 4097;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/good01.conf b/bin/tests/system/rsabigexponent/conf/good01.conf
new file mode 100644
index 0000000..1d2cd01
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/good01.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 0;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/good02.conf b/bin/tests/system/rsabigexponent/conf/good02.conf
new file mode 100644
index 0000000..861e054
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/good02.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 35;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/good03.conf b/bin/tests/system/rsabigexponent/conf/good03.conf
new file mode 100644
index 0000000..14a98f8
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/good03.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 4096;
+};
diff --git a/bin/tests/system/rsabigexponent/ns1/named.conf.in b/bin/tests/system/rsabigexponent/ns1/named.conf.in
new file mode 100644
index 0000000..4a9822d
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns1/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rsabigexponent/ns1/root.db.in b/bin/tests/system/rsabigexponent/ns1/root.db.in
new file mode 100644
index 0000000..a85d814
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns1/root.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2012050600 ; serial
+ 3600 ; refresh
+ 1200 ; retry
+ 604800 ; expire
+ 60 ; minimum
+ )
+@ NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+;
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
diff --git a/bin/tests/system/rsabigexponent/ns1/sign.sh b/bin/tests/system/rsabigexponent/ns1/sign.sh
new file mode 100755
index 0000000..8a2f6b9
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns1/sign.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../../conf.sh
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+cp ../ns2/dsset-example.in dsset-example.
+
+keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
+
+cat $infile $keyname.key > $zonefile
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds $keyname > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+
+cd ../ns2 && $SHELL -e ./sign.sh
diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.key b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.key
new file mode 100644
index 0000000..60ff187
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 51650, for example.
+; Created: 20220721024334 (Thu Jul 21 12:43:34 2022)
+; Publish: 20220721024334 (Thu Jul 21 12:43:34 2022)
+; Activate: 20220721024334 (Thu Jul 21 12:43:34 2022)
+example. IN DNSKEY 257 3 8 AwEAAeeXAGBcXxSNj5X/PWT8XDBk4U9OUkZ7YKQBf2IN3V6OZomt/s3F UWIh70Wot+z1Ld3Rfswq1DjCaWNRFOMhs+9j3Fhc46wMZ4pnsDW1nLHk 2TnQRdrbiuhLkQy5oNMjSRxu924XLw5ylsuqjxE7vXcCeKSFe674roSq wo39atWsTJMDz0FQGxlPucnXai0nHoCeC7+u1s+wLaGcpNSZlsab7Zny FD4HZ3HKUCJw/Jjr5CZjqal9KdmWSC1SINRtlAN6PX5VSiNEncnYMCdj iv+ZhRGn+aHh1BmEWomGbAm2Jjw5mrYMgDs9lJRc5Vtg0YXb9OkYvxNF V4QGw1oeF+M=
diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.private b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.private
new file mode 100644
index 0000000..d38a0b3
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 55cAYFxfFI2Plf89ZPxcMGThT05SRntgpAF/Yg3dXo5mia3+zcVRYiHvRai37PUt3dF+zCrUOMJpY1EU4yGz72PcWFzjrAxnimewNbWcseTZOdBF2tuK6EuRDLmg0yNJHG73bhcvDnKWy6qPETu9dwJ4pIV7rviuhKrCjf1q1axMkwPPQVAbGU+5yddqLScegJ4Lv67Wz7AtoZyk1JmWxpvtmfIUPgdnccpQInD8mOvkJmOpqX0p2ZZILVIg1G2UA3o9flVKI0SdydgwJ2OK/5mFEaf5oeHUGYRaiYZsCbYmPDmatgyAOz2UlFzlW2DRhdv06Ri/E0VXhAbDWh4X4w==
+PublicExponent: AQAB
+PrivateExponent: QaMgBa+YeRxIElS1g14tCMBGxXHmyrgkI0eTYWiZkbedYy8v1QU0NDJ2/NC9VEkHF2PNYrNO08lyEiaEW32NYG92n4qwMm6PmAAcRpSzFQ5N7N9VNRrdK0pjkW45IS5Shd8DfK3QdfFPQOkVxGYgpE7Mf6Cfde9gkxRMsO6erXEud6KyBm8kwBR/ipDeUQvpyGkZEQPjLxJG6REjMVhPKTzCV+82DWEf+Ok/3Uxa94+ocAbySHAV3j4YcWpVGWT002gc6CGk8c6TsPYnDkfKQ3moPQZijH7F8zrARtoobCX9TsMFhBqReceZrbzN7en2cZGR5MSISzoTNSr4rGo6aQ==
+Prime1: 8AV9EllWtclD62XHo95Z3h7JJ9t2gY7fUFG0WMbkI0Wj6kcr7k3bFfLj7GEJ1qgVW4Qpu7XnBvPB9hnqoCkbHLzc8ws1D2tY+PsXzvw9IxoXNM/eCobeulu/rYhJl2PcpY9bPcaaR0hldGoCHdFYSo8oi+C5hfRtIMVjnDtHSmk=
+Prime2: 9wHRxgyHjtl8ro9HAkvujxFkhChm4xLxIRM8pfZ+D1VHpzFRD3/RK8CVYVRB8GsQoFRygHBMOW1oHqynN9jddvJrQbHOqFZAbQQlesp0jRPd9Mm6q0cDwYcD4apscB2CUrUswMzoD3H4saIjGnitCsG/t+sLTvuK/giuMdS2Tms=
+Exponent1: pnSH+pOuiL+dtMCPJVvsoxhilJukodD9mewv0GmOic+gD7dwBgJEcAJUgvgBJLbIqQENGDrcj3u5Bf2PM6eOP+3SpVMeZyUhPPqV1lwj4hYUBfIqoM5L5J4AXk5oCu+cc8zpj/wNvmW8xnFGKnumaX7Ctc8Rmo6ap+F8ZTrPBBE=
+Exponent2: txXZKIRnAkJAwZ6f0pr3w4Hv0GmmAZArvQlmPdncDH94sfvDCssB/v0rfE4Y5hxl4YFWsc8LINHwiDQPajzLwvvi9nnWJT5xWJznLwHbrCparbPNMmFb7lmmTeGlqOCmlamG942qQLCI1xnIDTn/gWalNaz539xhZPSIMZVqX+s=
+Coefficient: eK9cQKFRLaU4udqB8t8KSQxlNl0x9J+9bcaEzn0+579LrZUZvspfiR4DNGwr9qK+PWk+CU7/6xsWbq2zbKIEWucoR97t+E8Zhx00GCDbiu/QI2wviEcYbB2udznRv1WSIDoCWf2TXeh5G2E2ugt5F4+b56qMXmT7IudxYGPtQCY=
+Created: 20220721024334
+Publish: 20220721024334
+Activate: 20220721024334
diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.key b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.key
new file mode 100644
index 0000000..a1f14c9
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.key
@@ -0,0 +1,2 @@
+; This is a zone-signing key, keyid 52810, for example.
+example. IN DNSKEY 256 3 8 BwEAAAAAAAHYYy161+wCg6yFHRlyex8oVkcK+K2SBUryI1+DEKzjusH6 yLfzzlJCPGrubmD+jseKYwXfzelJkRQbMDjWbMYLHKytuPtwnJMSeVh+ a/Ore6oVPXy716EYpsEBSmVjfQyS0mGHpwrYk4QaKjJDM7Q173EFl/sE eXjHqInlzOgJbXqsCrSfA94anSt42DGhJeeIfQ8b3vqD/nCnA6C7khIt AWlfJto7d42Ev8tckjr3CrTW9tn9pHb2DKeh85rKeJBBLMYQU3jfF5KH EEsjztLGMnPLlXTteh8wKrk/0IJrot17w0FR0H2v8oG3xDXxfhJ0OeTW 7dtBHD6ISgqeJ9zt
diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.private b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.private
new file mode 100644
index 0000000..bbb5ad9
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 2GMtetfsAoOshR0ZcnsfKFZHCvitkgVK8iNfgxCs47rB+si3885SQjxq7m5g/o7HimMF383pSZEUGzA41mzGCxysrbj7cJyTEnlYfmvzq3uqFT18u9ehGKbBAUplY30MktJhh6cK2JOEGioyQzO0Ne9xBZf7BHl4x6iJ5czoCW16rAq0nwPeGp0reNgxoSXniH0PG976g/5wpwOgu5ISLQFpXybaO3eNhL/LXJI69wq01vbZ/aR29gynofOayniQQSzGEFN43xeShxBLI87SxjJzy5V07XofMCq5P9CCa6Lde8NBUdB9r/KBt8Q18X4SdDnk1u3bQRw+iEoKnifc7Q==
+PublicExponent: AQAAAAAAAQ==
+PrivateExponent: aD+JLNdCtAk1++UwcGdPslSoWq2szZHGrY+I+YfhfcBZrPP13exC40hgUgRNuYJOaJ3WMpgsKI4p8YDVNttF6LI7WNBURQhmBSwquB5BWWkoh7uR4PfKWGB0ZkDwUQcA2IdMVS4+QAKVQMmUXGnXhQI1p8duAORZp0gE71VsHTEzwf5AIEG2+f/oCjDsMJN0J7X3qktJr5ho64aMHyHf5+yKk6fFcy7wfC175SkIZ53uBfpCsFXkgq8YukXfcyoG5o4FUHheGnDwkVOzviEUHk8xweJnNNRbV6n/ck9AXzq3VSA9BbrXtRzZmre/L6tJvEnbH0EycwDkxCMlOSqGbQ==
+Prime1: /hnW5M2vzAoAjx2wum98YZZ6gv1IpV88c4HDLA3vY79Qxd8FYanldxPNjgQJEPjHD5hG6tGN+cjZdXv/X+sk5j3fmCB7RKwMKcoD8A/jyH2JaQLTbXm6EBd1BCMIN+w3W+A2E6evYYyINLwMUwqRlUcAaD8HoDLK8iz6iAUhFss=
+Prime2: 2gEuuug1PDnbWWFVzzMUrVXiRiFqJVTTvR3AjJVJNZPwAL4FMenh98rtI3s1zSB6P4RSyvRJ6YMOAT0ZrMxviJy76EExGgCB5F4w7g67I7VGPuA1tLn5kt5j9j5wQmdq1yMG5QpCJWr7bxjSDYvIzy2sZjZ/KTuHGtUzFUnHrCc=
+Exponent1: MaDlpmDYxZ2QvM+cp58Bj160u+21qIA/UZ2ysh6102uQmYHm92481z2+AvCJuq2PpkuROMd/4i2w7L0RbfZ2MYzUFndLZ8NgmNDjNDfUzeRQl2KQdAOLK4DNXmf3mKwLO0Sbj/pxgj0vYAe9gcU4Pe8ukVuSX0nkehbDi4cjfr0=
+Exponent2: cNHFlVCwvEPNVnpQCZS3iqF/D3HN8FtP2st0CrYbjQI8DYpcQUWVMqUqdqFOkYM0/qadpkX+JMlPJTjJZ8YDYYWIZGSC2ruMPIxB7DayVDBbgugmsC1isZjyApdQ44xtdNVyMYmcYeHUz5gR1x/eWdGNyjzMEvfbEjXIKbRykAM=
+Coefficient: ovH/7MP64Dai8draXD3t+jl6UTchig+LDwXA2GvlZY0HVP+9yvE49VSKhoYxolL/ZmabIgzzOAyJ66SyYq31ozxbpKrBGiFdzAbgkJgFIbdYMgfLHXNkH1vissGeY0KdS5ee6sKDfk1VmE94UOVHi11oslvnTiG2RF/I3koYV7Q=
diff --git a/bin/tests/system/rsabigexponent/ns2/dsset-example.in b/bin/tests/system/rsabigexponent/ns2/dsset-example.in
new file mode 100644
index 0000000..9ad254b
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/dsset-example.in
@@ -0,0 +1 @@
+example. IN DS 51650 8 2 F225122667540159A30620B2D0888036BDF76276D245DE3453C883F0C3276705
diff --git a/bin/tests/system/rsabigexponent/ns2/example.db.bad b/bin/tests/system/rsabigexponent/ns2/example.db.bad
new file mode 100644
index 0000000..b105978
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/example.db.bad
@@ -0,0 +1,156 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example. 300 IN SOA mname1. . (
+ 2012050601 ; serial
+ 3600 ; refresh (1 hour)
+ 600 ; retry (10 minutes)
+ 604800 ; expire (1 week)
+ 3600 ; minimum (1 hour)
+ )
+ 300 RRSIG SOA 8 1 300 (
+ 20361231235959 20000101000000 52810 example.
+ IfZrUTjdr4Ull5MSQW4eHxrub6X5O8VWB3vG
+ kg6TBT8f2Aw4hLcwT0X47xRqL9nU1kKA3qpu
+ mi71wqiZPbYI+suHYGuqRO/V6YujdQRpLhGS
+ gTpLmETa46unkMDY6sze41AlCyzR79yaDxVS
+ +pS2V1AVYzQzzeswJXHwSLO5HKtClPL3izpV
+ AJD1+dL0UZRs9yOqbxU1RgvASPFEt+1Wd2p6
+ qwyeadJ7PB0PL7QQXSDsQ09Ms1BGoKq5p6Os
+ HtgXPo+aZQR2gczm3Yals9I1tZnk/ZM86aS0
+ 63NrEEUQycMNCr100WgWzYQzO90SmJMqpdeZ
+ fxzlRQbY7jN4qRbM7A== )
+ 300 NS ns2.example.
+ 300 RRSIG NS 8 1 300 (
+ 20361231235959 20000101000000 52810 example.
+ VUPhDucH6rlx93V13b7OSAQ6fE/9jlxhCTXv
+ peBD69WOa4jZHMZf60gqy10gLVMx35gZdEaU
+ cJqaBcAniSwPY3a7mxclMja7fmuCB9wcSbiP
+ pwk5KIYSgIvoWp3ro2I19C0IDQDVWtH1xqdQ
+ Dv+3MV39Zpf0AnXB05mBopI2DQI9mYHCnmis
+ F3pfcfs+h/ipyodE5kccBBRvtfKWHly342Xe
+ azHKM4eyuGj9NLwuwsoVgnyQ3I9hrKVAiUjS
+ fQ4cxyBVhh+Wb1/VrVSbX+X9VNzQ04mcREHS
+ yXIPoIQBNju3dyOSTQ+VIeasRvRU8nqMS/1f
+ oeqj5ehTjtfejF6Jfw== )
+ 300 NSEC a.example. NS SOA RRSIG NSEC DNSKEY
+ 300 RRSIG NSEC 8 1 300 (
+ 20361231235959 20000101000000 52810 example.
+ bG90DOCaN7BhihvtCUs2eJhSHkRaV582ROQi
+ AbamawevX8NQGJeVpHb3t5ekQuK5EWjLFr6i
+ bga5TpeP8HOv3lDb8w7kb7xOrHycw5Sizws5
+ PZTvtuty9nT6dZ9h4pfLNTbW+SBV904xv3JT
+ ZlXoxtm4JAdmKUcGiCFLjMvwbQ5SKEZq27uN
+ 9xCeY0CPkQmiGbTrySYFyNZsBBsL2OI5ec2V
+ TbQVSDhnnEhbVdMb8Yh2sTt9H/CT1yG2s4U9
+ a9ccxguFzt6mk+f5ZL+WKgxkTOMOrZW3dyiI
+ x53dNQyZN/tczibox/LLG/SaET5wR/V5gDsh
+ 9DObfc9u1+of/H0lhg== )
+ 300 DNSKEY 257 3 8 (
+ AwEAAeeXAGBcXxSNj5X/PWT8XDBk4U9OUkZ7
+ YKQBf2IN3V6OZomt/s3FUWIh70Wot+z1Ld3R
+ fswq1DjCaWNRFOMhs+9j3Fhc46wMZ4pnsDW1
+ nLHk2TnQRdrbiuhLkQy5oNMjSRxu924XLw5y
+ lsuqjxE7vXcCeKSFe674roSqwo39atWsTJMD
+ z0FQGxlPucnXai0nHoCeC7+u1s+wLaGcpNSZ
+ lsab7ZnyFD4HZ3HKUCJw/Jjr5CZjqal9KdmW
+ SC1SINRtlAN6PX5VSiNEncnYMCdjiv+ZhRGn
+ +aHh1BmEWomGbAm2Jjw5mrYMgDs9lJRc5Vtg
+ 0YXb9OkYvxNFV4QGw1oeF+M=
+ ) ; KSK; alg = RSASHA256 ; key id = 51650
+ 300 DNSKEY 256 3 8 (
+ BwEAAAAAAAHYYy161+wCg6yFHRlyex8oVkcK
+ +K2SBUryI1+DEKzjusH6yLfzzlJCPGrubmD+
+ jseKYwXfzelJkRQbMDjWbMYLHKytuPtwnJMS
+ eVh+a/Ore6oVPXy716EYpsEBSmVjfQyS0mGH
+ pwrYk4QaKjJDM7Q173EFl/sEeXjHqInlzOgJ
+ bXqsCrSfA94anSt42DGhJeeIfQ8b3vqD/nCn
+ A6C7khItAWlfJto7d42Ev8tckjr3CrTW9tn9
+ pHb2DKeh85rKeJBBLMYQU3jfF5KHEEsjztLG
+ MnPLlXTteh8wKrk/0IJrot17w0FR0H2v8oG3
+ xDXxfhJ0OeTW7dtBHD6ISgqeJ9zt
+ ) ; ZSK; alg = RSASHA256 ; key id = 52810
+ 300 RRSIG DNSKEY 8 1 300 (
+ 20361231235959 20000101000000 52810 example.
+ O4q1oueEgPoWHhrLiobGvMQLS2KHN+xxSddf
+ y6fqksqivRLgj0633fnEZrFtc44YueV+L4gQ
+ kaoWCCpR0yQH4BOw4p3FVjEgl+jXLzIc7amw
+ ZfKAnSOtMoTaBCQ2hN8b2ducUHgKV7ta9bca
+ lO0wuqqp2OOO/n9S3YMBVfrCW4jL2w1QPC+b
+ lm/4ka8OwqKKGAcO0d/nGeOPJZnfbddSzqEQ
+ C3j1tGavwBC4RAGilxw3XoyoICDp0LQR7M9a
+ tWAxYmMfilEEfpip9R3HhCa+ynIVsHP8yTXE
+ dlWM3LUZePm44aV38YeObJpRMkb8sO5VrbZn
+ 8hJoIs3eyguC4HKKTg== )
+ 300 RRSIG DNSKEY 8 1 300 (
+ 20361231235959 20000101000000 51650 example.
+ Eaw79mOoImGg+ymMJ+9paoanUgR/Od0Pxv/X
+ mevid1TRbssSc2KynAToxSXRcOQwRQjto9sC
+ qj0pOekPPmW1I6DRlMOGDS6l0Uuk51GvUuRD
+ Xbr19BG73mcPuKfYHNbx6cUHvBlPilnjM803
+ m9E8DK6Ba9uo/MNhgtWoWj8wQxqP2YS+HW3v
+ bOv/p4en9Dc5ft6ATtSYj84ejuPAKnfVbleI
+ fJW+qIQ7q9A24xEZ4QlWuRovjsoASVsuLnX+
+ X4sQYlWBIPMQYQ8RIN1CgSRPGb603pAq9ru6
+ ySpjlxHQRtdOGBNJleg9Wz612rHRd3x7BM+8
+ /Lvz31Ot/JSh3u4DSQ== )
+a.example. 300 IN A 10.0.0.1
+ 300 RRSIG A 8 2 300 (
+ 20361231235959 20000101000000 52810 example.
+ zp4L0Um0guehtT+4GQaMeYx5PiwEbSRyi7sg
+ Xv2uFn/wFML/Df0PgCxCYkWKL2Db/j15IZON
+ uz2CNRG7lDMZsb+JgyLZ6R3OuSKjwzA++kUu
+ 8ExPpdrFHxZFMPefkU1vjf7E1yt4/aSaO23T
+ m0F6yFHcVfBE1DElG1vLWO6cWtSIMKjXOo15
+ Zy2hHhT/7jKhqcHnwwCBHLuV9/e9OmI34H7I
+ Sd3Ik8dnNEjRTVbLem3tQMfQ9ZfYDHPHli+z
+ Z5dGgPmpyNPq5bfs7O5uCO5cNCbouFdEnc6O
+ DA9QiyOGba8w7vI1gHMvA+rWPpA+fTGgrVRq
+ 7bTfa0jTOsybR8rZjg== )
+ 300 NSEC ns2.example. A RRSIG NSEC
+ 300 RRSIG NSEC 8 2 300 (
+ 20361231235959 20000101000000 52810 example.
+ oh6oqdC9OIoO0jIN0x9MIBlYlzAg2LFYffrP
+ QlgPAtPn8A9cPCxU2i6hJ1ubqc6o1LVD7LH6
+ GVj842Ytys1uO2Nwf9xXS4gbchJ6NE9IjQh6
+ IoBNmlgdfprzJEJlEFx73dytakfcjc+hIj8t
+ b14Lu2/5BBDSamw+uVyeV8Wg2jNdrN7UEqyA
+ ccnhLPWHAOtspzxrmCrBDPc6Geelu8KzARs5
+ qOZ/p9CKffmKL/65K/N8WWKQWVNI22tAbiWT
+ J1t3BNkOLUSKMvEVLFcgStV4QtFcQrSB96Hu
+ D2rSbAGsH5Ujmz4GTxhOSqd8OJ7XDEWlhZod
+ LhUBltfjmakorhGqqg== )
+ns2.example. 300 IN A 10.53.0.2
+ 300 RRSIG A 8 2 300 (
+ 20361231235959 20000101000000 52810 example.
+ sDlETJwDoWqYZdcwYBW/l+Ot4Tb3mSXJvW3R
+ 1fsoiq/obWZeC+bU2MszckcZKPET2CRqBD+c
+ uLCcOhZrcH0m25Y02SAzOOG2V12KNvWVznSz
+ bZw+/+ucYhxhiNKherdwpHOAdjlhG//zFHDy
+ sAxmrtjWO2DT9pv1Hd/Hm3aGgAYTs0ryyeyo
+ k05sTgdr43APFkX4SNoNXGUEt8E0uMghIvhi
+ mgKSQ45fZFsZeUiEfwvtQ8uAuDNOLWK49Bw5
+ 184QrQ/NZ3YVyJercg7wm/jFMVkgxggiOl2q
+ ZCLadaSQNnsvtbwgyTktRJb5YovzZEQrH7O0
+ vW/DAN1Cqa1nXw/kZA== )
+ 300 NSEC example. A RRSIG NSEC
+ 300 RRSIG NSEC 8 2 300 (
+ 20361231235959 20000101000000 52810 example.
+ DyLuymW3Bv6irCLzfUGnz2cy1XctqfW7ycLc
+ 7wgDzDLNvJ6tqr8tjHKMdCODJDiG+lR5oFo7
+ 8RA604OYcmJjLIAMj3fCxzBkIlH5SXRcJ86X
+ a8U6oXrgt6IvUMC2crdWMVgVnSWlqBS4TNNg
+ QhUa+vt+Em8ce3fveqh1tXm1hzysSroOQtMk
+ HOPAtwYR9XP4mTdbC43AU/67jsYPqXq59lm4
+ sE1tmnVdhXuOk7yNAt8O2CSZGGZl5bYMC4On
+ IgWZP7liebXAmhmXpHbBf5/BaE9dVfvWzYTT
+ 4wUch+f8TDwwyTqumrlrPsVnvkQ9V0LwODox
+ PxWWxFAznmUMEtlo3g== )
diff --git a/bin/tests/system/rsabigexponent/ns2/example.db.in b/bin/tests/system/rsabigexponent/ns2/example.db.in
new file mode 100644
index 0000000..a2a6964
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/example.db.in
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2012050601 ; serial
+ 3600 ; refresh
+ 600 ; retry
+ 604800 ; expire
+ 3600 ; minimum
+ )
+ NS ns2
+ns2 A 10.53.0.2
+
+a A 10.0.0.1
diff --git a/bin/tests/system/rsabigexponent/ns2/named.conf.in b/bin/tests/system/rsabigexponent/ns2/named.conf.in
new file mode 100644
index 0000000..c81b3f6
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation no;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db.bad";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rsabigexponent/ns2/sign.sh b/bin/tests/system/rsabigexponent/ns2/sign.sh
new file mode 100755
index 0000000..53e2257
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/sign.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../../conf.sh
+
+zone=example.
+infile=example.db.in
+outfile=example.db.bad
+
+for i in Xexample.+008+51650.key Xexample.+008+51650.private \
+ Xexample.+008+52810.key Xexample.+008+52810.private
+do
+ cp $i $(echo $i | sed s/X/K/)
+done
+
+$SIGNER -g -s 20000101000000 -e 20361231235959 -o $zone \
+ $infile Kexample.+008+52810.key \
+ > /dev/null 2> signer.err || true
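Review bot: `outfile=example.db.bad` is assigned but never used, and the `|| true` on the `$SIGNER` command hides why a failure is acceptable here. The signer is expected to refuse the big-exponent ZSK (tests.sh greps signer.err for "out of range"), and ns2 serves the checked-in example.db.bad rather than anything this script produces. Say so above the command, for example `# Signing must fail: the ZSK exponent is out of range; tests.sh checks signer.err.`, and drop the unused variable. The `$i` and `$(echo $i | sed s/X/K/)` in the `cp` loop are unquoted, which is harmless for these fixed names but is worth quoting.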
diff --git a/bin/tests/system/rsabigexponent/ns3/named.conf.in b/bin/tests/system/rsabigexponent/ns3/named.conf.in
new file mode 100644
index 0000000..bc63656
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns3/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-validation yes;
+ max-rsa-exponent-size 35;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rsabigexponent/setup.sh b/bin/tests/system/rsabigexponent/setup.sh
new file mode 100644
index 0000000..b7c2801
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/setup.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+
+cd ns1 && $SHELL -e sign.sh
diff --git a/bin/tests/system/rsabigexponent/tests.sh b/bin/tests/system/rsabigexponent/tests.sh
new file mode 100644
index 0000000..39ebd8a
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/tests.sh
@@ -0,0 +1,58 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+. ../conf.sh
+
+status=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
+
+for f in conf/good*.conf
+do
+ echo_i "checking '$f'"
+ ret=0
+ $CHECKCONF $f > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+done
+
+for f in conf/bad*.conf
+do
+ echo_i "checking '$f'"
+ ret=0
+ $CHECKCONF $f > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+done
+
+echo_i "checking that RSA big exponent keys can't be loaded"
+ret=0
+grep "out of range" ns2/signer.err > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that RSA big exponent signature can't validate"
+ret=0
+$DIG $DIGOPTS a.example @10.53.0.2 > dig.out.ns2 || ret=1
+$DIG $DIGOPTS a.example @10.53.0.3 > dig.out.ns3 || ret=1
+grep "status: NOERROR" dig.out.ns2 > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.ns3 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
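Review bot: The last check takes `status: SERVFAIL` from 10.53.0.3 as proof that the big-exponent signature was rejected, but ns3 would presumably also answer SERVFAIL if it could not reach ns1/ns2 or its trust anchor were wrong. The test can therefore pass without the exponent limit being exercised. A positive control would separate the cases, or the test could also assert on the validator's rejection message in ns3/named.run (its text is not shown here, so confirm it first). The `conf/bad*.conf` loop has the same weakness: `$CHECKCONF $f > /dev/null && ret=1` accepts any non-zero exit. Capturing the output and checking that it names the option, e.g. `$CHECKCONF $f > checkconf.out 2>&1 && ret=1` followed by `grep "max-rsa-exponent-size" checkconf.out > /dev/null || ret=1`, would pin the reason, assuming the error message includes the option name.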
diff --git a/bin/tests/system/rsabigexponent/tests_sh_rsabigexponent.py b/bin/tests/system/rsabigexponent/tests_sh_rsabigexponent.py
new file mode 100644
index 0000000..38ab381
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/tests_sh_rsabigexponent.py
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_rsabigexponent(run_tests_sh):
+ run_tests_sh()