Add check for NSEC3 and key algorithms

NSEC3 is not backwards compatible with key algorithms that existed
before the RFC 5155 specification was published.
This commit is contained in:
Matthijs Mekking
2020-10-19 10:19:52 +02:00
parent f10790b02d
commit 00c5dabea3
6 changed files with 64 additions and 8 deletions


@@ -528,6 +528,14 @@ if [ $lines != 3 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
ret=0
$CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking named-checkconf kasp key errors ($n)"
ret=0