3203. [bug] Increase log level to 'info' for validation failures

from expired or not-yet-valid RRSIGs. [RT #21796]
2011-11-04 05:36:28 +00:00
parent c4c0b6599a
commit 25845da41a
6 changed files with 33 additions and 10 deletions
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.

-; $Id: example.db.in,v 1.30 2011/03/05 06:35:41 marka Exp $
+; $Id: example.db.in,v 1.31 2011/11/04 05:36:28 each Exp $

 $TTL 300	; 5 minutes
@			IN SOA	mname1. . (
@@ -73,6 +73,10 @@ dynamic			A	10.53.0.3
 mustbesecure		NS	ns.mustbesecure
 ns.mustbesecure		A	10.53.0.3

+; A subdomain with expired signatures
+expired			NS	ns.expired
+ns.expired		A	10.53.0.3
+
 ; A rfc2535 signed zone w/ CNAME
 rfc2535			NS	ns.rfc2535
 ns.rfc2535		A	10.53.0.3
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: sign.sh,v 1.49 2011/03/21 20:31:22 marka Exp $
+# $Id: sign.sh,v 1.50 2011/11/04 05:36:28 each Exp $

 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -33,7 +33,7 @@ zonefile=example.db
 for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
    optout-unknown multiple rsasha256 rsasha512 kskonly update-nsec3 \
    auto-nsec auto-nsec3 secure.below-cname ttlpatch split-dnssec \
-    split-smart
+    split-smart expired
 do
 	cp ../ns3/dsset-$subdomain.example. .
 done
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: sign.sh,v 1.42 2011/05/23 20:10:02 each Exp $
+# $Id: sign.sh,v 1.43 2011/11/04 05:36:28 each Exp $

 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -271,7 +271,7 @@ zonefile=expired.example.db
 kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
 zskname=`$KEYGEN -q -r $RANDFILE $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone -s -3h -e +1h $zonefile > /dev/null 2>&1
+$SIGNER -P -r $RANDFILE -o $zone -s -1d -e +1h $zonefile > /dev/null 2>&1
 rm -f $kskname.* $zskname.*

 #
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: tests.sh,v 1.101 2011/10/28 06:20:05 each Exp $
+# $Id: tests.sh,v 1.102 2011/11/04 05:36:28 each Exp $

 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -1273,8 +1273,18 @@ status=`expr $status + $ret`

 echo "I:checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)"
 ret=0
-$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns2.test$n || ret=1
-grep "RRSIG.SOA" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
+grep "RRSIG.SOA" dig.out.ns3.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+
+status=`expr $status + $ret`
+echo "I:checking expired signatures do not validate ($n)"
+ret=0
+$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.4 soa > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "expired.example .*: RRSIG has expired" ns4/named.run > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`