remove DLV system tests
@@ -14,9 +14,12 @@ for the root.
|
||||
ns5 is a caching-only server, configured with the an incorrect trusted
|
||||
key for the root. It is used for testing failure cases.
|
||||
|
||||
ns6 is a caching-only server configured to use DLV.
|
||||
ns6 is an caching and authoritative server used for testing unusual
|
||||
server behaviors such as disabled DNSSEC algorithms.
|
||||
|
||||
ns7 is used for checking non-cacheable answers.
|
||||
|
||||
ns8 is a caching-only server, configured with unsupported and disabled
|
||||
algorithms. It is used for testing failure cases.
|
||||
|
||||
ns9 is a forwarding-only server.
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
|
||||
set -e
|
||||
|
||||
rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/dlvset-* ./*/signedkey-* ./*/*.signed
|
||||
rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/signedkey-* ./*/*.signed
|
||||
rm -f ./*/example.bk
|
||||
rm -f ./*/named.conf
|
||||
rm -f ./*/named.memstats
|
||||
@@ -44,10 +44,8 @@ rm -f ./ns2/cds-auto.secure.db ./ns2/cds-auto.secure.db.jnl
|
||||
rm -f ./ns2/cds-kskonly.secure.db
|
||||
rm -f ./ns2/cds-update.secure.db ./ns2/cds-update.secure.db.jnl
|
||||
rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db
|
||||
rm -f ./ns2/dlv.db
|
||||
rm -f ./ns2/in-addr.arpa.db
|
||||
rm -f ./ns2/nsec3chain-test.db
|
||||
rm -f ./ns2/private.secure.example.db
|
||||
rm -f ./ns2/single-nsec3.db
|
||||
rm -f ./ns2/updatecheck-kskonly.secure.*
|
||||
rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db
|
||||
|
||||
@@ -20,8 +20,6 @@ a.root-servers.nil. A 10.53.0.1
|
||||
|
||||
example. NS ns2.example.
|
||||
ns2.example. A 10.53.0.2
|
||||
dlv. NS ns2.dlv.
|
||||
ns2.dlv. A 10.53.0.2
|
||||
algroll. NS ns2.algroll.
|
||||
ns2.algroll. A 10.53.0.2
|
||||
managed. NS ns2.managed.
|
||||
|
||||
@@ -25,7 +25,6 @@ zonefile=root.db
|
||||
echo_i "ns1/sign.sh"
|
||||
|
||||
cp "../ns2/dsset-example$TP" .
|
||||
cp "../ns2/dsset-dlv$TP" .
|
||||
cp "../ns2/dsset-in-addr.arpa$TP" .
|
||||
|
||||
grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll$TP" > "dsset-algroll$TP"
|
||||
|
||||
@@ -1,19 +0,0 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns2
|
||||
ns2 A 10.53.0.2
|
||||
@@ -40,11 +40,6 @@ zone "." {
|
||||
file "../../common/root.hint";
|
||||
};
|
||||
|
||||
zone "dlv" {
|
||||
type master;
|
||||
file "dlv.db.signed";
|
||||
};
|
||||
|
||||
zone "trusted" {
|
||||
type master;
|
||||
file "trusted.db.signed";
|
||||
@@ -61,12 +56,6 @@ zone "example" {
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "private.secure.example" {
|
||||
type master;
|
||||
file "private.secure.example.db.signed";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "insecure.secure.example" {
|
||||
type master;
|
||||
file "insecure.secure.example.db";
|
||||
|
||||
@@ -136,31 +136,6 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zon
|
||||
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
|
||||
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
|
||||
|
||||
# Sign the privately secure file
|
||||
|
||||
privzone=private.secure.example
|
||||
privinfile=private.secure.example.db.in
|
||||
privzonefile=private.secure.example.db
|
||||
|
||||
privkeyname=$("$KEYGEN" -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone "$privzone")
|
||||
|
||||
cat "$privinfile" "$privkeyname.key" > "$privzonefile"
|
||||
|
||||
"$SIGNER" -P -g -o "$privzone" -l dlv "$privzonefile" > /dev/null 2>&1
|
||||
|
||||
# Sign the DLV secure zone.
|
||||
|
||||
dlvzone=dlv.
|
||||
dlvinfile=dlv.db.in
|
||||
dlvzonefile=dlv.db
|
||||
dlvsetfile="dlvset-${privzone}${TP}"
|
||||
|
||||
dlvkeyname=$("$KEYGEN" -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone "$dlvzone")
|
||||
|
||||
cat "$dlvinfile" "$dlvkeyname.key" "$dlvsetfile" > "$dlvzonefile"
|
||||
|
||||
"$SIGNER" -P -g -o "$dlvzone" "$dlvzonefile" > /dev/null 2>&1
|
||||
|
||||
# Sign the badparam secure file
|
||||
|
||||
zone=badparam.
|
||||
|
||||
@@ -23,7 +23,6 @@ options {
|
||||
notify yes;
|
||||
disable-algorithms . { @ALTERNATIVE_ALGORITHM@; };
|
||||
dnssec-validation yes;
|
||||
dnssec-lookaside . trust-anchor dlv;
|
||||
};
|
||||
|
||||
zone "." {
|
||||
|
||||
@@ -1212,34 +1212,6 @@ n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking that positive validation in a privately secure zone works ($n)"
|
||||
ret=0
|
||||
dig_with_opts +noauth a.private.secure.example. a @10.53.0.2 \
|
||||
> dig.out.ns2.test$n || ret=1
|
||||
dig_with_opts +noauth a.private.secure.example. a @10.53.0.4 \
|
||||
> dig.out.ns4.test$n || ret=1
|
||||
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
# Note - this is looking for failure, hence the &&
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking that negative validation in a privately secure zone works ($n)"
|
||||
ret=0
|
||||
dig_with_opts +noauth q.private.secure.example. a @10.53.0.2 \
|
||||
> dig.out.ns2.test$n || ret=1
|
||||
dig_with_opts +noauth q.private.secure.example. a @10.53.0.4 \
|
||||
> dig.out.ns4.test$n || ret=1
|
||||
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
# Note - this is looking for failure, hence the &&
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking that lookups succeed after disabling an algorithm ($n)"
|
||||
ret=0
|
||||
dig_with_opts +noauth example. SOA @10.53.0.2 \
|
||||
@@ -1253,28 +1225,6 @@ n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking privately secure to nxdomain works ($n)"
|
||||
ret=0
|
||||
dig_with_opts +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \
|
||||
> dig.out.ns4.test$n || ret=1
|
||||
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
# Note - this is looking for failure, hence the &&
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking privately secure wildcard to nxdomain works ($n)"
|
||||
ret=0
|
||||
dig_with_opts +noauth a.wild.private.secure.example. SOA @10.53.0.4 \
|
||||
> dig.out.ns4.test$n || ret=1
|
||||
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
# Note - this is looking for failure, hence the &&
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking a non-cachable NODATA works ($n)"
|
||||
ret=0
|
||||
dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.7 \
|
||||
@@ -1299,21 +1249,6 @@ n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
#
|
||||
# private.secure.example is served by the same server as its
|
||||
# grand parent and there is not a secure delegation from secure.example
|
||||
# to private.secure.example. In addition secure.example is using a
|
||||
# algorithm which the validation does not support.
|
||||
#
|
||||
echo_i "checking dnssec-lookaside-validation works ($n)"
|
||||
ret=0
|
||||
dig_with_opts private.secure.example. SOA @10.53.0.6 \
|
||||
> dig.out.ns6.test$n || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking that we can load a rfc2535 signed zone ($n)"
|
||||
ret=0
|
||||
dig_with_opts rfc2535.example. SOA @10.53.0.2 \
|
||||
@@ -2433,7 +2368,7 @@ status=$((status+ret))
|
||||
echo_i "checking that DS at a RFC 1918 empty zone lookup succeeds ($n)"
|
||||
ret=0
|
||||
dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1
|
||||
dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.6 >dig.out.ns6.test$n || ret=1
|
||||
dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.4 >dig.out.ns6.test$n || ret=1
|
||||
digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
|
||||
grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
|
||||
n=$((n+1))
|
||||
|
||||
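Review bot: The replacement query in the RFC 1918 DS check goes to 10.53.0.4 but still redirects into `dig.out.ns6.test$n`, and the `digcomp` and `grep "status: NOERROR"` lines after it keep reading that ns6-named file. The page has lost its +/- markers, so this assumes the `@10.53.0.4` line is the new side, which fits the hunk's 7/7 line counts. Elsewhere in this file answers from 10.53.0.4 are written to `dig.out.ns4.test$n`, so an artifact named for ns6 that holds ns4's answer will mislead whoever triages a validation failure; rename it consistently: `dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.4 >dig.out.ns4.test$n || ret=1`, `digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1`, `grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1`. The test block's closing `test "$ret"` and `status` lines fall outside the hunk.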