DLV tests unsupported/disabled algorithms

This tests both the cases when the DLV trust anchor is of an
unsupported or disabled algorithm, as well as if the DLV zone
contains a key with an unsupported or disabled algorithm.

bin/tests/system/dlv/clean.sh

@@ -16,6 +16,7 @@ rm -f ns1/dsset-*
 rm -f ns1/*.signed
 rm -f ns1/signer.err
 rm -f ns1/root.db
+rm -f ns1/trusted.conf
 rm -f ns2/K*
 rm -f ns2/dlvset-*
 rm -f ns2/dsset-*
@@ -25,18 +26,19 @@ rm -f ns2/signer.err
 rm -f ns2/druz.db
 rm -f ns3/K*
 rm -f ns3/*.db
-rm -f ns3/*.signed
+rm -f ns3/*.signed ns3/*.signed.tmp
 rm -f ns3/dlvset-*
 rm -f ns3/dsset-*
 rm -f ns3/keyset-*
-rm -f ns1/trusted.conf ns5/trusted.conf
-rm -f ns3/trusted-dlv.conf ns5/trusted-dlv.conf
+rm -f ns3/trusted*.conf
 rm -f ns3/signer.err
+rm -f ns5/trusted*.conf
 rm -f ns6/K*
 rm -f ns6/*.db
 rm -f ns6/*.signed
 rm -f ns6/dsset-*
 rm -f ns6/signer.err
+rm -f ns7/trusted*.conf ns8/trusted*.conf
 rm -f */named.memstats
 rm -f dig.out.ns*.test*
 rm -f ns*/named.lock

bin/tests/system/dlv/ns1/root.db.in

@@ -13,7 +13,14 @@ $TTL	120
 @		NS	ns.rootservers.utld
 ns		A	10.53.0.1
 ;
+; A zone that is unsigned (utld=unsigned tld) that will include a second level
+; zone that acts as a DLV.
+;
 utld		NS	ns.utld
 ns.utld		A	10.53.0.2
+;
+; A zone that has a bad DNSKEY RRset but has good DLV records for its child
+; zones.
+;
 druz		NS	ns.druz
 ns.druz		A	10.53.0.2

bin/tests/system/dlv/ns1/sign.sh

@@ -34,3 +34,5 @@ echo_i "signed $zone"
 
 keyfile_to_trusted_keys $keyname2 > trusted.conf
 cp trusted.conf ../ns5
+cp trusted.conf ../ns7
+cp trusted.conf ../ns8

bin/tests/system/dlv/ns2/named.conf.in

@@ -21,6 +21,17 @@ options {
 	notify yes;
 };
 
+/* Root hints. */
 zone "." { type hint; file "hints"; };
+
+/*
+ * A zone that is unsigned (utld=unsigned tld) that will include a second level
+ * zone that acts as a DLV.
+ */
 zone "utld" { type master; file "utld.db"; };
+
+/*
+ * A zone that has a bad DNSKEY RRset but has good DLV records for its child
+ * zones.
+ */
 zone "druz" { type master; file "druz.signed"; };

bin/tests/system/dlv/ns2/utld.db

@@ -18,6 +18,12 @@ ns.rootservers	A	10.53.0.1
 dlv		NS	ns.dlv
 ns.dlv		A	10.53.0.3
 ;
+disabled-algorithm-dlv		NS	ns.disabled-algorithm-dlv
+ns.disabled-algorithm-dlv	A	10.53.0.3
+;
+unsupported-algorithm-dlv	NS	ns.unsupported-algorithm-dlv
+ns.unsupported-algorithm-dlv	A	10.53.0.3
+;
 child1		NS	ns.child1
 ns.child1	A	10.53.0.3
 ;
@@ -47,3 +53,9 @@ ns.child9	A	10.53.0.3
 ;
 child10		NS	ns.child10
 ns.child10	A	10.53.0.3
+;
+disabled-algorithm		NS    ns.disabled-algorithm
+ns.disabled-algorithm		A     10.53.0.3
+;
+unsupported-algorithm		NS    ns.unsupported-algorithm
+ns.unsupported-algorithm	A     10.53.0.3

bin/tests/system/dlv/ns3/named.conf.in

@@ -21,21 +21,121 @@ options {
 	notify yes;
 };
 
+/* Root hints. */
 zone "." { type hint; file "hints"; };
-zone "dlv.utld" { type master; file "dlv.signed"; };
-zone "child1.utld" { type master; file "child1.signed"; };	// dlv
-zone "child3.utld" { type master; file "child3.signed"; };	// dlv
-zone "child4.utld" { type master; file "child4.signed"; };	// dlv
-zone "child5.utld" { type master; file "child5.signed"; };	// dlv
-zone "child7.utld" { type master; file "child7.signed"; };	// no dlv
-zone "child8.utld" { type master; file "child8.signed"; };	// no dlv
-zone "child9.utld" { type master; file "child9.signed"; };	// dlv
-zone "child10.utld" { type master; file "child.db.in"; }; 	// dlv unsigned
-zone "child1.druz" { type master; file "child1.druz.signed"; };	// dlv
-zone "child3.druz" { type master; file "child3.druz.signed"; };	// dlv
-zone "child4.druz" { type master; file "child4.druz.signed"; };	// dlv
-zone "child5.druz" { type master; file "child5.druz.signed"; };	// dlv
-zone "child7.druz" { type master; file "child7.druz.signed"; };	// no dlv
-zone "child8.druz" { type master; file "child8.druz.signed"; };	// no dlv
-zone "child9.druz" { type master; file "child9.druz.signed"; };	// dlv
-zone "child10.druz" { type master; file "child.db.in"; }; 	// dlv unsigned
+
+/* DLV zone below unsigned TLD. */
+zone "dlv.utld" { type master; file "dlv.utld.signed"; };
+
+/* DLV zone signed with a disabled algorithm below unsigned TLD. */
+zone "disabled-algorithm-dlv.utld." {
+	type master;
+	file "disabled-algorithm-dlv.utld.signed";
+};
+
+/* DLV zone signed with an unsupported algorithm below unsigned TLD. */
+zone "unsupported-algorithm-dlv.utld." {
+	type master;
+	file "unsupported-algorithm-dlv.utld.signed";
+};
+
+/* Signed zone below unsigned TLD with DLV entry. */
+zone "child1.utld" { type master; file "child1.signed"; };
+
+/*
+ * Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
+ * with a disabled algorithm.
+ */
+zone "child3.utld" { type master; file "child3.signed"; };
+
+/*
+ * Signed zone below unsigned TLD with DLV entry.  This one is slightly
+ * different because its children (the grandchildren) don't have a DS record in
+ * this zone.  The grandchild zones are served by ns6.
+ *
+ */
+zone "child4.utld" { type master; file "child4.signed"; };
+
+/*
+ * Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
+ * with an unsupported algorithm.
+ */
+zone "child5.utld" { type master; file "child5.signed"; };
+
+/* Signed zone below unsigned TLD without DLV entry. */
+zone "child7.utld" { type master; file "child7.signed"; };
+
+/*
+ * Signed zone below unsigned TLD without DLV entry and no DS records for the
+ * grandchildren.
+ */
+zone "child8.utld" { type master; file "child8.signed"; };
+
+/* Signed zone below unsigned TLD with DLV entry. */
+zone "child9.utld" { type master; file "child9.signed"; };
+
+/* Unsigned zone below an unsigned TLD with DLV entry. */
+zone "child10.utld" { type master; file "child.db.in"; };
+
+/*
+ * Zone signed with a disabled algorithm (an algorithm that is disabled in
+ * one of the test resolvers) with DLV entry.
+ */
+zone "disabled-algorithm.utld" {
+	type master;
+	file "disabled-algorithm.utld.signed";
+};
+
+/* Zone signed with an unsupported algorithm with DLV entry. */
+zone "unsupported-algorithm.utld" {
+	type master;
+	file "unsupported-algorithm.utld.signed";
+};
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no chain of
+ * trust.
+ */
+zone "child1.druz" { type master; file "child1.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no chain of
+ * trust.  The DLV zone is signed with a disabled algorithm.
+ */
+zone "child3.druz" { type master; file "child3.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no chain of
+ * trust.  Also there are no DS records for the grandchildren.
+ */
+zone "child4.druz" { type master; file "child4.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no chain of
+ * trust.  The DLV zone is signed with an unsupported algorithm.
+ */
+zone "child5.druz" { type master; file "child5.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD without DLV entry, and no chain of
+ * trust.
+ */
+zone "child7.druz" { type master; file "child7.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD without DLV entry and no DS set.  Also DS
+ * records for the grandchildren are not included in the zone.
+ */
+zone "child8.druz" { type master; file "child8.druz.signed"; };
+
+/*
+ * Signed zone below signed TLD with good DLV entry but no DS set.  Also DS
+ * records for the grandchildren are not included in the zone.
+ */
+zone "child9.druz" { type master; file "child9.druz.signed"; };
+
+/*
+ * Unsigned zone below signed TLD with good DLV entry but no chain of
+ * trust.
+ */
+zone "child10.druz" { type master; file "child.db.in"; };

bin/tests/system/dlv/ns3/sign.sh

@@ -16,10 +16,19 @@ SYSTEMTESTTOP=../..
 
 echo_i "dlv/ns3/sign.sh"
 
-dlvzone=dlv.utld.
+dlvzone="dlv.utld."
 dlvsets=
 dssets=
 
+disableddlvzone="disabled-algorithm-dlv.utld."
+disableddlvsets=
+disableddssets=
+
+unsupporteddlvzone="unsupported-algorithm-dlv.utld."
+unsupporteddlvsets=
+unsupporteddssets=
+
+# Signed zone below unsigned TLD with DLV entry.
 zone=child1.utld.
 infile=child.db.in
 zonefile=child1.utld.db
@@ -32,15 +41,17 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
 dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
 cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
 
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
+# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
+# with a disabled algorithm.
 zone=child3.utld.
 infile=child.db.in
 zonefile=child3.utld.db
 outfile=child3.signed
-dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+disableddlvsets="$disableddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
 
 keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
@@ -48,10 +59,13 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
 dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
 cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
 
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $disableddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
+# Signed zone below unsigned TLD with DLV entry.  This one is slightly
+# different because its children (the grandchildren) don't have a DS record in
+# this zone.  The grandchild zones are served by ns6.
 zone=child4.utld.
 infile=child.db.in
 zonefile=child4.utld.db
@@ -63,15 +77,17 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
+# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
+# with an unsupported algorithm.
 zone=child5.utld.
 infile=child.db.in
 zonefile=child5.utld.db
 outfile=child5.signed
-dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+unsupporteddlvsets="$unsupporteddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
 
 keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
@@ -79,10 +95,10 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
 dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
 cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
 
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $unsupporteddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
-
+# Signed zone below unsigned TLD without DLV entry.
 zone=child7.utld.
 infile=child.db.in
 zonefile=child7.utld.db
@@ -94,10 +110,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
 dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
 cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
 
-$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
+# Signed zone below unsigned TLD without DLV entry and no DS records for the
+# grandchildren.
 zone=child8.utld.
 infile=child.db.in
 zonefile=child8.utld.db
@@ -108,10 +126,10 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
-
+# Signed zone below unsigned TLD with DLV entry.
 zone=child9.utld.
 infile=child.db.in
 zonefile=child9.utld.db
@@ -123,9 +141,11 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
+# Unsigned zone below an unsigned TLD with DLV entry.  We still need to sign
+# the zone to generate the DLV set.
 zone=child10.utld.
 infile=child.db.in
 zonefile=child10.utld.db
@@ -137,9 +157,50 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
+
+# Zone signed with a disabled algorithm (an algorithm that is disabled in
+# one of the test resolvers) with DLV entry.
+zone=disabled-algorithm.utld.
+infile=child.db.in
+zonefile=disabled-algorithm.utld.db
+outfile=disabled-algorithm.utld.signed
+dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+
+keyname1=`$KEYGEN -a $DISABLED_ALGORITHM -b $DISABLED_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DISABLED_ALGORITHM -b $DISABLED_BITS -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -O full -l $dlvzone -o $zone -f ${outfile} $zonefile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed $zone"
+
+
+# Zone signed with an unsupported algorithm with DLV entry.
+zone=unsupported-algorithm.utld.
+infile=child.db.in
+zonefile=unsupported-algorithm.utld.db
+outfile=unsupported-algorithm.utld.signed
+dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -O full -l $dlvzone -o $zone -f ${outfile}.tmp $zonefile > /dev/null 2> signer.err || cat signer.err
+awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${outfile}.tmp > $outfile
+
+cp ${keyname2}.key ${keyname2}.tmp
+awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key
+cp dlvset-${zone} dlvset-${zone}tmp
+awk '$3 == "DLV" { $5 = 255 } { print }' dlvset-${zone}tmp > dlvset-${zone}
+
+echo_i "signed $zone"
+
+# Signed zone below signed TLD with DLV entry and DS set.
 zone=child1.druz.
 infile=child.db.in
 zonefile=child1.druz.db
@@ -153,16 +214,18 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
 dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
 cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
 
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
+# Signed zone below signed TLD with DLV entry and DS set.  The DLV zone is
+# signed with a disabled algorithm.
 zone=child3.druz.
 infile=child.db.in
 zonefile=child3.druz.db
 outfile=child3.druz.signed
-dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
+disableddlvsets="$disableddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+disableddssets="$disableddssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
 
 keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
@@ -170,10 +233,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
 dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
 cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
 
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $disableddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
+# Signed zone below signed TLD with DLV entry and DS set, but missing
+# DS records for the grandchildren.
 zone=child4.druz.
 infile=child.db.in
 zonefile=child4.druz.db
@@ -186,16 +251,18 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
+# Signed zone below signed TLD with DLV entry and DS set.  The DLV zone is
+# signed with an unsupported algorithm algorithm.
 zone=child5.druz.
 infile=child.db.in
 zonefile=child5.druz.db
 outfile=child5.druz.signed
-dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
+unsupporteddlvsets="$unsupporteddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+unsupporteddssets="$unsupportedssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
 
 keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
@@ -203,10 +270,11 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
 dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
 cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
 
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $unsupporteddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
+# Signed zone below signed TLD without DLV entry, but with normal DS set.
 zone=child7.druz.
 infile=child.db.in
 zonefile=child7.druz.db
@@ -219,10 +287,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
 dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
 cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
 
-$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
+# Signed zone below signed TLD without DLV entry and no DS set.  Also DS
+# records for the grandchildren are not included in the zone.
 zone=child8.druz.
 infile=child.db.in
 zonefile=child8.druz.db
@@ -233,10 +303,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
+# Signed zone below signed TLD with DLV entry but no DS set.  Also DS
+# records for the grandchildren are not included in the zone.
 zone=child9.druz.
 infile=child.db.in
 zonefile=child9.druz.db
@@ -248,9 +320,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
+
+# Unsigned zone below signed TLD with DLV entry and DS set.  We still need to
+# sign the zone to generate the DS sets.
 zone=child10.druz.
 infile=child.db.in
 zonefile=child10.druz.db
@@ -263,24 +338,60 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
-
-zone=dlv.utld.
-infile=dlv.db.in
-zonefile=dlv.utld.db
-outfile=dlv.signed
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-keyfile_to_trusted_keys $keyname2 > trusted-dlv.conf
-cp trusted-dlv.conf ../ns5
-
 cp $dssets ../ns2
+cp $disableddssets ../ns2
+cp $unsupporteddssets ../ns2
+
+# DLV zones
+infile=dlv.db.in
+for zone in dlv.utld. disabled-algorithm-dlv.utld. unsupported-algorithm-dlv.utld.
+do
+	zonefile="${zone}db"
+	outfile="${zone}signed"
+
+	case $zone in
+	"dlv.utld.")
+		algorithm=$DEFAULT_ALGORITHM
+		bits=$DEFAULT_BITS
+		dlvfiles=$dlvsets
+		;;
+	"disabled-algorithm-dlv.utld.")
+		algorithm=$DISABLED_ALGORITHM
+		bits=$DISABLED_BITS
+		dlvfiles=$disableddlvsets
+		;;
+	"unsupported-algorithm-dlv.utld.")
+		algorithm=$DEFAULT_ALGORITHM
+		bits=$DEFAULT_BITS
+		dlvfiles=$unsupporteddlvsets
+		;;
+	esac
+
+	keyname1=`$KEYGEN -a $algorithm -b $bits -n zone $zone 2> /dev/null`
+	keyname2=`$KEYGEN -f KSK -a $algorithm -b $bits -n zone $zone 2> /dev/null`
+
+	cat $infile $dlvfiles $keyname1.key $keyname2.key >$zonefile
+
+	case $zone in
+	"dlv.utld.")
+		$SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+	        keyfile_to_trusted_keys $keyname2 > ../ns5/trusted-dlv.conf
+		;;
+	"disabled-algorithm-dlv.utld.")
+		$SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+		keyfile_to_trusted_keys $keyname2 > ../ns8/trusted-dlv-disabled.conf
+		;;
+	"unsupported-algorithm-dlv.utld.")
+		cp ${keyname2}.key ${keyname2}.tmp
+		$SIGNER -O full -o $zone -f ${outfile}.tmp $zonefile > /dev/null 2> signer.err || cat signer.err
+		awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${outfile}.tmp > $outfile
+		awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key
+		keyfile_to_trusted_keys $keyname2 > ../ns7/trusted-dlv-unsupported.conf
+		;;
+	esac
+
+	echo_i "signed $zone"
+done

bin/tests/system/dlv/ns5/named.conf.in

@@ -24,6 +24,7 @@ options {
 	notify yes;
 	dnssec-validation yes;
 	dnssec-lookaside "." trust-anchor "dlv.utld";
+	disable-algorithms "utld." { @DISABLED_ALGORITHM@; };
 };
 
 zone "." { type hint; file "hints"; };

bin/tests/system/dlv/ns7/hints

@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1
+

bin/tests/system/dlv/ns7/named.conf.in

@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "trusted.conf";
+include "trusted-dlv-unsupported.conf";
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnssec-enable yes;
+	dnssec-validation yes;
+	dnssec-lookaside "." trust-anchor "unsupported-algorithm-dlv.utld";
+};
+
+zone "." { type hint; file "hints"; };
+

bin/tests/system/dlv/ns8/hints

@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1
+

bin/tests/system/dlv/ns8/named.conf.in

@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "trusted.conf";
+include "trusted-dlv-disabled.conf";
+
+options {
+	query-source address 10.53.0.8;
+	notify-source 10.53.0.8;
+	transfer-source 10.53.0.8;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.8; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnssec-enable yes;
+	dnssec-validation yes;
+	dnssec-lookaside "." trust-anchor "disabled-algorithm-dlv.utld";
+	disable-algorithms "disabled-algorithm-dlv.utld." { @DISABLED_ALGORITHM@; };
+};
+
+zone "." { type hint; file "hints"; };
+

bin/tests/system/dlv/setup.sh

@@ -20,5 +20,7 @@ copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
 
 (cd ns1 && $SHELL -e sign.sh)

bin/tests/system/dlv/tests.sh

@@ -19,37 +19,93 @@ rm -f dig.out.*
 
 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
 
-echo_i "checking that DNSKEY reference by DLV validates as secure ($n)"
+echo_i "checking that unsigned TLD zone DNSKEY referenced by DLV validates as secure ($n)"
 ret=0
 $DIG $DIGOPTS child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i "checking that child DNSKEY reference by DLV validates as secure ($n)"
+echo_i "checking that unsigned TLD child zone DNSKEY referenced by DLV validates as secure ($n)"
 ret=0
 $DIG $DIGOPTS grand.child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i "checking that SOA reference by DLV in a DRUZ with DS validates as secure ($n)"
+echo_i "checking that no chain of trust SOA referenced by DLV validates as secure ($n)"
 ret=0
 $DIG $DIGOPTS child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i "checking that child SOA reference by DLV in a DRUZ with DS validates as secure ($n)"
+echo_i "checking that no chain of trust child SOA referenced by DLV validates as secure ($n)"
 ret=0
 $DIG $DIGOPTS grand.child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+# Test that a child zone that is signed with an unsupported algorithm,
+# referenced by a good DLV zone, yields an insecure response.
+echo_i "checking that unsupported algorithm TXT referenced by DLV validates as insecure ($n)"
+ret=0
+$DIG $DIGOPTS foo.unsupported-algorithm.utld txt @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS foo.unsupported-algorithm.utld txt @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+grep -q "foo\.unsupported-algorithm\.utld\..*TXT.*\"foo\"" dig.out.ns5.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test that a child zone that is signed with a disabled algorithm,
+# referenced by a good DLV zone, yields an insecure response.
+echo_i "checking that disabled algorithm TXT referenced by DLV validates as insecure ($n)"
+ret=0
+$DIG $DIGOPTS foo.disabled-algorithm.utld txt @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS foo.disabled-algorithm.utld txt @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+grep -q "foo\.disabled-algorithm\.utld\..*TXT.*\"foo\"" dig.out.ns5.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test that a child zone that is signed with a known algorithm, referenced by
+# a DLV zone that is signed with a disabled algorithm, yields a bogus
+# response.
+echo_i "checking that good signed TXT referenced by disabled algorithm DLV validates as bogus ($n)"
+ret=0
+$DIG $DIGOPTS foo.child3.utld txt @10.53.0.8 > dig.out.ns8.test$n || ret=1
+grep "status: SERVFAIL" dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+grep -q "foo\.child3\.utld\..*TXT.*\"foo\"" dig.out.ns8.test$n && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test that a child zone that is signed with a known algorithm, referenced by
+# a DLV zone that is signed with an unsupported algorithm, yields a bogus
+# response.
+echo_i "checking that good signed TXT referenced by unsupported algorithm DLV validates as bogus ($n)"
+ret=0
+$DIG $DIGOPTS foo.child5.utld txt @10.53.0.7 > dig.out.ns7.test$n || ret=1
+grep "status: SERVFAIL" dig.out.ns7.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns7.test$n > /dev/null && ret=1
+grep -q "foo\.child5\.utld\..*TXT.*\"foo\"" dig.out.ns7.test$n && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1