3461. [bug] Negative responses could incorrectly have AD=1
set. [RT #32237]
@@ -63,6 +63,7 @@ rm -f ns3/ttlpatch.example.db.patched
|
||||
rm -f ns3/split-smart.example.db
|
||||
rm -f ns3/inline.example.db.signed
|
||||
rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower
|
||||
rm -f ns6/optout-tld.db
|
||||
rm -f nosign.before
|
||||
rm -f signing.out*
|
||||
rm -f canonical?.*
|
||||
|
||||
@@ -32,3 +32,5 @@ dlv. NS ns2.dlv.
|
||||
ns2.dlv. A 10.53.0.2
|
||||
algroll NS ns2.algroll
|
||||
ns2.algroll. A 10.53.0.2
|
||||
optout-tld NS ns6.optout-tld.
|
||||
ns6.optout-tld. A 10.53.0.6
|
||||
|
||||
@@ -27,10 +27,12 @@ infile=root.db.in
|
||||
zonefile=root.db
|
||||
|
||||
(cd ../ns2 && sh sign.sh )
|
||||
(cd ../ns6 && sh sign.sh )
|
||||
|
||||
cp ../ns2/dsset-example. .
|
||||
cp ../ns2/dsset-dlv. .
|
||||
grep "8 [12] " ../ns2/dsset-algroll. > dsset-algroll.
|
||||
cp ../ns6/dsset-optout-tld. .
|
||||
|
||||
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
|
||||
|
||||
|
||||
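--- a/bin/tests/system/dnssec/ns6/named.args
+++ b/bin/tests/system/dnssec/ns6/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -g -T nonearest -T clienttest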
@@ -42,4 +42,9 @@ zone "." {
|
||||
file "../../common/root.hint";
|
||||
};
|
||||
|
||||
zone "optout-tld" {
|
||||
type master;
|
||||
file "optout-tld.db.signed";
|
||||
};
|
||||
|
||||
include "trusted.conf";
|
||||
|
||||
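--- a/bin/tests/system/dnssec/ns6/optout-tld.db.in
+++ b/bin/tests/system/dnssec/ns6/optout-tld.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.db.in,v 1.2 2010/06/03 06:29:03 marka Exp $
+$TTL 60
+optout-tld. 60 IN SOA example. . 0 0 0 0 0
+optout-tld. 60 IN NS ns6.optout-tld.
+ns6.optout-tld. 60 IN A 10.53.0.6
+a 60 PTR example.
+b 60 PTR example.
+a.b.c.d 60 NS example.
+e 60 PTR example.
+f 60 PTR example.
+g 60 PTR example.
+h 60 PTR example.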
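--- a/bin/tests/system/dnssec/ns6/sign.sh
+++ b/bin/tests/system/dnssec/ns6/sign.sh
@@ -0,0 +1,33 @@
+#!/bin/sh -e
+#
+# Copyright (C) 2004, 2006-2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000-2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.43 2011/11/04 05:36:28 each Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=optout-tld
+infile=optout-tld.db.in
+zonefile=optout-tld.db
+
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
+
+cat $infile $keyname.key >$zonefile
+
+$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1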
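Review bot: The `-e` on the `#!/bin/sh -e` line is not applied when this script is started as `sh sign.sh`, which is how the caller's hunk on this page runs it (`(cd ../ns6 && sh sign.sh )`), so a failed `$KEYGEN` leaves `keyname` empty and the script carries on to `cat` and `$SIGNER`. Put `set -e` in the body, right after the licence header, so the abort-on-error behaviour does not depend on how the script is launched. The final line also sends all `$SIGNER` output to `/dev/null`; redirecting it to a log file in the test directory instead would keep the diagnostics when signing fails. Quoting the expansions (`"$RANDFILE"`, `"$zonefile"`, `"$keyname.key"`) would additionally protect against paths containing spaces coming from conf.sh.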
@@ -1965,5 +1965,25 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:check against against missing nearest provable proof ($n)"
|
||||
$DIG $DIGOPTS +norec b.c.d.optout-tld. \
|
||||
@10.53.0.6 ds > dig.out.ds.ns6.test$n || ret=1
|
||||
nsec3=`grep "IN.NSEC3" dig.out.ds.ns6.test$n | wc -l`
|
||||
[ $nsec3 -eq 2 ] || ret=1
|
||||
$DIG $DIGOPTS +norec b.c.d.optout-tld. \
|
||||
@10.53.0.6 A > dig.out.ns6.test$n || ret=1
|
||||
nsec3=`grep "IN.NSEC3" dig.out.ns6.test$n | wc -l`
|
||||
[ $nsec3 -eq 1 ] || ret=1
|
||||
$DIG $DIGOPTS optout-tld. \
|
||||
@10.53.0.4 SOA > dig.out.soa.ns4.test$n || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n > /dev/null || ret=1
|
||||
$DIG $DIGOPTS b.c.d.optout-tld. \
|
||||
@10.53.0.4 A > dig.out.ns4.test$n || ret=1
|
||||
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:exit status: $status"
|
||||
exit $status
|
||||
|
||||
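Review bot: `ret` is never reset at the start of the new "missing nearest provable proof" test: the hunk goes from the line that adds `$ret` to `status` straight to the `echo`, so a failure in the preceding test is carried into this one and counted in `status` a second time. Add `ret=0` as the first line of the new block, before the `echo`. The two AD-flag greps against 10.53.0.4 are what actually guard the fix described in the commit message, so a short comment above the last `$DIG` call, for example `# negative answer with an incomplete NSEC3 proof must come back without AD`, would make the intent clear (wording to be confirmed by the author). The echo text also repeats the word "against". The test file continues above this hunk, so whether `ret=0` is set elsewhere cannot be seen from here.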