1589. [func] DNSSEC lookaside validation.

enable-dnssec -> dnssec-enable

bin/tests/system/dnssec/ns1/named.conf

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.19 2004/03/05 05:00:12 marka Exp $ */
+/* $Id: named.conf,v 1.20 2004/03/10 02:19:53 marka Exp $ */
 
 // NS1
 
@@ -31,7 +31,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
-	enable-dnssec yes;
+	dnssec-enable yes;
 };
 
 zone "." {

bin/tests/system/dnssec/ns1/root.db.in

@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db.in,v 1.7 2004/03/05 05:00:12 marka Exp $
+; $Id: root.db.in,v 1.8 2004/03/10 02:19:53 marka Exp $
 
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
@@ -28,3 +28,5 @@ a.root-servers.nil.	A	10.53.0.1
 
 example.		NS	ns2.example.
 ns2.example.		A	10.53.0.2
+dlv.			NS	ns2.dlv.
+ns2.dlv.		A	10.53.0.2

bin/tests/system/dnssec/ns1/sign.sh

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.18 2004/03/05 05:00:12 marka Exp $
+# $Id: sign.sh,v 1.19 2004/03/10 02:19:53 marka Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -29,6 +29,7 @@ zonefile=root.db
 (cd ../ns2 && sh sign.sh )
 
 cp ../ns2/keyset-example. .
+cp ../ns2/keyset-dlv. .
 
 keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
 

bin/tests/system/dnssec/ns2/named.conf

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.22 2004/03/05 05:00:16 marka Exp $ */
+/* $Id: named.conf,v 1.23 2004/03/10 02:19:53 marka Exp $ */
 
 // NS2
 
@@ -31,7 +31,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
-	enable-dnssec yes;
+	dnssec-enable yes;
 };
 
 zone "." {
@@ -39,6 +39,11 @@ zone "." {
 	file "../../common/root.hint";
 };
 
+zone "dlv" {
+	type master;
+	file "dlv.db.signed";
+};
+
 zone "example" {
 	type master;
 	file "example.db.signed";

bin/tests/system/dnssec/ns2/sign.sh

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.23 2004/03/05 05:00:16 marka Exp $
+# $Id: sign.sh,v 1.24 2004/03/10 02:19:53 marka Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -52,4 +52,17 @@ privkeyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $privzone`
 
 cat $privinfile $privkeyname.key >$privzonefile
 
-$SIGNER -g -r $RANDFILE -o $privzone $privzonefile > /dev/null
+$SIGNER -g -r $RANDFILE -o $privzone -l dlv $privzonefile > /dev/null
+
+# Sign the DLV secure zone.
+
+
+dlvzone=dlv.
+dlvinfile=dlv.db.in
+dlvzonefile=dlv.db
+
+dlvkeyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $dlvzone`
+
+cat $dlvinfile $dlvkeyname.key dlvset-$privzone > $dlvzonefile
+
+$SIGNER -g -r $RANDFILE -o $dlvzone $dlvzonefile > /dev/null

bin/tests/system/dnssec/ns3/named.conf

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.24 2004/03/05 05:00:20 marka Exp $ */
+/* $Id: named.conf,v 1.25 2004/03/10 02:19:54 marka Exp $ */
 
 // NS3
 
@@ -31,7 +31,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
-	enable-dnssec yes;
+	dnssec-enable yes;
 };
 
 zone "." {

bin/tests/system/dnssec/ns4/named.conf

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.21 2004/03/05 05:00:24 marka Exp $ */
+/* $Id: named.conf,v 1.22 2004/03/10 02:19:54 marka Exp $ */
 
 // NS4
 
@@ -30,7 +30,7 @@ options {
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	recursion yes;
-	enable-dnssec yes;
+	dnssec-enable yes;
 };
 
 zone "." {

bin/tests/system/dnssec/ns5/named.conf

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.19 2004/03/05 05:00:31 marka Exp $ */
+/* $Id: named.conf,v 1.20 2004/03/10 02:19:54 marka Exp $ */
 
 // NS5
 
@@ -30,7 +30,7 @@ options {
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
 	recursion yes;
-	enable-dnssec yes;
+	dnssec-enable yes;
 };
 
 zone "." {

bin/tests/system/dnssec/ns6/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.5 2004/03/05 05:00:35 marka Exp $ */
+/* $Id: named.conf,v 1.6 2004/03/10 02:19:54 marka Exp $ */
 
 // NS6
 
@@ -31,7 +31,8 @@ options {
 	recursion yes;
 	notify yes;
 	disable-algorithms . { DSA; };
-	enable-dnssec yes;
+	dnssec-enable yes;
+	dnssec-lookaside dlv;
 };
 
 zone "." {

bin/tests/system/dnssec/tests.sh

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.43 2004/03/05 05:00:09 marka Exp $
+# $Id: tests.sh,v 1.44 2004/03/10 02:19:53 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -441,6 +441,12 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking dnssec-lookaside-validation works ($n)"
+ret=0
+$DIG $DIGOPTS private.secure.example. SOA @10.53.0.6 \
+	> dig.out.ns6.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null || ret=1
+
 # Run a minimal update test if possible.  This is really just
 # a regression test for RT #2399; more tests should be added.