Add test for allowing update CDS/CDNSKEY

Add tests to the nsupdate system test to make sure that CDS and/or
CDNSKEY records whose algorithm matches one in the DNSKEY RRset are
allowed. Also add tests that such updates are rejected if the algorithm
does not match any DNSKEY algorithm.

Remove the now redundant test cases from the dnssec system test.

Update the checkzone system test: Change the algorithm of the CDS and
CDNSKEY records so that the zone is still rejected.
This commit is contained in:
Matthijs Mekking
2021-07-13 11:04:44 +02:00
committed by Evan Hunt
parent 2292b48c2a
commit 6b79db1fdd
8 changed files with 105 additions and 43 deletions


@@ -3368,26 +3368,6 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that a lone non matching CDS record is rejected ($n)"
ret=0
(
echo zone cds-update.secure
echo server 10.53.0.2 "$PORT"
echo update delete cds-update.secure CDS
dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure |
grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' |
$DSFROMKEY -C -A -f - -T 1 cds-update.secure |
sed "s/^/update add /"
echo send
) | $NSUPDATE > nsupdate.out.test$n 2>&1 || true
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
test "${lines:-10}" -eq 0 || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that a CDS deletion record is accepted ($n)"
ret=0
(
@@ -3601,25 +3581,6 @@ status=$((status+ret))
# precedes the supported one in the DNSKEY RRset, and verify the result still
# validates succesfully.
echo_i "check that a lone non matching CDNSKEY record is rejected ($n)"
ret=0
(
echo zone cdnskey-update.secure
echo server 10.53.0.2 "$PORT"
echo update delete cdnskey-update.secure CDNSKEY
echo send
dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p'
echo send
) | $NSUPDATE > nsupdate.out.test$n 2>&1 || true
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
test "${lines:-10}" -eq 0 || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that a CDNSKEY deletion record is accepted ($n)"
ret=0
(