Add test for allowing update CDS/CDNSKEY
Add tests to the nsupdate system test to make sure that CDS and/or CDNSKEY that match an algorithm in the DNSKEY RRset are allowed. Also add tests that updates are rejected if the algorithm does not match. Remove the now redundant test cases from the dnssec system test. Update the checkzone system test: Change the algorithm of the CDS and CDNSKEY records so that the zone is still rejected.
This commit is contained in:
Matthijs Mekking
committed by
Evan Hunt
Evan Hunt
parent
2292b48c2a
commit
6b79db1fdd
@@ -52,6 +52,16 @@ while true; do
|
||||
fi
|
||||
done
|
||||
|
||||
has_positive_response() {
|
||||
zone=$1
|
||||
type=$2
|
||||
ns=$3
|
||||
$DIG $DIGOPTS +tcp +norec $zone $type @$ns > dig.out.post.test$n || return 1
|
||||
grep "status: NOERROR" dig.out.post.test$n > /dev/null || return 1
|
||||
grep "ANSWER: 0," dig.out.post.test$n > /dev/null && return 1
|
||||
return 0
|
||||
}
|
||||
|
||||
ret=0
|
||||
echo_i "fetching first copy of zone before update"
|
||||
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
|
||||
@@ -1227,6 +1237,75 @@ grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
|
||||
grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check that CDS with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)"
|
||||
$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1
|
||||
grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
|
||||
grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
|
||||
$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
|
||||
server 10.53.0.3 ${PORT}
|
||||
zone multisigner.test
|
||||
update add multisigner.test 3600 IN CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
|
||||
send
|
||||
END
|
||||
msg=": bad CDS RRset"
|
||||
nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1
|
||||
$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.post.test$n || ret=1
|
||||
grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
|
||||
grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check that CDNSKEY with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)"
|
||||
$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1
|
||||
grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
|
||||
grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
|
||||
nextpart ns3/named.run > /dev/null
|
||||
$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
|
||||
server 10.53.0.3 ${PORT}
|
||||
zone multisigner.test
|
||||
update add multisigner.test 3600 IN CDNSKEY 257 3 14 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ==
|
||||
send
|
||||
END
|
||||
msg=": bad CDNSKEY RRset"
|
||||
nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1
|
||||
$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.post.test$n || ret=1
|
||||
grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
|
||||
grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check that CDS to DNSSEC multisigner zone is allowed ($n)"
|
||||
$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1
|
||||
grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
|
||||
grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
|
||||
$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 || ret=1
|
||||
server 10.53.0.3 ${PORT}
|
||||
zone multisigner.test
|
||||
update add multisigner.test 3600 IN CDS 14364 13 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
|
||||
send
|
||||
END
|
||||
retry_quiet 5 has_positive_response multisigner.test CDS 10.53.0.3 || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check that CDNSKEY to DNSSEC multisigner zone is allowed ($n)"
|
||||
$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1
|
||||
grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
|
||||
grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
|
||||
$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 || ret=1
|
||||
server 10.53.0.3 ${PORT}
|
||||
zone multisigner.test
|
||||
update add multisigner.test 3600 IN CDNSKEY 257 3 13 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ==
|
||||
send
|
||||
END
|
||||
retry_quiet 5 has_positive_response multisigner.test CDNSKEY 10.53.0.3 || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)"
|
||||
|
||||
Reference in New Issue
Block a user