Add dnssec-signzone tests with unsupported alg

dnssec-signzone should sign a zonefile that contains a DNSKEY record with an unsupported algorithm.
2018-12-18 12:10:05 +01:00
parent b04842c057
commit 6d976b37c1
8 changed files with 129 additions and 2 deletions
--- a/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
+++ b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.e			A	10.0.0.6
+child			NS	ns2.example.
--- a/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
+++ b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.e			A	10.0.0.6
+child			NS	ns2.example.
--- a/bin/tests/system/dnssec/ns3/dsa.key
+++ b/bin/tests/system/dnssec/ns3/dsa.key
@@ -0,0 +1 @@
+dnskey-unsupported-2.example.	IN	DNSKEY	257 3 3 BJ0eV4dQC0pihdFXiVdlXjPDkzbv4fC+opEvK0RaDU7LLwFXPAi6DOc6tm7vcSr5Tgdnpoal3S4WqHuVw6I1pzy5mPPIZ3OpLSY/QeOyGc2QRAZtOXxiGxERHRjyAk7emlgGscM0Vty2oJVYRgTPX0lTwKX/V2H+mjEgp7u3tyG3cj5XBUQ8J0KUoqkrn1ZKrizH27aWiDaBUvqxJUcotaDhnydkNtcHoQIedm2b4qbyTQsdRkddJiSWxpveEcj3AMdt2PjU6Q4rgSWOc5ylPnW/O+GqqCEAkalGSF7ud0Nl3FVVR9iGwV/73FHzpBLawfkcHaODFmKRjzGqok8giKCih2vdNsxlx7gdJWJIPYYx/ZqNGc2ewzuAnnleJpZdXFo8uL3HYk6Pl51sSkfVUmcn/SM+ ;{id = 38688 (ksk), size = 768b}
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -151,6 +151,16 @@ zone "dnskey-unknown.example" {
 	file "dnskey-unknown.example.db.signed";
 };

+zone "dnskey-unsupported.example" {
+	type master;
+	file "dnskey-unsupported.example.db.signed";
+};
+
+zone "dnskey-unsupported-2.example" {
+	type master;
+	file "dnskey-unsupported-2.example.db.signed";
+};
+
 zone "dnskey-nsec3-unknown.example" {
 	type master;
 	nsec3-test-zone yes;
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -196,7 +196,7 @@ cat "$infile" "$keyname.key" > "$zonefile"
 "$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null 2>&1

 #
-# A zone with a unknown DNSKEY algorithm.
+# A zone that is signed with an unknown DNSKEY algorithm.
 # Algorithm 7 is replaced by 100 in the zone and dsset.
 #
 zone=dnskey-unknown.example.
@@ -214,6 +214,41 @@ awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { prin
 DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP"
 $DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"

+#
+# A zone that is signed with an unsupported DNSKEY algorithm (3).
+# Algorithm 7 is replaced by 3 in the zone and dsset.
+#
+zone=dnskey-unsupported.example.
+infile=dnskey-unsupported.example.db.in
+zonefile=dnskey-unsupported.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1
+
+awk '$4 == "DNSKEY" { $7 = 3; print } $4 == "RRSIG" { $6 = 3; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
+
+DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP"
+$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
+
+#
+# A zone with a published unsupported DNSKEY algorithm (DSA).
+# Different from above because this key is not intended for signing.
+#
+zone=dnskey-unsupported-2.example.
+infile=dnskey-unsupported-2.example.db.in
+zonefile=dnskey-unsupported-2.example.db
+
+ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$ksk.key" "$zsk.key" dsa.key > "$zonefile"
+
+# "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
+"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile"
+
 #
 # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
 # Algorithm 7 is replaced by 100 in the zone and dsset.
				`@@ -0,0 +1 @@`
				`dnskey-unsupported-2.example. IN DNSKEY 257 3 3 BJ0eV4dQC0pihdFXiVdlXjPDkzbv4fC+opEvK0RaDU7LLwFXPAi6DOc6tm7vcSr5Tgdnpoal3S4WqHuVw6I1pzy5mPPIZ3OpLSY/QeOyGc2QRAZtOXxiGxERHRjyAk7emlgGscM0Vty2oJVYRgTPX0lTwKX/V2H+mjEgp7u3tyG3cj5XBUQ8J0KUoqkrn1ZKrizH27aWiDaBUvqxJUcotaDhnydkNtcHoQIedm2b4qbyTQsdRkddJiSWxpveEcj3AMdt2PjU6Q4rgSWOc5ylPnW/O+GqqCEAkalGSF7ud0Nl3FVVR9iGwV/73FHzpBLawfkcHaODFmKRjzGqok8giKCih2vdNsxlx7gdJWJIPYYx/ZqNGc2ewzuAnnleJpZdXFo8uL3HYk6Pl51sSkfVUmcn/SM+ ;{id = 38688 (ksk), size = 768b}`