From 77ca7783775597618cf5e9b459c7c8a281b1cec1 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 18 Nov 2021 14:22:04 +1100 Subject: [PATCH] Generate test zone with multiple NSEC and NSEC3 chains The method used to generate a test zone with multiple NSEC and NSEC3 chains was incorrect. Multiple calls to dnssec-signzone with multiple parameters is not additive. Extract the chain on each run then add them to the final signed zone instance. --- bin/tests/system/dnssec/clean.sh | 1 + bin/tests/system/dnssec/ns3/sign.sh | 23 ++++++++++++----------- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index adcb52f7d2..b4ff9f3941 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -94,6 +94,7 @@ rm -f ./ns3/ttlpatch.example.db ./ns3/ttlpatch.example.db.signed rm -f ./ns3/ttlpatch.example.db.patched rm -f ./ns3/unsecure.example.db ./ns3/bogus.example.db ./ns3/keyless.example.db rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp +rm -f ./ns3/NSEC ./ns3/NSEC3 rm -f ./ns4/managed-keys.bind* rm -f ./ns4/named_dump.db* rm -f ./ns6/optout-tld.db diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index c32e462a11..59fd58d77c 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -340,17 +340,18 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null -mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 - -o "$zone" "$zonefile" > /dev/null -mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" > /dev/null -mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" > /dev/null -mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" > /dev/null -mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -O full -o "$zone" "$zonefile" > /dev/null +awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed > NSEC +"$SIGNER" -P -O full -u3 - -o "$zone" "$zonefile" > /dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed > NSEC3 +"$SIGNER" -P -O full -u3 AAAA -o "$zone" "$zonefile" > /dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 +"$SIGNER" -P -O full -u3 BBBB -o "$zone" "$zonefile" > /dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 +"$SIGNER" -P -O full -u3 CCCC -o "$zone" "$zonefile" > /dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 +"$SIGNER" -P -O full -u3 DDDD -o "$zone" "$zonefile" > /dev/null +cat NSEC NSEC3 >> "$zonefile".signed # # A RSASHA256 zone.