3001. [func] Added a default trust anchor for the root zone, which
can be switched on by setting "dnssec-validation auto;" in the named.conf options. [RT #21727]
This commit is contained in:
Evan Hunt
@@ -2,7 +2,7 @@ Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
|
||||
Copyright (C) 2000-2002 Internet Software Consortium.
|
||||
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
|
||||
|
||||
$Id: README,v 1.8 2004/03/05 05:00:08 marka Exp $
|
||||
$Id: README,v 1.9 2011/01/03 23:45:07 each Exp $
|
||||
|
||||
The test setup for the DNSSEC tests has a secure root.
|
||||
|
||||
@@ -15,3 +15,7 @@ for the root.
|
||||
|
||||
ns5 is a caching-only server, configured with the an incorrect trusted
|
||||
key for the root. It is used for testing failure cases.
|
||||
|
||||
ns6 is a caching-only server configured to use DLV.
|
||||
|
||||
ns7 is used for checking non-cacheable answers.
|
||||
|
||||
@@ -15,9 +15,10 @@
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: clean.sh,v 1.31 2010/12/18 02:12:44 each Exp $
|
||||
# $Id: clean.sh,v 1.32 2011/01/03 23:45:07 each Exp $
|
||||
|
||||
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
|
||||
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
|
||||
rm -f */trusted.conf */managed.conf */tmp* */*.jnl */*.bk
|
||||
rm -f ns1/root.db ns2/example.db ns3/secure.example.db
|
||||
rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
|
||||
rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl
|
||||
@@ -44,4 +45,4 @@ rm -f ns1/managed.key.id
|
||||
rm -f signer/example.db
|
||||
rm -f ns2/algroll.db
|
||||
rm -f ns3/kskonly.example.db
|
||||
|
||||
rm -f ns4/named.conf
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: sign.sh,v 1.34 2010/11/16 01:14:51 marka Exp $
|
||||
# $Id: sign.sh,v 1.35 2011/01/03 23:45:07 each Exp $
|
||||
|
||||
SYSTEMTESTTOP=../..
|
||||
. $SYSTEMTESTTOP/conf.sh
|
||||
@@ -39,7 +39,6 @@ cat $infile $keyname.key > $zonefile
|
||||
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
|
||||
|
||||
# Configure the resolving server with a trusted key.
|
||||
|
||||
cat $keyname.key | grep -v '^; ' | $PERL -n -e '
|
||||
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
|
||||
local $key = join("", @rest);
|
||||
@@ -49,11 +48,23 @@ trusted-keys {
|
||||
};
|
||||
EOF
|
||||
' > trusted.conf
|
||||
|
||||
# ...or with a managed key.
|
||||
cat $keyname.key | grep -v '^; ' | $PERL -n -e '
|
||||
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
|
||||
local $key = join("", @rest);
|
||||
print <<EOF
|
||||
managed-keys {
|
||||
"$dn" initial-key $flags $proto $alg "$key";
|
||||
};
|
||||
EOF
|
||||
' > managed.conf
|
||||
cp trusted.conf ../ns2/trusted.conf
|
||||
cp trusted.conf ../ns3/trusted.conf
|
||||
cp trusted.conf ../ns4/trusted.conf
|
||||
cp trusted.conf ../ns6/trusted.conf
|
||||
cp trusted.conf ../ns7/trusted.conf
|
||||
cp managed.conf ../ns4/managed.conf
|
||||
#
|
||||
# Save keyid for managed key id test.
|
||||
#
|
||||
|
||||
60
bin/tests/system/dnssec/ns4/named1.conf
Normal file
60
bin/tests/system/dnssec/ns4/named1.conf
Normal file
@@ -0,0 +1,60 @@
|
||||
/*
|
||||
* Copyright (C) 2004, 2006, 2007, 2010 Internet Systems Consortium, Inc. ("ISC")
|
||||
* Copyright (C) 2000, 2001 Internet Software Consortium.
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: named1.conf,v 1.2 2011/01/03 23:45:08 each Exp $ */
|
||||
|
||||
// NS4
|
||||
|
||||
controls { /* empty */ };
|
||||
|
||||
options {
|
||||
query-source address 10.53.0.4;
|
||||
notify-source 10.53.0.4;
|
||||
transfer-source 10.53.0.4;
|
||||
port 5300;
|
||||
pid-file "named.pid";
|
||||
listen-on { 10.53.0.4; };
|
||||
listen-on-v6 { none; };
|
||||
recursion yes;
|
||||
acache-enable yes;
|
||||
dnssec-enable yes;
|
||||
dnssec-validation yes;
|
||||
dnssec-must-be-secure mustbesecure.example yes;
|
||||
|
||||
# Note: We only reference the bind.keys file here to confirm that it
|
||||
# is *not* being used. It contains the real root key, and we're
|
||||
# using a local toy root zone for the tests, so it wouldn't work.
|
||||
# But since dnssec-validation is set to "yes" not "auto", that
|
||||
# won't matter.
|
||||
bindkeys-file "../../../../../bind.keys";
|
||||
};
|
||||
|
||||
key rndc_key {
|
||||
secret "1234abcd8765";
|
||||
algorithm hmac-md5;
|
||||
};
|
||||
|
||||
controls {
|
||||
inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
|
||||
};
|
||||
|
||||
zone "." {
|
||||
type hint;
|
||||
file "../../common/root.hint";
|
||||
};
|
||||
|
||||
include "trusted.conf";
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: named.conf,v 1.30 2010/06/25 23:46:51 tbox Exp $ */
|
||||
/* $Id: named2.conf,v 1.2 2011/01/03 23:45:08 each Exp $ */
|
||||
|
||||
// NS4
|
||||
|
||||
@@ -32,8 +32,8 @@ options {
|
||||
recursion yes;
|
||||
acache-enable yes;
|
||||
dnssec-enable yes;
|
||||
dnssec-validation yes;
|
||||
dnssec-must-be-secure mustbesecure.example yes;
|
||||
dnssec-validation auto;
|
||||
bindkeys-file "managed.conf";
|
||||
};
|
||||
|
||||
key rndc_key {
|
||||
@@ -49,5 +49,3 @@ zone "." {
|
||||
type hint;
|
||||
file "../../common/root.hint";
|
||||
};
|
||||
|
||||
include "trusted.conf";
|
||||
@@ -15,7 +15,7 @@
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: setup.sh,v 1.17 2009/10/27 22:25:37 marka Exp $
|
||||
# $Id: setup.sh,v 1.18 2011/01/03 23:45:07 each Exp $
|
||||
|
||||
../../../tools/genrandom 400 random.data
|
||||
|
||||
@@ -23,4 +23,6 @@ cd ns1 && sh sign.sh
|
||||
|
||||
echo "a.bogus.example. A 10.0.0.22" >>../ns3/bogus.example.db.signed
|
||||
|
||||
cd ../ns4 && cp -f named1.conf named.conf
|
||||
cd ../ns5 && cp -f trusted.conf.bad trusted.conf
|
||||
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: tests.sh,v 1.71 2010/11/16 01:14:51 marka Exp $
|
||||
# $Id: tests.sh,v 1.72 2011/01/03 23:45:07 each Exp $
|
||||
|
||||
SYSTEMTESTTOP=..
|
||||
. $SYSTEMTESTTOP/conf.sh
|
||||
@@ -1055,5 +1055,57 @@ else
|
||||
echo "I:The DNSSEC update test requires the Net::DNS library." >&2
|
||||
fi
|
||||
|
||||
# Reconfigure caching server to use "dnssec-validation auto", and repeat
|
||||
# some of the DNSSEC validation tests to ensure that it works correctly.
|
||||
echo "I:switching to automatic root key configuration"
|
||||
cp ns4/named2.conf ns4/named.conf
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
|
||||
sleep 5
|
||||
|
||||
echo "I:checking positive validation NSEC ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
|
||||
$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking positive validation NSEC3 ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth a.nsec3.example. \
|
||||
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
||||
$DIG $DIGOPTS +noauth a.nsec3.example. \
|
||||
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking positive validation OPTOUT ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth a.optout.example. \
|
||||
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
||||
$DIG $DIGOPTS +noauth a.optout.example. \
|
||||
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking negative validation ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
|
||||
$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:exit status: $status"
|
||||
exit $status
|
||||
|
||||
Reference in New Issue
Block a user