add a system test

2018-04-30 17:43:52 -07:00
parent eaac2057c7
commit 7ecd699e81
5 changed files with 48 additions and 1 deletions
--- a/bin/tests/system/dnssec/ns2/corp.db
+++ b/bin/tests/system/dnssec/ns2/corp.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				30       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+
+www			A	10.0.0.1
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
@@ -158,4 +158,9 @@ zone "cdnskey-auto.secure" {
 	allow-update { any; };
 };

+zone "corp" {
+	type master;
+	file "corp.db";
+};
+
 include "trusted.conf";
--- a/bin/tests/system/dnssec/ns4/named1.conf.in
+++ b/bin/tests/system/dnssec/ns4/named1.conf.in
@@ -28,6 +28,8 @@ options {
 	nta-lifetime 12s;
 	nta-recheck 9s;

+	validate-except { corp; };
+
 	# Note: We only reference the bind.keys file here to confirm that it
 	# is *not* being used.  It contains the real root key, and we're
 	# using a local toy root zone for the tests, so it wouldn't work.
@@ -50,4 +52,9 @@ zone "." {
 	file "../../common/root.hint";
 };

+zone "corp" {
+	type static-stub;
+	server-addresses { 10.53.0.2; };
+};
+
 include "trusted.conf";
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1764,6 +1764,15 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

+echo_i "checking validate-except in an insecure local domain ($n)"
+ret=0
+$DIG $DIGOPTS ns www.corp @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "checking positive and negative validation with negative trust anchors ($n)"
 ret=0

@@ -2165,10 +2174,14 @@ fi
 echo_i "sleeping for an additional 4 seconds for ns4 to fully startup"
 sleep 4

-# dump the NTA to a file
+# dump the NTA to a file (omit validate-except entries)
+echo_i "testing 'rndc nta'"
 $RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
+# "corp" is configured as a validate-except domain and thus should be
+# omitted. only "secure.example" should be in the dump at this point.
 lines=`wc -l < rndc.out.ns4.test$n.1`
 [ "$lines" -eq 1 ] || ret=1
+grep 'secure.example' rndc.out.ns4.test$n.1 > /dev/null || ret=1
 ts=`awk '{print $3" "$4}' < rndc.out.ns4.test$n.1`
 # rndc nta outputs localtime, so append the timezone
 ts_with_zone="$ts `date +%z`"
--- a/util/copyrights
+++ b/util/copyrights
@@ -990,6 +990,7 @@
 ./bin/tests/system/dnssec/ns2/cds.secure.db.in	ZONE	2015,2016,2018
 ./bin/tests/system/dnssec/ns2/child.nsec3.example.db	ZONE	2006,2008,2016,2018
 ./bin/tests/system/dnssec/ns2/child.optout.example.db	ZONE	2006,2008,2016,2018
+./bin/tests/system/dnssec/ns2/corp.db		ZONE	2018
 ./bin/tests/system/dnssec/ns2/dlv.db.in		ZONE	2004,2007,2016,2018
 ./bin/tests/system/dnssec/ns2/dst.example.db.in	ZONE	2004,2007,2016,2018
 ./bin/tests/system/dnssec/ns2/example.db.in	ZONE	2000,2001,2002,2004,2007,2008,2009,2010,2011,2012,2013,2014,2016,2018