diff --git a/bin/tests/system/checkds/ns2/ns2-4.db.in b/bin/tests/system/checkds/ns2/ns2-4.db.in
index 86b050a872..d5761a52fe 100644
--- a/bin/tests/system/checkds/ns2/ns2-4.db.in
+++ b/bin/tests/system/checkds/ns2/ns2-4.db.in
@@ -30,3 +30,7 @@ ns9.good A 10.53.0.9
 $ORIGIN yes.dspublish.ns2-4.
 good NS ns9.good
 ns9.good A 10.53.0.9
+
+$ORIGIN no.dspublish.ns2-4.
+good NS ns9.good
+ns9.good A 10.53.0.9
diff --git a/bin/tests/system/checkds/ns2/ns2.db.in b/bin/tests/system/checkds/ns2/ns2.db.in
index bd4a635e4f..293a446778 100644
--- a/bin/tests/system/checkds/ns2/ns2.db.in
+++ b/bin/tests/system/checkds/ns2/ns2.db.in
@@ -33,6 +33,10 @@ $ORIGIN yes.dspublish.ns2.
 good NS ns9.good
 ns9.good A 10.53.0.9
 
+$ORIGIN no.dspublish.ns2.
+good NS ns9.good
+ns9.good A 10.53.0.9
+
 $ORIGIN explicit.dsremoved.ns2.
 still-there NS ns9.still-there
 ns9.still-there A 10.53.0.9
diff --git a/bin/tests/system/checkds/ns2/ns5-7.db.in b/bin/tests/system/checkds/ns2/ns5-7.db.in
index 5d66b990b5..14e19858d8 100644
--- a/bin/tests/system/checkds/ns2/ns5-7.db.in
+++ b/bin/tests/system/checkds/ns2/ns5-7.db.in
@@ -30,3 +30,7 @@ ns9.good A 10.53.0.9
 $ORIGIN yes.dsremoved.ns5-7.
 good NS ns9.good
 ns9.good A 10.53.0.9
+
+$ORIGIN no.dsremoved.ns5-7.
+good NS ns9.good
+ns9.good A 10.53.0.9
diff --git a/bin/tests/system/checkds/ns2/ns5.db.in b/bin/tests/system/checkds/ns2/ns5.db.in
index 4501776a3e..70f6619e0c 100644
--- a/bin/tests/system/checkds/ns2/ns5.db.in
+++ b/bin/tests/system/checkds/ns2/ns5.db.in
@@ -40,3 +40,7 @@ good NS ns9.good
 resolver NS ns9.resolver
 ns9.good A 10.53.0.9
 ns9.resolver A 10.53.0.9
+
+$ORIGIN no.dsremoved.ns5.
+good NS ns9.good
+ns9.good A 10.53.0.9
diff --git a/bin/tests/system/checkds/ns5/ns2-4.db.in b/bin/tests/system/checkds/ns5/ns2-4.db.in
index 86b050a872..d5761a52fe 100644
--- a/bin/tests/system/checkds/ns5/ns2-4.db.in
+++ b/bin/tests/system/checkds/ns5/ns2-4.db.in
@@ -30,3 +30,7 @@ ns9.good A 10.53.0.9
 $ORIGIN yes.dspublish.ns2-4.
 good NS ns9.good
 ns9.good A 10.53.0.9
+
+$ORIGIN no.dspublish.ns2-4.
+good NS ns9.good
+ns9.good A 10.53.0.9
diff --git a/bin/tests/system/checkds/ns5/ns2.db.in b/bin/tests/system/checkds/ns5/ns2.db.in
index bd4a635e4f..293a446778 100644
--- a/bin/tests/system/checkds/ns5/ns2.db.in
+++ b/bin/tests/system/checkds/ns5/ns2.db.in
@@ -33,6 +33,10 @@ $ORIGIN yes.dspublish.ns2.
 good NS ns9.good
 ns9.good A 10.53.0.9
 
+$ORIGIN no.dspublish.ns2.
+good NS ns9.good
+ns9.good A 10.53.0.9
+
 $ORIGIN explicit.dsremoved.ns2.
 still-there NS ns9.still-there
 ns9.still-there A 10.53.0.9
diff --git a/bin/tests/system/checkds/ns5/ns5-7.db.in b/bin/tests/system/checkds/ns5/ns5-7.db.in
index 5d66b990b5..14e19858d8 100644
--- a/bin/tests/system/checkds/ns5/ns5-7.db.in
+++ b/bin/tests/system/checkds/ns5/ns5-7.db.in
@@ -30,3 +30,7 @@ ns9.good A 10.53.0.9
 $ORIGIN yes.dsremoved.ns5-7.
 good NS ns9.good
 ns9.good A 10.53.0.9
+
+$ORIGIN no.dsremoved.ns5-7.
+good NS ns9.good
+ns9.good A 10.53.0.9
diff --git a/bin/tests/system/checkds/ns5/ns5.db.in b/bin/tests/system/checkds/ns5/ns5.db.in
index 4501776a3e..70f6619e0c 100644
--- a/bin/tests/system/checkds/ns5/ns5.db.in
+++ b/bin/tests/system/checkds/ns5/ns5.db.in
@@ -40,3 +40,7 @@ good NS ns9.good
 resolver NS ns9.resolver
 ns9.good A 10.53.0.9
 ns9.resolver A 10.53.0.9
+
+$ORIGIN no.dsremoved.ns5.
+good NS ns9.good
+ns9.good A 10.53.0.9
diff --git a/bin/tests/system/checkds/ns9/named.conf.in b/bin/tests/system/checkds/ns9/named.conf.in
index 6697e5fc2e..ad78f620ff 100644
--- a/bin/tests/system/checkds/ns9/named.conf.in
+++ b/bin/tests/system/checkds/ns9/named.conf.in
@@ -87,6 +87,15 @@ zone "good.yes.dspublish.ns2" {
 checkds yes;
 };
 
+/* Same as above, but with checkds disabled. */
+zone "good.no.dspublish.ns2" {
+ type primary;
+ file "good.no.dspublish.ns2.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ checkds no;
+};
+
 /*
 * 1. Enabling DNSSEC
 * 1.1 - With one parental agent
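Review bot: None of the four `checkds no` zones added to ns9/named.conf.in (this hunk and the ones at -164, -256 and -333) sets `parental-agents`, so the case where an explicit agent list is configured but checking is switched off is not covered. If `checkds no` is meant to suppress DS polling regardless of other settings, one more zone combining both statements would pin that down; a regression there would let key state advance on a DS check the operator disabled. The `/* Same as above, but with checkds disabled. */` comment appears only on this first zone; repeating it on the other three would keep the file consistent.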
@@ -164,6 +173,14 @@ zone "good.yes.dspublish.ns2-4" {
 checkds yes;
 };
 
+zone "good.no.dspublish.ns2-4" {
+ type primary;
+ file "good.no.dspublish.ns2-4.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ checkds no;
+};
+
 /*
 * 1. Enabling DNSSEC
 * 1.2 - With multiple parental agent
@@ -256,6 +273,14 @@ zone "good.yes.dsremoved.ns5" {
 checkds yes;
 };
 
+zone "good.no.dsremoved.ns5" {
+ type primary;
+ file "good.no.dsremoved.ns5.db";
+ inline-signing yes;
+ dnssec-policy "insecure";
+ checkds no;
+};
+
 /*
 * 2. Going insecure
 * 2.1 - With one parental agent
@@ -333,6 +358,14 @@ zone "good.yes.dsremoved.ns5-7" {
 checkds yes;
 };
 
+zone "good.no.dsremoved.ns5-7" {
+ type primary;
+ file "good.no.dsremoved.ns5-7.db";
+ inline-signing yes;
+ dnssec-policy "insecure";
+ checkds no;
+};
+
 /*
 * 2. Going insecure
 * 2.2. - With multiple parental agents
diff --git a/bin/tests/system/checkds/ns9/setup.sh b/bin/tests/system/checkds/ns9/setup.sh
index a83a8cb633..3bfdfe921d 100644
--- a/bin/tests/system/checkds/ns9/setup.sh
+++ b/bin/tests/system/checkds/ns9/setup.sh
@@ -33,7 +33,7 @@ T="now-30d"
 Y="now-1y"
 
 # DS Publication.
-for checkds in explicit yes
+for checkds in explicit yes no
 do
 for zn in \
 good.${checkds}.dspublish.ns2 \
@@ -60,7 +60,7 @@ do
 done
 
 # DS Withdrawal.
-for checkds in explicit yes
+for checkds in explicit yes no
 do
 for zn in \
 good.${checkds}.dsremoved.ns5 \
diff --git a/bin/tests/system/checkds/tests_checkds.py b/bin/tests/system/checkds/tests_checkds.py
index fff3c49e28..757e58113f 100755
--- a/bin/tests/system/checkds/tests_checkds.py
+++ b/bin/tests/system/checkds/tests_checkds.py
@@ -563,3 +563,26 @@ def test_checkds_dspublished(named_port):
 def test_checkds_dswithdrawn(named_port):
 checkds_dswithdrawn(named_port, "explicit")
 checkds_dswithdrawn(named_port, "yes")
+
+
+def test_checkds_no(named_port):
+ # We create resolver instances that will be used to send queries.
+ server = dns.resolver.Resolver()
+ server.nameservers = ["10.53.0.9"]
+ server.port = named_port
+
+ parent = dns.resolver.Resolver()
+ parent.nameservers = ["10.53.0.2"]
+ parent.port = named_port
+
+ zone_check(server, "good.no.dspublish.ns2.")
+ keystate_check(parent, "good.no.dspublish.ns2.", "!DSPublish")
+
+ zone_check(server, "good.no.dspublish.ns2-4.")
+ keystate_check(parent, "good.no.dspublish.ns2-4.", "!DSPublish")
+
+ zone_check(server, "good.no.dsremoved.ns5.")
+ keystate_check(parent, "good.no.dsremoved.ns5.", "!DSRemoved")
+
+ zone_check(server, "good.no.dsremoved.ns5-7.")
+ keystate_check(parent, "good.no.dsremoved.ns5-7.", "!DSRemoved")
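Review bot: The `!DSPublish` and `!DSRemoved` assertions in `test_checkds_no` can pass vacuously, because nothing visible in the test gives named time to have attempted a DS check before the key state is read. `zone_check` and `keystate_check` are defined outside this hunk, so this is inferred: if `keystate_check` inspects the state once, a regression where `checkds no` is ignored would still pass whenever the test runs ahead of the first poll. A bounded wait followed by a check that ns9 logged no DS-check activity for these four zones would make the negative result meaningful. A one-line docstring such as `"""With checkds no, key state must never record DSPublish/DSRemoved."""` would also state the intent that the current comment about resolver instances does not.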