DNSSEC bis merge from HEAD:
1581. [func] Disable DNSSEC support by default. To enable
DNSSEC specify "enable-dnssec yes;" in named.conf.
1565. [bug] CD flag should be copied to outgoing queries unless
the query is under a secure entry point in which case
CD should be set.
1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
child zones for which we don't have a supported
algorithm. Such child zones are treated as unsigned.
1557. [func] Implement missing DNSSEC tests for
* NOQNAME proof with wildcard answers.
* NOWILDARD proof with NXDOMAIN.
Cache and return NOQNAME with wildcard answers.
1541. [func] NSEC now uses new bitmap format.
1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong
length of the new bitmap.
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
This commit is contained in:
Mark Andrews
@@ -32,7 +32,7 @@
|
||||
#
|
||||
# perl -MCPAN -e "install Net::DNS"
|
||||
#
|
||||
# $Id: dnssec_update_test.pl,v 1.3 2004/03/05 05:00:09 marka Exp $
|
||||
# $Id: dnssec_update_test.pl,v 1.3.2.1 2004/03/08 02:07:44 marka Exp $
|
||||
#
|
||||
|
||||
use Getopt::Std;
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: named.conf,v 1.16.206.2 2004/03/06 10:21:57 marka Exp $ */
|
||||
/* $Id: named.conf,v 1.16.206.3 2004/03/08 02:07:44 marka Exp $ */
|
||||
|
||||
// NS1
|
||||
|
||||
@@ -31,6 +31,7 @@ options {
|
||||
listen-on-v6 { none; };
|
||||
recursion no;
|
||||
notify yes;
|
||||
enable-dnssec yes;
|
||||
};
|
||||
|
||||
zone "." {
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: sign.sh,v 1.12.12.1 2004/03/06 10:21:58 marka Exp $
|
||||
# $Id: sign.sh,v 1.12.12.2 2004/03/08 02:07:45 marka Exp $
|
||||
|
||||
SYSTEMTESTTOP=../..
|
||||
. $SYSTEMTESTTOP/conf.sh
|
||||
@@ -26,21 +26,16 @@ zone=.
|
||||
infile=root.db.in
|
||||
zonefile=root.db
|
||||
|
||||
keyname=`$KEYGEN -a RSA -b 768 -n zone -r $RANDFILE $zone`
|
||||
|
||||
(cd ../ns2 && sh sign.sh )
|
||||
|
||||
cp ../ns2/keyset-example. .
|
||||
|
||||
$KEYSIGNER -r $RANDFILE keyset-example. $keyname > /dev/null
|
||||
|
||||
cat signedkey-example. >> ../ns2/example.db.signed
|
||||
|
||||
$KEYSETTOOL -r $RANDFILE -t 3600 $keyname > /dev/null
|
||||
keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
|
||||
|
||||
cat $infile $keyname.key > $zonefile
|
||||
|
||||
$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
|
||||
echo $SIGNER -g -r $RANDFILE -o $zone $zonefile
|
||||
$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null
|
||||
|
||||
# Configure the resolving server with a trusted key.
|
||||
|
||||
@@ -56,3 +51,4 @@ EOF
|
||||
cp trusted.conf ../ns2/trusted.conf
|
||||
cp trusted.conf ../ns3/trusted.conf
|
||||
cp trusted.conf ../ns4/trusted.conf
|
||||
cp trusted.conf ../ns6/trusted.conf
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
; PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
; $Id: dst.example.db.in,v 1.2 2004/03/05 05:00:15 marka Exp $
|
||||
; $Id: dst.example.db.in,v 1.2.2.1 2004/03/08 02:07:45 marka Exp $
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
; PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
; $Id: example.db.in,v 1.8.12.1 2004/03/06 10:22:00 marka Exp $
|
||||
; $Id: example.db.in,v 1.8.12.2 2004/03/08 02:07:45 marka Exp $
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
@@ -58,9 +58,17 @@ ns.secure A 10.53.0.3
|
||||
insecure NS ns.insecure
|
||||
ns.insecure A 10.53.0.3
|
||||
|
||||
|
||||
; A secure subdomain we're going to inject bogus data into
|
||||
bogus NS ns.bogus
|
||||
ns.bogus A 10.53.0.3
|
||||
|
||||
; A dynamic secure subdomain
|
||||
dynamic NS dynamic
|
||||
dynamic A 10.53.0.3
|
||||
|
||||
z A 10.0.0.26
|
||||
|
||||
keyless NS ns.keyless
|
||||
ns.keyless A 10.53.0.3
|
||||
|
||||
*.wild A 10.0.0.27
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: named.conf,v 1.17.12.2 2004/03/06 10:22:00 marka Exp $ */
|
||||
/* $Id: named.conf,v 1.17.12.3 2004/03/08 02:07:45 marka Exp $ */
|
||||
|
||||
// NS2
|
||||
|
||||
@@ -31,6 +31,7 @@ options {
|
||||
listen-on-v6 { none; };
|
||||
recursion no;
|
||||
notify yes;
|
||||
enable-dnssec yes;
|
||||
};
|
||||
|
||||
zone "." {
|
||||
@@ -56,5 +57,4 @@ zone "insecure.secure.example" {
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
|
||||
include "trusted.conf";
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
; PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
; $Id: private.secure.example.db.in,v 1.6.206.1 2004/03/06 10:22:01 marka Exp $
|
||||
; $Id: private.secure.example.db.in,v 1.6.206.2 2004/03/08 02:07:45 marka Exp $
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
@@ -30,3 +30,5 @@ a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
d A 10.0.0.4
|
||||
z A 10.0.0.26
|
||||
private2secure-nxdomain CNAME r.example.
|
||||
*.wild CNAME s.example.
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: sign.sh,v 1.15.12.1 2004/03/06 10:22:01 marka Exp $
|
||||
# $Id: sign.sh,v 1.15.12.2 2004/03/08 02:07:46 marka Exp $
|
||||
|
||||
SYSTEMTESTTOP=../..
|
||||
. $SYSTEMTESTTOP/conf.sh
|
||||
@@ -26,34 +26,21 @@ zone=example.
|
||||
infile=example.db.in
|
||||
zonefile=example.db
|
||||
|
||||
keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
|
||||
|
||||
# Have the child generate a zone key and pass it to us,
|
||||
# sign it, and pass it back
|
||||
# Have the child generate a zone key and pass it to us.
|
||||
|
||||
( cd ../ns3 && sh sign.sh )
|
||||
|
||||
cp ../ns3/keyset-secure.example. .
|
||||
for subdomain in secure bogus dynamic keyless
|
||||
do
|
||||
cp ../ns3/keyset-$subdomain.example. .
|
||||
done
|
||||
|
||||
$KEYSIGNER -r $RANDFILE keyset-secure.example. $keyname > /dev/null
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname2=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
|
||||
# This will leave two copies of the child's zone key in the signed db file;
|
||||
# that shouldn't cause any problems.
|
||||
cat signedkey-secure.example. >>../ns3/secure.example.db.signed
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
cp ../ns3/keyset-bogus.example. .
|
||||
|
||||
$KEYSIGNER -r $RANDFILE keyset-bogus.example. $keyname > /dev/null
|
||||
|
||||
# This will leave two copies of the child's zone key in the signed db file;
|
||||
# that shouldn't cause any problems.
|
||||
cat signedkey-bogus.example. >>../ns3/bogus.example.db.signed
|
||||
|
||||
$KEYSETTOOL -r $RANDFILE -t 3600 $keyname > /dev/null
|
||||
|
||||
cat $infile $keyname.key >$zonefile
|
||||
|
||||
$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
|
||||
$SIGNER -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
|
||||
|
||||
# Sign the privately secure file
|
||||
|
||||
@@ -65,4 +52,4 @@ privkeyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $privzone`
|
||||
|
||||
cat $privinfile $privkeyname.key >$privzonefile
|
||||
|
||||
$SIGNER -r $RANDFILE -o $privzone $privzonefile > /dev/null
|
||||
$SIGNER -g -r $RANDFILE -o $privzone $privzonefile > /dev/null
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
; PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
; $Id: dynamic.example.db.in,v 1.3 2004/03/05 05:00:20 marka Exp $
|
||||
; $Id: dynamic.example.db.in,v 1.3.2.1 2004/03/08 02:07:46 marka Exp $
|
||||
|
||||
; This has the NS and glue at the apex because testing RT #2399
|
||||
; requires we have only one name in the zone at a certain point
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
; PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
; $Id: keyless.example.db.in,v 1.3 2004/03/05 05:00:20 marka Exp $
|
||||
; $Id: keyless.example.db.in,v 1.3.2.1 2004/03/08 02:07:46 marka Exp $
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: named.conf,v 1.18.12.2 2004/03/06 10:22:01 marka Exp $ */
|
||||
/* $Id: named.conf,v 1.18.12.3 2004/03/08 02:07:47 marka Exp $ */
|
||||
|
||||
// NS3
|
||||
|
||||
@@ -31,6 +31,7 @@ options {
|
||||
listen-on-v6 { none; };
|
||||
recursion no;
|
||||
notify yes;
|
||||
enable-dnssec yes;
|
||||
};
|
||||
|
||||
zone "." {
|
||||
@@ -56,11 +57,21 @@ zone "bogus.example" {
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "dynamic.example" {
|
||||
type master;
|
||||
file "dynamic.example.db.signed";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "insecure.example" {
|
||||
type master;
|
||||
file "insecure.example.db";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "keyless.example" {
|
||||
type master;
|
||||
file "keyless.example.db.signed";
|
||||
};
|
||||
|
||||
include "trusted.conf";
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: sign.sh,v 1.12.12.1 2004/03/06 10:22:02 marka Exp $
|
||||
# $Id: sign.sh,v 1.12.12.2 2004/03/08 02:07:47 marka Exp $
|
||||
|
||||
RANDFILE=../random.data
|
||||
|
||||
@@ -23,9 +23,7 @@ zone=secure.example.
|
||||
infile=secure.example.db.in
|
||||
zonefile=secure.example.db
|
||||
|
||||
keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
|
||||
|
||||
$KEYSETTOOL -r $RANDFILE -t 3600 $keyname.key > /dev/null
|
||||
keyname=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
|
||||
|
||||
cat $infile $keyname.key >$zonefile
|
||||
|
||||
@@ -37,8 +35,33 @@ zonefile=bogus.example.db
|
||||
|
||||
keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
|
||||
|
||||
$KEYSETTOOL -r $RANDFILE -t 3600 $keyname.key > /dev/null
|
||||
cat $infile $keyname.key >$zonefile
|
||||
|
||||
$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
|
||||
|
||||
zone=dynamic.example.
|
||||
infile=dynamic.example.db.in
|
||||
zonefile=dynamic.example.db
|
||||
|
||||
keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
|
||||
|
||||
cat $infile $keyname.key >$zonefile
|
||||
|
||||
$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
|
||||
|
||||
zone=keyless.example.
|
||||
infile=keyless.example.db.in
|
||||
zonefile=keyless.example.db
|
||||
|
||||
keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
|
||||
|
||||
cat $infile $keyname.key >$zonefile
|
||||
|
||||
$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
|
||||
|
||||
# Change the signer field of the a.b.keyless.example SIG A
|
||||
# to point to a provably nonexistent KEY record.
|
||||
mv $zonefile.signed $zonefile.tmp
|
||||
<$zonefile.tmp perl -p -e 's/ keyless.example/ b.keyless.example/
|
||||
if /^a.b.keyless.example/../NXT/;' >$zonefile.signed
|
||||
rm -f $zonefile.tmp
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: named.conf,v 1.18.206.2 2004/03/06 10:22:02 marka Exp $ */
|
||||
/* $Id: named.conf,v 1.18.206.3 2004/03/08 02:07:47 marka Exp $ */
|
||||
|
||||
// NS4
|
||||
|
||||
@@ -30,6 +30,7 @@ options {
|
||||
listen-on { 10.53.0.4; };
|
||||
listen-on-v6 { none; };
|
||||
recursion yes;
|
||||
enable-dnssec yes;
|
||||
};
|
||||
|
||||
zone "." {
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: named.conf,v 1.16.206.2 2004/03/06 10:22:02 marka Exp $ */
|
||||
/* $Id: named.conf,v 1.16.206.3 2004/03/08 02:07:47 marka Exp $ */
|
||||
|
||||
// NS5
|
||||
|
||||
@@ -30,6 +30,7 @@ options {
|
||||
listen-on { 10.53.0.5; };
|
||||
listen-on-v6 { none; };
|
||||
recursion yes;
|
||||
enable-dnssec yes;
|
||||
};
|
||||
|
||||
zone "." {
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: named.conf,v 1.5 2004/03/05 05:00:35 marka Exp $ */
|
||||
/* $Id: named.conf,v 1.5.2.1 2004/03/08 02:07:48 marka Exp $ */
|
||||
|
||||
// NS6
|
||||
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: tests.sh,v 1.33.12.1 2004/03/06 10:21:57 marka Exp $
|
||||
# $Id: tests.sh,v 1.33.12.2 2004/03/08 02:07:44 marka Exp $
|
||||
|
||||
SYSTEMTESTTOP=..
|
||||
. $SYSTEMTESTTOP/conf.sh
|
||||
@@ -25,7 +25,7 @@ n=0
|
||||
|
||||
rm -f dig.out.*
|
||||
|
||||
DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocmd +dnssec -p 5300"
|
||||
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
|
||||
|
||||
# Check the example. domain
|
||||
|
||||
@@ -48,6 +48,16 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking positive wildcard validation ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS a.wild.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
|
||||
$DIG $DIGOPTS a.wild.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking negative validation ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
|
||||
@@ -58,12 +68,22 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking negative wildcard validation ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
|
||||
$DIG $DIGOPTS b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
# Check the insecure.example domain
|
||||
|
||||
echo "I:checking 1-server insecurity proof ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
||||
$DIG $DIGOPTS a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
||||
$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
|
||||
$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
# Note - this is looking for failure, hence the &&
|
||||
@@ -72,6 +92,34 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking 1-server negative insecurity proof ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \
|
||||
> dig.out.ns3.test$n || ret=1
|
||||
$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
|
||||
> dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
# Note - this is looking for failure, hence the &&
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking 1-server negative insecurity proof with SOA hack ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS r.insecure.example. soa @10.53.0.3 \
|
||||
> dig.out.ns3.test$n || ret=1
|
||||
$DIG $DIGOPTS r.insecure.example. soa @10.53.0.4 \
|
||||
> dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
# Note - this is looking for failure, hence the &&
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
# Check the secure.example domain
|
||||
|
||||
echo "I:checking multi-stage positive validation ($n)"
|
||||
@@ -105,13 +153,37 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that negative validation fails with a misconfigured trusted key ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example. ptr @10.53.0.5 > dig.out.ns5.test$n || ret=1
|
||||
grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that insecurity proofs fail with a misconfigured trusted key ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS a.insecure.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
|
||||
grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that validation fails when key record is missing ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS a.b.keyless.example. a @10.53.0.4 > dig.out.ns4.test$n || ret=1
|
||||
grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
# Check the insecure.secure.example domain (insecurity proof)
|
||||
|
||||
echo "I:checking 2-server insecurity proof ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS a.insecure.secure.example. @10.53.0.2 a \
|
||||
$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
|
||||
> dig.out.ns2.test$n || ret=1
|
||||
$DIG $DIGOPTS a.insecure.secure.example. @10.53.0.4 a \
|
||||
$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
|
||||
> dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
@@ -137,6 +209,20 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking 2-server insecurity proof with a negative answer and SOA hack ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS r.insecure.secure.example. @10.53.0.2 soa > dig.out.ns2.test$n \
|
||||
|| ret=1
|
||||
$DIG $DIGOPTS r.insecure.secure.example. @10.53.0.4 soa > dig.out.ns4.test$n \
|
||||
|| ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
# Note - this is looking for failure, hence the &&
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
# Check that the query for a security root is successful and has ad set
|
||||
|
||||
echo "I:checking security root query ($n)"
|
||||
@@ -207,9 +293,9 @@ status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking cd bit on a negative insecurity proof ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS q.insecure.example. soa @10.53.0.4 \
|
||||
$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
|
||||
> dig.out.ns4.test$n || ret=1
|
||||
$DIG $DIGOPTS +cdflag q.insecure.example. soa @10.53.0.5 \
|
||||
$DIG $DIGOPTS +cdflag q.insecure.example. a @10.53.0.5 \
|
||||
> dig.out.ns5.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
|
||||
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
@@ -288,5 +374,83 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that positive validation in a privately secure zone works ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \
|
||||
> dig.out.ns2.test$n || ret=1
|
||||
$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
|
||||
> dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
# Note - this is looking for failure, hence the &&
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that negative validation in a privately secure zone works ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \
|
||||
> dig.out.ns2.test$n || ret=1
|
||||
$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \
|
||||
> dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
# Note - this is looking for failure, hence the &&
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that lookups succeed after disabling a algorithm works ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth example. SOA @10.53.0.2 \
|
||||
> dig.out.ns2.test$n || ret=1
|
||||
$DIG $DIGOPTS +noauth example. SOA @10.53.0.6 \
|
||||
> dig.out.ns6.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
|
||||
# Note - this is looking for failure, hence the &&
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking privately secure to nxdomain works ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \
|
||||
> dig.out.ns2.test$n || ret=1
|
||||
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \
|
||||
> dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
||||
# Note - this is looking for failure, hence the &&
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking privately secure wilcard to nxdomain works ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.2 \
|
||||
> dig.out.ns2.test$n || ret=1
|
||||
$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.4 \
|
||||
> dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
|
||||
# Note - this is looking for failure, hence the &&
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
# Run a minimal update test if possible. This is really just
|
||||
# a regression test for RT #2399; more tests should be added.
|
||||
|
||||
if $PERL -e 'use Net::DNS;' 2>/dev/null
|
||||
then
|
||||
echo "I:running DNSSEC update test"
|
||||
$PERL dnssec_update_test.pl -s 10.53.0.3 -p 5300 dynamic.example. || status=1
|
||||
else
|
||||
echo "I:The DNSSEC update test requires the Net::DNS library." >&2
|
||||
fi
|
||||
|
||||
echo "I:exit status: $status"
|
||||
exit $status
|
||||
|
||||
Reference in New Issue
Block a user