DNSSEC bis merge from HEAD:

1581. [func] Disable DNSSEC support by default. To enable DNSSEC specify "enable-dnssec yes;" in named.conf. 1565. [bug] CD flag should be copied to outgoing queries unless the query is under a secure entry point in which case CD should be set. 1558. [func] New DNSSEC 'disable-algorithms'. Support entry into child zones for which we don't have a supported algorithm. Such child zones are treated as unsigned. 1557. [func] Implement missing DNSSEC tests for * NOQNAME proof with wildcard answers. * NOWILDARD proof with NXDOMAIN. Cache and return NOQNAME with wildcard answers. 1541. [func] NSEC now uses new bitmap format. 1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong length of the new bitmap. 1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
2004-03-08 02:08:05 +00:00
parent 83a9f037e5
commit a821d5fa3d
112 changed files with 4272 additions and 2752 deletions
--- a/bin/tests/system/dnssec/ns2/dst.example.db.in
+++ b/bin/tests/system/dnssec/ns2/dst.example.db.in
@@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.

-; $Id: dst.example.db.in,v 1.2 2004/03/05 05:00:15 marka Exp $
+; $Id: dst.example.db.in,v 1.2.2.1 2004/03/08 02:07:45 marka Exp $

 $TTL 300	; 5 minutes
@			IN SOA	mname1. . (
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.

-; $Id: example.db.in,v 1.8.12.1 2004/03/06 10:22:00 marka Exp $
+; $Id: example.db.in,v 1.8.12.2 2004/03/08 02:07:45 marka Exp $

 $TTL 300	; 5 minutes
@			IN SOA	mname1. . (
@@ -58,9 +58,17 @@ ns.secure		A	10.53.0.3
 insecure		NS	ns.insecure
 ns.insecure		A	10.53.0.3

-
 ; A secure subdomain we're going to inject bogus data into
 bogus			NS	ns.bogus
 ns.bogus		A	10.53.0.3

+; A dynamic secure subdomain
+dynamic			NS	dynamic
+dynamic			A	10.53.0.3
+
 z			A	10.0.0.26
+
+keyless			NS	ns.keyless
+ns.keyless		A	10.53.0.3
+
+*.wild			A	10.0.0.27
--- a/bin/tests/system/dnssec/ns2/named.conf
+++ b/bin/tests/system/dnssec/ns2/named.conf
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: named.conf,v 1.17.12.2 2004/03/06 10:22:00 marka Exp $ */
+/* $Id: named.conf,v 1.17.12.3 2004/03/08 02:07:45 marka Exp $ */

 // NS2

@@ -31,6 +31,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
+	enable-dnssec yes;
 };

 zone "." {
@@ -56,5 +57,4 @@ zone "insecure.secure.example" {
 	allow-update { any; };
 };

-
 include "trusted.conf";
--- a/bin/tests/system/dnssec/ns2/private.secure.example.db.in
+++ b/bin/tests/system/dnssec/ns2/private.secure.example.db.in
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.

-; $Id: private.secure.example.db.in,v 1.6.206.1 2004/03/06 10:22:01 marka Exp $
+; $Id: private.secure.example.db.in,v 1.6.206.2 2004/03/08 02:07:45 marka Exp $

 $TTL 300	; 5 minutes
@			IN SOA	mname1. . (
@@ -30,3 +30,5 @@ a			A	10.0.0.1
 b			A	10.0.0.2
 d			A	10.0.0.4
 z			A	10.0.0.26
+private2secure-nxdomain	CNAME	r.example.
+*.wild			CNAME   s.example.
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: sign.sh,v 1.15.12.1 2004/03/06 10:22:01 marka Exp $
+# $Id: sign.sh,v 1.15.12.2 2004/03/08 02:07:46 marka Exp $

 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -26,34 +26,21 @@ zone=example.
 infile=example.db.in
 zonefile=example.db

-keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
-
-# Have the child generate a zone key and pass it to us,
-# sign it, and pass it back
+# Have the child generate a zone key and pass it to us.

 ( cd ../ns3 && sh sign.sh )

-cp ../ns3/keyset-secure.example. .
+for subdomain in secure bogus dynamic keyless
+do
+	cp ../ns3/keyset-$subdomain.example. .
+done

-$KEYSIGNER -r $RANDFILE keyset-secure.example. $keyname > /dev/null
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname2=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`

-# This will leave two copies of the child's zone key in the signed db file;
-# that shouldn't cause any problems.
-cat signedkey-secure.example. >>../ns3/secure.example.db.signed
+cat $infile $keyname1.key $keyname2.key >$zonefile

-cp ../ns3/keyset-bogus.example. .
-
-$KEYSIGNER -r $RANDFILE keyset-bogus.example. $keyname > /dev/null
-
-# This will leave two copies of the child's zone key in the signed db file;
-# that shouldn't cause any problems.
-cat signedkey-bogus.example. >>../ns3/bogus.example.db.signed
-
-$KEYSETTOOL -r $RANDFILE -t 3600 $keyname > /dev/null
-
-cat $infile $keyname.key >$zonefile
-
-$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null

 # Sign the privately secure file

@@ -65,4 +52,4 @@ privkeyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $privzone`

 cat $privinfile $privkeyname.key >$privzonefile

-$SIGNER -r $RANDFILE -o $privzone $privzonefile > /dev/null
+$SIGNER -g -r $RANDFILE -o $privzone $privzonefile > /dev/null