Validate glue before adding it to the additional section (#45062)
This commit is contained in:
Mukund Sivaraman
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (C) 2013, 2016 Internet Systems Consortium, Inc. ("ISC")
|
||||
* Copyright (C) 2012, 2013, 2016 Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
@@ -18,6 +18,12 @@ options {
|
||||
pid-file "named.pid";
|
||||
listen-on { 10.53.0.4; };
|
||||
listen-on-v6 { none; };
|
||||
recursion yes;
|
||||
acache-enable no;
|
||||
dnssec-enable yes;
|
||||
dnssec-validation auto;
|
||||
bindkeys-file "managed.conf";
|
||||
dnssec-accept-expired yes;
|
||||
};
|
||||
|
||||
key rndc_key {
|
||||
@@ -29,47 +35,7 @@ controls {
|
||||
inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
|
||||
};
|
||||
|
||||
key auth {
|
||||
secret "1234abcd8765";
|
||||
algorithm hmac-sha256;
|
||||
};
|
||||
|
||||
include "trusted.conf";
|
||||
|
||||
view rec {
|
||||
match-recursive-only yes;
|
||||
recursion yes;
|
||||
acache-enable yes;
|
||||
dnssec-validation yes;
|
||||
dnssec-accept-expired yes;
|
||||
|
||||
zone "." {
|
||||
type hint;
|
||||
file "../../common/root.hint";
|
||||
};
|
||||
|
||||
zone secure.example {
|
||||
type static-stub;
|
||||
server-addresses { 10.53.0.4; };
|
||||
};
|
||||
|
||||
zone insecure.secure.example {
|
||||
type static-stub;
|
||||
server-addresses { 10.53.0.4; };
|
||||
};
|
||||
};
|
||||
|
||||
view auth {
|
||||
recursion no;
|
||||
allow-recursion { none; };
|
||||
|
||||
zone secure.example {
|
||||
type slave;
|
||||
masters { 10.53.0.3; };
|
||||
};
|
||||
|
||||
zone insecure.secure.example {
|
||||
type slave;
|
||||
masters { 10.53.0.2; };
|
||||
};
|
||||
zone "." {
|
||||
type hint;
|
||||
file "../../common/root.hint";
|
||||
};
|
||||
|
||||
75
bin/tests/system/dnssec/ns4/named5.conf
Normal file
75
bin/tests/system/dnssec/ns4/named5.conf
Normal file
@@ -0,0 +1,75 @@
|
||||
/*
|
||||
* Copyright (C) 2013, 2016 Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
*/
|
||||
|
||||
// NS4
|
||||
|
||||
controls { /* empty */ };
|
||||
|
||||
options {
|
||||
query-source address 10.53.0.4;
|
||||
notify-source 10.53.0.4;
|
||||
transfer-source 10.53.0.4;
|
||||
port 5300;
|
||||
pid-file "named.pid";
|
||||
listen-on { 10.53.0.4; };
|
||||
listen-on-v6 { none; };
|
||||
};
|
||||
|
||||
key rndc_key {
|
||||
secret "1234abcd8765";
|
||||
algorithm hmac-sha256;
|
||||
};
|
||||
|
||||
controls {
|
||||
inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
|
||||
};
|
||||
|
||||
key auth {
|
||||
secret "1234abcd8765";
|
||||
algorithm hmac-sha256;
|
||||
};
|
||||
|
||||
include "trusted.conf";
|
||||
|
||||
view rec {
|
||||
match-recursive-only yes;
|
||||
recursion yes;
|
||||
acache-enable yes;
|
||||
dnssec-validation yes;
|
||||
dnssec-accept-expired yes;
|
||||
|
||||
zone "." {
|
||||
type hint;
|
||||
file "../../common/root.hint";
|
||||
};
|
||||
|
||||
zone secure.example {
|
||||
type static-stub;
|
||||
server-addresses { 10.53.0.4; };
|
||||
};
|
||||
|
||||
zone insecure.secure.example {
|
||||
type static-stub;
|
||||
server-addresses { 10.53.0.4; };
|
||||
};
|
||||
};
|
||||
|
||||
view auth {
|
||||
recursion no;
|
||||
allow-recursion { none; };
|
||||
|
||||
zone secure.example {
|
||||
type slave;
|
||||
masters { 10.53.0.3; };
|
||||
};
|
||||
|
||||
zone insecure.secure.example {
|
||||
type slave;
|
||||
masters { 10.53.0.2; };
|
||||
};
|
||||
};
|
||||
@@ -2697,6 +2697,10 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
cp ns4/named4.conf ns4/named.conf
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
|
||||
sleep 3
|
||||
|
||||
echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)"
|
||||
ret=0
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
|
||||
@@ -2714,6 +2718,27 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
cp ns4/named4.conf ns4/named.conf
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
|
||||
sleep 3
|
||||
|
||||
echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section with acache off; ($n)"
|
||||
ret=0
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
|
||||
$DIG +noall +additional +dnssec +cd -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
|
||||
$DIG +noall +additional +dnssec -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
|
||||
ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
|
||||
ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
|
||||
for ttl in ${ttls:-300}; do
|
||||
[ $ttl -eq 300 ] || ret=1
|
||||
done
|
||||
for ttl in ${ttls2:-0}; do
|
||||
[ $ttl -le 120 -a $ttl -gt 60 ] || ret=1
|
||||
done
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:testing DNSKEY lookup via CNAME ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth cnameandkey.secure.example. \
|
||||
@@ -2875,7 +2900,7 @@ n=`expr $n + 1`
|
||||
if test "$before" = "$after" ; then echo "I:failed"; ret=1; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
cp ns4/named4.conf ns4/named.conf
|
||||
cp ns4/named5.conf ns4/named.conf
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
|
||||
sleep 3
|
||||
|
||||
|
||||
Reference in New Issue
Block a user