diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh index bb738af862..f4ab636e8e 100644 --- a/bin/tests/system/autosign/clean.sh +++ b/bin/tests/system/autosign/clean.sh @@ -35,6 +35,8 @@ rm -f ns2/private.secure.example.db ns2/bar.db rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf rm -f ns3/*.nzf rm -f ns3/autonsec3.example.db +rm -f ns3/cdnskey-delete.example.db +rm -f ns3/cds-delete.example.db rm -f ns3/delzsk.example.db rm -f ns3/dname-at-apex-nsec3.example.db rm -f ns3/inacksk2.example.db diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh index ec45cac86c..ddb9469277 100644 --- a/bin/tests/system/autosign/ns2/keygen.sh +++ b/bin/tests/system/autosign/ns2/keygen.sh @@ -16,8 +16,9 @@ # Have the child generate subdomain keys and pass DS sets to us. ( cd ../ns3 && $SHELL keygen.sh ) -for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync \ - dname-at-apex-nsec3 +for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 \ + nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \ + cdnskey-delete do cp ../ns3/dsset-$subdomain.example. . done diff --git a/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in b/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in new file mode 100644 index 0000000000..3083a79f7d --- /dev/null +++ b/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in @@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a diff --git a/bin/tests/system/autosign/ns3/cds-delete.example.db.in b/bin/tests/system/autosign/ns3/cds-delete.example.db.in new file mode 100644 index 0000000000..3083a79f7d --- /dev/null +++ b/bin/tests/system/autosign/ns3/cds-delete.example.db.in @@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index e9016f05e1..bd1d16e06f 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -332,7 +332,7 @@ $KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || du $DSFROMKEY $ksk.key > dsset-${zone}. # -# A zone that starts with a active KSK + ZSK and a inactive ZSK. +# A zone that starts with a active KSK + ZSK and a inactive ZSK. # setup inacksk3.example cp $infile $zonefile @@ -342,7 +342,7 @@ $KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. # -# A zone that starts with a active KSK + ZSK and a inactive ZSK. +# A zone that starts with a active KSK + ZSK and a inactive ZSK. # setup inaczsk3.example cp $infile $zonefile @@ -363,10 +363,29 @@ zsk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out` || dumpit kg. echo $zsk > ../delzsk.key # -# Check that NSEC3 are correctly signed and returned from below a DNAME +# Check that NSEC3 are correctly signed and returned from below a DNAME # setup dname-at-apex-nsec3.example cp $infile $zonefile ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. + +# +# Check that dynamically added CDS (DELETE) is kept in the zone after signing. +# +setup cds-delete.example +cp $infile $zonefile +ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}. + +# +# Check that dynamically added CDNSKEY (DELETE) is kept in the zone after +# signing. +# +setup cdnskey-delete.example +cp $infile $zonefile +ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}. diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in index 677f597e4b..29dfad6312 100644 --- a/bin/tests/system/autosign/ns3/named.conf.in +++ b/bin/tests/system/autosign/ns3/named.conf.in @@ -318,4 +318,18 @@ zone "dname-at-apex-nsec3.example" { auto-dnssec maintain; }; +zone "cds-delete.example" { + type primary; + file "cds-delete.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "cdnskey-delete.example" { + type primary; + file "cdnskey-delete.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + include "trusted.conf"; diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index 8b7a8dea84..3c7334ab3d 100755 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -1645,6 +1645,89 @@ inac=`grep "DNSKEY .* is now inactive" ns1/named.run | wc -l` [ "$inac" -eq 1 ] || ret=1 del=`grep "DNSKEY .* is now deleted" ns1/named.run | wc -l` [ "$del" -eq 1 ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that CDS (DELETE) persists after zone sign ($n)" +echo_i "update add cds-delete.example. CDS 0 0 00" +ret=0 +$NSUPDATE > nsupdate.out 2>&1 < dig.out.ns3.test$n || return 1 + grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 || return 1 + return 0 +) +_cdnskey_delete_nx() { + $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1 + grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 && return 1 + return 0 +} + +echo_i "query cds-delete.example. CDS" +retry_quiet 10 _cds_delete cds-delete.example. || ret=1 +echo_i "query cds-delete.example. CDNSKEY" +retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1 + +echo_i "sign cds-delete.example." +nextpart ns3/named.run >/dev/null +$RNDCCMD 10.53.0.3 sign cds-delete.example > /dev/null 2>&1 || ret=1 +wait_for_log 10 "zone cds-delete.example/IN: next key event" ns3/named.run +# The CDS (DELETE) record should still be here. +echo_i "query cds-delete.example. CDS" +retry_quiet 1 _cds_delete cds-delete.example. || ret=1 +# The CDNSKEY (DELETE) record should still not be added. +echo_i "query cds-delete.example. CDNSKEY" +retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1 + +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that CDNSKEY (DELETE) persists after zone sign ($n)" +echo_i "update add cdnskey-delete.example. CDNSKEY 0 3 0 AA==" +ret=0 +$NSUPDATE > nsupdate.out 2>&1 < dig.out.ns3.test$n || return 1 + grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 && return 1 + return 0 +) +_cdnskey_delete() { + $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1 + grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 || return 1 + return 0 +} + +echo_i "query cdnskey-delete.example. CDNSKEY" +retry_quiet 10 _cdnskey_delete cdnskey-delete.example. || ret=1 +echo_i "query cdnskey-delete.example. CDS" +retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1 + +echo_i "sign cdsnskey-delete.example." +nextpart ns3/named.run >/dev/null +$RNDCCMD 10.53.0.3 sign cdnskey-delete.example > /dev/null 2>&1 || ret=1 +wait_for_log 10 "zone cdnskey-delete.example/IN: next key event" ns3/named.run +# The CDNSKEY (DELETE) record should still be here. +echo_i "query cdnskey-delete.example. CDNSKEY" +retry_quiet 1 _cdnskey_delete cdnskey-delete.example. || ret=1 +# The CDS (DELETE) record should still not be added. +echo_i "query cdnskey-delete.example. CDS" +retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1 + +n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret`