Check 'server { broken-nsec yes; };'

2021-12-01 15:32:20 +11:00
parent 3faccb16cc
commit dfe31e61d2
5 changed files with 88 additions and 11 deletions
--- a/bin/tests/system/checkconf/good-broken-nsec.conf
+++ b/bin/tests/system/checkconf/good-broken-nsec.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+server 10.0.0/24 {
+	broken-nsec yes;
+};
--- a/bin/tests/system/synthfromdnssec/ns7/named.conf.in
+++ b/bin/tests/system/synthfromdnssec/ns7/named.conf.in
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+	dnssec-validation yes;
+};
+
+server 10.53.0.1 {
+	broken-nsec yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+statistics-channels {
+	inet 10.53.0.7 port @EXTRAPORT1@ allow { any; };
+};
+
+zone "." {
+	type hint;
+	file "root.hints";
+};
+
+include "../ns1/trusted.conf";
--- a/bin/tests/system/synthfromdnssec/ns7/root.hints
+++ b/bin/tests/system/synthfromdnssec/ns7/root.hints
@@ -0,0 +1,11 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	NS	ns1
+ns1	A	10.53.0.1
--- a/bin/tests/system/synthfromdnssec/setup.sh
+++ b/bin/tests/system/synthfromdnssec/setup.sh
@@ -20,6 +20,7 @@ copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf

 (
    cd ns1
--- a/bin/tests/system/synthfromdnssec/tests.sh
+++ b/bin/tests/system/synthfromdnssec/tests.sh
@@ -98,13 +98,14 @@ check_auth_count() {
    return 0
 }

-for ns in 2 4 5 6
+for ns in 2 4 5 6 7
 do
    case $ns in
    2) ad=yes; description="<default>";;
    4) ad=yes; description="no";;
    5) ad=yes; description="yes";;
    6) ad=no; description="yes; dnssec-validation no";;
+    7) ad=yes; description="yes; server 10.53.0.1 { broken-nsec yes; };";;
    *) exit 1;;
    esac
    echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
@@ -318,13 +319,14 @@ status=$((status+ret))
 #
 sleep 1

-for ns in 2 4 5 6
+for ns in 2 4 5 6 7
 do
    case $ns in
    2) ad=yes synth=${synth_default} description="<default>";;
    4) ad=yes synth=no description="no";;
    5) ad=yes synth=yes description="yes";;
    6) ad=no synth=no description="yes; dnssec-validation no";;
+    7) ad=yes synth=no description="yes; server 10.53.0.1 { broken-nsec yes; };";;
    *) exit 1;;
    esac
    echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
@@ -637,11 +639,11 @@ do
    count=$(grep "cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l)
    test $count = 2 || ret=1
    zero=$(grep "0 cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l)
-    if [ ${ad} = yes ]
+    if [ ${ad} = no -o $ns = 7 ]
    then
-	test $zero = 1 || ret=1
-    else
 	test $zero = 2 || ret=1
+    else
+	test $zero = 1 || ret=1
    fi
    n=$((n+1))
    if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -698,11 +700,11 @@ do
 	count=$(echo "$counter" | grep CacheNSECNodes | wc -l)
 	test $count = 1 || ret=1
 	zero=$(echo "$counter" | grep ">0<" | wc -l)
-	if [ ${ad} = yes ]
+	if [ ${ad} = no -o $ns = 7 ]
 	then
-	    test $zero = 0 || ret=1
-	else
 	    test $zero = 1 || ret=1
+	else
+	    test $zero = 0 || ret=1
 	fi
 	n=$((n+1))
 	if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -761,11 +763,11 @@ do
 	count=$(grep '"CacheNSECNodes":' $json | wc -l)
 	test $count = 2 || ret=1
 	zero=$(grep '"CacheNSECNodes":0' $json | wc -l)
-	if [ ${ad} = yes ]
+	if [ ${ad} = no -o $ns = 7 ]
 	then
-	    test $zero = 1 || ret=1
-	else
 	    test $zero = 2 || ret=1
+	else
+	    test $zero = 1 || ret=1
 	fi
 	n=$((n+1))
 	if [ $ret != 0 ]; then echo_i "failed"; fi