From 08a9e7add10d53a34ddbbe2e9fe9a9efe3b7494b Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 2 Jun 2021 10:16:50 +0200 Subject: [PATCH] Add test for NSEC3PARAM not changed after restart Add a test case where 'named' is restarted and ensure that an already signed zone does not change its NSEC3 parameters. The test case first tests the current zone and saves the used salt value. Then after restart it checks if the salt (and other parameters) are the same as before the restart. This test case changes 'set_nsec3param'. This will now reset the salt value, and when checking for NSEC3PARAM we will store the salt and use it when testing the NXDOMAIN response. This does mean that for every test case we now have to call 'set_nsec3param' explicitly (and can not omit it because it is the same as the previous zone). Finally, slightly changed some echo output to make debugging friendlier. --- bin/tests/system/nsec3/tests.sh | 46 ++++++++++++++++++++++++++++++--- 1 file changed, 42 insertions(+), 4 deletions(-) diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh index 2982be9188..62c49e5904 100644 --- a/bin/tests/system/nsec3/tests.sh +++ b/bin/tests/system/nsec3/tests.sh @@ -41,8 +41,8 @@ set_nsec3param() { FLAGS=$1 ITERATIONS=$2 SALTLEN=$3 + # Reset salt. SALT="" - test "$SALTLEN" = "0" && SALT="-" } # The apex NSEC3PARAM record indicates that it is signed. @@ -115,6 +115,10 @@ _check_nsec3_nsec3param() { dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1 grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" > /dev/null || return 1 + + if [ -z "$SALT" ]; then + SALT=`awk '$4 == "NSEC3PARAM" { print $8 }' dig.out.test$n.nsec3param.$ZONE` + fi return 0 } @@ -128,14 +132,14 @@ _check_nsec3_nxdomain() check_nsec3() { n=$((n+1)) - echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)" + echo_i "check that NSEC3PARAM 1 0 ${ITERATIONS} is published zone ${ZONE} ($n)" ret=0 retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) n=$((n+1)) - echo_i "check NSEC3 response for zone ${ZONE} ($n)" + echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} ${ITERATIONS} ${SALT} for zone ${ZONE} ($n)" ret=0 retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}" test "$ret" -eq 0 || echo_i "failed" @@ -169,24 +173,28 @@ dnssec_verify # Zone: nsec3-change.kasp. set_zone_policy "nsec3-change.kasp" "nsec3" +set_nsec3param "0" "5" "8" echo_i "initial check zone ${ZONE}" check_nsec3 dnssec_verify # Zone: nsec3-dynamic-change.kasp. set_zone_policy "nsec3-dynamic-change.kasp" "nsec3" +set_nsec3param "0" "5" "8" echo_i "initial check zone ${ZONE}" check_nsec3 dnssec_verify # Zone: nsec3-to-nsec.kasp. set_zone_policy "nsec3-to-nsec.kasp" "nsec3" +set_nsec3param "0" "5" "8" echo_i "initial check zone ${ZONE}" check_nsec3 dnssec_verify # Zone: nsec3-to-optout.kasp. set_zone_policy "nsec3-to-optout.kasp" "nsec3" +set_nsec3param "0" "5" "8" echo_i "initial check zone ${ZONE}" check_nsec3 dnssec_verify @@ -205,7 +213,6 @@ echo_i "initial check zone ${ZONE}" check_nsec3 dnssec_verify - # Reconfig named. echo_i "reconfig dnssec-policy to trigger nsec3 rollovers" copy_setports ns3/named2.conf.in ns3/named.conf @@ -221,12 +228,14 @@ dnssec_verify # Zone: nsec3.kasp. (same) set_zone_policy "nsec3.kasp" "nsec3" +set_nsec3param "0" "5" "8" echo_i "check zone ${ZONE} after reconfig" check_nsec3 dnssec_verify # Zone: nsec3-dyamic.kasp. (same) set_zone_policy "nsec3-dynamic.kasp" "nsec3" +set_nsec3param "0" "5" "8" echo_i "check zone ${ZONE} after reconfig" check_nsec3 dnssec_verify @@ -247,6 +256,7 @@ dnssec_verify # Zone: nsec3-to-nsec.kasp. (reconfigured) set_zone_policy "nsec3-to-nsec.kasp" "nsec" +set_nsec3param "1" "11" "0" echo_i "check zone ${ZONE} after reconfig" check_nsec dnssec_verify @@ -286,5 +296,33 @@ grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.tes check_nsec3 dnssec_verify +# Test NSEC3 and NSEC3PARAM is the same after restart +set_zone_policy "nsec3.kasp" "nsec3" +set_nsec3param "0" "5" "8" +echo_i "check zone ${ZONE} before restart" +check_nsec3 +dnssec_verify + +# Restart named, NSEC3 should stay the same. +ret=0 +echo "stop ns3" +$PERL ../stop.pl --use-rndc --port ${CONTROLPORT} nsec3 ${DIR} || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +ret=0 +echo "start ns3" +start_server --noclean --restart --port ${PORT} nsec3 ${DIR} +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +prevsalt="${SALT}" +set_zone_policy "nsec3.kasp" "nsec3" +set_nsec3param "0" "5" "8" +SALT="${prevsalt}" +echo_i "check zone ${ZONE} after restart has salt ${SALT}" +check_nsec3 +dnssec_verify + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1