Add test cases that use DNSSEC signing
Add two new masterformat tests that use signing. In the case of 'under-limit-kasp', the signing will keep the number of records in the RRset under the limit. In the case of 'on-limit-kasp', the signing will push the number of records in the RRset over the limit, because of the added RRSIG record. (cherry picked from commit 4c677882e66883670990a771337ecbb5206a6faa)
parent
5067ab6120
commit
270512949e
5 changed files with 109 additions and 0 deletions
|
|
@ -27,7 +27,9 @@ $CHECKZONE -D -F raw=0 -o example.db.compat example-compat \
|
|||
$CHECKZONE -D -F raw -L 3333 -o example.db.serial.raw example \
|
||||
example.db >/dev/null 2>&1
|
||||
$CHECKZONE -D -F raw -o under-limit.db.raw under-limit under-limit.db >/dev/null 2>&1
|
||||
$CHECKZONE -D -F raw -o under-limit-kasp.db.raw under-limit-kasp under-limit-kasp.db >/dev/null 2>&1
|
||||
$CHECKZONE -D -F raw -o on-limit.db.raw on-limit on-limit.db >/dev/null 2>&1
|
||||
$CHECKZONE -D -F raw -o on-limit-kasp.db.raw on-limit-kasp on-limit-kasp.db >/dev/null 2>&1
|
||||
$CHECKZONE -D -F raw -o over-limit.db.raw over-limit over-limit.db >/dev/null 2>&1
|
||||
$CHECKZONE -D -F raw -o 255types.db.raw 255types 255types.db >/dev/null 2>&1
|
||||
|
||||
|
|
|
|||
|
|
@ -80,6 +80,14 @@ zone "under-limit" {
|
|||
allow-transfer { any; };
|
||||
};
|
||||
|
||||
zone "under-limit-kasp" {
|
||||
type primary;
|
||||
file "under-limit-kasp.db.raw";
|
||||
masterfile-format raw;
|
||||
dnssec-policy masterformat;
|
||||
allow-transfer { any; };
|
||||
};
|
||||
|
||||
zone "on-limit" {
|
||||
type primary;
|
||||
file "on-limit.db.raw";
|
||||
|
|
@ -87,6 +95,13 @@ zone "on-limit" {
|
|||
allow-transfer { any; };
|
||||
};
|
||||
|
||||
zone "on-limit-kasp" {
|
||||
type primary;
|
||||
file "on-limit-kasp.db.raw";
|
||||
masterfile-format raw;
|
||||
dnssec-policy masterformat;
|
||||
allow-transfer { any; };
|
||||
};
|
||||
|
||||
zone "over-limit" {
|
||||
type primary;
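Review bot: Nothing in the new "under-limit-kasp" and "on-limit-kasp" zone blocks says how they differ in purpose from "under-limit" and "on-limit", so a short comment above each would help, e.g. `/* same data as on-limit, but signed: the added RRSIG is meant to push the RRset over the limit */`, which is what the commit description states. Both blocks also rely on `dnssec-policy masterformat;`, and no definition of that policy appears in the visible hunks of this file. It is presumably declared elsewhere in the file, but since this is a cherry-pick it is worth confirming the policy exists on this branch; otherwise the configuration would fail to load rather than exercise the limit.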
|
||||
|
|
|
|||
|
|
@ -65,6 +65,13 @@ zone "under-limit" {
|
|||
file "under-limit.bk";
|
||||
};
|
||||
|
||||
zone "under-limit-kasp" {
|
||||
type secondary;
|
||||
primaries { 10.53.0.1; };
|
||||
masterfile-format raw;
|
||||
file "under-limit-kasp.bk";
|
||||
};
|
||||
|
||||
zone "on-limit" {
|
||||
type secondary;
|
||||
primaries { 10.53.0.1; };
|
||||
|
|
@ -72,6 +79,13 @@ zone "on-limit" {
|
|||
file "on-limit.bk";
|
||||
};
|
||||
|
||||
zone "on-limit-kasp" {
|
||||
type secondary;
|
||||
primaries { 10.53.0.1; };
|
||||
masterfile-format raw;
|
||||
file "on-limit-kasp.bk";
|
||||
};
|
||||
|
||||
zone "255types" {
|
||||
type secondary;
|
||||
primaries { 10.53.0.1; };
|
||||
|
|
|
|||
|
|
@ -32,6 +32,8 @@ awk 'END {
|
|||
for (i = 0; i < 1000; i++ ) { print "1000-txt TXT", i; }
|
||||
for (i = 0; i < 2000; i++ ) { print "2000-txt TXT", i; }
|
||||
}' </dev/null >>ns1/under-limit.db
|
||||
cp ns1/under-limit.db ns1/under-limit-kasp.db
|
||||
|
||||
cp ns1/empty.db.in ns1/on-limit.db
|
||||
awk 'END {
|
||||
for (i = 0; i < 500; i++ ) { print "500-txt TXT", i; }
|
||||
|
|
@ -39,6 +41,8 @@ awk 'END {
|
|||
for (i = 0; i < 2000; i++ ) { print "2000-txt TXT", i; }
|
||||
for (i = 0; i < 2050; i++ ) { print "2050-txt TXT", i; }
|
||||
}' </dev/null >>ns1/on-limit.db
|
||||
cp ns1/on-limit.db ns1/on-limit-kasp.db
|
||||
|
||||
cp ns1/empty.db.in ns1/over-limit.db
|
||||
awk 'END {
|
||||
for (i = 0; i < 500; i++ ) { print "500-txt TXT", i; }
|
||||
|
|
@ -47,6 +51,7 @@ awk 'END {
|
|||
for (i = 0; i < 2050; i++ ) { print "2050-txt TXT", i; }
|
||||
for (i = 0; i < 2100; i++ ) { print "2100-txt TXT", i; }
|
||||
}' </dev/null >>ns1/over-limit.db
|
||||
|
||||
cp ns1/empty.db.in ns1/255types.db
|
||||
for ntype in $(seq 65280 65534); do
|
||||
echo "m TYPE${ntype} \# 0"
|
||||
|
|
|
|||
|
|
@ -201,6 +201,49 @@ n=$((n + 1))
|
|||
[ $ret -eq 0 ] || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
echo_i "checking that under-limit-kasp dnskeys loaded ($n)"
|
||||
for _attempt in 0 1 2 3 4 5 6 7 8 9; do
|
||||
ret=0
|
||||
|
||||
$DIG +tcp +dnssec dnskey "under-limit-kasp" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.dnskey.test$n"
|
||||
grep "status: NOERROR" "dig.out.ns1.dnskey.test$n" >/dev/null || ret=1
|
||||
grep "RRSIG" "dig.out.ns1.dnskey.test$n" >/dev/null || ret=1
|
||||
[ $ret -eq 0 ] && break
|
||||
sleep 1
|
||||
done
|
||||
n=$((n + 1))
|
||||
[ $ret -eq 0 ] || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
echo_i "checking that under-limit-kasp rdatasets loaded ($n)"
|
||||
for _attempt in 0 1 2 3 4 5 6 7 8 9; do
|
||||
ret=0
|
||||
for rrcount in 500-txt 1000-txt 2000-txt; do
|
||||
$DIG +tcp +dnssec txt "${rrcount}.under-limit-kasp" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n"
|
||||
grep "status: NOERROR" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1
|
||||
grep "RRSIG" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1
|
||||
done
|
||||
[ $ret -eq 0 ] && break
|
||||
sleep 1
|
||||
done
|
||||
n=$((n + 1))
|
||||
[ $ret -eq 0 ] || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
echo_i "checking that under-limit-kasp rdatasets transfered ($n)"
|
||||
for _attempt in 0 1 2 3 4 5 6 7 8 9; do
|
||||
ret=0
|
||||
for rrcount in 500-txt 1000-txt 2000-txt; do
|
||||
$DIG +tcp +dnssec txt "${rrcount}.under-limit-kasp" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$rrcount.test$n"
|
||||
grep "status: NOERROR" "dig.out.ns2.$rrcount.test$n" >/dev/null || ret=1
|
||||
done
|
||||
[ $ret -eq 0 ] && break
|
||||
sleep 1
|
||||
done
|
||||
n=$((n + 1))
|
||||
[ $ret -eq 0 ] || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
echo_i "checking that on-limit rdatasets loaded ($n)"
|
||||
for _attempt in 0 1 2 3 4 5 6 7 8 9; do
|
||||
ret=0
|
||||
|
|
@ -229,6 +272,36 @@ n=$((n + 1))
|
|||
[ $ret -eq 0 ] || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
echo_i "checking that on-limit-kasp rdatasets loaded ($n)"
|
||||
for _attempt in 0 1 2 3 4 5 6 7 8 9; do
|
||||
ret=0
|
||||
for rrcount in 500-txt 1000-txt 2000-txt 2050-txt; do
|
||||
$DIG +tcp +dnssec txt "${rrcount}.on-limit-kasp" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n"
|
||||
grep "status: NOERROR" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1
|
||||
grep "RRSIG" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1
|
||||
done
|
||||
[ $ret -eq 0 ] && break
|
||||
sleep 1
|
||||
done
|
||||
n=$((n + 1))
|
||||
[ $ret -eq 0 ] || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
echo_i "checking that on-limit-kasp rdatasets not transfered ($n)"
|
||||
for _attempt in 0 1 2 3 4 5 6 7 8 9; do
|
||||
ret=0
|
||||
for rrcount in 500-txt 1000-txt 2000-txt 2050-txt; do
|
||||
$DIG +tcp +dnssec txt "${rrcount}.on-limit-kasp" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$rrcount.test$n"
|
||||
grep "status: SERVFAIL" "dig.out.ns2.$rrcount.test$n" >/dev/null || ret=1
|
||||
done
|
||||
[ $ret -eq 0 ] && break
|
||||
sleep 1
|
||||
done
|
||||
n=$((n + 1))
|
||||
[ $ret -eq 0 ] || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
|
||||
echo_i "checking that over-limit rdatasets not loaded ($n)"
|
||||
for _attempt in 0 1 2 3 4 5 6 7 8 9; do
|
||||
ret=0
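Review bot: The "on-limit-kasp rdatasets not transfered" check can pass without the record limit ever being enforced, because ns2 also answers SERVFAIL for a secondary zone it has simply not transferred yet, and the retry loop breaks on the first SERVFAIL. Since this test guards a resource limit, it should tie the failure to the rejected transfer, for example by also requiring the refusal in ns2's log: `grep "<expected transfer-failure message>" ns2/named.run >/dev/null || ret=1` (the message text is a placeholder, and the log path is assumed from the usual system-test layout). Separately, the "under-limit-kasp rdatasets transfered" loop queries ns2 with `+dnssec` but only greps for NOERROR; adding `grep "RRSIG" "dig.out.ns2.$rrcount.test$n" >/dev/null || ret=1` would confirm the signatures arrived with the zone. The `$DIG` invocations in the new loops also ignore dig's exit status, so a failed query is only caught indirectly by the greps.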
|
||||
|
|
|
|||