diff --git a/bin/tests/system/nsec3/ns2/named.conf.j2 b/bin/tests/system/nsec3/ns2/named.conf.j2 index 924e9d26cb..904abbf81d 100644 --- a/bin/tests/system/nsec3/ns2/named.conf.j2 +++ b/bin/tests/system/nsec3/ns2/named.conf.j2 @@ -39,8 +39,10 @@ controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +{% if "nsec3-xfr-inline.kasp" in zones %} zone "nsec3-xfr-inline.kasp" { type primary; file "nsec3-xfr-inline.kasp.db"; dnssec-policy "nsec3"; }; +{% endif %}{# nsec3-xfr-inline.kasp #} diff --git a/bin/tests/system/nsec3/ns3/named-fips.conf.j2 b/bin/tests/system/nsec3/ns3/named-fips.conf.j2 index 5029457598..8074646fa6 100644 --- a/bin/tests/system/nsec3/ns3/named-fips.conf.j2 +++ b/bin/tests/system/nsec3/ns3/named-fips.conf.j2 
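Review bot: The new `{% if "nsec3-xfr-inline.kasp" in zones %}` guard turns `zones` into a required template variable, but nothing in the template records where it comes from or what happens when it is missing. As far as I can tell from the Python hunks it is supplied by each test module's `bootstrap()`; with Jinja's default `Undefined` I believe `x in zones` on a missing variable iterates an empty value and is simply false, so a module that forgets `bootstrap()` would render a config with no zones and fail later inside named rather than at render time, unless the templates fixture uses `StrictUndefined` (not visible here). I would add a Jinja comment near the top of the template, outside this hunk, such as `{# zones: set of zone names to configure; supplied by the test module's bootstrap() #}`, and confirm the renderer rejects undefined variables. The same applies to every `in zones` guard added in the ns3 templates.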
@@ -18,41 +18,52 @@ {% set nsec3_from_optout = "optout" if not reconfiged else "nsec3" %} {% set nsec3_to_optout = "nsec3" if not reconfiged else "optout" %} +{% if "nsec-to-nsec3.kasp" in zones %} /* This zone starts with NSEC, but will be reconfigured to use NSEC3. */ zone "nsec-to-nsec3.kasp" { type primary; file "nsec-to-nsec3.kasp.db"; dnssec-policy "@nsec_to_nsec3@"; }; +{% endif %}{# nsec-to-nsec3.kasp #} +{% if "nsec3.kasp" in zones %} /* These zones use the default NSEC3 settings. */ zone "nsec3.kasp" { type primary; file "nsec3.kasp.db"; dnssec-policy "nsec3"; }; +{% endif %}{# nsec3.kasp #} +{% if "nsec3-dynamic.kasp" in zones %} zone "nsec3-dynamic.kasp" { type primary; file "nsec3-dynamic.kasp.db"; dnssec-policy "nsec3"; allow-update { any; }; }; +{% endif %}{# nsec3-dynamic.kasp #} +{% if "nsec3-other.kasp" in zones %} /* This zone uses non-default NSEC3 settings. */ zone "nsec3-other.kasp" { type primary; file "nsec3-other.kasp.db"; dnssec-policy "nsec3-other"; }; +{% endif %}{# nsec3-other.kasp #} +{% if "nsec3-change.kasp" in zones %} /* These zones will be reconfigured to use other NSEC3 settings. */ zone "nsec3-change.kasp" { type primary; file "nsec3-change.kasp.db"; dnssec-policy "@nsec3_change@"; }; +{% endif %}{# nsec3-change.kasp #} +{% if "nsec3-dynamic-change.kasp" in zones %} zone "nsec3-dynamic-change.kasp" { type primary; file "nsec3-dynamic-change.kasp.db"; 
@@ -60,28 +71,36 @@ zone "nsec3-dynamic-change.kasp" { dnssec-policy "@nsec3_change@"; allow-update { any; }; }; +{% endif %}{# nsec3-dynamic-change.kasp #} +{% if "nsec3-to-optout.kasp" in zones %} /* The zone will be reconfigured to use opt-out. */ zone "nsec3-to-optout.kasp" { type primary; file "nsec3-to-optout.kasp.db"; dnssec-policy "@nsec3_to_optout@"; }; +{% endif %}{# nsec3-to-optout.kasp #} +{% if "nsec3-from-optout.kasp" in zones %} /* The zone will be reconfigured to disable opt-out. */ zone "nsec3-from-optout.kasp" { type primary; file "nsec3-from-optout.kasp.db"; dnssec-policy "@nsec3_from_optout@"; }; +{% endif %}{# nsec3-from-optout.kasp #} +{% if "nsec3-to-nsec.kasp" in zones %} /* The zone starts with NSEC3, but will be reconfigured to use NSEC. */ zone "nsec3-to-nsec.kasp" { type primary; file "nsec3-to-nsec.kasp.db"; dnssec-policy "@nsec3_to_nsec@"; }; +{% endif %}{# nsec3-to-nsec.kasp #} +{% if "nsec3-fails-to-load.kasp" in zones %} /* * The zone fails to load, this should not prevent shutdown. * The zone is fixed after a reconfig. @@ -92,7 +111,9 @@ zone "nsec3-fails-to-load.kasp" { dnssec-policy "nsec3"; allow-update { any; }; }; +{% endif %}{# nsec3-fails-to-load.kasp #} +{% if "nsec3-dynamic-to-inline.kasp" in zones %} /* These zones switch from dynamic to inline-signing or vice versa. */ zone "nsec3-dynamic-to-inline.kasp" { type primary; @@ -101,9 +122,11 @@ zone "nsec3-dynamic-to-inline.kasp" { {% if not reconfiged %} allow-update { any; }; inline-signing no; -{% endif %} +{% endif %}{# not reconfiged #} }; +{% endif %}{# nsec3-dynamic-to-inline.kasp #} +{% if "nsec3-inline-to-dynamic.kasp" in zones %} zone "nsec3-inline-to-dynamic.kasp" { type primary; file "nsec3-inline-to-dynamic.kasp.db"; 
@@ -111,34 +134,11 @@ zone "nsec3-inline-to-dynamic.kasp" { {% if reconfiged %} allow-update { any; }; inline-signing no; -{% endif %} - +{% endif %}{# reconfiged #} }; +{% endif %}{# nsec3-inline-to-dynamic.kasp #} -{% if not reconfiged %} - -/* - * Test adding a NSEC3 record to an inline-signing dnssec-policy zone. - */ -zone "nsec3-dynamic-update-inline.kasp" { - type primary; - file "nsec3-dynamic-update-inline.kasp.db"; - allow-update { any; }; - dnssec-policy "nsec"; -}; - -/* - * This zone will have an empty nonterminal node added and a node deleted. - */ -zone "nsec3-xfr-inline.kasp" { - type secondary; - file "nsec3-xfr-inline.kasp.db"; - dnssec-policy "nsec"; - primaries { 10.53.0.2; }; -}; - -{% else %} - +{% if "nsec3-ent.kasp" in zones %} /* * This zone will have an empty nonterminal node added and a node deleted. */ @@ -148,5 +148,32 @@ zone "nsec3-ent.kasp" { dnssec-policy "nsec3"; inline-signing yes; }; +{% endif %}{# nsec3-ent.kasp #} -{% endif %} +{% if not reconfiged %} + +{% if "nsec3-dynamic-update-inline.kasp" in zones %} +/* + * Test adding a NSEC3 record to an inline-signing dnssec-policy zone. + */ +zone "nsec3-dynamic-update-inline.kasp" { + type primary; + file "nsec3-dynamic-update-inline.kasp.db"; + allow-update { any; }; + dnssec-policy "nsec"; +}; +{% endif %}{# nsec3-dynamic-update-inline.kasp #} + +{% if "nsec3-xfr-inline.kasp" in zones %} +/* + * This zone will have an empty nonterminal node added and a node deleted. + */ +zone "nsec3-xfr-inline.kasp" { + type secondary; + file "nsec3-xfr-inline.kasp.db"; + dnssec-policy "nsec"; + primaries { 10.53.0.2; }; +}; +{% endif %}{# nsec3-xfr-inline.kasp #} + +{% endif %}{# not reconfiged #} diff --git a/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2 b/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2 index c2cbf485ce..7c47ae2d54 100644 --- a/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2 +++ b/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2 
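Review bot: `nsec3-ent.kasp` is no longer inside the `{% if not reconfiged %} … {% else %}` branch that the first hunk removes, so it is now rendered whenever it is in `zones`, including the initial (`reconfiged` false) render, whereas before it only appeared after reconfig. In tests_nsec3_reconfig.py the zone is listed in `ZONES`, so on ns3 it will now be configured from first start instead of being introduced by the reconfigure; if the test relied on the zone arriving at reconfig time this is a behaviour change to confirm, and if it is intentional a one-line Jinja comment such as `{# nsec3-ent.kasp is present from the initial render; it is not gated on reconfiged #}` would record it. The `zone "nsec3-ent.kasp" {` opening line lies outside this hunk.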
@@ -21,6 +21,8 @@ dnssec-policy "rsasha1" { }; }; + +{% if "rsasha1-to-nsec3.kasp" in zones %} /* * This zone starts with NSEC, but will be reconfigured to use NSEC3. * This should work despite the incompatible RSAHSHA1 algorithm, @@ -31,7 +33,9 @@ zone "rsasha1-to-nsec3.kasp" { file "rsasha1-to-nsec3.kasp.db"; dnssec-policy "@rsasha1_to_nsec3@"; }; +{% endif %}{# rsasha1-to-nsec3.kasp #} +{% if "rsasha1-to-nsec3-wait.kasp" in zones %} /* * This zone starts with NSEC, but will be reconfigured to use NSEC3. * This should block because RSASHA1 is not compatible with NSEC3, @@ -42,7 +46,9 @@ zone "rsasha1-to-nsec3-wait.kasp" { file "rsasha1-to-nsec3-wait.kasp.db"; dnssec-policy "@rsasha1_to_nsec3@"; }; +{% endif %}{# rsasha1-to-nsec3-wait.kasp #} +{% if "nsec3-to-rsasha1.kasp" in zones %} /* * This zone starts with NSEC3, but will be reconfigured to use NSEC with an * NSEC only algorithm. This should work despite the incompatible RSAHSHA1 @@ -53,7 +59,9 @@ zone "nsec3-to-rsasha1.kasp" { file "nsec3-to-rsasha1.kasp.db"; dnssec-policy "@nsec3_to_rsasha1@"; }; +{% endif %}{# nsec3-to-rsasha1.kasp #} +{% if "nsec3-to-rsasha1-ds.kasp" in zones %} /* * This zone starts with NSEC3, but will be reconfigured to use NSEC with an * NSEC only algorithm. This should also be fine because we are allowed @@ -65,3 +73,4 @@ zone "nsec3-to-rsasha1-ds.kasp" { file "nsec3-to-rsasha1-ds.kasp.db"; dnssec-policy "@nsec3_to_rsasha1@"; }; +{% endif %}{# nsec3-to-rsasha1-ds.kasp #} diff --git a/bin/tests/system/nsec3/tests_nsec3_change.py b/bin/tests/system/nsec3/tests_nsec3_change.py index 39b3a1cbfe..a65a1789be 100644 --- a/bin/tests/system/nsec3/tests_nsec3_change.py +++ b/bin/tests/system/nsec3/tests_nsec3_change.py 
@@ -31,6 +31,18 @@ from nsec3.common import (
 )
+# include the following zones when rendering named configs
+ZONES = {
+ "nsec3-change.kasp",
+}
+
+
+def bootstrap():
+ return {
+ "zones": ZONES,
+ }
+
+
 @pytest.fixture(scope="module", autouse=True)
 def after_servers_start(ns3, templates):
@@ -58,8 +70,12 @@ def after_servers_start(ns3, templates):
 # After reconfig, the NSEC3PARAM TTL should match the new SOA MINIMUM.
 # Reconfigure.
- templates.render(f"{nsdir}/named-fips.conf", {"reconfiged": True})
- templates.render(f"{nsdir}/named-rsasha1.conf", {"reconfiged": True})
+ data = {
+ "reconfiged": True,
+ "zones": ZONES,
+ }
+ templates.render(f"{nsdir}/named-fips.conf", data)
+ templates.render(f"{nsdir}/named-rsasha1.conf", data)
 # Wait for the NSEC3 chain is finished rebuilding.
 messages = [
diff --git a/bin/tests/system/nsec3/tests_nsec3_initial.py b/bin/tests/system/nsec3/tests_nsec3_initial.py
index a8f52350fe..6ef80343a9 100644
--- a/bin/tests/system/nsec3/tests_nsec3_initial.py
+++ b/bin/tests/system/nsec3/tests_nsec3_initial.py
@@ -11,6 +11,8 @@
 # pylint: disable=redefined-outer-name,unused-import
+import os
+
 import dns.update
 import pytest
@@ -27,6 +29,40 @@ from nsec3.common import (
 )
+# include the following zones when rendering named configs
+ZONES = {
+ "nsec-to-nsec3.kasp",
+ "nsec3-xfr-inline.kasp",
+ "nsec3-dynamic-update-inline.kasp",
+ "nsec3.kasp",
+ "nsec3-dynamic.kasp",
+ "nsec3-change.kasp",
+ "nsec3-dynamic-change.kasp",
+ "nsec3-dynamic-to-inline.kasp",
+ "nsec3-inline-to-dynamic.kasp",
+ "nsec3-to-nsec.kasp",
+ "nsec3-to-optout.kasp",
+ "nsec3-from-optout.kasp",
+ "nsec3-other.kasp",
+}
+
+if os.environ["RSASHA1_SUPPORTED"] == "1":
+ ZONES.update(
+ {
+ "rsasha1-to-nsec3.kasp",
+ "rsasha1-to-nsec3-wait.kasp",
+ "nsec3-to-rsasha1.kasp",
+ "nsec3-to-rsasha1-ds.kasp",
+ }
+ )
+
+
+def bootstrap():
+ return {
+ "zones": ZONES,
+ }
+
+
 @pytest.mark.parametrize(
 "params",
 [
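Review bot: `bootstrap()` has no docstring and the comment above `ZONES` does not say who calls it; from the diff alone the only visible consumer of `zones` is the Jinja `in zones` guards, so a reader has to infer that the test harness looks up a module-level `bootstrap()` to obtain the variables for the initial render. I would add `"""Return the template variables for this module's initial named.conf render (looked up by the test harness)."""`, worded to match what the harness actually does, and a `-> dict[str, set[str]]` annotation. The same undocumented function is added in tests_nsec3_initial.py, tests_nsec3_reconfig.py, tests_nsec3_reload.py and tests_nsec3_restart.py.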
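Review bot: The reconfig render builds `data` by hand as `{"reconfiged": True, "zones": ZONES}`, duplicating what `bootstrap()` already returns a few lines above; if `bootstrap()` later gains another variable this dict silently drifts and the templates would see different inputs before and after reconfig. Deriving it as `data = {**bootstrap(), "reconfiged": True}` keeps the two renders in sync. The same hand-built dict appears in the reconfig hunk of tests_nsec3_reconfig.py.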
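Review bot: `os.environ["RSASHA1_SUPPORTED"]` is evaluated at import time, so when the variable is unset pytest fails during collection with a bare `KeyError` rather than a message pointing at the environment; presumably the system-test runner exports it, but that is not visible here. If the variable is guaranteed, a comment such as `# RSASHA1_SUPPORTED is exported by the system-test runner; a KeyError here means the environment is incomplete` documents the dependency; if not, `os.environ.get("RSASHA1_SUPPORTED") == "1"` treats an unset variable as unsupported. `ZONES.update(...)` also mutates an UPPER_CASE module-level name at import, which is harmless but worth a one-line comment. tests_nsec3_reconfig.py carries the identical block.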
diff --git a/bin/tests/system/nsec3/tests_nsec3_reconfig.py b/bin/tests/system/nsec3/tests_nsec3_reconfig.py
index 1f7ffec73e..666ba320b4 100644
--- a/bin/tests/system/nsec3/tests_nsec3_reconfig.py
+++ b/bin/tests/system/nsec3/tests_nsec3_reconfig.py
@@ -31,6 +31,38 @@ from nsec3.common import (
 )
+# include the following zones when rendering named configs
+ZONES = {
+ "nsec3-to-nsec.kasp",
+ "nsec-to-nsec3.kasp",
+ "nsec3.kasp",
+ "nsec3-dynamic.kasp",
+ "nsec3-dynamic-change.kasp",
+ "nsec3-dynamic-to-inline.kasp",
+ "nsec3-inline-to-dynamic.kasp",
+ # "nsec3-to-optout.kasp",
+ # "nsec3-from-optout.kasp",
+ "nsec3-other.kasp",
+ "nsec3-ent.kasp",
+}
+
+if os.environ["RSASHA1_SUPPORTED"] == "1":
+ ZONES.update(
+ {
+ "rsasha1-to-nsec3-wait.kasp",
+ "nsec3-to-rsasha1.kasp",
+ "nsec3-to-rsasha1-ds.kasp",
+ "rsasha1-to-nsec3.kasp",
+ }
+ )
+
+
+def bootstrap():
+ return {
+ "zones": ZONES,
+ }
+
+
 @pytest.fixture(scope="module", autouse=True)
 def after_servers_start(ns3, templates):
 # Ensure rsasha1-to-nsec3-wait.kasp is fully signed prior to reconfig.
@@ -41,8 +73,12 @@ def after_servers_start(ns3, templates):
 isctest.kasp.check_dnssec_verify(ns3, zone)
 # Reconfigure.
- templates.render(f"{ns3.identifier}/named-fips.conf", {"reconfiged": True})
- templates.render(f"{ns3.identifier}/named-rsasha1.conf", {"reconfiged": True})
+ data = {
+ "reconfiged": True,
+ "zones": ZONES,
+ }
+ templates.render(f"{ns3.identifier}/named-fips.conf", data)
+ templates.render(f"{ns3.identifier}/named-rsasha1.conf", data)
 ns3.reconfigure()
diff --git a/bin/tests/system/nsec3/tests_nsec3_reload.py b/bin/tests/system/nsec3/tests_nsec3_reload.py
index 0e5dd0cfea..b3fb860288 100644
--- a/bin/tests/system/nsec3/tests_nsec3_reload.py
+++ b/bin/tests/system/nsec3/tests_nsec3_reload.py
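Review bot: This hunk uses `os.environ`, but unlike tests_nsec3_initial.py the diff for this file adds no `import os`; unless `os` is already imported above line 31, the module fails at import with a `NameError`. Please confirm the existing import block and, if it is missing, add `import os` to the stdlib group. Separately, the two commented-out entries `# "nsec3-to-optout.kasp",` and `# "nsec3-from-optout.kasp",` in `ZONES` carry no explanation; either drop them or replace them with a comment stating why those zones are excluded from this module, since the `{% set nsec3_to_optout … %}` lines still present in named-fips.conf.j2 suggest the template supports them.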
@@ -26,6 +26,18 @@ from nsec3.common import (
 )
+# include the following zones when rendering named configs
+ZONES = {
+ "nsec3-fails-to-load.kasp",
+}
+
+
+def bootstrap():
+ return {
+ "zones": ZONES,
+ }
+
+
 def test_nsec3_case(ns3):
 # Get test parameters.
 params = {
diff --git a/bin/tests/system/nsec3/tests_nsec3_restart.py b/bin/tests/system/nsec3/tests_nsec3_restart.py
index cae21f4413..e1e76c4f98 100644
--- a/bin/tests/system/nsec3/tests_nsec3_restart.py
+++ b/bin/tests/system/nsec3/tests_nsec3_restart.py
@@ -29,6 +29,19 @@ from nsec3.common import (
 )
+# include the following zones when rendering named configs
+ZONES = {
+ "nsec3.kasp",
+ "nsec3-other.kasp",
+}
+
+
+def bootstrap():
+ return {
+ "zones": ZONES,
+ }
+
+
 def perform_nsec3_tests(server, params):
 # Get test parameters.
 zone = params["zone"]