diff --git a/bin/tests/system/checkzone/zones/bad-cdnskey.db b/bin/tests/system/checkzone/zones/bad-cdnskey.db
index e3c0ded019..9247247ae5 100644
--- a/bin/tests/system/checkzone/zones/bad-cdnskey.db
+++ b/bin/tests/system/checkzone/zones/bad-cdnskey.db
@@ -1,4 +1,4 @@
 example. 0 SOA . . 0 0 0 0 0
 example. 0 NS .
 example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
-example. 0 CDNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTXXXX WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+example. 0 CDNSKEY 257 3 14 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTXXXX WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
diff --git a/bin/tests/system/checkzone/zones/bad-cds.db b/bin/tests/system/checkzone/zones/bad-cds.db
index 9cd48a164f..a412c1ed0a 100644
--- a/bin/tests/system/checkzone/zones/bad-cds.db
+++ b/bin/tests/system/checkzone/zones/bad-cds.db
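Review bot: The fixture now carries two independent faults: the key material is still the corrupted `…oxcTXXXX` variant of the DNSKEY above it, and the algorithm is changed from 10 to 14 while the only DNSKEY uses 10, so a checkzone rejection no longer shows which check fired. If the point of the change is that only the algorithm must match a DNSKEY, restoring `…oxcTxuao` so the CDNSKEY differs from the DNSKEY in algorithm alone would pin exactly that. Either way the file should say why it is bad, e.g. `; bad: CDNSKEY algorithm 14 does not match any DNSKEY algorithm in the zone (10)` above the record.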
@@ -1,6 +1,4 @@
 example. 0 SOA . . 0 0 0 0 0
 example. 0 NS .
 example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
-; Actual CDS
-; example. 0 CDS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
-example. 0 CDS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0B
+example. 0 CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0B
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 9e50a0edf1..bada872181 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3368,26 +3368,6 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-echo_i "check that a lone non matching CDS record is rejected ($n)"
-ret=0
-(
-echo zone cds-update.secure
-echo server 10.53.0.2 "$PORT"
-echo update delete cds-update.secure CDS
-dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure |
-grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' |
-$DSFROMKEY -C -A -f - -T 1 cds-update.secure |
-sed "s/^/update add /"
-echo send
-) | $NSUPDATE > nsupdate.out.test$n 2>&1 || true
-grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
-dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
-lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
-test "${lines:-10}" -eq 0 || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
 echo_i "check that a CDS deletion record is accepted ($n)"
 ret=0
 (
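Review bot: Dropping the `; Actual CDS` comment removes the only record of the correct digest (`…BA0C`), which is what a reader needs to see that `…BA0B` on the remaining line is deliberately wrong. With algorithm 14 also mismatching the sole DNSKEY (algorithm 10), the record is now bad for two reasons at once and the checkzone test cannot tell which one was acted on. If the digest no longer has to match a DNSKEY, restoring `…BA0C` leaves the algorithm mismatch as the single fault; otherwise a comment such as `; bad: algorithm 14 matches no DNSKEY (10); digest also deliberately wrong (actual …BA0C)` keeps the fixture self-explaining.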
@@ -3601,25 +3581,6 @@ status=$((status+ret))
 # precedes the supported one in the DNSKEY RRset, and verify the result still
 # validates succesfully.
 
-echo_i "check that a lone non matching CDNSKEY record is rejected ($n)"
-ret=0
-(
-echo zone cdnskey-update.secure
-echo server 10.53.0.2 "$PORT"
-echo update delete cdnskey-update.secure CDNSKEY
-echo send
-dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
-sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p'
-echo send
-) | $NSUPDATE > nsupdate.out.test$n 2>&1 || true
-grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
-dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
-lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
-test "${lines:-10}" -eq 0 || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
 echo_i "check that a CDNSKEY deletion record is accepted ($n)"
 ret=0
 (
diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
index 2034aa46ab..aa327f8962 100644
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -43,6 +43,7 @@ rm -f ns3/delegation.test.db
 rm -f ns3/dnskey.test.db
 rm -f ns3/dsset-*
 rm -f ns3/example.db
+rm -f ns3/multisigner.test.db
 rm -f ns3/many.test.bk
 rm -f ns3/nsec3param.test.db
 rm -f ns3/too-big.test.db
diff --git a/bin/tests/system/nsupdate/ns3/multisigner.test.db.in b/bin/tests/system/nsupdate/ns3/multisigner.test.db.in
new file mode 100644
index 0000000000..05f651f430
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns3/multisigner.test.db.in
@@ -0,0 +1,12 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +multisigner.test. 10 IN SOA multisigner.test. hostmaster.multisigner.test. 1 3600 900 2419200 3600 +multisigner.test. 10 IN NS multisigner.test. +multisigner.test. 10 IN A 10.53.0.3 diff --git a/bin/tests/system/nsupdate/ns3/named.conf.in b/bin/tests/system/nsupdate/ns3/named.conf.in index f658a19b1b..c1e0047fdb 100644 --- a/bin/tests/system/nsupdate/ns3/named.conf.in +++ b/bin/tests/system/nsupdate/ns3/named.conf.in @@ -61,3 +61,11 @@ zone "too-big.test" { max-records 3; file "too-big.test.db"; }; + +/* Zone for testing CDS and CDNSKEY updates from other provider */ +zone "multisigner.test" { + type primary; + allow-update { any; }; + dnssec-policy "default"; + file "multisigner.test.db"; +}; diff --git a/bin/tests/system/nsupdate/ns3/sign.sh b/bin/tests/system/nsupdate/ns3/sign.sh index 2fab79ba56..ba6fc8c9bf 100644 --- a/bin/tests/system/nsupdate/ns3/sign.sh +++ b/bin/tests/system/nsupdate/ns3/sign.sh @@ -43,3 +43,6 @@ keyname2=`$KEYGEN -q -a RSASHA256 -3 $zone` cat $infile $keyname1.key $keyname2.key >$zonefile $SIGNER -A -3 - -P -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null + +# Just copy multisigner.db.in because it is signed with dnssec-policy. +cp multisigner.test.db.in multisigner.test.db diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index f6198b06f1..ac4ce7eaf8 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh 
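Review bot: The comment on the new `multisigner.test` zone does not record the coupling that makes the tests work: `dnssec-policy "default"` decides which CDS/CDNSKEY algorithm the nsupdate tests expect to be accepted (they add algorithm-13 records and expect algorithm 14 to be refused), so changing the policy silently breaks those tests. The default policy's key algorithm is not visible here; presumably it is 13 (ECDSAP256SHA256), which the tests' choice suggests but should be confirmed. Suggest `/* Zone for testing CDS and CDNSKEY updates from another provider. tests.sh adds algorithm-13 records and expects algorithm 14 to be refused, so it depends on the key algorithm chosen by dnssec-policy "default". */`. A word noting that `allow-update { any; };` is what lets the unauthenticated "other provider" update through in this harness would also help.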
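Review bot: The new comment in sign.sh refers to `multisigner.db.in`, but the `cp` line copies `multisigner.test.db.in`; the name in the comment does not exist. Suggest `# multisigner.test.db is not pre-signed here: named signs it itself under dnssec-policy, so just copy the template.`, which also states the reason more directly than "because it is signed with dnssec-policy".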
@@ -52,6 +52,16 @@ while true; do
 fi
 done
 
+has_positive_response() {
+ zone=$1
+ type=$2
+ ns=$3
+ $DIG $DIGOPTS +tcp +norec $zone $type @$ns > dig.out.post.test$n || return 1
+ grep "status: NOERROR" dig.out.post.test$n > /dev/null || return 1
+ grep "ANSWER: 0," dig.out.post.test$n > /dev/null && return 1
+ return 0
+}
+
 ret=0
 echo_i "fetching first copy of zone before update"
 $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
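Review bot: `zone`, `type` and `ns` are assigned as plain globals, so each call clobbers any script-level variable of the same name, and the unquoted `$zone $type @$ns` would word-split or glob if a caller ever passed an empty or unusual value. The function also has no comment stating what counts as "positive" (NOERROR with a non-empty answer section), and it reuses `dig.out.post.test$n`, the same file the surrounding tests write their own post-update dig output to. If the harness shell permits `local` use it, otherwise prefix the names so they cannot collide, quote the expansions, and document the contract:

```shell
# has_positive_response ZONE TYPE NS: succeed only if NS answers the
# query with NOERROR and at least one record in the answer section.
has_positive_response() {
  hpr_zone=$1
  hpr_type=$2
  hpr_ns=$3
  $DIG $DIGOPTS +tcp +norec "$hpr_zone" "$hpr_type" "@$hpr_ns" > "dig.out.post.test$n" || return 1
  grep "status: NOERROR" "dig.out.post.test$n" > /dev/null || return 1
  grep "ANSWER: 0," "dig.out.post.test$n" > /dev/null && return 1
  return 0
}
```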
@@ -1227,6 +1237,75 @@ grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
 grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+n=`expr $n + 1`
+ret=0
+echo_i "check that CDS with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)"
+$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+$NSUPDATE -d < nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone multisigner.test
+update add multisigner.test 3600 IN CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
+send
+END
+msg=": bad CDS RRset"
+nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1
+$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.post.test$n || ret=1
+grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=`expr $n + 1`
+ret=0
+echo_i "check that CDNSKEY with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)"
+$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+nextpart ns3/named.run > /dev/null
+$NSUPDATE -d < nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone multisigner.test
+update add multisigner.test 3600 IN CDNSKEY 257 3 14 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ==
+send
+END
+msg=": bad CDNSKEY RRset"
+nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1
+$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.post.test$n || ret=1
+grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=`expr $n + 1`
+ret=0
+echo_i "check that CDS to DNSSEC multisigner zone is allowed ($n)"
+$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+$NSUPDATE -d < nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone multisigner.test
+update add multisigner.test 3600 IN CDS 14364 13 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
+send
+END
+retry_quiet 5 has_positive_response multisigner.test CDS 10.53.0.3 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=`expr $n + 1`
+ret=0
+echo_i "check that CDNSKEY to DNSSEC multisigner zone is allowed ($n)"
+$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+$NSUPDATE -d < nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone multisigner.test
+update add multisigner.test 3600 IN CDNSKEY 257 3 13 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ==
+send
+END
+retry_quiet 5 has_positive_response multisigner.test CDNSKEY 10.53.0.3 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 n=`expr $n + 1`
 ret=0
 echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)"
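Review bot: The CDS-mismatch test greps `nextpart ns3/named.run` for `: bad CDS RRset` without first draining the log, unlike the CDNSKEY-mismatch test which runs `nextpart ns3/named.run > /dev/null` before its `$NSUPDATE`, so the match covers everything logged since the previous nextpart call on that file and could be satisfied by an earlier message rather than by this update. Add the same `nextpart ns3/named.run > /dev/null` line before the first test's `$NSUPDATE` call. The two "allowed" tests only assert a non-empty answer; because the pre-check confirmed the RRset was empty this is sufficient, but a `grep "CDS.14364 13 2" dig.out.post.test$n` (and the CDNSKEY equivalent) would also pin that the record published is the one sent rather than one generated by the policy. The accepted records appear not to correspond to any key the zone's policy generated — that is the multi-signer case under test — so a short comment saying that the algorithm check is the only validation applied to a foreign CDS/CDNSKEY would help the next reader.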