diff --git a/bin/tests/system/nsec3/clean.sh b/bin/tests/system/nsec3/clean.sh index 6383f29bea..d6b11e749b 100644 --- a/bin/tests/system/nsec3/clean.sh +++ b/bin/tests/system/nsec3/clean.sh @@ -13,9 +13,10 @@ set -e -rm -f dig.out.* rndc.signing.* +rm -f dig.out.* rndc.signing.* verify.out.* rm -f ns*/named.conf ns*/named.memstats ns*/named.run* rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind rm -f ns*/K*.private ns*/K*.key ns*/K*.state rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed - +rm -f ns*/keygen.out.* ns*/settime.out.* +rm -f created.key-* *.created unused.key-* diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in index 36c217ad3c..c94fa5d679 100644 --- a/bin/tests/system/nsec3/ns3/named.conf.in +++ b/bin/tests/system/nsec3/ns3/named.conf.in @@ -18,6 +18,12 @@ dnssec-policy "nsec" { // NSEC will be used; }; +dnssec-policy "rsasha1" { + keys { + csk lifetime unlimited algorithm rsasha1; + }; +}; + dnssec-policy "nsec3" { nsec3param; }; 
@@ -59,6 +65,56 @@ zone "nsec-to-nsec3.kasp" { dnssec-policy "nsec"; }; +/* + * This zone starts with NSEC, but will be reconfigured to use NSEC3. + * This should work despite the incompatible RSAHSHA1 algorithm, + * because the DS is still in hidden state. + */ +zone "rsasha1-to-nsec3.kasp" { + type primary; + file "rsasha1-to-nsec3.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha1"; +}; + +/* + * This zone starts with NSEC, but will be reconfigured to use NSEC3. + * This should block because RSASHA1 is not compatible with NSEC3, + * and the DS is published. + */ +zone "rsasha1-to-nsec3-wait.kasp" { + type primary; + file "rsasha1-to-nsec3-wait.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha1"; +}; + +/* + * This zone starts with NSEC3, but will be reconfigured to use NSEC with an + * NSEC only algorithm. This should work despite the incompatible RSAHSHA1 + * algorithm, because the DS is still in hidden state. + */ +zone "nsec3-to-rsasha1.kasp" { + type primary; + file "nsec3-to-rsasha1.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + +/* + * This zone starts with NSEC3, but will be reconfigured to use NSEC with an + * NSEC only algorithm. This should also be fine because we are allowed + * to change to NSEC with any algorithm, then we can also publish the new + * DNSKEY and signatures of the RSASHA1 algorithm. + */ +zone "nsec3-to-rsasha1-ds.kasp" { + type primary; + file "nsec3-to-rsasha1-ds.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + + /* These zones use the default NSEC3 settings. */ zone "nsec3.kasp" { type primary; diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in index c81cd70049..d9764abcad 100644 --- a/bin/tests/system/nsec3/ns3/named2.conf.in +++ b/bin/tests/system/nsec3/ns3/named2.conf.in 
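Review bot: The comment blocks above `rsasha1-to-nsec3.kasp` and `nsec3-to-rsasha1.kasp` misspell the algorithm as `RSAHSHA1`, and the same two comments are repeated in the named2.conf.in hunk at `@@ -60,6 +66,59 @@`. Suggested wording for both files: ` * This should work despite the incompatible RSASHA1 algorithm,`. In named2.conf.in each of the four new zones also carries the pre-reconfig policy as a commented-out `//dnssec-policy "...";` line; since the comment block above each zone already describes the transition, those lines read as leftover config and could either be dropped or reworded as `// before reconfig: dnssec-policy "rsasha1";` so the intent is explicit.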
@@ -18,6 +18,12 @@ dnssec-policy "nsec" { // NSEC will be used; }; +dnssec-policy "rsasha1" { + keys { + csk lifetime unlimited algorithm rsasha1; + }; +}; + dnssec-policy "nsec3" { nsec3param; }; @@ -60,6 +66,59 @@ zone "nsec-to-nsec3.kasp" { dnssec-policy "nsec3"; }; +/* + * This zone starts with NSEC, but will be reconfigured to use NSEC3. + * This should work despite the incompatible RSAHSHA1 algorithm, + * because the DS is still in hidden state. + */ +zone "rsasha1-to-nsec3.kasp" { + type primary; + file "rsasha1-to-nsec3.kasp.db"; + inline-signing yes; + //dnssec-policy "rsasha1"; + dnssec-policy "nsec3"; +}; + +/* + * This zone starts with NSEC, but will be reconfigured to use NSEC3. + * This should block because RSASHA1 is not compatible with NSEC3, + * and the DS is published. + */ +zone "rsasha1-to-nsec3-wait.kasp" { + type primary; + file "rsasha1-to-nsec3-wait.kasp.db"; + inline-signing yes; + //dnssec-policy "rsasha1"; + dnssec-policy "nsec3"; +}; + +/* + * This zone starts with NSEC3, but will be reconfigured to use NSEC with an + * NSEC only algorithm. This should work despite the incompatible RSAHSHA1 + * algorithm, because the DS is still in hidden state. + */ +zone "nsec3-to-rsasha1.kasp" { + type primary; + file "nsec3-to-rsasha1.kasp.db"; + inline-signing yes; + //dnssec-policy "nsec3"; + dnssec-policy "rsasha1"; +}; + +/* + * This zone starts with NSEC3, but will be reconfigured to use NSEC with an + * NSEC only algorithm. This should also be fine because we are allowed + * to change to NSEC with any algorithm, then we can also publish the new + * DNSKEY and signatures of the RSASHA1 algorithm. + */ +zone "nsec3-to-rsasha1-ds.kasp" { + type primary; + file "nsec3-to-rsasha1-ds.kasp.db"; + inline-signing yes; + //dnssec-policy "nsec3"; + dnssec-policy "rsasha1"; +}; + /* These zones use the default NSEC3 settings. */ zone "nsec3.kasp" { type primary; 
diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh index cbaf84ce8d..e2478ac3df 100644 --- a/bin/tests/system/nsec3/ns3/setup.sh +++ b/bin/tests/system/nsec3/ns3/setup.sh @@ -30,4 +30,29 @@ do setup "${zn}.kasp" done +if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1) +then + for zn in rsasha1-to-nsec3 rsasha1-to-nsec3-wait nsec3-to-rsasha1 \ + nsec3-to-rsasha1-ds + do + setup "${zn}.kasp" + done + + longago="now-1y" + keytimes="-P ${longago} -A ${longago}" + O="omnipresent" + + zone="rsasha1-to-nsec3-wait.kasp" + CSK=$($KEYGEN -k "rsasha1" -l named.conf $keytimes $zone 2> keygen.out.$zone) + echo_i "Created key file $CSK" + $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" > settime.out.$zone 2>&1 + + zone="nsec3-to-rsasha1-ds.kasp" + CSK=$($KEYGEN -k "default" -l named.conf $keytimes $zone 2> keygen.out.$zone) + echo_i "Created key file $CSK" + $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" > settime.out.$zone 2>&1 +else + echo_i "skip: skip rsasha1 zones - signing with RSASHA1 not supported" +fi + cp nsec3-fails-to-load.kasp.db.in nsec3-fails-to-load.kasp.db diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh index d9c2b83d17..f5865d5ab1 100644 --- a/bin/tests/system/nsec3/tests.sh +++ b/bin/tests/system/nsec3/tests.sh @@ -36,6 +36,8 @@ rndccmd() { set_zone_policy() { ZONE=$1 POLICY=$2 + NUM_KEYS=$3 + DNSKEY_TTL=$4 } # Set expected NSEC3 parameters: flags ($1), iterations ($2), and # salt length ($3). 
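Review bot: If `$KEYGEN` fails for either zone, `CSK` is left empty and the following `$SETTIME ... "$CSK"` runs against an empty filename, with the only diagnostic buried in `keygen.out.$zone`; unless the script runs under `set -e` (not visible in this hunk), setup continues as if the key existed. Guarding the assignment makes the failure explicit: `CSK=$($KEYGEN -k "rsasha1" -l named.conf $keytimes $zone 2> keygen.out.$zone) || exit 1`, and likewise for the `nsec3-to-rsasha1-ds.kasp` key. `$keytimes` is deliberately left unquoted so it word-splits into two options; a short comment such as `# keytimes is intentionally unquoted: it expands to -P/-A options` would keep a later cleanup from quoting it. The skip message also doubles the word: `echo_i "skip: rsasha1 zones - signing with RSASHA1 not supported"`.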
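Review bot: `set_zone_policy` gains two positional parameters (`NUM_KEYS=$3`, `DNSKEY_TTL=$4`) but nothing in the hunk documents them, while the neighbouring helper documents its parameters inline (`flags ($1), iterations ($2), and salt length ($3)`). A header comment in the same style would close the gap: `# Set zone ($1), dnssec-policy ($2), expected number of keys ($3) and DNSKEY TTL ($4).` Neither new variable is consumed anywhere in the diff; presumably `check_keys` reads them, which is worth stating in that comment so a reader does not search this file for the use.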
@@ -47,6 +49,49 @@ set_nsec3param() { SALT="" } +# Set expected default dnssec-policy keys values. +set_key_default_values() { + key_clear $1 + + set_keyrole $1 "csk" + set_keylifetime $1 "0" + set_keyalgorithm $1 "13" "ECDSAP256SHA256" "256" + set_keysigning $1 "yes" + set_zonesigning $1 "yes" + + set_keystate $1 "GOAL" "omnipresent" + set_keystate $1 "STATE_DNSKEY" "rumoured" + set_keystate $1 "STATE_KRRSIG" "rumoured" + set_keystate $1 "STATE_ZRRSIG" "rumoured" + set_keystate $1 "STATE_DS" "hidden" +} + +# Set expected rsasha1 dnssec-policy keys values. +set_key_rsasha1_values() { + key_clear $1 + + set_keyrole $1 "csk" + set_keylifetime $1 "0" + set_keyalgorithm $1 "5" "RSASHA1" "2048" + set_keysigning $1 "yes" + set_zonesigning $1 "yes" + + set_keystate $1 "GOAL" "omnipresent" + set_keystate $1 "STATE_DNSKEY" "rumoured" + set_keystate $1 "STATE_KRRSIG" "rumoured" + set_keystate $1 "STATE_ZRRSIG" "rumoured" + set_keystate $1 "STATE_DS" "hidden" +} + +# Update the key states. +set_key_states() { + set_keystate $1 "GOAL" "$2" + set_keystate $1 "STATE_DNSKEY" "$3" + set_keystate $1 "STATE_KRRSIG" "$4" + set_keystate $1 "STATE_ZRRSIG" "$5" + set_keystate $1 "STATE_DS" "$6" +} + # The apex NSEC3PARAM record indicates that it is signed. _wait_for_nsec3param() { dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.test$n.wait" || return 1 
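Review bot: `set_key_default_values` and `set_key_rsasha1_values` are identical except for the `set_keyalgorithm` triple, so the expected role, lifetime, signing flags and the five initial states are maintained twice; a single private helper taking the algorithm number, name and size keeps them in one place. The rewrite below also quotes `$1`, matching the quoting already used for the other arguments in the same functions. `set_key_states` takes five undocumented positionals; suggest `# Update the key states: goal ($2), DNSKEY ($3), KRRSIG ($4), ZRRSIG ($5), DS ($6).` in place of the current one-liner.
```shell
# Shared expectations for a freshly introduced CSK: key id ($1),
# algorithm number ($2), algorithm name ($3) and key size ($4).
_set_key_values() {
	key_clear "$1"

	set_keyrole "$1" "csk"
	set_keylifetime "$1" "0"
	set_keyalgorithm "$1" "$2" "$3" "$4"
	set_keysigning "$1" "yes"
	set_zonesigning "$1" "yes"

	set_keystate "$1" "GOAL" "omnipresent"
	set_keystate "$1" "STATE_DNSKEY" "rumoured"
	set_keystate "$1" "STATE_KRRSIG" "rumoured"
	set_keystate "$1" "STATE_ZRRSIG" "rumoured"
	set_keystate "$1" "STATE_DS" "hidden"
}

# Set expected default dnssec-policy keys values.
set_key_default_values() {
	_set_key_values "$1" "13" "ECDSAP256SHA256" "256"
}

# Set expected rsasha1 dnssec-policy keys values.
set_key_rsasha1_values() {
	_set_key_values "$1" "5" "RSASHA1" "2048"
}

# … unchanged: set_key_states …
```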
@@ -79,24 +124,43 @@ wait_for_zone_is_signed() { status=$((status+ret)) } +# Test: check DNSSEC verify +_check_dnssec_verify() { + dig_with_opts @$SERVER "${ZONE}" AXFR > "dig.out.test$n.axfr.$ZONE" || return 1 + $VERIFY -z -o "$ZONE" "dig.out.test$n.axfr.$ZONE" > "verify.out.test$n.$ZONE" 2>&1 || return 1 + return 0 +} + # Test: check NSEC in answers -_check_nsec_nsec3param() -{ +_check_nsec_nsec3param() { dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1 grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" > /dev/null && return 1 return 0 } -_check_nsec_nxdomain() -{ +_check_nsec_nxdomain() { dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1 grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1 grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" > /dev/null && return 1 return 0 } -check_nsec() -{ +check_nsec() { + n=$((n+1)) + echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)" + ret=0 + check_keys + retry_quiet 10 _check_apex_dnskey || log_error "bad DNSKEY RRset for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) + + n=$((n+1)) + echo_i "verify DNSSEC for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) + n=$((n+1)) echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)" ret=0 @@ -113,8 +177,7 @@ check_nsec() } # Test: check NSEC3 parameters in answers -_check_nsec3_nsec3param() -{ +_check_nsec3_nsec3param() { dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1 grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" > /dev/null || return 1 
@@ -124,15 +187,13 @@ _check_nsec3_nsec3param() return 0 } -_check_nsec3_nxdomain() -{ +_check_nsec3_nxdomain() { dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1 grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1 return 0 } -check_nsec3() -{ +check_nsec3() { n=$((n+1)) echo_i "check that NSEC3PARAM 1 0 ${ITERATIONS} is published zone ${ZONE} ($n)" ret=0 
@@ -146,74 +207,119 @@ check_nsec3() retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) + + n=$((n+1)) + echo_i "verify DNSSEC for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) } start_time="$(TZ=UTC date +%s)" status=0 n=0 +key_clear "KEY1" +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + # Zone: nsec-to-nsec3.kasp. -set_zone_policy "nsec-to-nsec3.kasp" "nsec" +set_zone_policy "nsec-to-nsec3.kasp" "nsec" 1 3600 set_server "ns3" "10.53.0.3" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec -dnssec_verify + +if ($SHELL ../testcrypto.sh -q RSASHA1) +then + # Zone: rsasha1-to-nsec3.kasp. + set_zone_policy "rsasha1-to-nsec3.kasp" "rsasha1" 1 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + echo_i "initial check zone ${ZONE}" + check_nsec + + # Zone: rsasha1-to-nsec3-wait.kasp. + set_zone_policy "rsasha1-to-nsec3-wait.kasp" "rsasha1" 1 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + echo_i "initial check zone ${ZONE}" + check_nsec + + # Zone: nsec3-to-rsasha1.kasp. + set_zone_policy "nsec3-to-rsasha1.kasp" "nsec3" 1 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + echo_i "initial check zone ${ZONE}" + check_nsec3 + + # Zone: nsec3-to-rsasha1-ds.kasp. + set_zone_policy "nsec3-to-rsasha1-ds.kasp" "nsec3" 1 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + echo_i "initial check zone ${ZONE}" + check_nsec3 +fi # Zone: nsec3.kasp. 
-set_zone_policy "nsec3.kasp" "nsec3" +set_zone_policy "nsec3.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 -dnssec_verify # Zone: nsec3-dynamic.kasp. -set_zone_policy "nsec3-dynamic.kasp" "nsec3" +set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 -dnssec_verify # Zone: nsec3-change.kasp. -set_zone_policy "nsec3-change.kasp" "nsec3" +set_zone_policy "nsec3-change.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 -dnssec_verify # Zone: nsec3-dynamic-change.kasp. -set_zone_policy "nsec3-dynamic-change.kasp" "nsec3" +set_zone_policy "nsec3-dynamic-change.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 -dnssec_verify # Zone: nsec3-to-nsec.kasp. -set_zone_policy "nsec3-to-nsec.kasp" "nsec3" +set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 -dnssec_verify # Zone: nsec3-to-optout.kasp. -set_zone_policy "nsec3-to-optout.kasp" "nsec3" +set_zone_policy "nsec3-to-optout.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 -dnssec_verify # Zone: nsec3-from-optout.kasp. -set_zone_policy "nsec3-from-optout.kasp" "optout" +set_zone_policy "nsec3-from-optout.kasp" "optout" 1 3600 set_nsec3param "1" "0" "0" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 -dnssec_verify # Zone: nsec3-other.kasp. 
-set_zone_policy "nsec3-other.kasp" "nsec3-other" +set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600 set_nsec3param "1" "11" "8" +set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 -dnssec_verify # Reconfig named. echo_i "reconfig dnssec-policy to trigger nsec3 rollovers" 
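Review bot: When `$SHELL ../testcrypto.sh -q RSASHA1` fails, the four RSASHA1 zone checks are skipped silently, so a run on a build without RSASHA1 produces no trace that these cases were not exercised and the numbering of subsequent checks shifts without explanation; the matching block in setup.sh at least logs a skip. Suggest an `else` branch mirroring it: `else` / `echo_i "skip: rsasha1 zones - signing with RSASHA1 not supported"`. The second `if ($SHELL ../testcrypto.sh -q RSASHA1)` block after the reconfig (hunk `@@ -221,88 +327,139 @@`) has the same gap. The crypto probe itself is run twice in this file; storing its result once near `start_time` (e.g. `rsasha1_ok=0; $SHELL ../testcrypto.sh -q RSASHA1 && rsasha1_ok=1`) avoids the repeated subshell.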
@@ -221,88 +327,139 @@ copy_setports ns3/named2.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 # Zone: nsec-to-nsec3.kasp. (reconfigured) -set_zone_policy "nsec-to-nsec3.kasp" "nsec3" +set_zone_policy "nsec-to-nsec3.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 -dnssec_verify + +if ($SHELL ../testcrypto.sh -q RSASHA1) +then + # Zone: rsasha1-to-nsec3.kasp. + set_zone_policy "rsasha1-to-nsec3.kasp" "nsec3" 2 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + set_key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden" + set_keysigning "KEY1" "no" + set_zonesigning "KEY1" "no" + set_key_default_values "KEY2" + echo_i "check zone ${ZONE} after reconfig" + check_nsec3 + + # Zone: rsasha1-to-nsec3-wait.kasp. + set_zone_policy "rsasha1-to-nsec3-wait.kasp" "nsec3" 2 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + set_key_default_values "KEY2" + echo_i "check zone ${ZONE} after reconfig" + + ret=0 + wait_for_log 10 "zone $ZONE/IN (signed): wait building NSEC3 chain until NSEC only DNSKEYs are removed" ns3/named.run || ret=1 + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) + + check_nsec + + # Zone: nsec3-to-rsasha1.kasp. + set_zone_policy "nsec3-to-rsasha1.kasp" "rsasha1" 2 3600 + set_server "ns3" "10.53.0.3" + set_key_default_values "KEY1" + set_key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden" + set_keysigning "KEY1" "no" + set_zonesigning "KEY1" "no" + set_key_rsasha1_values "KEY2" + echo_i "check zone ${ZONE} after reconfig" + check_nsec + + # Zone: nsec3-to-rsasha1-ds.kasp. 
+ set_zone_policy "nsec3-to-rsasha1-ds.kasp" "rsasha1" 2 3600 + set_server "ns3" "10.53.0.3" + set_key_default_values "KEY1" + set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + set_key_rsasha1_values "KEY2" + echo_i "check zone ${ZONE} after reconfig" + check_nsec + + key_clear "KEY1" + key_clear "KEY2" +fi # Zone: nsec3.kasp. (same) -set_zone_policy "nsec3.kasp" "nsec3" +set_zone_policy "nsec3.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 -dnssec_verify # Zone: nsec3-dyamic.kasp. (same) -set_zone_policy "nsec3-dynamic.kasp" "nsec3" +set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 -dnssec_verify # Zone: nsec3-change.kasp. (reconfigured) -set_zone_policy "nsec3-change.kasp" "nsec3-other" +set_zone_policy "nsec3-change.kasp" "nsec3-other" 1 3600 set_nsec3param "1" "11" "8" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 -dnssec_verify # Zone: nsec3-dynamic-change.kasp. (reconfigured) -set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other" +set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other" 1 3600 set_nsec3param "1" "11" "8" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 -dnssec_verify # Zone: nsec3-to-nsec.kasp. (reconfigured) -set_zone_policy "nsec3-to-nsec.kasp" "nsec" +set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600 set_nsec3param "1" "11" "8" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec -dnssec_verify # Zone: nsec3-to-optout.kasp. (reconfigured) # DISABLED: # There is a bug in the nsec3param building code that thinks when the # optout bit is changed, the chain already exists. 
[GL #2216] -#set_zone_policy "nsec3-to-optout.kasp" "optout" +#set_zone_policy "nsec3-to-optout.kasp" "optout" 1 3600 #set_nsec3param "1" "0" "0" +#set_key_default_values "KEY1" #echo_i "check zone ${ZONE} after reconfig" #check_nsec3 -#dnssec_verify # Zone: nsec3-from-optout.kasp. (reconfigured) # DISABLED: # There is a bug in the nsec3param building code that thinks when the # optout bit is changed, the chain already exists. [GL #2216] -#set_zone_policy "nsec3-from-optout.kasp" "nsec3" +#set_zone_policy "nsec3-from-optout.kasp" "nsec3" 1 3600 #set_nsec3param "0" "0" "0" +#set_key_default_values "KEY1" #echo_i "check zone ${ZONE} after reconfig" #check_nsec3 -#dnssec_verify # Zone: nsec3-other.kasp. (same) -set_zone_policy "nsec3-other.kasp" "nsec3-other" +set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600 set_nsec3param "1" "11" "8" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 -dnssec_verify # Using rndc signing -nsec3param (should fail) -set_zone_policy "nsec3-change.kasp" "nsec3-other" +set_zone_policy "nsec3-change.kasp" "nsec3-other" 1 3600 echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings" rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE > rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE" grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE > /dev/null || log_error "rndc signing -nsec3param should fail" check_nsec3 -dnssec_verify # Test NSEC3 and NSEC3PARAM is the same after restart -set_zone_policy "nsec3.kasp" "nsec3" +set_zone_policy "nsec3.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} before restart" check_nsec3 -dnssec_verify # Restart named, NSEC3 should stay the same. ret=0 
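Review bot: The `wait_for_log 10 "zone $ZONE/IN (signed): wait building NSEC3 chain until NSEC only DNSKEYs are removed" ns3/named.run` check for `rsasha1-to-nsec3-wait.kasp` is not a numbered test: it has no `n=$((n+1))` and no `echo_i` describing it, so on failure the log shows a bare "failed" between two other checks. Suggest, before `ret=0`: `n=$((n+1))` and `echo_i "check zone ${ZONE} waits for NSEC only DNSKEYs before building NSEC3 chain ($n)"`. The message string contains parentheses; whether they need escaping depends on how `wait_for_log` (outside this diff) matches, which is worth confirming.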
@@ -318,22 +475,22 @@ test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) prevsalt="${SALT}" -set_zone_policy "nsec3.kasp" "nsec3" +set_zone_policy "nsec3.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" SALT="${prevsalt}" echo_i "check zone ${ZONE} after restart has salt ${SALT}" check_nsec3 -dnssec_verify # Zone: nsec3-fails-to-load.kasp. (should be fixed after reload) cp ns3/template.db.in ns3/nsec3-fails-to-load.kasp.db rndc_reload ns3 10.53.0.3 -set_zone_policy "nsec3-fails-to-load.kasp" "nsec3" +set_zone_policy "nsec3-fails-to-load.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reload" check_nsec3 -dnssec_verify echo_i "exit status: $status" [ $status -eq 0 ] || exit 1