diff --git a/bin/tests/system/chain/ns2/named.conf.in b/bin/tests/system/chain/ns2/named.conf.in
index e8882dc666..dea26feb4d 100644
--- a/bin/tests/system/chain/ns2/named.conf.in
+++ b/bin/tests/system/chain/ns2/named.conf.in
@@ -40,6 +40,11 @@ zone "signed-sub2.example" {
 file "sub.db";
 };
 
+zone "wildcard-secure.example" {
+ type primary;
+ file "wildcard-secure.example.db.signed";
+};
+
 zone "wildcard-nsec.example" {
 type primary;
 file "wildcard-nsec.example.db.signed";
diff --git a/bin/tests/system/chain/ns2/sign.sh b/bin/tests/system/chain/ns2/sign.sh
index d0aa9bb673..db8dc1e2d0 100644
--- a/bin/tests/system/chain/ns2/sign.sh
+++ b/bin/tests/system/chain/ns2/sign.sh
@@ -19,6 +19,14 @@ ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -fk $zone`
 zsk=`$KEYGEN -q -a RSASHA256 -b 1024 $zone`
 $SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
 
+zone=wildcard-secure.example.
+zonefile=wildcard-secure.db
+signedfile=wildcard-secure.example.db.signed
+
+ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -fk $zone`
+zsk=`$KEYGEN -q -a RSASHA256 -b 1024 $zone`
+$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
+
 zone=wildcard-nsec.example.
 zonefile=wildcard.db
 signedfile=wildcard-nsec.example.db.signed
diff --git a/bin/tests/system/chain/ns2/wildcard-secure.db b/bin/tests/system/chain/ns2/wildcard-secure.db
new file mode 100644
index 0000000000..7aa59671cf
--- /dev/null
+++ b/bin/tests/system/chain/ns2/wildcard-secure.db
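Review bot: In the sign.sh hunk the new `$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null` line discards the signer's output and its exit status is never checked, so a failed signing of wildcard-secure.example would go unnoticed here and only surface later when ns2 fails to load `wildcard-secure.example.db.signed` (unless the script runs under `set -e`, which is outside the hunk). This is also the fourth copy of the same three-variable, three-command block in this file, differing only in the zone names; a helper would keep the key parameters in one place and give the signing step a single failure check. Within the hunk nothing reads `$ksk` or `$zsk`, so if later lines do not either, the assignments can become plain commands.
```sh
# Generate a KSK/ZSK pair for zone $1 and sign zone file $2 into $3.
sign_zone() {
  zone=$1
  zonefile=$2
  signedfile=$3
  ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -fk "$zone"`
  zsk=`$KEYGEN -q -a RSASHA256 -b 1024 "$zone"`
  $SIGNER -S -o "$zone" -f "$signedfile" "$zonefile" > /dev/null || exit 1
}
# … unchanged: each per-zone block becomes one sign_zone call, e.g.
# sign_zone wildcard-secure.example. wildcard-secure.db wildcard-secure.example.db.signed …
```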
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2021051901 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS localhost.
+
+delegation NS localhost.
+ DS 12345 13 2 0000000000000000000000000000000000000000000000000000000000000000
+
+; CNAME pointing into a child zone
+cname CNAME delegation
+
+; wildcard CNAME pointing at a CNAME pointing into a child zone
+* CNAME cname
diff --git a/bin/tests/system/chain/tests.sh b/bin/tests/system/chain/tests.sh
index 0b53bfd974..7d1115722a 100644
--- a/bin/tests/system/chain/tests.sh
+++ b/bin/tests/system/chain/tests.sh
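Review bot: The DS record under `delegation` carries an all-zero digest and no comment says that this is a placeholder, even though the other two non-trivial records in the file are introduced by a comment. The tests.sh hunks only assert that a DS RRset exists at the cut, so a line such as `; DS with a dummy digest: the tests only need a DS RRset to exist at this cut` above it would tell a reader that the key tag, algorithm and digest are not meant to match any child key. It would also make clear that this zone differs from the wildcard-nsec/nsec3 zones precisely by that DS, which is presumably why it was added.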
@@ -122,13 +122,44 @@ ensure_no_ds_in_bitmap() {
 }
 
 n=`expr $n + 1`
-echo_i "checking delegation prepared using CNAME chaining, NSEC ($n)"
+echo_i "checking secure delegation prepared using CNAME chaining ($n)"
+ret=0
+# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
+# DS RRset.
+$DIG $DIGOPTS @10.53.0.2 cname.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains the expected NS and DS RRsets.
+exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1
+exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking secure delegation prepared using wildcard expansion + CNAME chaining ($n)"
+ret=0
+# QNAME does not exist, so the AUTHORITY section should contain an NS RRset, an
+# NSEC record proving nonexistence of QNAME, and a DS RRset at the zone cut.
+$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains the expected NS and DS RRsets.
+exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1
+exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1
+# Check NSEC records in the AUTHORITY section.
+no_records_exist_for "wildcard-secure.example." NSEC dig.out.2.$n || ret=1
+exactly_one_record_exists_for "*.wildcard-secure.example." NSEC dig.out.2.$n || ret=1
+no_records_exist_for "cname.wildcard-secure.example." NSEC dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-secure.example." NSEC dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using CNAME chaining, NSEC ($n)"
 ret=0
 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
 # single NSEC record proving nonexistence of a DS RRset at the zone cut.
-$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1
-# Ensure that the AUTHORITY section contains an NS RRset.
+$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
 exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec.example." DS dig.out.2.$n || ret=1
 # Check NSEC records in the AUTHORITY section.
 no_records_exist_for "wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
 no_records_exist_for "*.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
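Review bot: The first new case (`cname.wildcard-secure.example`, the "QNAME exists" one) only asserts that the NS and DS RRsets are present; unlike every other case in this file it never asserts that no NSEC record comes back, so a regression that adds a spurious NSEC for the zone cut or the apex to a secure referral would still pass. Adding `no_records_exist_for "delegation.wildcard-secure.example." NSEC dig.out.2.$n || ret=1` after the DS check, and the same line for `wildcard-secure.example.` and `cname.wildcard-secure.example.`, would make this case as strict as the wildcard-expansion case that follows it, assuming the helpers match on owner name and type as their names suggest (they are defined above the hunk). The comment `# Ensure that the AUTHORITY section contains the expected NS and DS RRsets.` would then read better as `# Ensure that the AUTHORITY section contains the expected NS and DS RRsets and no NSEC records.`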
@@ -141,14 +172,16 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking delegation prepared using wildcard expansion + CNAME chaining, NSEC, QNAME #1 ($n)"
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC, QNAME #1 ($n)"
 ret=0
 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
 # NSEC records proving nonexistence of both QNAME and a DS RRset at the zone
 # cut. In this test case, these two NSEC records are different.
-$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1
-# Ensure that the AUTHORITY section contains an NS RRset.
+$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
 exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec.example." DS dig.out.2.$n || ret=1
 # Check NSEC records in the AUTHORITY section.
 no_records_exist_for "wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
 exactly_one_record_exists_for "*.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
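Review bot: The three lines this hunk adds or rewrites (`$DIG … || ret=1`, the NS check and the new `no_records_exist_for "delegation.…" DS` check) are the same three lines, with only the zone and QNAME changed, that the next six hunks add to the NSEC QNAME #2, NSEC3, NSEC3 QNAME #1/#2 and NSEC3 opt-out cases, so the "insecure referral" expectation now lives in nine places. A small helper next to `exactly_one_record_exists_for`, called as `check_insecure_referral wildcard-nsec a-nonexistent-name.wildcard-nsec.example dig.out.2.$n`, would keep it in one place while preserving the `ret=1` bookkeeping the cases rely on; the NSEC/NSEC3 assertions that differ per case would stay inline. If the file is meant to stay strictly POSIX sh, the function below already is.
```sh
# Query QNAME $2 in zone $1 (dig output to $3) and check that the referral for
# the insecure delegation carries an NS RRset but no DS RRset; sets ret=1 on failure.
check_insecure_referral() {
  $DIG $DIGOPTS @10.53.0.2 "$2" A +norec +dnssec > "$3" 2>&1 || ret=1
  exactly_one_record_exists_for "delegation.$1." NS "$3" || ret=1
  no_records_exist_for "delegation.$1." DS "$3" || ret=1
}
# … unchanged: per-case NSEC/NSEC3 checks, failure reporting and status bookkeeping …
```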
@@ -161,15 +194,17 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking delegation prepared using wildcard expansion + CNAME chaining, NSEC, QNAME #2 ($n)"
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC, QNAME #2 ($n)"
 ret=0
 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
 # NSEC records proving nonexistence of both QNAME and a DS RRset at the zone
 # cut. In this test case, the same NSEC record proves nonexistence of both the
 # QNAME and the DS RRset at the zone cut.
-$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1
-# Ensure that the AUTHORITY section contains an NS RRset.
+$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
 exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec.example." DS dig.out.2.$n || ret=1
 # Check NSEC records in the AUTHORITY section.
 no_records_exist_for "wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
 no_records_exist_for "*.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
@@ -202,13 +237,15 @@ status=`expr $status + $ret`
 # SG2DEHEAOGCKP7FTNQAUVC3I3TIPJH0J (salt=-, hash=1, iterations=0)
 
 n=`expr $n + 1`
-echo_i "checking delegation prepared using CNAME chaining, NSEC3 ($n)"
+echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 ($n)"
 ret=0
 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
 # single NSEC3 record proving nonexistence of a DS RRset at the zone cut.
-$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1
-# Ensure that the AUTHORITY section contains an NS RRset.
+$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
 exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3.example." DS dig.out.2.$n || ret=1
 # Check NSEC3 records in the AUTHORITY section.
 no_records_exist_for "38IVP9CN0LBISO6H3V5REQCKMTHLI5AN.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
 no_records_exist_for "3DV6GNNVR0O8LA4DC4CHL2JTVNHT8Q1D.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
@@ -221,14 +258,16 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking delegation prepared using wildcard expansion + CNAME chaining, NSEC3, QNAME #1 ($n)"
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3, QNAME #1 ($n)"
 ret=0
 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
 # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
 # cut. In this test case, these two NSEC3 records are different.
-$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1
-# Ensure that the AUTHORITY section contains an NS RRset.
+$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
 exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3.example." DS dig.out.2.$n || ret=1
 # Check NSEC3 records in the AUTHORITY section.
 no_records_exist_for "38IVP9CN0LBISO6H3V5REQCKMTHLI5AN.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
 no_records_exist_for "3DV6GNNVR0O8LA4DC4CHL2JTVNHT8Q1D.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
@@ -241,15 +280,17 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking delegation prepared using wildcard expansion + CNAME chaining, NSEC3, QNAME #2 ($n)"
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3, QNAME #2 ($n)"
 ret=0
 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
 # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
 # cut. In this test case, the same NSEC3 record proves nonexistence of both the
 # QNAME and the DS RRset at the zone cut.
-$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1
-# Ensure that the AUTHORITY section contains an NS RRset.
+$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
 exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3.example." DS dig.out.2.$n || ret=1
 # Check NSEC3 records in the AUTHORITY section.
 no_records_exist_for "38IVP9CN0LBISO6H3V5REQCKMTHLI5AN.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
 no_records_exist_for "3DV6GNNVR0O8LA4DC4CHL2JTVNHT8Q1D.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
@@ -285,13 +326,15 @@ status=`expr $status + $ret`
 # V7OTS4791T9SU0HKVL93EVNAJ9JH2CH3 (salt=-, hash=1, iterations=0)
 
 n=`expr $n + 1`
-echo_i "checking delegation prepared using CNAME chaining, NSEC3 with opt-out ($n)"
+echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 with opt-out ($n)"
 ret=0
 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
 # single NSEC3 record proving nonexistence of a DS RRset at the zone cut.
-$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1
-# Ensure that the AUTHORITY section contains an NS RRset.
+$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
 exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3-optout.example." DS dig.out.2.$n || ret=1
 # Check NSEC3 records in the AUTHORITY section.
 no_records_exist_for "2JGSPT59VJ7R9SQB5B9P6HPM5JBATOOO.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
 no_records_exist_for "OKRFKC9SS1O60E8U2980UD62MUSMKGUG.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
@@ -303,14 +346,16 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking delegation prepared using wildcard expansion + CNAME chaining, NSEC3 with opt-out, QNAME #1 ($n)"
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3 with opt-out, QNAME #1 ($n)"
 ret=0
 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
 # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
 # cut. In this test case, these two NSEC3 records are different.
-$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1
-# Ensure that the AUTHORITY section contains an NS RRset.
+$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
 exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3-optout.example." DS dig.out.2.$n || ret=1
 # Check NSEC3 records in the AUTHORITY section.
 exactly_one_record_exists_for "2JGSPT59VJ7R9SQB5B9P6HPM5JBATOOO.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
 no_records_exist_for "OKRFKC9SS1O60E8U2980UD62MUSMKGUG.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
@@ -322,15 +367,17 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking delegation prepared using wildcard expansion + CNAME chaining, NSEC3 with opt-out, QNAME #2 ($n)"
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3 with opt-out, QNAME #2 ($n)"
 ret=0
 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
 # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
 # cut. In this test case, the same NSEC3 record proves nonexistence of both the
 # QNAME and the DS RRset at the zone cut.
-$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1
-# Ensure that the AUTHORITY section contains an NS RRset.
+$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
 exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3-optout.example." DS dig.out.2.$n || ret=1
 # Check NSEC3 records in the AUTHORITY section.
 no_records_exist_for "2JGSPT59VJ7R9SQB5B9P6HPM5JBATOOO.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
 no_records_exist_for "OKRFKC9SS1O60E8U2980UD62MUSMKGUG.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1