From c6939f0bd469120de53d4a7d8b6ba1cfd960a86b Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Thu, 28 Feb 2019 14:28:26 -0800
Subject: [PATCH] test correct occlusion of DNSSEC records
---
 bin/tests/system/dnssec/ns3/insecure.example.db | 1 +
 bin/tests/system/dnssec/ns3/secure.example.db.in | 1 +
 bin/tests/system/dnssec/tests.sh | 13 +++++++++++++
 3 files changed, 15 insertions(+)
diff --git a/bin/tests/system/dnssec/ns3/insecure.example.db b/bin/tests/system/dnssec/ns3/insecure.example.db
index 86552149e1..98777d674f 100644
--- a/bin/tests/system/dnssec/ns3/insecure.example.db
+++ b/bin/tests/system/dnssec/ns3/insecure.example.db
@@ -21,4 +21,5 @@ ns A 10.53.0.3
 a A 10.0.0.1
 b A 10.0.0.2
 d A 10.0.0.4
+x DNSKEY 258 3 5 Cg==
 z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in
index 9d310d8cb2..27f2b2401c 100644
--- a/bin/tests/system/dnssec/ns3/secure.example.db.in
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
@@ -28,6 +28,7 @@ g A 10.0.0.7
 z A 10.0.0.26
 a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
 x CNAME a
+zz DNSKEY 258 3 5 Cg==
 private NS ns.private
 ns.private A 10.53.0.2
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 1f39bd535b..81865b626e 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
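Review bot: The `zz DNSKEY 258 3 5 Cg==` line added to secure.example.db.in (and the matching `x` record in insecure.example.db) carries no comment, and nothing in the zone file says the record is intentional: a flags value of 258 (the ZONE bit plus an unassigned bit) with a one-byte public key reads as a deliberately bogus non-apex DNSKEY placed there for tests.sh, but a later fixture cleanup could just as easily treat it as a typo. A preceding `; deliberately bogus non-apex DNSKEY, used by tests.sh to check occlusion of DNSSEC records` would tie the fixture to the test that depends on it. If this file is run through dnssec-signzone before being served, the comment does not survive into the signed zone and costs nothing at runtime.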
@@ -3635,6 +3635,19 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+echo_i "checking DNSSEC records are occluded from ANY in an insecure zone ($n)"
+ret=0
+dig_with_opts any x.insecure.example. @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns3.1.test$n > /dev/null || ret=1
+dig_with_opts any zz.secure.example. @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.2.test$n > /dev/null || ret=1
+# DNSKEY+RRSIG, NSEC+RRSIG
+grep "ANSWER: 4," dig.out.ns3.2.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 # Note: after this check, ns4 will not be validating any more; do not add any
 # further validation tests employing ns4 below this check.
 echo_i "check that validation defaults to off when dnssec-enable is off ($n)"
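Review bot: The insecure-zone check at the top of the added block only covers the ANY path (`dig_with_opts any x.insecure.example.`), so a type-specific lookup of the same name is never pinned and the test would still pass if `DNSKEY x.insecure.example.` were answered directly. If an explicit-type query is also meant to be occluded, add `dig_with_opts dnskey x.insecure.example. @10.53.0.3 > dig.out.ns3.3.test$n || ret=1` and `grep "ANSWER: 0," dig.out.ns3.3.test$n > /dev/null || ret=1` after the first two greps; if it is not, a comment saying the occlusion being tested is ANY-only would stop the next reader from assuming broader coverage. The hard-coded `ANSWER: 4` for zz.secure.example also presumes exactly one RRSIG per RRset and that `dig_with_opts` (defined outside this hunk) sets the DO bit, so extending the existing comment to `# DNSKEY+RRSIG, NSEC+RRSIG (one RRSIG each; relies on +dnssec in dig_with_opts)` would make the count's assumptions explicit.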