2904. [bug] When using DLV, sub-zones of the zones in the DLV,
could be incorrectly marked as insecure instead of
secure leading to negative proofs failing. This was
an unintended outcome from change 2890. [RT# 21392]
This commit is contained in:
parent
74040af06f
commit
e27d55e3ee
11 changed files with 335 additions and 60 deletions
5
CHANGES
5
CHANGES
|
|
@ -1,3 +1,8 @@
|
|||
2904. [bug] When using DLV, sub-zones of the zones in the DLV,
|
||||
could be incorrectly marked as insecure instead of
|
||||
secure leading to negative proofs failing. This was
|
||||
a unintended outcome from change 2890. [RT# 21392]
|
||||
|
||||
2903. [bug] managed-keys-directory missing from namedconf.c.
|
||||
[RT #21370]
|
||||
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: conf.sh.in,v 1.45 2010/01/18 23:48:39 tbox Exp $
|
||||
# $Id: conf.sh.in,v 1.46 2010/05/26 06:28:00 marka Exp $
|
||||
|
||||
#
|
||||
# Common configuration data for system tests, to be sourced into
|
||||
|
|
@ -47,8 +47,8 @@ CHECKCONF=$TOP/bin/check/named-checkconf
|
|||
# The "stress" test is not run by default since it creates enough
|
||||
# load on the machine to make it unusable to other users.
|
||||
# v6synth
|
||||
SUBDIRS="acl autosign cacheclean checkconf checknames dnssec forward glue ixfr
|
||||
limits lwresd masterfile masterformat metadata notify nsupdate pending
|
||||
SUBDIRS="acl autosign cacheclean checkconf checknames dlv dnssec forward glue
|
||||
ixfr limits lwresd masterfile masterformat metadata notify nsupdate pending
|
||||
resolver rrsetorder sortlist smartsign stub tkey unknown upforwd views
|
||||
xfer xferquota zonechecks"
|
||||
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@
|
|||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: clean.sh,v 1.5 2007/09/26 03:22:43 marka Exp $
|
||||
# $Id: clean.sh,v 1.6 2010/05/26 06:28:00 marka Exp $
|
||||
|
||||
rm -f random.data
|
||||
rm -f ns*/named.run
|
||||
|
|
@ -25,4 +25,11 @@ rm -f ns3/dlvset-*
|
|||
rm -f ns3/dsset-*
|
||||
rm -f ns3/keyset-*
|
||||
rm -f ns3/trusted.conf ns5/trusted.conf
|
||||
rm -f ns3/signer.err
|
||||
rm -f ns6/K*
|
||||
rm -f ns6/*.db
|
||||
rm -f ns6/*.signed
|
||||
rm -f ns6/dsset-*
|
||||
rm -f ns6/signer.err
|
||||
rm -f */named.memstats
|
||||
rm -f dig.out.ns*.test*
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@
|
|||
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
; PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
; $Id: child.db.in,v 1.4 2007/06/19 23:47:02 tbox Exp $
|
||||
; $Id: child.db.in,v 1.5 2010/05/26 06:28:00 marka Exp $
|
||||
|
||||
$TTL 120
|
||||
@ SOA ns hostmaster.ns 1 3600 1200 604800 60
|
||||
|
|
@ -20,3 +20,5 @@ $TTL 120
|
|||
ns A 10.53.0.3
|
||||
foo TXT foo
|
||||
bar TXT bar
|
||||
grand NS ns.grand
|
||||
ns.grand A 10.53.0.6
|
||||
|
|
|
|||
|
|
@ -14,7 +14,9 @@
|
|||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: sign.sh,v 1.6 2009/10/27 23:47:44 tbox Exp $
|
||||
# $Id: sign.sh,v 1.7 2010/05/26 06:28:00 marka Exp $
|
||||
|
||||
(cd ../ns6; ./sign.sh)
|
||||
|
||||
SYSTEMTESTTOP=../..
|
||||
. $SYSTEMTESTTOP/conf.sh
|
||||
|
|
@ -29,12 +31,12 @@ outfile=child1.signed
|
|||
dlvzone=dlv.utld.
|
||||
dlvsets="$dlvsets dlvset-$zone"
|
||||
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
|
||||
|
||||
$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
|
||||
$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
|
||||
echo "I: signed $zone"
|
||||
|
||||
|
||||
|
|
@ -45,12 +47,12 @@ outfile=child3.signed
|
|||
dlvzone=dlv.utld.
|
||||
dlvsets="$dlvsets dlvset-$zone"
|
||||
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
|
||||
|
||||
$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
|
||||
$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
|
||||
echo "I: signed $zone"
|
||||
|
||||
|
||||
|
|
@ -61,12 +63,12 @@ outfile=child4.signed
|
|||
dlvzone=dlv.utld.
|
||||
dlvsets="$dlvsets dlvset-$zone"
|
||||
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
|
||||
$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
|
||||
echo "I: signed $zone"
|
||||
|
||||
|
||||
|
|
@ -77,12 +79,12 @@ outfile=child5.signed
|
|||
dlvzone=dlv.utld.
|
||||
dlvsets="$dlvsets dlvset-$zone"
|
||||
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
|
||||
|
||||
$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
|
||||
$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
|
||||
echo "I: signed $zone"
|
||||
|
||||
|
||||
|
|
@ -92,12 +94,12 @@ zonefile=child7.utld.db
|
|||
outfile=child7.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
|
||||
|
||||
$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null
|
||||
$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
|
||||
echo "I: signed $zone"
|
||||
|
||||
|
||||
|
|
@ -107,12 +109,12 @@ zonefile=child8.utld.db
|
|||
outfile=child8.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
|
||||
$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
|
||||
echo "I: signed $zone"
|
||||
|
||||
|
||||
|
|
@ -123,12 +125,12 @@ outfile=child9.signed
|
|||
dlvzone=dlv.utld.
|
||||
dlvsets="$dlvsets dlvset-$zone"
|
||||
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
|
||||
$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
|
||||
echo "I: signed $zone"
|
||||
|
||||
zone=child10.utld.
|
||||
|
|
@ -138,12 +140,12 @@ outfile=child10.signed
|
|||
dlvzone=dlv.utld.
|
||||
dlvsets="$dlvsets dlvset-$zone"
|
||||
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
|
||||
$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
|
||||
echo "I: signed $zone"
|
||||
|
||||
|
||||
|
|
@ -153,12 +155,12 @@ zonefile=dlv.utld.db
|
|||
outfile=dlv.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null
|
||||
$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
|
||||
echo "I: signed $zone"
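Review bot: Every rewritten signer line in this file, `$SIGNER ... > /dev/null 2> signer.err || cat signer.err`, only prints the error and then unconditionally runs `echo "I: signed $zone"`, so a failed signing is reported as success and the test continues with a stale or missing $outfile; consider `|| { cat signer.err; exit 1; }`, or at least skipping the success message on failure. Separately, only child1, child3, child5 and child7 concatenate `../ns6/dsset-grand.$zone` into their zone file while child4, child8, child9 and child10 do not, and with `-g` dropped from the signer those four delegations to grand.* carry no DS; if that mix of secure and insecure delegations is deliberate, a one-line comment saying so would stop a reader from taking it for an omission. The new `(cd ../ns6; ./sign.sh)` at the top likewise discards that script's exit status, so a broken ns6 setup is only noticed when the dsset files it should have produced are missing.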
|
||||
|
||||
|
||||
|
|
|
|||
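--- /dev/null
+++ b/bin/tests/system/dlv/ns6/child.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: child.db.in,v 1.2 2010/05/26 06:28:00 marka Exp $
+
+$TTL 120
+@ SOA ns hostmaster.ns6 1 3600 1200 604800 60
+@ NS ns
+ns A 10.53.0.6
+foo TXT foo
+bar TXT bar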
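--- /dev/null
+++ b/bin/tests/system/dlv/ns6/hints
@@ -0,0 +1,18 @@
+; Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.2 2010/05/26 06:28:00 marka Exp $
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1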
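--- /dev/null
+++ b/bin/tests/system/dlv/ns6/named.conf
@@ -0,0 +1,42 @@
+/*
+* Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+*
+* Permission to use, copy, modify, and/or distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+* PERFORMANCE OF THIS SOFTWARE.
+*/
+
+/* $Id: named.conf,v 1.2 2010/05/26 06:28:00 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+query-source address 10.53.0.6;
+notify-source 10.53.0.6;
+transfer-source 10.53.0.6;
+port 5300;
+pid-file "named.pid";
+listen-on { 10.53.0.6; };
+listen-on-v6 { none; };
+recursion no;
+notify yes;
+dnssec-enable yes;
+};
+
+zone "." { type hint; file "hints"; };
+zone "grand.child1.utld" { type master; file "grand.child1.signed"; };
+zone "grand.child3.utld" { type master; file "grand.child3.signed"; };
+zone "grand.child4.utld" { type master; file "grand.child4.signed"; };
+zone "grand.child5.utld" { type master; file "grand.child5.signed"; };
+zone "grand.child7.utld" { type master; file "grand.child7.signed"; };
+zone "grand.child8.utld" { type master; file "grand.child8.signed"; };
+zone "grand.child9.utld" { type master; file "grand.child9.signed"; };
+zone "grand.child10.utld" { type master; file "grand.child.db.in"; };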
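Review bot: The last zone statement points `grand.child10.utld` at `file "grand.child.db.in"`, a file this commit does not create — ns6 only gains `child.db.in`, and ns6/sign.sh writes that zone's signed output to `grand.child10.signed` exactly like the other seven zones; unless the file is produced elsewhere, named will fail to load this zone at startup and any test against it will fail for the wrong reason. If grand.child10 is meant to be served unsigned, the line should read `zone "grand.child10.utld" { type master; file "child.db.in"; };`, otherwise `file "grand.child10.signed"` to match its siblings. Since it is the only entry in the list that differs, a short comment on that line stating which of the two is intended would save the next reader the same question.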
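--- /dev/null
+++ b/bin/tests/system/dlv/ns6/sign.sh
@@ -0,0 +1,139 @@
+#!/bin/sh
+#
+# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2 2010/05/26 06:28:00 marka Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=grand.child1.utld.
+infile=child.db.in
+zonefile=grand.child1.utld.db
+outfile=grand.child1.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child3.utld.
+infile=child.db.in
+zonefile=grand.child3.utld.db
+outfile=grand.child3.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child4.utld.
+infile=child.db.in
+zonefile=grand.child4.utld.db
+outfile=grand.child4.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child5.utld.
+infile=child.db.in
+zonefile=grand.child5.utld.db
+outfile=grand.child5.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child7.utld.
+infile=child.db.in
+zonefile=grand.child7.utld.db
+outfile=grand.child7.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child8.utld.
+infile=child.db.in
+zonefile=grand.child8.utld.db
+outfile=grand.child8.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child9.utld.
+infile=child.db.in
+zonefile=grand.child9.utld.db
+outfile=grand.child9.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+zone=grand.child10.utld.
+infile=child.db.in
+zonefile=grand.child10.utld.db
+outfile=grand.child10.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"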
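Review bot: `dlvzone=dlv.utld.` is assigned in seven of the eight per-zone blocks (not in the grand.child1 block) but never read — no `-l $dlvzone` is passed to `$SIGNER` anywhere in this file — so it is dead and its inconsistent presence suggests these blocks were copied from ns3/sign.sh. The eight blocks differ only in the child number, so a single loop over `1 3 4 5 7 8 9 10` would remove roughly a hundred lines and make any later change (for instance propagating a signing failure instead of `|| cat signer.err`, which here still prints "I: signed" after a failed run) a one-place edit. The rewritten body would be:

```shell
# … unchanged: license header, conf.sh sourcing, RANDFILE …

for child in 1 3 4 5 7 8 9 10
do
	zone=grand.child$child.utld.
	infile=child.db.in
	zonefile=grand.child$child.utld.db
	outfile=grand.child$child.signed

	keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
	keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`

	cat $infile $keyname1.key $keyname2.key >$zonefile

	$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
	echo "I: signed $zone"
done
```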
|
|
@ -14,6 +14,33 @@
|
|||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: tests.sh,v 1.4 2007/06/19 23:47:02 tbox Exp $
|
||||
# $Id: tests.sh,v 1.5 2010/05/26 06:28:00 marka Exp $
|
||||
|
||||
exit 0
|
||||
SYSTEMTESTTOP=..
|
||||
. $SYSTEMTESTTOP/conf.sh
|
||||
|
||||
status=0
|
||||
n=0
|
||||
|
||||
rm -f dig.out.*
|
||||
|
||||
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
|
||||
|
||||
echo "I:checking that DNSKEY reference by DLV validates as secure ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that child DNSKEY reference by DLV validates as secure ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS grand.child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:exit status: $status"
|
||||
exit $status
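Review bot: Both new checks query DNSKEY and only look for the ad flag, but the CHANGES entry describes the regression as negative proofs failing beneath DLV-anchored sub-zones; nothing here asks for a name that does not exist under grand.child1.utld, so the exact failure this commit fixes could return without tripping this test. A third block that queries `@10.53.0.5` for a name absent from child.db.in (a constructed one such as `nosuch.grand.child1.utld`) and greps `dig.out.ns5.test$n` for both `status: NXDOMAIN` and `flags:.*ad.*QUERY` would pin it. The `ret` bookkeeping and `n=\`expr $n + 1\`` pattern of the existing blocks can be reused as is.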
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: validator.c,v 1.193 2010/05/14 23:50:39 tbox Exp $ */
|
||||
/* $Id: validator.c,v 1.194 2010/05/26 06:27:59 marka Exp $ */
|
||||
|
||||
#include <config.h>
|
||||
|
||||
|
|
@ -2264,6 +2264,17 @@ validatezonekey(dns_validator_t *val) {
|
|||
return (dlv_validatezonekey(val));
|
||||
|
||||
if (val->dsset == NULL) {
|
||||
|
||||
/*
|
||||
* We have a dlv sep. Skip looking up the SEP from
|
||||
* {trusted,managed}-keys. If the dlv sep is for the
|
||||
* root then it will have been handled above so we don't
|
||||
* need to check whether val->event->name is "." prior to
|
||||
* looking up the DS.
|
||||
*/
|
||||
if (val->havedlvsep)
|
||||
goto find_ds;
|
||||
|
||||
/*
|
||||
* First, see if this key was signed by a trusted key.
|
||||
*/
|
||||
|
|
@ -2295,13 +2306,13 @@ validatezonekey(dns_validator_t *val) {
|
|||
val->event->name, found) != ISC_R_SUCCESS) {
|
||||
if (val->mustbesecure) {
|
||||
validator_log(val, ISC_LOG_WARNING,
|
||||
"must be secure failure, "
|
||||
"not beneath secure root");
|
||||
"must be secure failure, "
|
||||
"not beneath secure root");
|
||||
return (DNS_R_MUSTBESECURE);
|
||||
} else
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"not beneath secure root");
|
||||
if (val->view->dlv == NULL || DLVTRIED(val)) {
|
||||
"not beneath secure root");
|
||||
if (val->view->dlv == NULL) {
|
||||
markanswer(val, "validatezonekey (1)");
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
|
@ -2344,22 +2355,6 @@ validatezonekey(dns_validator_t *val) {
|
|||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* If this is the root name and there was no trusted key,
|
||||
* give up, since there's no DS at the root.
|
||||
*/
|
||||
if (dns_name_equal(event->name, dns_rootname)) {
|
||||
if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) {
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"root key failed to validate");
|
||||
return (DNS_R_NOVALIDSIG);
|
||||
} else {
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"no trusted root key");
|
||||
return (DNS_R_NOVALIDDS);
|
||||
}
|
||||
}
|
||||
|
||||
if (atsep) {
|
||||
/*
|
||||
* We have not found a key to verify this DNSKEY
|
||||
|
|
@ -2379,6 +2374,22 @@ validatezonekey(dns_validator_t *val) {
|
|||
return (DNS_R_NOVALIDKEY);
|
||||
}
|
||||
|
||||
/*
|
||||
* If this is the root name and there was no trusted key,
|
||||
* give up, since there's no DS at the root.
|
||||
*/
|
||||
if (dns_name_equal(event->name, dns_rootname)) {
|
||||
if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) {
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"root key failed to validate");
|
||||
return (DNS_R_NOVALIDSIG);
|
||||
} else {
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"no trusted root key");
|
||||
return (DNS_R_NOVALIDDS);
|
||||
}
|
||||
}
|
||||
find_ds:
|
||||
/*
|
||||
* Otherwise, try to find the DS record.
|
||||
*/
|
||||
|
|
|
|||