mirror of
https://github.com/isc-projects/bind9.git
synced 2026-03-21 18:10:37 -04:00
The mkeys system test started to fail after introducing support for zones transitioning to unsigned without going bogus. This is because there was actually a bug in the code: if you reconfigure a zone and remove the "auto-dnssec" option, the zone is actually still DNSSEC maintained. This is because in zoneconf.c there is no call to 'dns_zone_setkeyopt()' if the configuration option is not used (cfg_map_get(zoptions, "auto-dnssec", &obj) will return an error).

The mkeys system test implicitly relied on this bug: initially the root zone is being DNSSEC maintained, then at some point it needs to reset the root zone in order to prepare for some tests with bad signatures. Because it needs to inject a bad signature, 'auto-dnssec' is removed from the configuration.

The test passes but for the wrong reasons:

    I:mkeys:reset the root server
    I:mkeys:reinitialize trust anchors
    I:mkeys:check positive validation (18)

The 'check positive validation' test works because the zone is still DNSSEC maintained: The DNSSEC records in the signed root zone file on disk are being ignored.

After fixing the bug/introducing graceful transition to insecure, the root zone is no longer DNSSEC maintained after the reconfig. The zone now explicitly needs to be reloaded because otherwise the 'check positive validation' test works against an old version of the zone (the one with all the revoked keys), and the test will obviously fail.

||
|---|---|---|
| .. | ||
| startperf | ||
| system | ||
| testdata/wire | ||
| .gitignore | ||
| fromhex.pl | ||
| Makefile.am | ||
| named.conf | ||
| prepare-softhsm2.sh | ||
| wire_test.c | ||