+toomuchinfo-b.example.com:192.168.99.90:120
+usa-ns1.usa.example.com:192.168.4.1:120
+usa-ns2.usa.example.com:192.168.4.2:120
-3ipv6.example.com:200106a80000000102104bfffe4b4c61:120
:_imap._tcp.example.com:33:\000\000\000\001\000\217\004blah\004test\003com\000:120
:dsdelegation.example.com:43:m\341\010\001\312\361\352\256\315\253\347afpx\217\220\042EK\365\375\237\332:120
:escapedtext.example.com:16:\005begin\022the\040\042middle\042\040p\134art\007the\040end:120
:hightype.example.com:65534:\007\355\046\000\001:120
:host-0.example.com:108:\000PV\233\000\347:120
:host-1.example.com:109:\000PV\233\000\347\176W:120
-:hostmaster.mb.example.com:8:\004phil\303\231:120
-:hostmaster.mb.example.com:8:\006sheila\303\231:120
+:hostmaster.mb.example.com:8:\004phil\303\263:120
+:hostmaster.mb.example.com:8:\006sheila\303\263:120
:hwinfo.example.com:13:\003abc\003def:120
+:ipv6.example.com:28:\040\001\006\250\000\000\000\001\002\020K\377\376KLa:120
:location.example.com:29:\0002\026\023\213\044\323e\176\273\347\100\000\230\230\020:120
:location.example.com:29:\000B\026\023t\333\053\274\176\273\347\100\000\230\230\020:120
:location.example.com:29:\000\022\026\023\213\044\310\373\201D\030\300\000\230\230\020:120
:location.example.com:29:\000\042\026\023t\3331\320\201D\030\300\000\230\230\020:120
:multitext.example.com:16:\015text\040part\040one\015text\040part\040two\017text\040part\040three:120
-:phil.mb.example.com:7:\002pc\303\231:120
-:philip.mb.example.com:9:\303\250:120
-:sheila.mb.example.com:7:\004bill\303\231:120
+:phil.mb.example.com:7:\002pc\303\263:120
+:philip.mb.example.com:9:\303\302:120
+:sheila.mb.example.com:7:\004bill\303\263:120
:text.example.com:16:\025Hi\054\040this\040is\040some\040text:120
:text0.example.com:16:\014k\075rsa\073\040p\075one:120
:text1.example.com:16:\014k\075rsa\073\040p\075one:120
C\052.w2.example.com:x.y.z.w3.example.com.:120
C\052.w3.example.com:x.y.z.w4.example.com.:120
C\052.w4.example.com:x.y.z.w5.example.com.:120
+Ccname-to-insecure.example.com:www.insecure.dnssec-parent.com.:120
Cexternal.example.com:somewhere.else.net.:120
Cloop1.example.com:loop2.example.com.:120
Cloop2.example.com:loop3.example.com.:120
&dnssec-parent.com::ns1.dnssec-parent.com.:3600
&dnssec-parent.com::ns2.dnssec-parent.com.:3600
&insecure-delegated.ent.ent.auth-ent.dnssec-parent.com::ns.example.com.:3600
+&insecure.dnssec-parent.com::ns.example.com.:3600
&secure-delegated.dnssec-parent.com::ns1.secure-delegated.dnssec-parent.com.:3600
&secure-delegated.dnssec-parent.com::ns2.secure-delegated.dnssec-parent.com.:3600
+dnssec-parent.com:9.9.9.9:3600
+ns2.secure-delegated.dnssec-parent.com:5.6.7.8:3600
+something1.auth-ent.dnssec-parent.com:1.1.2.3:3600
:secure-delegated.dnssec-parent.com:43:\324\057\010\002\240\271\303\214\323\044\030\052\360\357f\203\015\012\016\205\241\325\211y\311\203N\030\310qw\236\004\010W\267:3600
+Cwww.dnssec-parent.com:www.insecure.dnssec-parent.com.:3600
Zdnssec-parent.com:ns1.dnssec-parent.com.:ahu.example.com.:2005092501:28800:7200:604800:86400:3600
+#2000081501 auto axfr-get
+&insecure.dnssec-parent.com::ns1.example.com.:120
+&insecure.dnssec-parent.com::ns2.example.com.:120
++www.insecure.dnssec-parent.com:192.0.2.88:120
+Zinsecure.dnssec-parent.com:ns1.example.com.:ahu.example.com.:2000081501:28800:7200:604800:86400:120
#2005092501 auto axfr-get
&delegated.dnssec-parent.com::ns1.delegated.dnssec-parent.com.:3600
&delegated.dnssec-parent.com::ns2.delegated.dnssec-parent.com.:3600
-16f36b572fcb576e465f061e417626f8 ../regression-tests/zones/example.com
+db93ba72fcc30da0f775183ee9126edf ../regression-tests/zones/example.com
fe49d2784b1bcc3b91ddd5619f0b6cc1 ../regression-tests/zones/test.com
f0df67fa656d33fd85098cbe43893395 ../regression-tests/zones/test.dyndns
dee3e8b568549d9450134b555ca73990 ../regression-tests/zones/sub.test.dyndns
e7c0fd528e8aaedb1ea3b6daaead4de2 ../regression-tests/zones/wtest.com
42b442de632686e94bde75acf66cf524 ../regression-tests/zones/nztest.com
-aeff58ea1eb6e63096e6da18337be312 ../regression-tests/zones/dnssec-parent.com
+b06133eb32c5bdf346223563501ba8f8 ../regression-tests/zones/dnssec-parent.com
+e9be89b6e5e0da8910c69e46f35d20ab ../regression-tests/zones/insecure.dnssec-parent.com
6510bf48aa3ca3501b73a1f510852a34 ../regression-tests/zones/delegated.dnssec-parent.com
a63dc120391d9df0003f2ec4f461a6af ../regression-tests/zones/secure-delegated.dnssec-parent.com
24514dc104b22206daeb973ff9303545 ../regression-tests/zones/minimal.com
b1f775045fa2cf0a3b91aa834af06e49 ../regression-tests/zones/stest.com
a98864b315f16bcf49ce577426063c42 ../regression-tests/zones/cdnskey-cds-test.com
9aeed2c26d0c3ba3baf22dfa9568c451 ../regression-tests/zones/2.0.192.in-addr.arpa
-dcf9536d23ecffbdb706aa7d95bfb725 ../modules/tinydnsbackend/data.cdb
+8fa20d959485419535d0406fd4df2a56 ../modules/tinydnsbackend/data.cdb
mysql --user="$GMYSQLUSER" --password="$GMYSQLPASSWD" --host="$GMYSQLHOST" \
"$GMYSQLDB" -e "INSERT INTO domains (name, type, master) VALUES('$zone','SLAVE','127.0.0.1:$port')"
fi
- securezone $zone bind
- if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ] || [ $context = bind-hybrid-nsec3 ]
+ if [ $zone != insecure.dnssec-parent.com ]
then
- $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1
- elif [ $context = bind-dnssec-nsec3-narrow ]
- then
- $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
+ securezone $zone bind
+ if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ] || [ $context = bind-hybrid-nsec3 ]
+ then
+ $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1
+ elif [ $context = bind-dnssec-nsec3-narrow ]
+ then
+ $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
+ fi
fi
if [ "$zone" = "tsig.com" ]; then
$PDNSUTIL --config-dir=. --config-name=bind import-tsig-key test $ALGORITHM $KEY
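Review bot: The new guard `[ $zone != insecure.dnssec-parent.com ]` leaves `$zone` unquoted and hard-codes the one zone that must stay unsigned, with no comment saying why. The same literal is repeated in the `${backend}-nodnssec` condition of the later `for zone in …` hunk and in the `grep -v` list of the AXFR script. Quoting it as `if [ "$zone" != insecure.dnssec-parent.com ]` matches the `[ "$zone" = "tsig.com" ]` test a few lines below and avoids a `[` syntax error on an empty or space-containing value. A comment above the guard such as `# left unsigned on purpose: the CNAME tests need a signed CNAME that points into an unsigned child zone` would record the intent, so the exclusion is not later removed as an apparent oversight. The enclosing loop and the `tsig.com` block start and end outside this hunk.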
for zone in $(grep 'zone ' named.conf | cut -f2 -d\")
do
- if [ $context != ${backend}-nodnssec ]
+ if [ $context != ${backend}-nodnssec ] && [ $zone != insecure.dnssec-parent.com ]
then
if [ $context = ${backend}-nsec3 ] || [ $context = ${backend}-nsec3-optout ]
then
file "dnssec-parent.com";
};
+zone "insecure.dnssec-parent.com"{
+ type master;
+ file "insecure.dnssec-parent.com";
+};
+
zone "delegated.dnssec-parent.com"{
type master;
file "delegated.dnssec-parent.com";
dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com.
+insecure.dnssec-parent.com. 3600 IN NS ns.example.com.
ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7
ns1.dnssec-parent.com. 3600 IN A 1.2.3.4
ns1.secure-delegated.dnssec-parent.com. 3600 IN A 1.2.3.4
secure-delegated.dnssec-parent.com. 3600 IN NS ns1.secure-delegated.dnssec-parent.com.
secure-delegated.dnssec-parent.com. 3600 IN NS ns2.secure-delegated.dnssec-parent.com.
something1.auth-ent.dnssec-parent.com. 3600 IN A 1.1.2.3
+www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com.
delegated.dnssec-parent.com. 3600 IN NS ns1.delegated.dnssec-parent.com.
delegated.dnssec-parent.com. 3600 IN NS ns2.delegated.dnssec-parent.com.
-delegated.dnssec-parent.com. 86400 IN NSEC ns1.dnssec-parent.com. NS RRSIG NSEC
+delegated.dnssec-parent.com. 86400 IN NSEC insecure.dnssec-parent.com. NS RRSIG NSEC
delegated.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
dnssec-parent.com. 3600 IN A 9.9.9.9
dnssec-parent.com. 3600 IN NS ns1.dnssec-parent.com.
insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com.
insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN NSEC something1.auth-ent.dnssec-parent.com. NS RRSIG NSEC
insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC 13 6 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+insecure.dnssec-parent.com. 3600 IN NS ns.example.com.
+insecure.dnssec-parent.com. 86400 IN NSEC ns1.dnssec-parent.com. NS RRSIG NSEC
+insecure.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7
ns1.dnssec-parent.com. 3600 IN A 1.2.3.4
ns1.dnssec-parent.com. 3600 IN RRSIG A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
secure-delegated.dnssec-parent.com. 3600 IN NS ns1.secure-delegated.dnssec-parent.com.
secure-delegated.dnssec-parent.com. 3600 IN NS ns2.secure-delegated.dnssec-parent.com.
secure-delegated.dnssec-parent.com. 3600 IN RRSIG DS 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
-secure-delegated.dnssec-parent.com. 86400 IN NSEC dnssec-parent.com. NS DS RRSIG NSEC
+secure-delegated.dnssec-parent.com. 86400 IN NSEC www.dnssec-parent.com. NS DS RRSIG NSEC
secure-delegated.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
something1.auth-ent.dnssec-parent.com. 3600 IN A 1.1.2.3
something1.auth-ent.dnssec-parent.com. 3600 IN RRSIG A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
something1.auth-ent.dnssec-parent.com. 86400 IN NSEC delegated.dnssec-parent.com. A RRSIG NSEC
something1.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC 13 4 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com.
+www.dnssec-parent.com. 3600 IN RRSIG CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com. 86400 IN NSEC dnssec-parent.com. CNAME RRSIG NSEC
+www.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com.
insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] NS
insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+insecure.dnssec-parent.com. 3600 IN NS ns.example.com.
+insecure.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] NS
+insecure.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7
ns1.dnssec-parent.com. 3600 IN A 1.2.3.4
ns1.dnssec-parent.com. 3600 IN RRSIG A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
something1.auth-ent.dnssec-parent.com. 3600 IN RRSIG A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
something1.auth-ent.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] A RRSIG
something1.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com.
+www.dnssec-parent.com. 3600 IN RRSIG CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] CNAME RRSIG
+www.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
dnssec-parent.com. 86400 IN RRSIG NSEC3PARAM 13 2 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com.
+insecure.dnssec-parent.com. 3600 IN NS ns.example.com.
ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7
ns1.dnssec-parent.com. 3600 IN A 1.2.3.4
ns1.dnssec-parent.com. 3600 IN RRSIG A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
something1.auth-ent.dnssec-parent.com. 3600 IN RRSIG A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
something1.auth-ent.dnssec-parent.com. 86400 IN NSEC3 1 1 1 abcd [next owner] A RRSIG
something1.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com.
+www.dnssec-parent.com. 3600 IN RRSIG CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com. 86400 IN NSEC3 1 1 1 abcd [next owner] CNAME RRSIG
+www.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
-1 delegated.dnssec-parent.com. IN NSEC 86400 ns1.dnssec-parent.com. NS RRSIG NSEC
+1 delegated.dnssec-parent.com. IN NSEC 86400 insecure.dnssec-parent.com. NS RRSIG NSEC
1 delegated.dnssec-parent.com. IN RRSIG 86400 NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
1 dnssec-parent.com. IN RRSIG 3600 SOA 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
1 dnssec-parent.com. IN SOA 3600 ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
--- /dev/null
+#!/bin/sh
+cleandig www.dnssec-parent.com A dnssec
+
--- /dev/null
+Signed CNAME to an A record in an unsigned child zone.
--- /dev/null
+0 www.dnssec-parent.com. IN CNAME 3600 www.insecure.dnssec-parent.com.
+0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='www.dnssec-parent.com.', qtype=A
--- /dev/null
+0 www.dnssec-parent.com. IN CNAME 3600 www.insecure.dnssec-parent.com.
+0 www.dnssec-parent.com. IN RRSIG 3600 CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='www.dnssec-parent.com.', qtype=A
--- /dev/null
+#!/bin/sh
+cleandig cname-to-insecure.example.com A dnssec
+
--- /dev/null
+Signed CNAME to an unsigned A.
--- /dev/null
+0 cname-to-insecure.example.com. IN CNAME 120 www.insecure.dnssec-parent.com.
+0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='cname-to-insecure.example.com.', qtype=A
--- /dev/null
+0 cname-to-insecure.example.com. IN CNAME 120 www.insecure.dnssec-parent.com.
+0 cname-to-insecure.example.com. IN RRSIG 120 CNAME 13 3 120 [expiry] [inception] [keytag] example.com. ...
+0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='cname-to-insecure.example.com.', qtype=A
#!/usr/bin/env bash
-for zone in $(grep 'zone ' named.conf | cut -f2 -d\" | grep -v '^\(example.com\|nztest.com\)$')
+for zone in $(grep 'zone ' named.conf | cut -f2 -d\" | grep -v '^\(example.com\|nztest.com\|insecure.dnssec-parent.com\)$')
do
TFILE=$(mktemp tmp.XXXXXXXXXX)
drill -p $port axfr $zone @$nameserver | ldns-read-zone -z -u CDS -u CDNSKEY > $TFILE
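Review bot: The exclusion pattern in the `grep -v` on the `for zone in …` line treats every `.` as a regex wildcard, so `insecure.dnssec-parent.com` (like the two existing names) would also drop any zone whose name differs only at a dot position. A zone dropped there is skipped by this loop entirely. Fixed-string, whole-line matching says exactly what is meant: `grep -vxF -e example.com -e nztest.com -e insecure.dnssec-parent.com`. A one-line comment giving the reason each zone is skipped would help the next reader; presumably the unsigned zone cannot pass whatever check follows the AXFR. The loop body continues past the last line of this hunk.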
ns2.secure-delegated IN A 5.6.7.8
insecure-delegated.ent.ent.auth-ent IN NS ns.example.com.
something1.auth-ent IN A 1.1.2.3
+insecure IN NS ns.example.com.
+www IN CNAME www.insecure
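Review bot: The delegation added here, `insecure IN NS ns.example.com.`, does not match the apex NS set of the new `insecure.dnssec-parent.com` zone file, which lists `ns1.example.com.` and `ns2.example.com.`. If the mismatch is deliberate (it may simply mirror the existing `insecure-delegated.ent.ent.auth-ent` record), a zone-file comment above the record such as `; unsigned child zone, delegated without DS` would say so. Otherwise the parent should carry the same two NS names as the child. The expected AXFR output in this change already records `ns.example.com.` on the parent side, so aligning the names would mean regenerating those files.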
; Test that no out of zone data is sent
_imap._tcp IN SRV 0 1 143 blah.test.com.
+
+;
+cname-to-insecure IN CNAME www.insecure.dnssec-parent.com.
--- /dev/null
+$TTL 120
+$ORIGIN insecure.dnssec-parent.com.
+@ IN SOA ns1.example.com. ahu.example.com. (
+ 2000081501
+ 8H ; refresh
+ 2H ; retry
+ 1W ; expire
+ 1D ; default_ttl
+ )
+
+@ IN NS ns1.example.com.
+@ IN NS ns2.example.com.
+www IN A 192.0.2.88