From: Peter van Dijk Date: Tue, 7 May 2019 07:54:52 +0000 (+0200) Subject: auth: test for #7785 X-Git-Tag: rec-4.2.0-rc1~25^2~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=15a35f448d78b86536ca3486f2c38b60ebe58e28;p=pdns auth: test for #7785 --- diff --git a/modules/tinydnsbackend/data b/modules/tinydnsbackend/data index bcbeb035f..8f76c113b 100644 --- a/modules/tinydnsbackend/data +++ b/modules/tinydnsbackend/data @@ -20100,7 +20100,6 @@ +toomuchinfo-b.example.com:192.168.99.90:120 +usa-ns1.usa.example.com:192.168.4.1:120 +usa-ns2.usa.example.com:192.168.4.2:120 -3ipv6.example.com:200106a80000000102104bfffe4b4c61:120 :_imap._tcp.example.com:33:\000\000\000\001\000\217\004blah\004test\003com\000:120 :dsdelegation.example.com:43:m\341\010\001\312\361\352\256\315\253\347afpx\217\220\042EK\365\375\237\332:120 :escapedtext.example.com:16:\005begin\022the\040\042middle\042\040p\134art\007the\040end:120 
@@ -20108,17 +20107,18 @@ :hightype.example.com:65534:\007\355\046\000\001:120 :host-0.example.com:108:\000PV\233\000\347:120 :host-1.example.com:109:\000PV\233\000\347\176W:120 -:hostmaster.mb.example.com:8:\004phil\303\231:120 -:hostmaster.mb.example.com:8:\006sheila\303\231:120 +:hostmaster.mb.example.com:8:\004phil\303\263:120 +:hostmaster.mb.example.com:8:\006sheila\303\263:120 :hwinfo.example.com:13:\003abc\003def:120 +:ipv6.example.com:28:\040\001\006\250\000\000\000\001\002\020K\377\376KLa:120 :location.example.com:29:\0002\026\023\213\044\323e\176\273\347\100\000\230\230\020:120 :location.example.com:29:\000B\026\023t\333\053\274\176\273\347\100\000\230\230\020:120 :location.example.com:29:\000\022\026\023\213\044\310\373\201D\030\300\000\230\230\020:120 :location.example.com:29:\000\042\026\023t\3331\320\201D\030\300\000\230\230\020:120 :multitext.example.com:16:\015text\040part\040one\015text\040part\040two\017text\040part\040three:120 -:phil.mb.example.com:7:\002pc\303\231:120 -:philip.mb.example.com:9:\303\250:120 -:sheila.mb.example.com:7:\004bill\303\231:120 +:phil.mb.example.com:7:\002pc\303\263:120 +:philip.mb.example.com:9:\303\302:120 +:sheila.mb.example.com:7:\004bill\303\263:120 :text.example.com:16:\025Hi\054\040this\040is\040some\040text:120 :text0.example.com:16:\014k\075rsa\073\040p\075one:120 :text1.example.com:16:\014k\075rsa\073\040p\075one:120 @@ -20134,6 +20134,7 @@ C\052.w1.example.com:x.y.z.w2.example.com.:120 C\052.w2.example.com:x.y.z.w3.example.com.:120 C\052.w3.example.com:x.y.z.w4.example.com.:120 C\052.w4.example.com:x.y.z.w5.example.com.:120 +Ccname-to-insecure.example.com:www.insecure.dnssec-parent.com.:120 Cexternal.example.com:somewhere.else.net.:120 Cloop1.example.com:loop2.example.com.:120 Cloop2.example.com:loop3.example.com.:120 
@@ -20243,6 +20244,7 @@ Znztest.com:ns1.nztest.com.:ahu.example.com.:2005092501:28800:7200:604800:86400: &dnssec-parent.com::ns1.dnssec-parent.com.:3600 &dnssec-parent.com::ns2.dnssec-parent.com.:3600 &insecure-delegated.ent.ent.auth-ent.dnssec-parent.com::ns.example.com.:3600 +&insecure.dnssec-parent.com::ns.example.com.:3600 &secure-delegated.dnssec-parent.com::ns1.secure-delegated.dnssec-parent.com.:3600 &secure-delegated.dnssec-parent.com::ns2.secure-delegated.dnssec-parent.com.:3600 +dnssec-parent.com:9.9.9.9:3600 @@ -20254,7 +20256,13 @@ Znztest.com:ns1.nztest.com.:ahu.example.com.:2005092501:28800:7200:604800:86400: +ns2.secure-delegated.dnssec-parent.com:5.6.7.8:3600 +something1.auth-ent.dnssec-parent.com:1.1.2.3:3600 :secure-delegated.dnssec-parent.com:43:\324\057\010\002\240\271\303\214\323\044\030\052\360\357f\203\015\012\016\205\241\325\211y\311\203N\030\310qw\236\004\010W\267:3600 +Cwww.dnssec-parent.com:www.insecure.dnssec-parent.com.:3600 Zdnssec-parent.com:ns1.dnssec-parent.com.:ahu.example.com.:2005092501:28800:7200:604800:86400:3600 +#2000081501 auto axfr-get +&insecure.dnssec-parent.com::ns1.example.com.:120 +&insecure.dnssec-parent.com::ns2.example.com.:120 ++www.insecure.dnssec-parent.com:192.0.2.88:120 +Zinsecure.dnssec-parent.com:ns1.example.com.:ahu.example.com.:2000081501:28800:7200:604800:86400:120 #2005092501 auto axfr-get &delegated.dnssec-parent.com::ns1.delegated.dnssec-parent.com.:3600 &delegated.dnssec-parent.com::ns2.delegated.dnssec-parent.com.:3600 diff --git a/modules/tinydnsbackend/data.cdb b/modules/tinydnsbackend/data.cdb index c41b7e6a8..317ffaddf 100644 Binary files a/modules/tinydnsbackend/data.cdb and b/modules/tinydnsbackend/data.cdb differ diff --git a/regression-tests.nobackend/tinydns-data-check/expected_result b/regression-tests.nobackend/tinydns-data-check/expected_result index bace48899..6dee487ae 100644 --- a/regression-tests.nobackend/tinydns-data-check/expected_result 
+++ b/regression-tests.nobackend/tinydns-data-check/expected_result @@ -1,10 +1,11 @@ -16f36b572fcb576e465f061e417626f8 ../regression-tests/zones/example.com +db93ba72fcc30da0f775183ee9126edf ../regression-tests/zones/example.com fe49d2784b1bcc3b91ddd5619f0b6cc1 ../regression-tests/zones/test.com f0df67fa656d33fd85098cbe43893395 ../regression-tests/zones/test.dyndns dee3e8b568549d9450134b555ca73990 ../regression-tests/zones/sub.test.dyndns e7c0fd528e8aaedb1ea3b6daaead4de2 ../regression-tests/zones/wtest.com 42b442de632686e94bde75acf66cf524 ../regression-tests/zones/nztest.com -aeff58ea1eb6e63096e6da18337be312 ../regression-tests/zones/dnssec-parent.com +b06133eb32c5bdf346223563501ba8f8 ../regression-tests/zones/dnssec-parent.com +e9be89b6e5e0da8910c69e46f35d20ab ../regression-tests/zones/insecure.dnssec-parent.com 6510bf48aa3ca3501b73a1f510852a34 ../regression-tests/zones/delegated.dnssec-parent.com a63dc120391d9df0003f2ec4f461a6af ../regression-tests/zones/secure-delegated.dnssec-parent.com 24514dc104b22206daeb973ff9303545 ../regression-tests/zones/minimal.com @@ -12,4 +13,4 @@ a63dc120391d9df0003f2ec4f461a6af ../regression-tests/zones/secure-delegated.dns b1f775045fa2cf0a3b91aa834af06e49 ../regression-tests/zones/stest.com a98864b315f16bcf49ce577426063c42 ../regression-tests/zones/cdnskey-cds-test.com 9aeed2c26d0c3ba3baf22dfa9568c451 ../regression-tests/zones/2.0.192.in-addr.arpa -dcf9536d23ecffbdb706aa7d95bfb725 ../modules/tinydnsbackend/data.cdb +8fa20d959485419535d0406fd4df2a56 ../modules/tinydnsbackend/data.cdb diff --git a/regression-tests/backends/bind-master b/regression-tests/backends/bind-master index f051d0d1e..579935bfb 100644 --- a/regression-tests/backends/bind-master +++ b/regression-tests/backends/bind-master 
@@ -57,13 +57,16 @@ __EOF__ mysql --user="$GMYSQLUSER" --password="$GMYSQLPASSWD" --host="$GMYSQLHOST" \ "$GMYSQLDB" -e "INSERT INTO domains (name, type, master) VALUES('$zone','SLAVE','127.0.0.1:$port')" fi - securezone $zone bind - if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ] || [ $context = bind-hybrid-nsec3 ] + if [ $zone != insecure.dnssec-parent.com ] then - $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1 - elif [ $context = bind-dnssec-nsec3-narrow ] - then - $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1 + securezone $zone bind + if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ] || [ $context = bind-hybrid-nsec3 ] + then + $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1 + elif [ $context = bind-dnssec-nsec3-narrow ] + then + $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1 + fi fi if [ "$zone" = "tsig.com" ]; then $PDNSUTIL --config-dir=. --config-name=bind import-tsig-key test $ALGORITHM $KEY diff --git a/regression-tests/backends/gsql-common b/regression-tests/backends/gsql-common index 1a9e15eda..99eff8ecf 100644 --- a/regression-tests/backends/gsql-common +++ b/regression-tests/backends/gsql-common @@ -15,7 +15,7 @@ gsql_master() for zone in $(grep 'zone ' named.conf | cut -f2 -d\") do - if [ $context != ${backend}-nodnssec ] + if [ $context != ${backend}-nodnssec ] && [ $zone != insecure.dnssec-parent.com ] then if [ $context = ${backend}-nsec3 ] || [ $context = ${backend}-nsec3-optout ] then diff --git a/regression-tests/named.conf b/regression-tests/named.conf index 4eaf2a7ca..2a1a754da 100644 --- a/regression-tests/named.conf +++ b/regression-tests/named.conf 
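Review bot: The new guard in bind-master compares an unquoted `$zone`, so an empty value makes `[` fail with a syntax error instead of evaluating cleanly; the tsig.com test a few lines further down already quotes it, and the guard should match: `if [ "$zone" != "insecure.dnssec-parent.com" ]`. The same unquoted comparison is added to the condition in the gsql-common hunk. The zone name is hard-coded in both scripts and again in the verify-dnssec-zone exclusion list, so the three copies can drift and leave the zone signed in one backend while it is still skipped by verification, or the reverse. A comment above each guard, for example `# insecure.dnssec-parent.com stays unsigned on purpose: insecure child zone for #7785`, would make the intent explicit. The enclosing loop bodies start and end outside both hunks.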
@@ -48,6 +48,11 @@ zone "dnssec-parent.com"{ file "dnssec-parent.com"; }; +zone "insecure.dnssec-parent.com"{ + type master; + file "insecure.dnssec-parent.com"; +}; + zone "delegated.dnssec-parent.com"{ type master; file "delegated.dnssec-parent.com"; diff --git a/regression-tests/tests/axfr/expected_result b/regression-tests/tests/axfr/expected_result index edeba95de..d831426e4 100644 --- a/regression-tests/tests/axfr/expected_result +++ b/regression-tests/tests/axfr/expected_result @@ -6,6 +6,7 @@ dnssec-parent.com. 3600 IN NS ns2.dnssec-parent.com. dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400 dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400 insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com. +insecure.dnssec-parent.com. 3600 IN NS ns.example.com. ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7 ns1.dnssec-parent.com. 3600 IN A 1.2.3.4 ns1.secure-delegated.dnssec-parent.com. 3600 IN A 1.2.3.4 @@ -16,3 +17,4 @@ secure-delegated.dnssec-parent.com. 3600 IN DS 54319 8 2 a0b9c38cd324182af0ef668 secure-delegated.dnssec-parent.com. 3600 IN NS ns1.secure-delegated.dnssec-parent.com. secure-delegated.dnssec-parent.com. 3600 IN NS ns2.secure-delegated.dnssec-parent.com. something1.auth-ent.dnssec-parent.com. 3600 IN A 1.1.2.3 +www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com. diff --git a/regression-tests/tests/axfr/expected_result.dnssec b/regression-tests/tests/axfr/expected_result.dnssec index f580f6c6e..e65f64774 100644 --- a/regression-tests/tests/axfr/expected_result.dnssec +++ b/regression-tests/tests/axfr/expected_result.dnssec 
@@ -1,6 +1,6 @@ delegated.dnssec-parent.com. 3600 IN NS ns1.delegated.dnssec-parent.com. delegated.dnssec-parent.com. 3600 IN NS ns2.delegated.dnssec-parent.com. -delegated.dnssec-parent.com. 86400 IN NSEC ns1.dnssec-parent.com. NS RRSIG NSEC +delegated.dnssec-parent.com. 86400 IN NSEC insecure.dnssec-parent.com. NS RRSIG NSEC delegated.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... dnssec-parent.com. 3600 IN A 9.9.9.9 dnssec-parent.com. 3600 IN NS ns1.dnssec-parent.com. @@ -17,6 +17,9 @@ dnssec-parent.com. 86400 IN RRSIG NSEC 13 2 86400 [expiry] [inception] [keytag] insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com. insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN NSEC something1.auth-ent.dnssec-parent.com. NS RRSIG NSEC insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC 13 6 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +insecure.dnssec-parent.com. 3600 IN NS ns.example.com. +insecure.dnssec-parent.com. 86400 IN NSEC ns1.dnssec-parent.com. NS RRSIG NSEC +insecure.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7 ns1.dnssec-parent.com. 3600 IN A 1.2.3.4 ns1.dnssec-parent.com. 3600 IN RRSIG A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... 
@@ -33,9 +36,13 @@ secure-delegated.dnssec-parent.com. 3600 IN DS 54319 8 2 a0b9c38cd324182af0ef668 secure-delegated.dnssec-parent.com. 3600 IN NS ns1.secure-delegated.dnssec-parent.com. secure-delegated.dnssec-parent.com. 3600 IN NS ns2.secure-delegated.dnssec-parent.com. secure-delegated.dnssec-parent.com. 3600 IN RRSIG DS 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... -secure-delegated.dnssec-parent.com. 86400 IN NSEC dnssec-parent.com. NS DS RRSIG NSEC +secure-delegated.dnssec-parent.com. 86400 IN NSEC www.dnssec-parent.com. NS DS RRSIG NSEC secure-delegated.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... something1.auth-ent.dnssec-parent.com. 3600 IN A 1.1.2.3 something1.auth-ent.dnssec-parent.com. 3600 IN RRSIG A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... something1.auth-ent.dnssec-parent.com. 86400 IN NSEC delegated.dnssec-parent.com. A RRSIG NSEC something1.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC 13 4 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com. +www.dnssec-parent.com. 3600 IN RRSIG CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 86400 IN NSEC dnssec-parent.com. CNAME RRSIG NSEC +www.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... diff --git a/regression-tests/tests/axfr/expected_result.nsec3 b/regression-tests/tests/axfr/expected_result.nsec3 index ad2d86817..425b2b500 100644 --- a/regression-tests/tests/axfr/expected_result.nsec3 +++ b/regression-tests/tests/axfr/expected_result.nsec3 
@@ -25,6 +25,9 @@ ent.ent.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [in insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com. insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] NS insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +insecure.dnssec-parent.com. 3600 IN NS ns.example.com. +insecure.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] NS +insecure.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7 ns1.dnssec-parent.com. 3600 IN A 1.2.3.4 ns1.dnssec-parent.com. 3600 IN RRSIG A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... @@ -47,3 +50,7 @@ something1.auth-ent.dnssec-parent.com. 3600 IN A 1.1.2.3 something1.auth-ent.dnssec-parent.com. 3600 IN RRSIG A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... something1.auth-ent.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] A RRSIG something1.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com. +www.dnssec-parent.com. 3600 IN RRSIG CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] CNAME RRSIG +www.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... diff --git a/regression-tests/tests/axfr/expected_result.nsec3-optout b/regression-tests/tests/axfr/expected_result.nsec3-optout index 3e5178ff4..fbd473c1b 100644 --- a/regression-tests/tests/axfr/expected_result.nsec3-optout +++ b/regression-tests/tests/axfr/expected_result.nsec3-optout 
@@ -17,6 +17,7 @@ dnssec-parent.com. 86400 IN RRSIG DNSKEY 13 2 86400 [expiry] [inception] [keytag dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... dnssec-parent.com. 86400 IN RRSIG NSEC3PARAM 13 2 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com. +insecure.dnssec-parent.com. 3600 IN NS ns.example.com. ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7 ns1.dnssec-parent.com. 3600 IN A 1.2.3.4 ns1.dnssec-parent.com. 3600 IN RRSIG A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... @@ -39,3 +40,7 @@ something1.auth-ent.dnssec-parent.com. 3600 IN A 1.1.2.3 something1.auth-ent.dnssec-parent.com. 3600 IN RRSIG A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... something1.auth-ent.dnssec-parent.com. 86400 IN NSEC3 1 1 1 abcd [next owner] A RRSIG something1.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com. +www.dnssec-parent.com. 3600 IN RRSIG CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 86400 IN NSEC3 1 1 1 abcd [next owner] CNAME RRSIG +www.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... diff --git a/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.dnssec b/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.dnssec index 459ce0f08..2b461d47b 100644 --- a/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.dnssec +++ b/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.dnssec 
@@ -1,4 +1,4 @@ -1 delegated.dnssec-parent.com. IN NSEC 86400 ns1.dnssec-parent.com. NS RRSIG NSEC +1 delegated.dnssec-parent.com. IN NSEC 86400 insecure.dnssec-parent.com. NS RRSIG NSEC 1 delegated.dnssec-parent.com. IN RRSIG 86400 NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... 1 dnssec-parent.com. IN RRSIG 3600 SOA 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... 1 dnssec-parent.com. IN SOA 3600 ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400 diff --git a/regression-tests/tests/secure-cname-to-insecure-child/command b/regression-tests/tests/secure-cname-to-insecure-child/command new file mode 100755 index 000000000..0a9161560 --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure-child/command @@ -0,0 +1,3 @@ +#!/bin/sh +cleandig www.dnssec-parent.com A dnssec + diff --git a/regression-tests/tests/secure-cname-to-insecure-child/description b/regression-tests/tests/secure-cname-to-insecure-child/description new file mode 100644 index 000000000..57ed85c34 --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure-child/description @@ -0,0 +1 @@ +Signed CNAME to an A record in an unsigned child zone. diff --git a/regression-tests/tests/secure-cname-to-insecure-child/expected_result b/regression-tests/tests/secure-cname-to-insecure-child/expected_result new file mode 100644 index 000000000..288e33ba1 --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure-child/expected_result @@ -0,0 +1,5 @@ +0 www.dnssec-parent.com. IN CNAME 3600 www.insecure.dnssec-parent.com. +0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88 +2 . IN OPT 32768 +Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='www.dnssec-parent.com.', qtype=A diff --git a/regression-tests/tests/secure-cname-to-insecure-child/expected_result.dnssec b/regression-tests/tests/secure-cname-to-insecure-child/expected_result.dnssec new file mode 100644 index 000000000..937f3a3c0 
--- /dev/null
+++ b/regression-tests/tests/secure-cname-to-insecure-child/expected_result.dnssec
@@ -0,0 +1,6 @@
+0 www.dnssec-parent.com. IN CNAME 3600 www.insecure.dnssec-parent.com.
+0 www.dnssec-parent.com. IN RRSIG 3600 CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='www.dnssec-parent.com.', qtype=A
diff --git a/regression-tests/tests/secure-cname-to-insecure/command b/regression-tests/tests/secure-cname-to-insecure/command
new file mode 100755
index 000000000..9ad71facf
--- /dev/null
+++ b/regression-tests/tests/secure-cname-to-insecure/command
@@ -0,0 +1,3 @@
+#!/bin/sh
+cleandig cname-to-insecure.example.com A dnssec
+
diff --git a/regression-tests/tests/secure-cname-to-insecure/description b/regression-tests/tests/secure-cname-to-insecure/description
new file mode 100644
index 000000000..a00dbfb8b
--- /dev/null
+++ b/regression-tests/tests/secure-cname-to-insecure/description
@@ -0,0 +1 @@
+Signed CNAME to an unsigned A.
diff --git a/regression-tests/tests/secure-cname-to-insecure/expected_result b/regression-tests/tests/secure-cname-to-insecure/expected_result
new file mode 100644
index 000000000..7bcd93036
--- /dev/null
+++ b/regression-tests/tests/secure-cname-to-insecure/expected_result
@@ -0,0 +1,5 @@
+0 cname-to-insecure.example.com. IN CNAME 120 www.insecure.dnssec-parent.com.
+0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='cname-to-insecure.example.com.', qtype=A
diff --git a/regression-tests/tests/secure-cname-to-insecure/expected_result.dnssec b/regression-tests/tests/secure-cname-to-insecure/expected_result.dnssec
new file mode 100644
index 000000000..76458ceac
--- /dev/null
+++ b/regression-tests/tests/secure-cname-to-insecure/expected_result.dnssec
@@ -0,0 +1,6 @@ +0 cname-to-insecure.example.com. IN CNAME 120 www.insecure.dnssec-parent.com. +0 cname-to-insecure.example.com. IN RRSIG 120 CNAME 13 3 120 [expiry] [inception] [keytag] example.com. ... +0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88 +2 . IN OPT 32768 +Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='cname-to-insecure.example.com.', qtype=A diff --git a/regression-tests/tests/verify-dnssec-zone/command b/regression-tests/tests/verify-dnssec-zone/command index 98cf3d9a0..30dbe1955 100755 --- a/regression-tests/tests/verify-dnssec-zone/command +++ b/regression-tests/tests/verify-dnssec-zone/command @@ -1,5 +1,5 @@ #!/usr/bin/env bash -for zone in $(grep 'zone ' named.conf | cut -f2 -d\" | grep -v '^\(example.com\|nztest.com\)$') +for zone in $(grep 'zone ' named.conf | cut -f2 -d\" | grep -v '^\(example.com\|nztest.com\|insecure.dnssec-parent.com\)$') do TFILE=$(mktemp tmp.XXXXXXXXXX) drill -p $port axfr $zone @$nameserver | ldns-read-zone -z -u CDS -u CDNSKEY > $TFILE diff --git a/regression-tests/zones/dnssec-parent.com b/regression-tests/zones/dnssec-parent.com index 1a6e88b6c..0800ccf1e 100644 --- a/regression-tests/zones/dnssec-parent.com +++ b/regression-tests/zones/dnssec-parent.com @@ -23,3 +23,5 @@ ns1.secure-delegated IN A 1.2.3.4 ns2.secure-delegated IN A 5.6.7.8 insecure-delegated.ent.ent.auth-ent IN NS ns.example.com. something1.auth-ent IN A 1.1.2.3 +insecure IN NS ns.example.com. +www IN CNAME www.insecure diff --git a/regression-tests/zones/example.com b/regression-tests/zones/example.com index d797d8440..265732345 100644 --- a/regression-tests/zones/example.com +++ b/regression-tests/zones/example.com @@ -20202,3 +20202,6 @@ philip.mb IN MR phil.mb.example.com. ; Test that no out of zone data is sent _imap._tcp IN SRV 0 1 143 blah.test.com. + +; +cname-to-insecure IN CNAME www.insecure.dnssec-parent.com. 
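Review bot: The exclusion pattern on the changed `for zone` line in verify-dnssec-zone/command treats every `.` in the zone names as a regex wildcard, so a zone whose name merely resembles an excluded one would be skipped as well, and a skipped zone is never processed by this test. Matching fixed whole lines avoids that: `grep -vxF -e example.com -e nztest.com -e insecure.dnssec-parent.com`. A short comment stating why each zone is excluded (this one because it is deliberately unsigned) would also help, since adding a name to this list silently removes that zone from the check. The loop body continues past the end of the hunk.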
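Review bot: The block added at the end of zones/example.com is introduced by a bare `;`, which reads like a comment that was never filled in, whereas the block before it is labelled (`; Test that no out of zone data is sent`). I would write `; Signed CNAME pointing at an A record in the unsigned zone insecure.dnssec-parent.com (#7785)` so the purpose of `cname-to-insecure` is visible in the zone file itself.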
diff --git a/regression-tests/zones/insecure.dnssec-parent.com b/regression-tests/zones/insecure.dnssec-parent.com
new file mode 100644
index 000000000..b5a3c73cb
--- /dev/null
+++ b/regression-tests/zones/insecure.dnssec-parent.com
@@ -0,0 +1,13 @@
+$TTL 120
+$ORIGIN insecure.dnssec-parent.com.
+@ IN SOA ns1.example.com. ahu.example.com. (
+ 2000081501
+ 8H ; refresh
+ 2H ; retry
+ 1W ; expire
+ 1D ; default_ttl
+ )
+
+@ IN NS ns1.example.com.
+@ IN NS ns2.example.com.
+www IN A 192.0.2.88
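Review bot: The apex NS set in the new zone (`ns1.example.com.` and `ns2.example.com.`) does not match the delegation this commit adds to the parent, `insecure IN NS ns.example.com.` in zones/dnssec-parent.com. That may be intentional for the test, but if it is not, the delegation and the child apex should list the same servers. Either way, a header comment such as `; Deliberately unsigned child of dnssec-parent.com, used by the secure-cname-to-insecure tests (#7785)` would explain why the backend scripts skip signing for this zone.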