From 15a35f448d78b86536ca3486f2c38b60ebe58e28 Mon Sep 17 00:00:00 2001 From: Peter van Dijk Date: Tue, 7 May 2019 09:54:52 +0200 Subject: [PATCH] auth: test for #7785 --- modules/tinydnsbackend/data | 20 ++++++++++++------ modules/tinydnsbackend/data.cdb | Bin 1352616 -> 1353259 bytes .../tinydns-data-check/expected_result | 7 +++--- regression-tests/backends/bind-master | 15 +++++++------ regression-tests/backends/gsql-common | 2 +- regression-tests/named.conf | 5 +++++ regression-tests/tests/axfr/expected_result | 2 ++ .../tests/axfr/expected_result.dnssec | 11 ++++++++-- .../tests/axfr/expected_result.nsec3 | 7 ++++++ .../tests/axfr/expected_result.nsec3-optout | 5 +++++ .../expected_result.dnssec | 2 +- .../secure-cname-to-insecure-child/command | 3 +++ .../description | 1 + .../expected_result | 5 +++++ .../expected_result.dnssec | 6 ++++++ .../tests/secure-cname-to-insecure/command | 3 +++ .../secure-cname-to-insecure/description | 1 + .../secure-cname-to-insecure/expected_result | 5 +++++ .../expected_result.dnssec | 6 ++++++ .../tests/verify-dnssec-zone/command | 2 +- regression-tests/zones/dnssec-parent.com | 2 ++ regression-tests/zones/example.com | 3 +++ .../zones/insecure.dnssec-parent.com | 13 ++++++++++++ 23 files changed, 106 insertions(+), 20 deletions(-) create mode 100755 regression-tests/tests/secure-cname-to-insecure-child/command create mode 100644 regression-tests/tests/secure-cname-to-insecure-child/description create mode 100644 regression-tests/tests/secure-cname-to-insecure-child/expected_result create mode 100644 regression-tests/tests/secure-cname-to-insecure-child/expected_result.dnssec create mode 100755 regression-tests/tests/secure-cname-to-insecure/command create mode 100644 regression-tests/tests/secure-cname-to-insecure/description create mode 100644 regression-tests/tests/secure-cname-to-insecure/expected_result create mode 100644 regression-tests/tests/secure-cname-to-insecure/expected_result.dnssec create mode 100644 regression-tests/zones/insecure.dnssec-parent.com diff --git a/modules/tinydnsbackend/data b/modules/tinydnsbackend/data index bcbeb035f..8f76c113b 100644 --- a/modules/tinydnsbackend/data +++ b/modules/tinydnsbackend/data @@ -20100,7 +20100,6 @@ +toomuchinfo-b.example.com:192.168.99.90:120 +usa-ns1.usa.example.com:192.168.4.1:120 +usa-ns2.usa.example.com:192.168.4.2:120 -3ipv6.example.com:200106a80000000102104bfffe4b4c61:120 :_imap._tcp.example.com:33:\000\000\000\001\000\217\004blah\004test\003com\000:120 :dsdelegation.example.com:43:m\341\010\001\312\361\352\256\315\253\347afpx\217\220\042EK\365\375\237\332:120 :escapedtext.example.com:16:\005begin\022the\040\042middle\042\040p\134art\007the\040end:120 @@ -20108,17 +20107,18 @@ :hightype.example.com:65534:\007\355\046\000\001:120 :host-0.example.com:108:\000PV\233\000\347:120 :host-1.example.com:109:\000PV\233\000\347\176W:120 -:hostmaster.mb.example.com:8:\004phil\303\231:120 -:hostmaster.mb.example.com:8:\006sheila\303\231:120 +:hostmaster.mb.example.com:8:\004phil\303\263:120 +:hostmaster.mb.example.com:8:\006sheila\303\263:120 :hwinfo.example.com:13:\003abc\003def:120 +:ipv6.example.com:28:\040\001\006\250\000\000\000\001\002\020K\377\376KLa:120 :location.example.com:29:\0002\026\023\213\044\323e\176\273\347\100\000\230\230\020:120 :location.example.com:29:\000B\026\023t\333\053\274\176\273\347\100\000\230\230\020:120 :location.example.com:29:\000\022\026\023\213\044\310\373\201D\030\300\000\230\230\020:120 :location.example.com:29:\000\042\026\023t\3331\320\201D\030\300\000\230\230\020:120 :multitext.example.com:16:\015text\040part\040one\015text\040part\040two\017text\040part\040three:120 -:phil.mb.example.com:7:\002pc\303\231:120 -:philip.mb.example.com:9:\303\250:120 -:sheila.mb.example.com:7:\004bill\303\231:120 +:phil.mb.example.com:7:\002pc\303\263:120 +:philip.mb.example.com:9:\303\302:120 +:sheila.mb.example.com:7:\004bill\303\263:120 :text.example.com:16:\025Hi\054\040this\040is\040some\040text:120 :text0.example.com:16:\014k\075rsa\073\040p\075one:120 :text1.example.com:16:\014k\075rsa\073\040p\075one:120 @@ -20134,6 +20134,7 @@ C\052.w1.example.com:x.y.z.w2.example.com.:120 C\052.w2.example.com:x.y.z.w3.example.com.:120 C\052.w3.example.com:x.y.z.w4.example.com.:120 C\052.w4.example.com:x.y.z.w5.example.com.:120 +Ccname-to-insecure.example.com:www.insecure.dnssec-parent.com.:120 Cexternal.example.com:somewhere.else.net.:120 Cloop1.example.com:loop2.example.com.:120 Cloop2.example.com:loop3.example.com.:120 @@ -20243,6 +20244,7 @@ Znztest.com:ns1.nztest.com.:ahu.example.com.:2005092501:28800:7200:604800:86400: &dnssec-parent.com::ns1.dnssec-parent.com.:3600 &dnssec-parent.com::ns2.dnssec-parent.com.:3600 &insecure-delegated.ent.ent.auth-ent.dnssec-parent.com::ns.example.com.:3600 +&insecure.dnssec-parent.com::ns.example.com.:3600 &secure-delegated.dnssec-parent.com::ns1.secure-delegated.dnssec-parent.com.:3600 &secure-delegated.dnssec-parent.com::ns2.secure-delegated.dnssec-parent.com.:3600 +dnssec-parent.com:9.9.9.9:3600 @@ -20254,7 +20256,13 @@ Znztest.com:ns1.nztest.com.:ahu.example.com.:2005092501:28800:7200:604800:86400: +ns2.secure-delegated.dnssec-parent.com:5.6.7.8:3600 +something1.auth-ent.dnssec-parent.com:1.1.2.3:3600 :secure-delegated.dnssec-parent.com:43:\324\057\010\002\240\271\303\214\323\044\030\052\360\357f\203\015\012\016\205\241\325\211y\311\203N\030\310qw\236\004\010W\267:3600 +Cwww.dnssec-parent.com:www.insecure.dnssec-parent.com.:3600 Zdnssec-parent.com:ns1.dnssec-parent.com.:ahu.example.com.:2005092501:28800:7200:604800:86400:3600 +#2000081501 auto axfr-get +&insecure.dnssec-parent.com::ns1.example.com.:120 +&insecure.dnssec-parent.com::ns2.example.com.:120 ++www.insecure.dnssec-parent.com:192.0.2.88:120 +Zinsecure.dnssec-parent.com:ns1.example.com.:ahu.example.com.:2000081501:28800:7200:604800:86400:120 #2005092501 auto axfr-get &delegated.dnssec-parent.com::ns1.delegated.dnssec-parent.com.:3600 &delegated.dnssec-parent.com::ns2.delegated.dnssec-parent.com.:3600 diff --git a/modules/tinydnsbackend/data.cdb b/modules/tinydnsbackend/data.cdb index c41b7e6a89fc684dd5ec66b549a4b5d9de19c92e..317ffaddf2e5134561b0f843acf398475de742c4 100644 GIT binary patch delta 7486 zcmZ{I30RZI^Z&j{NCE-&&HF|#pn}#D4;0jTQ{gw+4TPudKhLwzWM*e)XFfAK@4oNOvqSSP z4ArZC!DuN$$n6lNzDF@yZ01j3lmImFSB&D!{27em&Gfv5Ub4(z!)PbSb)^_(15GQ( zXp5P@htW1Ot+2=|F)9FF^@_?>@5nkm($-+K9wsX5Fj{L~AY;)+pn!0HJezJ3N$aBB?tr>ShN!Ov>i0UhBeqFEII}Hfu|_~fkqY`1zvTPMye~N^J%v&NIanPx~DACn<1*KrV$nXMI*|4Pia~W zl}FdH=m*eqld4e?&}fC4AQqug6Qq2xnndWPQInL_I8(l|8Rd;$YJyN&D>X@NL|Zkf zjff6vJy{UgRZVhS)?H1INDfk?)v!@bUrM9Dp>nr@)Iiw~s;?VP=PO64NextvR}&;u zlhp))vgvAc80@6Yq4L6oYElcv#cFg6!K{NL7=RRBl$I zh2{n6bUrytO-@H%4qca)t43Mo`90LZ=mTn!>*OO83Ec@b%7^)~63QFTQ3QAb$iiz<}0=14>}Z8?(LNLpRKh?W6KQks~#rJ!r!9Q_YQ{=%^TgPh~!mJy|iZ>sq*M*ia^>Mj&{P2 z9I1`uTFOUDdD02XlswvEKL3RdJcWn@0q|)~JVCD1AhEXtSd z;PoUTV?Gt+?c+&KwTGwyRUuDuom@nz>J&9lc#bE# zdTK$U%7VmO9-T13p&W z<&7;gq$X-wYiN)EN<(U)vZIEiw$fiiQfvHLLr#UNkA?)Arw^eDd0GuYB5kmS=6;xl zR{KaQH;&cN{t!v2aWXX!JzYa;!*@1aS2$loa+{~qkO<3`XlQCz&;V;zX=rV%r+RiZ zn>6&;Z2RexV)-Wp149Bs3PT3N28JAlc}@w#7KR-R6%2bA4lo?WPYOIFR!mrmKQr?E zZUCUOFem}Hvz5=C5;b-Dgp&Qj@dVsS&@ROR;>!fQm|^w{GZS%p=2syj5qGxR&%v6O zFl2(~PuN5JoQT&*U7LfTJq&eZ%!C!s2lNx0e1U>H_Ei9auMu}nzH$GwCZnK)Oh&B5Ld z%o?%f0qo?&j1+qqaS_90i=QvxR?V11q2)8|uR5NBkwa)vN}u&u$h?JJ#Q10UYdKRc z9)F1gr5HA8{1Yy}#h${;57=3Of1AGK{sTL*NErVP+X@rjU}s^;8|)+uF2PFS?tARn zv-jnRJG(j{JSsZDwMdDu+fAb+!nVOA-X8Q+VrPf&>ET;{&{}uHvmQ>HcS$A$y~VEb zH__XF`Nh_}k!LG>q(i@n`CuqEBYE>QtD$;}xW|#j1rn9eVVgQ&1RnV9(y@79J>*8U z-!}?`ceGOu|4LP_i*SeaE%OJd5Pr?fcxZ2r@YP$#(o=vw_e#n-4RnJnUwJ`_@Ikln zS@R%@VH4l?Omrlk1mTB%Q|^W#gcBCj#l8TKP9KaM+RUNBc>N#j9%cfERUfyjbe9i6tv-fGBp$gUQ#Qj#=`55{^|^#i40Cy%>^+Y5UDY<+-a zf^(!b3j8MJ^t2X^2ydP9cv4Cu4~n{k-nkFaOmUj(eprHV|1IC2QvpOv!@9SL1^wkU zE&~mi(7+u)ciUHbR{#ni*PHoPwJqLdP`z3+zwi4#lkO>zkaY`+Xxm%t?2qG%?@iAJ z_fFOZd;7!E*n71@W2~{%2Ze(Z;}7W}%VWK=h7WZR+P}v>!roh$ZH{A(ZNKvroNV9b zMbn*)f(n?>Dtw8Gpb&(&Ufu1UWP|YWClk_xAOg`=f8tgnWzUgM!oLLbOAFAQ?qIC< ztSzG_fyd83PkrMcAx8Z1tYz8C3s!g-a(uaCJ&SM`ZQt|#AeO3je}A#co-7uW zAMtfb`*q@-k9d-dsTPB4v6GE-ZocI}E|jw6_RKPI7|Vt!nF?{cGwbinY!`3)u`{KT zpiSbS&g@uw=9##=7aL~B+!jCoKQ_#s&-@=oo?~tlkHL<}b95K{?0>|bkFa6{dy0t> z2Zpn2WRfoF;+@fKNPx7{S~@KbPG#-wnObp77TZeB%oUgIWQ!CMF+mL3%TBUke8k-c z*$g+y?Cs*9tL$nyGgZ7@$_hSxN-{ADE+4S5XA@f#eEjOVu^${zu;Pz&=PZx|oxBt1 zYsG87gDS!wGxH!<@1peNF5wWP{z4LyE1DSf9eXB6Jm{zvq|9D%AgA6FC+RPUwX4;& za&GKyj3TRw2d}fxbGrq{RCS`=y{#ZGi<8RIh4fUlcbn!Jl>f<0Ki=Kczb)lYTI8QC zwBt6hDpeh$vJC;qCS5;1@Mke9OI_q(*JV3KQ!}qzShh?2YOmT`>grX1(X`^)sHV^~ zrWv(ezcced6AQ$c{p#ViOqF>0m^wqsoE4*r)sv-?wyVTTCF&4o>Fu8gyq;pWa`mwm z%&miOxiwPejkrw49gy0rly>c~&0Gww3fn=e$=Z|@5FQwM`vpod2DtIOKowp#bzYOVY**k>+Qlw*(XZen^ zLAs*L5p!k0E1PxsYZ>V6SXBT~o7 z7^GX7Ju_+xm|Ny^yDqHJ_JL1FiLPKip=;+Tc&O{X%s)EF)fVZp9_$IqY!t@M$P06q zDUt5C3)RU2==Xfsq6B(D{ZF@0UA8WmA#Q!4W83CBwS-tUE+5u+nyg+2Vwts})J0fr z$GHlF?KxX-G`LeWd|1$}ocQ;}B*12x+|Q8P$hj7ajAELS7**)rw7FFp!3fp1oJ(_^ zCiA=H@m9Mf7I1}E&V5AB=(A5O?7ISCWw!Z-)cg>+)ME-bEk!4OiK!ZsDa zE4D34`a^|uH+N17JY~&gy+67YFNPGJlv&`7*Edx)rBxH6i#zwBhX(|bonO%GPw=5) z@!Kx3jY@1w&$%!9S@{NwokC7jCDJr3y(9qGcHlV6EZH`F)1Wbc^{~~<=uA(hcdBZXNH(**8RVo)Ib4%NU(Z;Gy;(ZJC*-QCTdoAj08uvYx+*m69kjwRyb_m&sQQE!_ zy>u2@lm>iU`t;QU6h!{f%#VHba$7mPqk`T(@zHK>rY&<{7$$PlfNS}xcaT)AFGhzw!&fDHz0r1bZKOO12WV_=iCd0`Ct2bhuyPB zh7jZUAJ2fi&s^KIR@P)1Qv0ub{5PyWu~Ip+2X?McQUf*o`fyyRlw1j26o&3Oioa?c zg|JdCpq1fJk^HP0Bg2sI>>{6AuLg!{zp1m2!xTu!buK_|c-%8IGLtkjY}gim#*hleBf~>x#4{uQe4hnxazzv;4R<{=2IW48;wTN~x5_+78)P{6j| zVx7~}M%XT@zI}5c=pPIE^2ftUWaxEvOmhaXE*N60`vvs-S6tfvgF=rChgaCF3xtWU z*#9d9M2b(px5nFgz63ia@Z&6&scEa+TzHfXivyW=e|Anr!?Al(8h_LuN!!A zM=2Mql$i3xsz13i4D&)fc#jK{bWDN!Z_chWaerB8Ysh7eb4o?hB}XEEl1t~cd6ag} z7rQ>>aukwITf{q+TvKo9?ah{>(VFA?G15i!j^-(*@O(CwIHZYPzvN>i(lzx5v$!Sy zom^rgh)vt_U}w}`@kA%SXLs{in!&f1NTX=m@DvBn;=g8?XmQnSzD_C~pKNIxhv)Nu zOSl!=Fe>@{D67yy`(=t}7V_`h?Gm8PoOh0E*?*UKW&>}sWv+@_Gx!}IYBm9*-w$op zNxqYz-%oFv)L$G{%#V;t2TEuf9rTs%iId zLtCrErf$inz2HJ-D(Vtgn`*V+;NbV(n>1I2^ozV5d9pc~u0(pSTnmPqd@A4aBX~T` z_{RW^f;?s?n_`Y_+5(TSfBsCnuXTIgMEOrKGSzBtO-ZzdYZ{vq_je3<+3jGP!T{?5 ztzT%GDD+ZRNQ62gPi_URu_;I%ehMyfKM-K+JRC>JhY;9d0&VA?St9Ti5v&>@li(Z2mV;FddErI3g>ergjtV zm%p*D*PEnQ<6pjom{%1h%(@L>++Vrq3%DKr^Jl79)Vs|U&^wTQ3c=Oc6d2aM94=(0 zCL;~cFZ@#*90@6vuY&IaCe^vepKmxI(||=D$2!9LlIP)VPeLNX$II=~8OR|h#=^UX z`TIwEQ`)Zb{F?wnY}CzD(GV_^cNac%{mZ+{S>i5~7fyXc+xM^g=!O6)fY6)qZYNkE$D=&GquaBcTtRI$oVKg~jS?i1x+nlln+ zlyI?y<~?^C-qRkZT?u93Mq{RZ_lTyJnw*vrmrQZ7R#PjJzM`GcMcg=8lWik$$rXDJ z*ThI9!5LyfxF)qJvrh<~sd?{Gvk9a3ZYPF#l{ujIqmO(0Yz7|a2yxgfO{kru+5g1! fSj{CBqZMZ)YKjz0p4e`+W-`wth#N9ByyX7?oMD=p delta 6991 zcmZu$3tWuZ`#fW&39l)4W6qRFT=0MkI`zt0GdH2z)B?}J1TKw|8igwLJ9pCx#GBi z3^Ia&MbDr)fC#p5!pVO%&VNrpp9T}oyEvZ*k_Xj%jXfa{=}fo z4!=f5W~gKZ(OXtCC==o%i^!n$fckVsW}q^YLCZnbZ6y_|b`mVft6^e4v9n7ga7jLc zPJ(^qal$}l34;!UY`s7#4Y*3ibvJ96xJSkV9y2J(L6PZCQc>Jg2 z$<&yWsYvkWQiuQ-_jQwTvzC?~JIJ)D!7utpF&OII>(?a85SkU(WLK}{?t z?*{!~PF`#MFb?g3@$%7}%#3}!tcU#{PYmo+IhktXEP|TZoZKwsb2-vn3pu$r5|(g; zsbw5FH&V%b(>e~Fg8=q4PG+KV3n%aQ01Jo89f{=;efa@S?t#j~9Gnxd|H6t06_#R7 z-tU&unu;#gRCu{Yf2~G;lS7Lg4(|{~!X6U4fJ#p8a(fkFAm9ZjH@E6FC-;Wt9g*#b zmruetC6Ce_`(NkA%M|GtP=FjzkC&OS*5~DOK+}jPO!)DHiDo=uq9rdMSk@pS$F<|- zwKaC+q3FrU}RJsasr6nGMyeleML9V#6o*+{mpe5s~Mnu;6335*) z_zQA(n_38RFT@22@3KI1|)SS1_8YUnF&o_L0)@He}UWy-w?fS zxF9o8GMb=nJaJGtNsxQPGKI_wn<>a^8!%gtE7T_m^3qxs337o6%LKVMjH`&9IzbfV zZBxGKr?)Ok-nvlm(C{eWae~Jg9wj`EF%>+n@TlQ&gU1~n4|qJKw=Ot#jwmJL4pQ_& z{GOsVh`o|=I6!hTZX-QQ#`7Gysf%%I$|7bg#%-w$(v`*7s*vud;K>>()r?=$Djukh zhDVIth6S-_Cg#MnEX<1?a&c2>q6L?EP$g2>A?)o)w>?q{{Zas^2mfaV&p5# zdrW&6KkI@M!olrE*;j~>Z$b4k^;CQlusS%$zq-4)B_I3s#dGd`=s(3BVV~=z^f1@Y zq4B0mxeZdB5$>evQQa7_8|jxdxW7m3c;vM7;S(@qori9RyVvN&U^~_h#?3x7d6n@$ zDv5VC?o-r>QT2Y(OAi|1T=zfxDzK#(_i6bwLwSxjibaYFxX0bA;nIwxb<#`s$Kb7=*YV>WlLLu+BX zsN44)Vf@4vcI@i8weu5Nt%kH0&p(u;7Q4R1&Ao7yUrN@gPn;u!t6RNmv_f0}OWb4c zw_PXPQz1NK=7~9DYs+f^^TkrZsq`Q3*5#HWPHTbJq`O^SSG0?QPOqn>#jx`?B7GK|Ysm zS04~2FZ(@ehrXdgN`SzD<3Gewmj?gWZSX zkK3BKi~sruKccU%mV)2m2~O08gC@q?nI64U+Uv}`a;I8L7LJKgQGF!4mT9k{Vx*up z%v1&a#3XGAWk$MFYY%l}V${?Usb3!^#+{2^g^}-w@?#^gC-NQM4zFG1*oJ}P%^}Q5 zN+V?sWmY=TcQ#4EqnMr@=--75hQS zMeo9BT=lVj^K0ZJICOD zrGK{^ajz%mGpNbjQYlS^3}?eDbXFfDg_Hx=)-Vf^|UcDK`y+eO!obxc|76I91`QS;wE#()o1!*+iy0-xJg zAL&|8i41F}Pj7Y1xprRT)43Vv#Z_L6U#Ow*;;@-cj<}^f{-sVy^Bed3@lPjYkXja| zTy;Z+#1ea_#xyb%C`Wu#Enb3BoyQNKRIpDBc4M?X4ITScN7r*f2B!($;ur`Sllb(< zSV$rD@PLo&oN7ZaAN%fn3b=_^2AOw4Sj)I`GZz6}efB>)vsX^3ks)zXh;P*ADaeq( z-dxiISXUjL(&B-**PRJWGPG$hWa^_jR1{8IcddRMDqNY{M>>H2<%-bYOvvMz@X8Pl zaW(oG`rm@;tB%Lk3kN%GWG` zYK*-#1EL`VVavcJ^T9!3=+mXGYa7JSqsPI96GckPg!mg!zcx=Tbr@NmJ#~C~odwmr z*_HN8W-r1Z(L-BYggC8RtovswFx%~$^`o5XFmrL&uRc>D?yP@a{rer{v3pcOcw;p( zq({vBv%7dNjR_YgV~+7M82^ktQshYN&9NIP9>|cq?(L#MVi9KiA`C5N{kW@F?XrGK z&G7JP`s1&G&eE3$PL+W3Y2B~KOb0~IzcU{K+D%Iab&Hp~8GOWiv%Lrs9W?)i$Ku+Z z^4ZsyIfwgdT_J90+wnfIgs$P;0=r_UNt8) zeKJ(iLIV5Q_0kZizPOX08a9Yp(OKW?~6t=@`J%DNw8Z|@M7>bav- z14%c8`yzmPB*iV@mblQ1RywS;lG{@5A*Py1&rDp5lh&Avk*T_kbg>4#@`$`Qk66## z#C?lt_9y9j4i}*aekNj+w%6XJsfpmEG{D5o-~HU%Mb?`g^2q1UGH)SS9wzDba8q5W z<)ZZ$t~Gsmg}7JChDbh#xwb6aQ~gRg>_SH^6Bk_Ocxl$J++~VVOS&uEO-f`YGtrJd zbruJdb3x*sU`C@fukW?|@jLkyDb%bDTERcAy@SmSHlF%1r}o{$-01PnH{klY-N~HoiOenAp2>JoXTnz}e3$yVBXeGC>BoH@$h=2; zw)B=O$S<6}r~vzruyZXofj;EAb95QV2WI&G`G*Rb+h#dUj0L};PoJ<_z_#5Y_NRhf z*bu*q(J(*k?J&37>Lg^g8lBg41OsdH&Ufa3L4M~iXIsI+*G!krBS1dvJ+jSR!0>G@ zfBgdix)hK2f&%+vuewZ*0{!uB{xSC;!Q&4{MJZtXWbVk=lWJr>_3?bcAn?<(boA`g zV0WlcSrB_QW?*o1xoT=B!1Ld`wx_{S z-`4@n%V0uZ(^%gZ;3#Ud%dGA&9y?Gyt_mvob>6tb$uPg<+r(}IK;M0y!F!Upr4`pz zY5vW{W0X#eErqvJ^O$OnWg)dkmwBAN=lAn#4*>J{p5t>P!QUgVh2uIvoW~JSO%>9Gle!J6QdLFA7zcN!D_&hO-A2%x<=e$;CX4Ffxp>6{RfnA zR+HE?bi35S#M@jcgT!R<+Z(g+qY+&`w9!BhbV8R;ZJ4l7Dml)7qoDWHoEIHW^RryI zW-BqenqTqD;2M0kPAodldnF0$i9QexhN~HG{+;(LLbfjY;@^iWkgdbwj{UE=AlnSn zHGL{z#rAF8?z$n{xjvoZB5E&o+x_Kp8^OtFTOuvs?$XFsI&^Khn-j7v-J0oi`_thI zemlm5-^%%~BVLSfWjqGkeCE8lyH1I0WlqCXM`|a0`exhD+)o}1j&okRnO9?E+md_d zfM=ZqIxF=jN7Y_lHa2U~>SD)D>4$9}qHn}4hUBH-fo^e!64^5OFXgJm`1uQN7pp>?;@X_cC7FbmX?gcT=Ef z#ijYr{)XJ5X02)a9Bf;Sxqs`WGqSmrJbqs;7QJV>wzvJ$>fySUKwQ~4-{q^p)?>uj zop4duDze6`Z4Y^Xd>t0%)5o^rNbG?*H2Ea zz13~M4@nx^s`j^sO+Q+x-b^9e))Oa~AV{R>l+dk$~Mzv_G{v*+*6&Jk6S}&Wj{;iy$ zbyDd)w{d=ma`YFgN?X z1*wtkM3uf}5l~Q>d$|Es+jzEk=fnd+;+Wn{h|*T??XC3Lj#ofGPurCI4e9VQZfkF9 zuzaz|?t|-g|F3*LO?ivcuJYcT9?p|%aVkpzY(@uGZ)WO(*!g1_PyO&-s3WYAzAZbskFp;MUBu%!!)BgdCCNRDL diff --git a/regression-tests.nobackend/tinydns-data-check/expected_result b/regression-tests.nobackend/tinydns-data-check/expected_result index bace48899..6dee487ae 100644 --- a/regression-tests.nobackend/tinydns-data-check/expected_result +++ b/regression-tests.nobackend/tinydns-data-check/expected_result @@ -1,10 +1,11 @@ -16f36b572fcb576e465f061e417626f8 ../regression-tests/zones/example.com +db93ba72fcc30da0f775183ee9126edf ../regression-tests/zones/example.com fe49d2784b1bcc3b91ddd5619f0b6cc1 ../regression-tests/zones/test.com f0df67fa656d33fd85098cbe43893395 ../regression-tests/zones/test.dyndns dee3e8b568549d9450134b555ca73990 ../regression-tests/zones/sub.test.dyndns e7c0fd528e8aaedb1ea3b6daaead4de2 ../regression-tests/zones/wtest.com 42b442de632686e94bde75acf66cf524 ../regression-tests/zones/nztest.com -aeff58ea1eb6e63096e6da18337be312 ../regression-tests/zones/dnssec-parent.com +b06133eb32c5bdf346223563501ba8f8 ../regression-tests/zones/dnssec-parent.com +e9be89b6e5e0da8910c69e46f35d20ab ../regression-tests/zones/insecure.dnssec-parent.com 6510bf48aa3ca3501b73a1f510852a34 ../regression-tests/zones/delegated.dnssec-parent.com a63dc120391d9df0003f2ec4f461a6af ../regression-tests/zones/secure-delegated.dnssec-parent.com 24514dc104b22206daeb973ff9303545 ../regression-tests/zones/minimal.com @@ -12,4 +13,4 @@ a63dc120391d9df0003f2ec4f461a6af ../regression-tests/zones/secure-delegated.dns b1f775045fa2cf0a3b91aa834af06e49 ../regression-tests/zones/stest.com a98864b315f16bcf49ce577426063c42 ../regression-tests/zones/cdnskey-cds-test.com 9aeed2c26d0c3ba3baf22dfa9568c451 ../regression-tests/zones/2.0.192.in-addr.arpa -dcf9536d23ecffbdb706aa7d95bfb725 ../modules/tinydnsbackend/data.cdb +8fa20d959485419535d0406fd4df2a56 ../modules/tinydnsbackend/data.cdb diff --git a/regression-tests/backends/bind-master b/regression-tests/backends/bind-master index f051d0d1e..579935bfb 100644 --- a/regression-tests/backends/bind-master +++ b/regression-tests/backends/bind-master @@ -57,13 +57,16 @@ __EOF__ mysql --user="$GMYSQLUSER" --password="$GMYSQLPASSWD" --host="$GMYSQLHOST" \ "$GMYSQLDB" -e "INSERT INTO domains (name, type, master) VALUES('$zone','SLAVE','127.0.0.1:$port')" fi - securezone $zone bind - if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ] || [ $context = bind-hybrid-nsec3 ] + if [ $zone != insecure.dnssec-parent.com ] then - $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1 - elif [ $context = bind-dnssec-nsec3-narrow ] - then - $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1 + securezone $zone bind + if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ] || [ $context = bind-hybrid-nsec3 ] + then + $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1 + elif [ $context = bind-dnssec-nsec3-narrow ] + then + $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1 + fi fi if [ "$zone" = "tsig.com" ]; then $PDNSUTIL --config-dir=. --config-name=bind import-tsig-key test $ALGORITHM $KEY diff --git a/regression-tests/backends/gsql-common b/regression-tests/backends/gsql-common index 1a9e15eda..99eff8ecf 100644 --- a/regression-tests/backends/gsql-common +++ b/regression-tests/backends/gsql-common @@ -15,7 +15,7 @@ gsql_master() for zone in $(grep 'zone ' named.conf | cut -f2 -d\") do - if [ $context != ${backend}-nodnssec ] + if [ $context != ${backend}-nodnssec ] && [ $zone != insecure.dnssec-parent.com ] then if [ $context = ${backend}-nsec3 ] || [ $context = ${backend}-nsec3-optout ] then diff --git a/regression-tests/named.conf b/regression-tests/named.conf index 4eaf2a7ca..2a1a754da 100644 --- a/regression-tests/named.conf +++ b/regression-tests/named.conf @@ -48,6 +48,11 @@ zone "dnssec-parent.com"{ file "dnssec-parent.com"; }; +zone "insecure.dnssec-parent.com"{ + type master; + file "insecure.dnssec-parent.com"; +}; + zone "delegated.dnssec-parent.com"{ type master; file "delegated.dnssec-parent.com"; diff --git a/regression-tests/tests/axfr/expected_result b/regression-tests/tests/axfr/expected_result index edeba95de..d831426e4 100644 --- a/regression-tests/tests/axfr/expected_result +++ b/regression-tests/tests/axfr/expected_result @@ -6,6 +6,7 @@ dnssec-parent.com. 3600 IN NS ns2.dnssec-parent.com. dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400 dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400 insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com. +insecure.dnssec-parent.com. 3600 IN NS ns.example.com. ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7 ns1.dnssec-parent.com. 3600 IN A 1.2.3.4 ns1.secure-delegated.dnssec-parent.com. 3600 IN A 1.2.3.4 @@ -16,3 +17,4 @@ secure-delegated.dnssec-parent.com. 3600 IN DS 54319 8 2 a0b9c38cd324182af0ef668 secure-delegated.dnssec-parent.com. 3600 IN NS ns1.secure-delegated.dnssec-parent.com. secure-delegated.dnssec-parent.com. 3600 IN NS ns2.secure-delegated.dnssec-parent.com. something1.auth-ent.dnssec-parent.com. 3600 IN A 1.1.2.3 +www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com. diff --git a/regression-tests/tests/axfr/expected_result.dnssec b/regression-tests/tests/axfr/expected_result.dnssec index f580f6c6e..e65f64774 100644 --- a/regression-tests/tests/axfr/expected_result.dnssec +++ b/regression-tests/tests/axfr/expected_result.dnssec @@ -1,6 +1,6 @@ delegated.dnssec-parent.com. 3600 IN NS ns1.delegated.dnssec-parent.com. delegated.dnssec-parent.com. 3600 IN NS ns2.delegated.dnssec-parent.com. -delegated.dnssec-parent.com. 86400 IN NSEC ns1.dnssec-parent.com. NS RRSIG NSEC +delegated.dnssec-parent.com. 86400 IN NSEC insecure.dnssec-parent.com. NS RRSIG NSEC delegated.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... dnssec-parent.com. 3600 IN A 9.9.9.9 dnssec-parent.com. 3600 IN NS ns1.dnssec-parent.com. @@ -17,6 +17,9 @@ dnssec-parent.com. 86400 IN RRSIG NSEC 13 2 86400 [expiry] [inception] [keytag] insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com. insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN NSEC something1.auth-ent.dnssec-parent.com. NS RRSIG NSEC insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC 13 6 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +insecure.dnssec-parent.com. 3600 IN NS ns.example.com. +insecure.dnssec-parent.com. 86400 IN NSEC ns1.dnssec-parent.com. NS RRSIG NSEC +insecure.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7 ns1.dnssec-parent.com. 3600 IN A 1.2.3.4 ns1.dnssec-parent.com. 3600 IN RRSIG A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... @@ -33,9 +36,13 @@ secure-delegated.dnssec-parent.com. 3600 IN DS 54319 8 2 a0b9c38cd324182af0ef668 secure-delegated.dnssec-parent.com. 3600 IN NS ns1.secure-delegated.dnssec-parent.com. secure-delegated.dnssec-parent.com. 3600 IN NS ns2.secure-delegated.dnssec-parent.com. secure-delegated.dnssec-parent.com. 3600 IN RRSIG DS 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... -secure-delegated.dnssec-parent.com. 86400 IN NSEC dnssec-parent.com. NS DS RRSIG NSEC +secure-delegated.dnssec-parent.com. 86400 IN NSEC www.dnssec-parent.com. NS DS RRSIG NSEC secure-delegated.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... something1.auth-ent.dnssec-parent.com. 3600 IN A 1.1.2.3 something1.auth-ent.dnssec-parent.com. 3600 IN RRSIG A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... something1.auth-ent.dnssec-parent.com. 86400 IN NSEC delegated.dnssec-parent.com. A RRSIG NSEC something1.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC 13 4 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com. +www.dnssec-parent.com. 3600 IN RRSIG CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 86400 IN NSEC dnssec-parent.com. CNAME RRSIG NSEC +www.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... diff --git a/regression-tests/tests/axfr/expected_result.nsec3 b/regression-tests/tests/axfr/expected_result.nsec3 index ad2d86817..425b2b500 100644 --- a/regression-tests/tests/axfr/expected_result.nsec3 +++ b/regression-tests/tests/axfr/expected_result.nsec3 @@ -25,6 +25,9 @@ ent.ent.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [in insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com. insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] NS insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +insecure.dnssec-parent.com. 3600 IN NS ns.example.com. +insecure.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] NS +insecure.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7 ns1.dnssec-parent.com. 3600 IN A 1.2.3.4 ns1.dnssec-parent.com. 3600 IN RRSIG A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... @@ -47,3 +50,7 @@ something1.auth-ent.dnssec-parent.com. 3600 IN A 1.1.2.3 something1.auth-ent.dnssec-parent.com. 3600 IN RRSIG A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... something1.auth-ent.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] A RRSIG something1.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com. +www.dnssec-parent.com. 3600 IN RRSIG CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] CNAME RRSIG +www.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... diff --git a/regression-tests/tests/axfr/expected_result.nsec3-optout b/regression-tests/tests/axfr/expected_result.nsec3-optout index 3e5178ff4..fbd473c1b 100644 --- a/regression-tests/tests/axfr/expected_result.nsec3-optout +++ b/regression-tests/tests/axfr/expected_result.nsec3-optout @@ -17,6 +17,7 @@ dnssec-parent.com. 86400 IN RRSIG DNSKEY 13 2 86400 [expiry] [inception] [keytag dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... dnssec-parent.com. 86400 IN RRSIG NSEC3PARAM 13 2 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com. +insecure.dnssec-parent.com. 3600 IN NS ns.example.com. ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7 ns1.dnssec-parent.com. 3600 IN A 1.2.3.4 ns1.dnssec-parent.com. 3600 IN RRSIG A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... @@ -39,3 +40,7 @@ something1.auth-ent.dnssec-parent.com. 3600 IN A 1.1.2.3 something1.auth-ent.dnssec-parent.com. 3600 IN RRSIG A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... something1.auth-ent.dnssec-parent.com. 86400 IN NSEC3 1 1 1 abcd [next owner] A RRSIG something1.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com. +www.dnssec-parent.com. 3600 IN RRSIG CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 86400 IN NSEC3 1 1 1 abcd [next owner] CNAME RRSIG +www.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... diff --git a/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.dnssec b/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.dnssec index 459ce0f08..2b461d47b 100644 --- a/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.dnssec +++ b/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.dnssec @@ -1,4 +1,4 @@ -1 delegated.dnssec-parent.com. IN NSEC 86400 ns1.dnssec-parent.com. NS RRSIG NSEC +1 delegated.dnssec-parent.com. IN NSEC 86400 insecure.dnssec-parent.com. NS RRSIG NSEC 1 delegated.dnssec-parent.com. IN RRSIG 86400 NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... 1 dnssec-parent.com. IN RRSIG 3600 SOA 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... 1 dnssec-parent.com. IN SOA 3600 ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400 diff --git a/regression-tests/tests/secure-cname-to-insecure-child/command b/regression-tests/tests/secure-cname-to-insecure-child/command new file mode 100755 index 000000000..0a9161560 --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure-child/command @@ -0,0 +1,3 @@ +#!/bin/sh +cleandig www.dnssec-parent.com A dnssec + diff --git a/regression-tests/tests/secure-cname-to-insecure-child/description b/regression-tests/tests/secure-cname-to-insecure-child/description new file mode 100644 index 000000000..57ed85c34 --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure-child/description @@ -0,0 +1 @@ +Signed CNAME to an A record in an unsigned child zone. diff --git a/regression-tests/tests/secure-cname-to-insecure-child/expected_result b/regression-tests/tests/secure-cname-to-insecure-child/expected_result new file mode 100644 index 000000000..288e33ba1 --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure-child/expected_result @@ -0,0 +1,5 @@ +0 www.dnssec-parent.com. IN CNAME 3600 www.insecure.dnssec-parent.com. +0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88 +2 . IN OPT 32768 +Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='www.dnssec-parent.com.', qtype=A diff --git a/regression-tests/tests/secure-cname-to-insecure-child/expected_result.dnssec b/regression-tests/tests/secure-cname-to-insecure-child/expected_result.dnssec new file mode 100644 index 000000000..937f3a3c0 --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure-child/expected_result.dnssec @@ -0,0 +1,6 @@ +0 www.dnssec-parent.com. IN CNAME 3600 www.insecure.dnssec-parent.com. +0 www.dnssec-parent.com. IN RRSIG 3600 CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... +0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88 +2 . IN OPT 32768 +Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='www.dnssec-parent.com.', qtype=A diff --git a/regression-tests/tests/secure-cname-to-insecure/command b/regression-tests/tests/secure-cname-to-insecure/command new file mode 100755 index 000000000..9ad71facf --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure/command @@ -0,0 +1,3 @@ +#!/bin/sh +cleandig cname-to-insecure.example.com A dnssec + diff --git a/regression-tests/tests/secure-cname-to-insecure/description b/regression-tests/tests/secure-cname-to-insecure/description new file mode 100644 index 000000000..a00dbfb8b --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure/description @@ -0,0 +1 @@ +Signed CNAME to an unsigned A. diff --git a/regression-tests/tests/secure-cname-to-insecure/expected_result b/regression-tests/tests/secure-cname-to-insecure/expected_result new file mode 100644 index 000000000..7bcd93036 --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure/expected_result @@ -0,0 +1,5 @@ +0 cname-to-insecure.example.com. IN CNAME 120 www.insecure.dnssec-parent.com. +0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88 +2 . IN OPT 32768 +Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='cname-to-insecure.example.com.', qtype=A diff --git a/regression-tests/tests/secure-cname-to-insecure/expected_result.dnssec b/regression-tests/tests/secure-cname-to-insecure/expected_result.dnssec new file mode 100644 index 000000000..76458ceac --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure/expected_result.dnssec @@ -0,0 +1,6 @@ +0 cname-to-insecure.example.com. IN CNAME 120 www.insecure.dnssec-parent.com. +0 cname-to-insecure.example.com. IN RRSIG 120 CNAME 13 3 120 [expiry] [inception] [keytag] example.com. ... +0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88 +2 . IN OPT 32768 +Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='cname-to-insecure.example.com.', qtype=A diff --git a/regression-tests/tests/verify-dnssec-zone/command b/regression-tests/tests/verify-dnssec-zone/command index 98cf3d9a0..30dbe1955 100755 --- a/regression-tests/tests/verify-dnssec-zone/command +++ b/regression-tests/tests/verify-dnssec-zone/command @@ -1,5 +1,5 @@ #!/usr/bin/env bash -for zone in $(grep 'zone ' named.conf | cut -f2 -d\" | grep -v '^\(example.com\|nztest.com\)$') +for zone in $(grep 'zone ' named.conf | cut -f2 -d\" | grep -v '^\(example.com\|nztest.com\|insecure.dnssec-parent.com\)$') do TFILE=$(mktemp tmp.XXXXXXXXXX) drill -p $port axfr $zone @$nameserver | ldns-read-zone -z -u CDS -u CDNSKEY > $TFILE diff --git a/regression-tests/zones/dnssec-parent.com b/regression-tests/zones/dnssec-parent.com index 1a6e88b6c..0800ccf1e 100644 --- a/regression-tests/zones/dnssec-parent.com +++ b/regression-tests/zones/dnssec-parent.com @@ -23,3 +23,5 @@ ns1.secure-delegated IN A 1.2.3.4 ns2.secure-delegated IN A 5.6.7.8 insecure-delegated.ent.ent.auth-ent IN NS ns.example.com. something1.auth-ent IN A 1.1.2.3 +insecure IN NS ns.example.com. +www IN CNAME www.insecure diff --git a/regression-tests/zones/example.com b/regression-tests/zones/example.com index d797d8440..265732345 100644 --- a/regression-tests/zones/example.com +++ b/regression-tests/zones/example.com @@ -20202,3 +20202,6 @@ philip.mb IN MR phil.mb.example.com. ; Test that no out of zone data is sent _imap._tcp IN SRV 0 1 143 blah.test.com. + +; +cname-to-insecure IN CNAME www.insecure.dnssec-parent.com. diff --git a/regression-tests/zones/insecure.dnssec-parent.com b/regression-tests/zones/insecure.dnssec-parent.com new file mode 100644 index 000000000..b5a3c73cb --- /dev/null +++ b/regression-tests/zones/insecure.dnssec-parent.com @@ -0,0 +1,13 @@ +$TTL 120 +$ORIGIN insecure.dnssec-parent.com. +@ IN SOA ns1.example.com. ahu.example.com. ( + 2000081501 + 8H ; refresh + 2H ; retry + 1W ; expire + 1D ; default_ttl + ) + +@ IN NS ns1.example.com. +@ IN NS ns2.example.com. +www IN A 192.0.2.88 -- 2.40.0