Commit 18dd340a authored by Lubos Slovak's avatar Lubos Slovak

tests-extra: DNSSEC + mixed cases in RDATA dnames

- no_resign extended to test whether the zone will be resigned
  if only the case of RDATA dname changes.
- Added new DNSSEC test to sign zone with weird records.
parent 1e68d5aa
......@@ -104,6 +104,17 @@ cname.to.hash.dname CNAME \035leading.hash.char
; Maximal dname length
1234567890123456789012345678901234567890123456789.1234567890123456789012345678901234567890123456789.1234567890123456789012345678901234567890123456789.1234567890123456789012345678901234567890123456789.123456789012345678901234567890123456789012345.records. MX 0 1234567890123456789012345678901234567890123456789.1234567890123456789012345678901234567890123456789.1234567890123456789012345678901234567890123456789.1234567890123456789012345678901234567890123456789.123456789012345678901234567890123456789012345.records.
; Duplicate RDATA differing only in case
dupl MX 10 some.domain
dupl MX 10 Some.Domain
DuPl MX 10 some.domain
dUpL MX 10 sOMe.doMAin
; Different case in RDATA possibly resulting in wrong order of RDATA
bad-order NS B.foo.
bad-order NS a.foo.
; CNAME loop
*.loop1 CNAME a.loop2
*.loop2 CNAME a.loop1
......
; This is a zone-signing key, keyid 35721, for example.
; Created: 20140908125912 (Mon Sep 8 14:59:12 2014)
; Publish: 20140908125912 (Mon Sep 8 14:59:12 2014)
; Activate: 20140908125912 (Mon Sep 8 14:59:12 2014)
example. IN DNSKEY 256 3 5 AwEAAdcURIq28DnbSgdwnQjjX/9ihQAgPylq7HHnMjQOm59fGPMnsjy/ AkpcNxadAVGRycM7jZHloPyp7Tty/11J9wKDsLR86YChcYk9KXFKakdr EE1jchkL7KYL7g0bUTAIJSDLhsn6TyLILzgTX6Ru4mCceS4wLJ30LSi+ DR4cockH
Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Modulus: 1xREirbwOdtKB3CdCONf/2KFACA/KWrscecyNA6bn18Y8yeyPL8CSlw3Fp0BUZHJwzuNkeWg/KntO3L/XUn3AoOwtHzpgKFxiT0pcUpqR2sQTWNyGQvspgvuDRtRMAglIMuGyfpPIsgvOBNfpG7iYJx5LjAsnfQtKL4NHhyhyQc=
PublicExponent: AQAB
PrivateExponent: fgzx0r4+choT++JDFndzxo/t1NIRUmvI4USXRq0dBb1NOQyVyEZFyGDdJFKl+DFSJyqa4NvMiufoEkRmZz03Ft2avWiV7ppdPEFu4xX6gcrmCotmF254gR4/kTNcPBtJ8jqCcM67ysPSbqVzOWSFPgpRX4T8NY9qFBhUh4b+7ZE=
Prime1: +WxDO783tXN1uRNfV/6kq5l7GGkUH801AMq/L6mRozcIYjGDYJAMW6eCYJh9V2L79TPQMU9duFPpC4kGSSPLeQ==
Prime2: 3MAqqYnXWLOQGjCpENYGkYeDvDl2W9LgJwbcg6ZKDO/fGhLqd7lHaj/UhMGaCjW4VH6I7FEsZqQZDpcaV5CYfw==
Exponent1: EOD9r8Zh67qTheHEuvy1ghNR3DYIMZq+cn5F7+DGxUfNHnABVwCIhY9RaF4JZWeCa3aFKUEYs4eiJrCwJzTv6Q==
Exponent2: gvpOFdvgdxPLi46VsZSbvxtd0X9yt5bOQrmyezZeN4DXqhvRHIpFUkhfKwnIAQjQvul5CmY7Zwc0itCi45O6tw==
Coefficient: B9dhLlL07WU8tFuITQlyFJAk75P4CD7ow/rCWOPVWZfPVS5CsUUU6TVVSuIn727mal631QOer8uTnxnRy99KHw==
Created: 20140908125912
Publish: 20140908125912
Activate: 20140908125912
; This is a key-signing key, keyid 65014, for example.
; Created: 20140908125912 (Mon Sep 8 14:59:12 2014)
; Publish: 20140908125912 (Mon Sep 8 14:59:12 2014)
; Activate: 20140908125912 (Mon Sep 8 14:59:12 2014)
example. IN DNSKEY 257 3 5 AwEAAeMNmQ/1/6yfFfp7jOqy2M7AGBtuSzZJFpnUqrcAmTTI+RxX9vN0 1Z5CpAs9nhYTVyLEQLaGQBwkrF+QBIPJ6DQ0SvHJEWEAN25tyvWmDdUj eDnevEpbQbkdaV+XQJ3SMWGf7OtzGo0BC4vO5ecw+zGteWT/UUbX9XkK 3vWOirLAF1s5kNEEnUt+kIbr50vz+qOfvWa+ldWHSt2T2Ds6fMVkdE84 gyb3mE0syQbEuSdgOO6Vko4qn9FtJ2Uz0L2i8vKb1chT+f7RISQhicTL X/RQgH0kV80UCBtn4CEgE6Cx5Yv+z50li0I4bNRI1BLBqJneCeN/eqQs /pYNJhZg4d8=
Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Modulus: 4w2ZD/X/rJ8V+nuM6rLYzsAYG25LNkkWmdSqtwCZNMj5HFf283TVnkKkCz2eFhNXIsRAtoZAHCSsX5AEg8noNDRK8ckRYQA3bm3K9aYN1SN4Od68SltBuR1pX5dAndIxYZ/s63MajQELi87l5zD7Ma15ZP9RRtf1eQre9Y6KssAXWzmQ0QSdS36QhuvnS/P6o5+9Zr6V1YdK3ZPYOzp8xWR0TziDJveYTSzJBsS5J2A47pWSjiqf0W0nZTPQvaLy8pvVyFP5/tEhJCGJxMtf9FCAfSRXzRQIG2fgISAToLHli/7PnSWLQjhs1EjUEsGomd4J4396pCz+lg0mFmDh3w==
PublicExponent: AQAB
PrivateExponent: MvZ8Yp6+sopKrpxItu1JyK5JOu74psik8AZSAx15ReXONFRyM5cH06v1kihUcXQJ3N3cAJwFi8uXfSOgP8xz+DO8lqSg5/radkjig1ywQiTh+WtLLA1rpRc67Z/Pex0QxG7XCMofLYMMimb4J3pRB4d+dfLw1Uvn5zFPdiJ2c0RKJcz7yVbkMz8r5KvQ1BaB5W3EWlftLgf/9RYPfhY/6ga6BlGIuKp0aT41F+MsSY2Z8pH/DCaC6lKlVe4+1JXUmvlZB8Qyq2r0DArbAnSRF5Lf/GM0uAWLTAE1ZkYGhpfE5XlQzavaSvPA6nXVL99QGFh1tZz7+iiv+rpiyOjLAQ==
Prime1: +5fpFprXTG6e1ac91mceje2NjyI3qzHmnXn8Megz5iEviEz5lO8b9Zi+wvRnixEuxGi1Mguaf0JtDSKFER3rQ1WMRR26AZH+e7hrjsdUfEg6fq8knYUpaypiGJePZEfRPMrz+Nw7GBjyFF9+3Uv/yx906+Zl9kNa74ubQfymiZ8=
Prime2: 5wendySfdB5+oq+nAk/OC8bjZ6lJSHFYzXYk0FU5F6DsfTyxdbcopJ/ZOJvYE+8/Nlsip53b2NfbhvNL/WzjjlMiFPr7hlY9edNz3XOarZSyXUnRn/sYL7FIlUBXw0fIVqjHWEAfCu/ytVmyVi97CPUF/OvksDbVJ3M9ezTrP8E=
Exponent1: S04M1ldCWf5CTHDicWosGw8fb9guEW++NyRr+AQohJkqQQHJMmrfU4OElZXR6C4ccW1lzrTqaWzYdzX93kG2SVExyv46zn2ETkPE7dd70jdMSt7hdsSEwS7Obc3vfXSBjFCy9an1hiDxVGfA8TvuND4WIQW1PyCp90kyD24v6sE=
Exponent2: IWwZDQJuUvUqasywg4QaEdgXA+MYp/NF3ott7fm2RbXRIJkMLzRtG8vIOAlLrC6bXXi3vbn3mRo5Nv+xiZscHHXoY1Kf2qJVSG+PvoS/5saxOw+31MYVjKjAEF97ktOqpubJ1/mGxCVMXnH4e8FosjYIRLu3nMqB8bAZP966/cE=
Coefficient: ARhVpFRH7/lHIt00+A7i6dDtwGuILz3+qYW6oS8l5bBCIMQbFdQvkcAV3Gklvw9UV+vFW3ejfw2EDYNk4BRWWvrBEIugMyCrO1dAadCjBGmrQAd3T52npS9Z/ubYQgjoEn81rymcFZmDB5hArKAx+NJD2bKiCzN63N3T9FvSzlY=
Created: 20140908125912
Publish: 20140908125912
Activate: 20140908125912
#!/bin/sh
export BASEDIR=`mktemp -d "/tmp/zone_sign-XXX"`
../../../../tools/zone_sign.sh example. ../../../../data/example.zone nsec
mv ../../../../data/example.zone.signed ./example.zone
rm ./keys/*
mv $BASEDIR/*.key ./keys
mv $BASEDIR/*.private ./keys
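Review bot: The script has no error handling, so a failed `zone_sign.sh` run still reaches `rm ./keys/*` and deletes the existing key fixtures before the two `mv` lines fail. A failed `mktemp` is also not noticed, because `export BASEDIR=...` returns the status of `export`; `$BASEDIR` is then empty and `$BASEDIR/*.key` expands against `/`. I would add `set -e` after the shebang and split the assignment into `BASEDIR=$(mktemp -d "/tmp/zone_sign-XXX") || exit 1` followed by `export BASEDIR`. The `$BASEDIR` expansions in the `mv` lines should be quoted. The temporary directory is never removed either, so whatever the signing run leaves there besides the moved key files stays in /tmp.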
......@@ -10,19 +10,23 @@ t = Test()
master = t.server("knot")
nsec_zone = t.zone_rnd(1, dnssec=True, nsec3=False)
nsec3_zone = t.zone_rnd(1, dnssec=True, nsec3=True)
static_zone = t.zone("example.", storage=".")
t.link(nsec_zone, master)
t.link(nsec3_zone, master)
t.link(static_zone, master)
t.start()
# Get zone serial.
old_nsec_serial = master.zone_wait(nsec_zone)
old_nsec3_serial = master.zone_wait(nsec3_zone)
old_static_serial = master.zone_wait(static_zone)
# Enable autosigning.
master.dnssec_enable = True
master.use_keys(nsec_zone)
master.use_keys(nsec3_zone)
master.use_keys(static_zone)
master.gen_confile()
t.sleep(2)
master.reload()
......@@ -31,6 +35,7 @@ t.sleep(4)
new_nsec_serial = master.zone_wait(nsec_zone)
new_nsec3_serial = master.zone_wait(nsec3_zone)
new_static_serial = master.zone_wait(static_zone)
# Check if the zones are resigned.
if compare(old_nsec_serial, new_nsec_serial,
......@@ -45,4 +50,23 @@ if compare(old_nsec3_serial, new_nsec3_serial,
for rr in resp.resp:
detail_log(rr)
if compare(old_static_serial, new_static_serial,
"%s SOA serial (static)" % static_zone[0].name):
resp = master.dig(static_zone, "IXFR", serial=old_static_serial)
for rr in resp.resp:
detail_log(rr)
# Switch the static zone for the one with different NSEC case
master.update_zonefile(static_zone, 1)
master.reload()
new_static_serial2 = master.zone_wait(static_zone)
if compare(new_static_serial, new_static_serial2,
"%s SOA serial (static)" % static_zone[0].name):
resp = master.dig(static_zone, "IXFR", serial=new_static_serial)
for rr in resp.resp:
detail_log(rr)
t.stop()
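Review bot: In the last hunk the second `master.reload()` is followed directly by `master.zone_wait(static_zone)`, whereas the first reload is followed by `t.sleep(4)` (visible as context in the `@@ -31,6 +35,7 @@` header). If `zone_wait` returns as soon as the server answers for the zone, it may report the serial from before the replaced zone file was loaded, and the `compare(new_static_serial, new_static_serial2, ...)` check would then pass without exercising the case-only change. I would add `t.sleep(4)` between `master.reload()` and the `zone_wait` call, with a comment such as `# Give the server time to load the switched zone file.`. Indentation is lost in this rendering, so I cannot confirm which lines sit inside the `if compare(...)` bodies.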
#!/usr/bin/env python3
'''Test for signing a zone with wierd records.'''
from dnstest.utils import *
from dnstest.test import Test
t = Test()
master = t.server("knot")
zone = t.zone("records.")
t.link(zone, master)
# Enable autosigning.
master.dnssec_enable = True
master.gen_key(zone, ksk=True, alg="RSASHA1")
master.gen_key(zone, alg="RSASHA1")
master.gen_confile()
t.start()
t.sleep(4)
master.flush()
# Verify signed zone file.
master.zone_verify(zone)
t.stop()
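Review bot: Both `master.gen_key(...)` calls hard-code `alg="RSASHA1"`, a SHA-1 based DNSSEC algorithm that RFC 8624 lists as not recommended for signing. The test is about unusual record contents, not the algorithm, so I would either use a SHA-256 based algorithm if `gen_key` in this framework accepts one, or add a comment such as `# RSASHA1 is used only as a test fixture; the algorithm is not under test here.`. The module docstring also misspells "weird" as "wierd".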