Commit fce76326 authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

tests-extra: nsec3 opt-out

parent d7d36939
#!/usr/bin/env python3
'''Test for NSEC3 and delegation with and without opt-out'''
from dnstest.utils import *
from dnstest.test import Test
import random
zone_name = "example.com."
t = Test()
def check_deleg(deleg, nsec3_bitmap, msg):
t.sleep(2)
resp = master.dig(deleg + "." + zone_name, "A", dnssec=True, bufsize=4096)
first_nsec3 = str(resp.resp.authority[1]) # assert this is the first NSEC3 in the response
first_bitmap = ' '.join(first_nsec3.split()[9:])
check_log("NSEC3 bitmap '%s', expected '%s' for '%s'" % (first_bitmap, nsec3_bitmap, msg))
if first_bitmap != nsec3_bitmap:
set_err("NSEC3 bitmap for '%s'" % msg)
detail_log(SEP)
master.zone_backup(zone, flush=True)
master.zone_verify(zone)
master = t.server("knot")
zone = t.zone(zone_name)
t.link(zone, master)
master.dnssec(zone).enable = True
master.dnssec(zone).nsec3 = True
master.dnssec(zone).nsec3_iters = 2
master.dnssec(zone).nsec3_salt_len = 8
master.dnssec(zone).nsec3_opt_out = False
t.start()
master.zones_wait(zone)
master.zone_backup(zone, flush=True)
master.zone_verify(zone)
# opt-out off, delegation added in changeset
up = master.update(zone)
up.add("deleg1", 3600, "NS", "nothing")
up.send("NOERROR")
check_deleg("deleg1", "NS", "non-optout update")
# opt-out off, zone re-sign
master.ctl("zone-sign")
check_deleg("deleg1", "NS", "non-optout re-sign")
# opt-out on, zone re-sign
master.dnssec(zone).nsec3_opt_out = True
master.gen_confile()
master.reload()
check_deleg("deleg1", "NS SOA MX RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY", "optout re-sign")
# opt-out on, delegation added in changeset
up = master.update(zone)
up.add("deleg2", 3600, "NS", "nothing")
up.send("NOERROR")
check_deleg("deleg2", "NS SOA MX RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY", "optout update")
t.end()
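Review bot: `check_deleg` compares only the NSEC3 type bitmap and never the Flags field (token 5 of the RR text), so a zone re-signed with `nsec3-opt-out` whose covering NSEC3 lacks the opt-out bit — which a validator would treat as bogus for the insecure delegation — still passes the "optout re-sign" and "optout update" cases. A second weak spot is `resp.resp.authority[1]`: the comment says "assert this is the first NSEC3 in the response" but nothing asserts it, so a differently ordered AUTHORITY section turns into a misleading bitmap mismatch rather than a clear error. I would select the NSEC3 RRset by its type token, check the flag against `master.dnssec(zone).nsec3_opt_out` (already reachable inside the function, as `zone` is on the `zone_backup` line), and leave the rest of the function unchanged. Strictly, RFC 5155 requires the flag only on the NSEC3 covering the delegation's hash, so if Knot does not set it on every NSEC3 in an opt-out zone the check should be applied to that covering record instead — worth confirming against the signer. `check_deleg` is defined at the top of the file and is complete within this section.
```python
def check_deleg(deleg, nsec3_bitmap, msg):
    t.sleep(2)
    resp = master.dig(deleg + "." + zone_name, "A", dnssec=True, bufsize=4096)
    # pick the NSEC3 RRset by type, not by its position in AUTHORITY
    nsec3s = [str(rr) for rr in resp.resp.authority if str(rr).split()[3] == "NSEC3"]
    if not nsec3s:
        set_err("no NSEC3 in referral for '%s'" % msg)
        return
    fields = nsec3s[0].split()
    first_flags = fields[5]
    first_bitmap = ' '.join(fields[9:])
    # … unchanged: check_log / bitmap compare / detail_log …
    expected_flags = "1" if master.dnssec(zone).nsec3_opt_out else "0"
    if first_flags != expected_flags:
        set_err("NSEC3 flags %s, expected %s for '%s'" % (first_flags, expected_flags, msg))
    # … unchanged: zone_backup / zone_verify …
```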
......@@ -51,6 +51,7 @@ class ZoneDnssec(object):
self.rrsig_refresh = None
self.nsec3 = None
self.nsec3_iters = None
self.nsec3_opt_out = None
self.nsec3_salt_lifetime = None
self.nsec3_salt_len = None
self.ksk_sbm_check = []
......@@ -1183,6 +1184,7 @@ class Knot(Server):
self._str(s, "rrsig-refresh", z.dnssec.rrsig_refresh)
self._bool(s, "nsec3", z.dnssec.nsec3)
self._str(s, "nsec3-iterations", z.dnssec.nsec3_iters)
self._bool(s, "nsec3-opt-out", z.dnssec.nsec3_opt_out)
self._str(s, "nsec3-salt-lifetime", z.dnssec.nsec3_salt_lifetime)
self._str(s, "nsec3-salt-length", z.dnssec.nsec3_salt_len)
if len(z.dnssec.ksk_sbm_check) > 0: