bind9/bin/tests/system/mirror
Michał Kępień 72c201733c Do not check SEP bit for mirror zone trust anchors
When a mirror zone is verified, the 'ignore_kskflag' argument passed to
dns_zoneverify_dnssec() is set to false.  This means that in order for
its verification to succeed, a mirror zone needs to have at least one
key with the SEP bit set configured as a trust anchor.  This brings no
security benefit and prevents zones signed only using keys without the
SEP bit set from being mirrored, so change the value of the
'ignore_kskflag' argument passed to dns_zoneverify_dnssec() to true.
2019-02-14 11:03:35 +01:00
ns1 Improve reliability of zone verification checks 2019-02-14 10:41:56 +01:00
ns2 Do not check SEP bit for mirror zone trust anchors 2019-02-14 11:03:35 +01:00
ns3 Do not check SEP bit for mirror zone trust anchors 2019-02-14 11:03:35 +01:00
clean.sh Test whether mirror zones can be added and removed dynamically 2018-10-24 20:32:56 +02:00
README Replace the "mirror" zone option with "type mirror;" 2018-10-24 20:32:55 +02:00
setup.sh Replace the "mirror" zone option with "type mirror;" 2018-10-24 20:32:55 +02:00
tests.sh Do not check SEP bit for mirror zone trust anchors 2019-02-14 11:03:35 +01:00

Copyright (C) Internet Systems Consortium, Inc. ("ISC")

See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

This test checks whether zones configured with "type mirror;" behave as
expected.

ns1 is an authoritative-only server.  It only serves the root zone, which is
mirrored by ns3.

ns2 is an authoritative-only server.  It serves a number of zones, some of which
are delegated to it by ns1 and used in recursive resolution tests aimed at ns3
while others are only served so that ns3 has a primary server to mirror zones
from during various tests of the mirror zone implementation.

ns3 is a recursive resolver.  It has a number of mirror zones configured.  This
is the only server whose behavior is being examined by this system test.