bind9/bin/tests/system/mkeys
Matthijs Mekking 2fc42b598b Fix a quirky mkeys test failure
The mkeys system test started to fail after introducing support for
zones transitioning to unsigned without going bogus. This is because
there was actually a bug in the code: if you reconfigure a zone and
remove the "auto-dnssec" option, the zone is actually still DNSSEC
maintained. This is because in zoneconf.c there is no call
to 'dns_zone_setkeyopt()' if the configuration option is not used
(cfg_map_get(zoptions, "auto-dnssec", &obj) will return an error).

The mkeys system test implicitly relied on this bug: initially the
root zone is being DNSSEC maintained, then at some point it needs to
reset the root zone in order to prepare for some tests with bad
signatures. Because it needs to inject a bad signature, 'auto-dnssec'
is removed from the configuration.

The test passes but for the wrong reasons:

I:mkeys:reset the root server
I:mkeys:reinitialize trust anchors
I:mkeys:check positive validation (18)

The 'check positive validation' test works because the zone is still
DNSSEC maintained: The DNSSEC records in the signed root zone file on
disk are being ignored.

After fixing the bug/introducing graceful transition to insecure,
the root zone is no longer DNSSEC maintained after the reconfig.

The zone now explicitly needs to be reloaded because otherwise the
'check positive validation' test works against an old version of the
zone (the one with all the revoked keys), and the test will obviously
fail.
2020-12-23 09:02:11 +01:00
ns1 update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
ns2 Use "-T maxcachesize=2097152" in all system tests 2020-08-31 13:15:33 +02:00
ns3 Use "-T maxcachesize=2097152" in all system tests 2020-08-31 13:15:33 +02:00
ns4 remove "dnssec-enable" from all system tests 2019-03-14 23:30:13 -07:00
ns5 Use "-T maxcachesize=2097152" in all system tests 2020-08-31 13:15:33 +02:00
ns6 update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
ns7 remove "dnssec-enable" from all system tests 2019-03-14 23:30:13 -07:00
clean.sh update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
README update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
setup.sh Ensure use of "echo_i" where possible 2020-10-22 09:54:24 +02:00
tests.sh Fix a quirky mkeys test failure 2020-12-23 09:02:11 +01:00

Copyright (C) Internet Systems Consortium, Inc. ("ISC")

See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.

This is for testing RFC 5011 Automated Updates of DNSSEC Trust Anchors.

ns1 is the root server that offers new KSKs and hosts one record for
testing. The TTL for the zone's records is 2 seconds.

ns2 is a validator that uses managed keys.  "-T mkeytimers=2/20/40"
is used so it will attempt to do automated updates frequently. "-T tat=1"
is used so it will send TAT queries once per second.

ns3 is a validator with a broken initializing key in trust-anchors.

ns4 is a validator with a deliberately broken managed-keys.bind and
managed-keys.jnl, causing RFC 5011 initialization to fail.

ns5 is a validator which is prevented from getting a response from the
root server, causing key refresh queries to fail.

ns6 is a validator which has unsupported algorithms, one at start up,
one because of an algorithm rollover.

ns7 is a validator with multiple views configured.  It is used for
testing per-view rndc commands and checking interactions between options
related to and potentially affecting RFC 5011 processing.