upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-02-24 02:10:30 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/bin/tests/system/inline/ns3
History
Matthijs Mekking f4eb3ba459 Change inline system test 
The inline system test tests 'auto-dnssec' in conjunction with
'inline-signing'. Change the tests to make use of 'dnssec-policy'.

Remove some tests that no longer make sense:
- The 'retransfer3.' zone tests changing the parameters with
  'rndc signing -nsec3param'. This command is going away and NSEC3
  parameters now need to be configured with nsec3param within
  'dnssec-policy'.
- The 'inactivezsk.' and 'inactiveksk.' zones test whether the ZSK take
  over signing if the KSK is inactive, or vice versa. This fallback
  mode longer makes sense when using a DNSSEC policy.

Some tests need to be adapted more than just changing 'auto-dnssec'
to 'dnssec-policy':
- The 'delayedkeys.' zone first needs to be configured as insecure,
  then we can change it to start signing. Previously, no existing
  keys means that you cannot sign the zone, with 'dnssec-policy'
  new keys will be created.
- The 'updated.' zone needs to have key states in a specific state
  so that the minimal journal check still works (otherwise CDS/
  CDNSKEY and related records will be in the journal too).
- External keys are now added to the unsigned zone and no longer
  are maintained with key files. Adjust the 'externalkey.' zone
  accordingly.
- The 'nsec3-loop.' zone requires three signing keys. Since
  'dnssec-policy' will ignore duplicates in the 'keys' section,
  create RSASHA256 keys with different role and/or key length.

Finally, the 'externalkey.' zone checks for an expected number of
DNSKEY and RRSIG records in the response. This used to be 3 DNSKEY
and 2 RRSIG records. Due to logic behavior changes (key timing
metadata is no longer authoritative, these expected values are
changed to 4 DNSKEY records (two signing keys and two external keys
per algorithm) and 1 RRSIG record (one active KSK per signing
algorithm).
2023-07-20 11:04:23 +02:00
..
delayedkeys.conf.1 Change inline system test 2023-07-20 11:04:23 +02:00
delayedkeys.conf.2 Change inline system test 2023-07-20 11:04:23 +02:00
include.db.in Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
named.conf.in Change inline system test 2023-07-20 11:04:23 +02:00
primary.db.in Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
primary2.db.in Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
primary3.db.in Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
primary4.db.in Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
primary5.db.in Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
primary6.db.in Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
primary7.db.in Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
sign.sh Change inline system test 2023-07-20 11:04:23 +02:00