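#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test for NSEC/NSEC3 handling of dnssec-policy ("kasp") zones.
# Each test step increments $n, collects failures in $ret and folds
# them into $status; the script exits non-zero if $status is non-zero.
# Shared helpers (echo_i, key_clear, set_keystate, retry_quiet, ...)
# come from the sourced conf.sh and kasp.sh.

set -e

# shellcheck source=conf.sh
. ../conf.sh
# shellcheck source=kasp.sh
. ../kasp.sh

# Log an error message ($1) and increment the per-test failure
# counter $ret.  Callers must fold $ret into $status themselves.
log_error() {
  echo_i "error: $1"
  ret=$((ret + 1))
}

# Call dig with the default options used throughout this test
# (TCP, DNSSEC, terse output) against the test port $PORT.
# Remaining arguments are passed through to dig unchanged.
dig_with_opts() {
  $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}

# Call rndc using the shared control configuration and $CONTROLPORT.
# $1 is the server address (it follows -s); the rest is the rndc command.
rndccmd() {
  "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@"
}

# Set zone name ($1) and policy ($2) for testing nsec3.
# Also set the expected number of keys ($3) and DNSKEY TTL ($4).
# Globals written: ZONE, POLICY, NUM_KEYS, DNSKEY_TTL, KEYFILE_TTL,
# CDS_SHA256, CDS_SHA384.
set_zone_policy() {
  ZONE=$1
  POLICY=$2
  NUM_KEYS=$3
  DNSKEY_TTL=$4
  KEYFILE_TTL=$4
  # The CDS digest type in these tests is always the default,
  # which is SHA-256 (2).
  CDS_SHA256="yes"
  CDS_SHA384="no"
}

# Set expected NSEC3 parameters: flags ($1) and salt length ($2).
# Globals written: FLAGS, SALTLEN, SALT.
set_nsec3param() {
  FLAGS=$1
  SALTLEN=$2
  # Reset salt; _check_nsec3_nsec3param records the salt named picks.
  SALT=""
}

# Set expected default dnssec-policy key values for key slot $1
# (e.g. "KEY1"): a single ECDSAP256SHA256 CSK with unlimited lifetime,
# whose DNSKEY and signatures are still being introduced (rumoured)
# and whose DS is not yet published (hidden).
set_key_default_values() {
  key_clear "$1"

  set_keyrole "$1" "csk"
  set_keylifetime "$1" "0"
  set_keyalgorithm "$1" "13" "ECDSAP256SHA256" "256"
  set_keysigning "$1" "yes"
  set_zonesigning "$1" "yes"

  set_keystate "$1" "GOAL" "omnipresent"
  set_keystate "$1" "STATE_DNSKEY" "rumoured"
  set_keystate "$1" "STATE_KRRSIG" "rumoured"
  set_keystate "$1" "STATE_ZRRSIG" "rumoured"
  set_keystate "$1" "STATE_DS" "hidden"
}

# Set expected rsasha1 dnssec-policy keys values.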
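set_key_rsasha1_values() {
  # Same expectations as set_key_default_values, but for a 2048-bit
  # RSASHA1 (algorithm 5) CSK.  $1 is the key slot (e.g. "KEY1").
  key_clear "$1"

  set_keyrole "$1" "csk"
  set_keylifetime "$1" "0"
  set_keyalgorithm "$1" "5" "RSASHA1" "2048"
  set_keysigning "$1" "yes"
  set_zonesigning "$1" "yes"

  set_keystate "$1" "GOAL" "omnipresent"
  set_keystate "$1" "STATE_DNSKEY" "rumoured"
  set_keystate "$1" "STATE_KRRSIG" "rumoured"
  set_keystate "$1" "STATE_ZRRSIG" "rumoured"
  set_keystate "$1" "STATE_DS" "hidden"
}

# Update the key states of key slot $1:
# $2 GOAL, $3 STATE_DNSKEY, $4 STATE_KRRSIG, $5 STATE_ZRRSIG, $6 STATE_DS.
set_key_states() {
  set_keystate "$1" "GOAL" "$2"
  set_keystate "$1" "STATE_DNSKEY" "$3"
  set_keystate "$1" "STATE_KRRSIG" "$4"
  set_keystate "$1" "STATE_ZRRSIG" "$5"
  set_keystate "$1" "STATE_DS" "$6"
}

# The apex NSEC3PARAM record indicates that it is signed.
# Succeeds once $SERVER answers for $ZONE with a signed
# NSEC3PARAM "1 0 0 ${SALT}" record.  Intended for retry_quiet.
_wait_for_nsec3param() {
  dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM >"dig.out.test$n.wait" || return 1
  grep "${ZONE}\..*IN.*NSEC3PARAM 1 0 0.*${SALT}" "dig.out.test$n.wait" >/dev/null || return 1
  grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" >/dev/null || return 1
  return 0
}

# The apex NSEC record indicates that it is signed.
# Succeeds once the apex NSEC (type bitmap containing NS SOA) and an
# RRSIG are present and no NSEC3PARAM is listed.  Intended for retry_quiet.
_wait_for_nsec() {
  dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC >"dig.out.test$n.wait" || return 1
  grep "NS SOA" "dig.out.test$n.wait" >/dev/null || return 1
  grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" >/dev/null || return 1
  grep "${ZONE}\..*IN.*NSEC3PARAM" "dig.out.test$n.wait" >/dev/null && return 1
  return 0
}

# Wait for the zone to be signed.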
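wait_for_zone_is_signed() {
  # $1 is "nsec3" or anything else (treated as NSEC).  Runs as its own
  # numbered test step: resets $ret and folds the result into $status.
  n=$((n + 1))
  ret=0
  echo_i "wait for ${ZONE} to be signed with $1 ($n)"

  if [ "$1" = "nsec3" ]; then
    retry_quiet 10 _wait_for_nsec3param || log_error "wait for ${ZONE} to be signed failed"
  else
    retry_quiet 10 _wait_for_nsec || log_error "wait for ${ZONE} to be signed failed"
  fi

  test "$ret" -eq 0 || echo_i "failed"
  status=$((status + ret))
}

# Test: check DNSSEC verify
# Transfer $ZONE from $SERVER and run dnssec-verify ($VERIFY) on it.
_check_dnssec_verify() {
  dig_with_opts "@${SERVER}" "${ZONE}" AXFR >"dig.out.test$n.axfr.$ZONE" || return 1
  $VERIFY -z -o "$ZONE" "dig.out.test$n.axfr.$ZONE" >"verify.out.test$n.$ZONE" 2>&1 || return 1
  return 0
}

# Test: check NSEC in answers
# An NSEC zone must not answer with any NSEC3PARAM record.
_check_nsec_nsec3param() {
  dig_with_opts +noquestion "@${SERVER}" "${ZONE}" NSEC3PARAM >"dig.out.test$n.nsec3param.$ZONE" || return 1
  grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" >/dev/null && return 1
  return 0
}

# An NXDOMAIN answer for an NSEC zone must carry the apex NSEC
# (covering NS SOA RRSIG NSEC DNSKEY) and no NSEC3 records.
_check_nsec_nxdomain() {
  dig_with_opts "@${SERVER}" "nosuchname.${ZONE}" >"dig.out.test$n.nxdomain.$ZONE" || return 1
  grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1
  grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" >/dev/null && return 1
  return 0
}

# Run the full set of checks for a zone expected to use NSEC:
# signed, correct DNSKEY RRset, verifiable, no NSEC3PARAM, NSEC NXDOMAIN.
# Each step is numbered and folded into $status.
check_nsec() {
  wait_for_zone_is_signed "nsec"

  n=$((n + 1))
  echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)"
  ret=0
  check_keys
  retry_quiet 10 _check_apex_dnskey || log_error "bad DNSKEY RRset for zone ${ZONE}"
  test "$ret" -eq 0 || echo_i "failed"
  status=$((status + ret))

  n=$((n + 1))
  echo_i "verify DNSSEC for zone ${ZONE} ($n)"
  ret=0
  retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}"
  test "$ret" -eq 0 || echo_i "failed"
  status=$((status + ret))

  n=$((n + 1))
  echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)"
  ret=0
  retry_quiet 10 _check_nsec_nsec3param || log_error "unexpected NSEC3PARAM in response for zone ${ZONE}"
  test "$ret" -eq 0 || echo_i "failed"
  status=$((status + ret))

  n=$((n + 1))
  echo_i "check NXDOMAIN response for zone ${ZONE} ($n)"
  ret=0
  retry_quiet 10 _check_nsec_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
  test "$ret" -eq 0 || echo_i "failed"
  status=$((status + ret))
}

# Test: check NSEC3 parameters in answers
# The apex must publish NSEC3PARAM "1 0 0 ${SALT}".  When no salt is
# expected yet ($SALT empty) the salt named actually chose is recorded
# from the answer (field 8 of the NSEC3PARAM line) for later checks.
_check_nsec3_nsec3param() {
  dig_with_opts +noquestion "@${SERVER}" "${ZONE}" NSEC3PARAM >"dig.out.test$n.nsec3param.$ZONE" || return 1
  grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*0.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" >/dev/null || return 1

  if [ -z "$SALT" ]; then
    SALT=$(awk '$4 == "NSEC3PARAM" { print $8 }' "dig.out.test$n.nsec3param.$ZONE")
  fi
  return 0
}

# An NXDOMAIN answer for an NSEC3 zone must carry an NSEC3 record with
# hash 1, the expected $FLAGS, 0 iterations and the expected $SALT.
_check_nsec3_nxdomain() {
  dig_with_opts "@${SERVER}" "nosuchname.${ZONE}" >"dig.out.test$n.nxdomain.$ZONE" || return 1
  grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*0.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1
  return 0
}

# Run the full set of checks for a zone expected to use NSEC3:
# signed, NSEC3PARAM published, NSEC3 NXDOMAIN, verifiable.
# Each step is numbered and folded into $status.
check_nsec3() {
  wait_for_zone_is_signed "nsec3"

  n=$((n + 1))
  echo_i "check that NSEC3PARAM 1 0 0 ${SALT} is published zone ${ZONE} ($n)"
  ret=0
  retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}"
  test "$ret" -eq 0 || echo_i "failed"
  status=$((status + ret))

  n=$((n + 1))
  echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} 0 ${SALT} for zone ${ZONE} ($n)"
  ret=0
  retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
  test "$ret" -eq 0 || echo_i "failed"
  status=$((status + ret))

  n=$((n + 1))
  echo_i "verify DNSSEC for zone ${ZONE} ($n)"
  ret=0
  retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}"
  test "$ret" -eq 0 || echo_i "failed"
  status=$((status + ret))
}

start_time="$(TZ=UTC date +%s)"
status=0
n=0

key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Zone: nsec-to-nsec3.kasp.
set_zone_policy "nsec-to-nsec3.kasp" "nsec" 1 3600
set_server "ns3" "10.53.0.3"
set_key_default_values "KEY1"
echo_i "initial check zone ${ZONE}"
check_nsec

# RSASHA1_SUPPORTED is expected to be provided by the sourced conf.sh;
# quoted so an unset value compares as "not supported" instead of
# producing a test(1) syntax error.
if [ "$RSASHA1_SUPPORTED" = 1 ]; then
  # Zone: rsasha1-to-nsec3.kasp.
  set_zone_policy "rsasha1-to-nsec3.kasp" "rsasha1" 1 3600
  set_server "ns3" "10.53.0.3"
  set_key_rsasha1_values "KEY1"
  echo_i "initial check zone ${ZONE}"
  check_nsec

  # Zone: rsasha1-to-nsec3-wait.kasp.
  set_zone_policy "rsasha1-to-nsec3-wait.kasp" "rsasha1" 1 3600
  set_server "ns3" "10.53.0.3"
  set_key_rsasha1_values "KEY1"
  set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
  echo_i "initial check zone ${ZONE}"
  check_nsec

  # Zone: nsec3-to-rsasha1.kasp.
  set_zone_policy "nsec3-to-rsasha1.kasp" "nsec3" 1 3600
  set_server "ns3" "10.53.0.3"
  set_key_rsasha1_values "KEY1"
  echo_i "initial check zone ${ZONE}"
  check_nsec3

  # Zone: nsec3-to-rsasha1-ds.kasp.
  set_zone_policy "nsec3-to-rsasha1-ds.kasp" "nsec3" 1 3600
  set_server "ns3" "10.53.0.3"
  set_key_rsasha1_values "KEY1"
  set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
  echo_i "initial check zone ${ZONE}"
  check_nsec3
fi

# Zone: nsec3.kasp.
set_zone_policy "nsec3.kasp" "nsec3" 1 3600
set_nsec3param "0" "0"
set_key_default_values "KEY1"
echo_i "initial check zone ${ZONE}"
check_nsec3

# Zone: nsec3-dynamic.kasp.
set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600
set_nsec3param "0" "0"
set_key_default_values "KEY1"
echo_i "initial check zone ${ZONE}"
check_nsec3

# Zone: nsec3-change.kasp.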
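set_zone_policy "nsec3-change.kasp" "nsec3" 1 3600
set_nsec3param "0" "0"
set_key_default_values "KEY1"
echo_i "initial check zone ${ZONE}"
check_nsec3

# Test that NSEC3PARAM TTL is equal to SOA MINIMUM.
n=$((n + 1))
echo_i "check TTL of NSEC3PARAM in zone $ZONE is equal to SOA MINIMUM ($n)"
ret=0
dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM >"dig.out.test$n" || ret=1
grep "${ZONE}\..*3600.*IN.*NSEC3PARAM" "dig.out.test$n" >/dev/null || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))

# Update SOA MINIMUM.
# Reload the zone from template2.db.in and wait for the new SOA to be
# served.  The errors logged here are counted: $ret is reset first and
# folded into $status afterwards, before the next check_nsec3 resets it.
ret=0
cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db"
rndccmd "$SERVER" reload "$ZONE" >"rndc.reload.test$n.$ZONE" || log_error "failed to call rndc reload $ZONE"
# Succeeds once the apex SOA matches the reloaded template
# (the pattern ends in the new minimum, 900).  Intended for retry_quiet.
_wait_for_new_soa() {
  dig_with_opts +noquestion "@${SERVER}" "$ZONE" SOA >"dig.out.soa.test$n" || return 1
  grep "${ZONE}\..*IN.*SOA.*mname1..*..*20.*20.*.1814400.*900" "dig.out.soa.test$n" >/dev/null || return 1
}
retry_quiet 10 _wait_for_new_soa || log_error "failed to update SOA record in zone $ZONE"
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))

# Zone: nsec3-dynamic-change.kasp.
set_zone_policy "nsec3-dynamic-change.kasp" "nsec3" 1 3600
set_nsec3param "0" "0"
set_key_default_values "KEY1"
echo_i "initial check zone ${ZONE}"
check_nsec3

# Zone: nsec3-dynamic-to-inline.kasp.
set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
set_nsec3param "0" "0"
set_key_default_values "KEY1"
echo_i "initial check zone ${ZONE}"
check_nsec3

# Zone: nsec3-inline-to-dynamic.kasp.
set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
set_nsec3param "0" "0"
set_key_default_values "KEY1"
echo_i "initial check zone ${ZONE}"
check_nsec3

# Zone: nsec3-to-nsec.kasp.
set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600
set_nsec3param "0" "0"
set_key_default_values "KEY1"
echo_i "initial check zone ${ZONE}"
check_nsec3

# Zone: nsec3-to-optout.kasp.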
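set_zone_policy "nsec3-to-optout.kasp" "nsec3" 1 3600
set_nsec3param "0" "0"
set_key_default_values "KEY1"
echo_i "initial check zone ${ZONE}"
check_nsec3

# Zone: nsec3-from-optout.kasp.
set_zone_policy "nsec3-from-optout.kasp" "optout" 1 3600
set_nsec3param "1" "0"
set_key_default_values "KEY1"
echo_i "initial check zone ${ZONE}"
check_nsec3

# Zone: nsec3-other.kasp.
set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600
set_nsec3param "1" "8"
set_key_default_values "KEY1"
echo_i "initial check zone ${ZONE}"
check_nsec3

# Zone: nsec3-xfr-inline.kasp.
# This is a secondary zone, where the primary is signed with NSEC3 but
# the dnssec-policy dictates NSEC.
set_zone_policy "nsec3-xfr-inline.kasp" "nsec" 1 3600
set_key_default_values "KEY1"
echo_i "initial check zone ${ZONE}"
check_nsec

# Zone: nsec3-dynamic-update-inline.kasp.
set_zone_policy "nsec3-dynamic-update-inline.kasp" "nsec" 1 3600
set_key_default_values "KEY1"
echo_i "initial check zone ${ZONE}"
check_nsec

n=$((n + 1))
echo_i "dynamic update dnssec-policy zone ${ZONE} with NSEC3 ($n)"
ret=0
# Negative test: a client may not add explicit NSEC3 records to a secure
# zone, so this update must be REFUSED.  nsupdate's own exit status is
# deliberately ignored (it may report the refusal as a failure); the
# assertion is the REFUSED line in the server log, checked below.
$NSUPDATE >"update.out.$ZONE.test$n" 2>&1 <<END || true
server 10.53.0.3 ${PORT}
zone ${ZONE}.
update add 04O18462RI5903H8RDVL0QDT5B528DUJ.${ZONE}. 3600 NSEC3 0 0 0 408A4B2D412A4E95 1JMDDPMTFF8QQLIOINSIG4CR9OTICAOC A RRSIG
send
END
wait_for_log 10 "updating zone '${ZONE}/IN': update failed: explicit NSEC3 updates are not allowed in secure zones (REFUSED)" ns3/named.run || ret=1
# Fold the result now: check_nsec resets $ret, which previously caused
# a missing REFUSED log line to go uncounted in $status.
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
check_nsec

# Reconfig named.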
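ret=0
echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
# Quoted so an unset RSASHA1_SUPPORTED takes the non-FIPS branch
# instead of producing a test(1) syntax error.
if [ "$RSASHA1_SUPPORTED" = 0 ]; then
  copy_setports ns3/named2-fips.conf.in ns3/named.conf
else
  copy_setports ns3/named2-fips.conf.in ns3/named-fips.conf
  # includes named-fips.conf
  cp ns3/named2.conf.in ns3/named.conf
fi
rndc_reconfig ns3 10.53.0.3

# Zone: nsec-to-nsec3.kasp. (reconfigured)
set_zone_policy "nsec-to-nsec3.kasp" "nsec3" 1 3600
set_nsec3param "0" "0"
set_key_default_values "KEY1"
echo_i "check zone ${ZONE} after reconfig"
check_nsec3

if [ "$RSASHA1_SUPPORTED" = 1 ]; then
  # Zone: rsasha1-to-nsec3.kasp.
  # KEY1 (RSASHA1) is being retired, KEY2 (default algorithm) introduced.
  set_zone_policy "rsasha1-to-nsec3.kasp" "nsec3" 2 3600
  set_server "ns3" "10.53.0.3"
  set_key_rsasha1_values "KEY1"
  set_key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden"
  set_keysigning "KEY1" "no"
  set_zonesigning "KEY1" "no"
  set_key_default_values "KEY2"
  echo_i "check zone ${ZONE} after reconfig"
  check_nsec3

  # Zone: rsasha1-to-nsec3-wait.kasp.
  set_zone_policy "rsasha1-to-nsec3-wait.kasp" "nsec3" 2 3600
  set_server "ns3" "10.53.0.3"
  set_key_rsasha1_values "KEY1"
  set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
  set_key_default_values "KEY2"
  echo_i "check zone ${ZONE} after reconfig"
  check_nsec

  # Zone: nsec3-to-rsasha1.kasp.
  set_zone_policy "nsec3-to-rsasha1.kasp" "rsasha1" 2 3600
  set_nsec3param "1" "0"
  set_server "ns3" "10.53.0.3"
  set_key_default_values "KEY1"
  set_key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden"
  set_keysigning "KEY1" "no"
  set_zonesigning "KEY1" "no"
  set_key_rsasha1_values "KEY2"
  echo_i "check zone ${ZONE} after reconfig"
  check_nsec

  # Zone: nsec3-to-rsasha1-ds.kasp.
  set_zone_policy "nsec3-to-rsasha1-ds.kasp" "rsasha1" 2 3600
  set_nsec3param "1" "0"
  set_server "ns3" "10.53.0.3"
  set_key_default_values "KEY1"
  set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
  set_key_rsasha1_values "KEY2"
  echo_i "check zone ${ZONE} after reconfig"
  check_nsec

  key_clear "KEY1"
  key_clear "KEY2"
fi

# Zone: nsec3.kasp. (same)
set_zone_policy "nsec3.kasp" "nsec3" 1 3600
set_nsec3param "0" "0"
set_key_default_values "KEY1"
echo_i "check zone ${ZONE} after reconfig"
check_nsec3

# Zone: nsec3-dynamic.kasp. (same)
set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600
set_nsec3param "0" "0"
set_key_default_values "KEY1"
echo_i "check zone ${ZONE} after reconfig"
check_nsec3

# Zone: nsec3-change.kasp. (reconfigured)
set_zone_policy "nsec3-change.kasp" "nsec3-other" 1 3600
set_nsec3param "1" "8"
set_key_default_values "KEY1"
echo_i "check zone ${ZONE} after reconfig"
check_nsec3

# Test that NSEC3PARAM TTL is equal to new SOA MINIMUM.
n=$((n + 1))
echo_i "check TTL of NSEC3PARAM in zone $ZONE is updated after SOA MINIMUM changed ($n)"
ret=0
# Check NSEC3PARAM TTL.
dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM >"dig.out.nsec3param.test$n" || ret=1
grep "${ZONE}\..*900.*IN.*NSEC3PARAM" "dig.out.nsec3param.test$n" >/dev/null || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))

# Using rndc signing -nsec3param (should fail)
# A dnssec-policy zone must not let its NSEC3 settings be changed via
# "rndc signing"; the expected outcome is the pointer to "rndc dnssec".
# $ret is reset and folded here so a silently accepted change is
# counted (check_nsec3 resets $ret and would otherwise discard it).
ret=0
echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
rndccmd "$SERVER" signing -nsec3param 1 1 12 ffff "$ZONE" >"rndc.signing.test$n.$ZONE" || log_error "failed to call rndc signing -nsec3param $ZONE"
grep "zone uses dnssec-policy, use rndc dnssec command instead" "rndc.signing.test$n.$ZONE" >/dev/null || log_error "rndc signing -nsec3param should fail"
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
check_nsec3

# Zone: nsec3-dynamic-change.kasp. (reconfigured)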
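set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other" 1 3600
set_nsec3param "1" "8"
set_key_default_values "KEY1"
echo_i "check zone ${ZONE} after reconfig"
check_nsec3

# Zone: nsec3-dynamic-to-inline.kasp. (same)
set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
set_nsec3param "0" "0"
set_key_default_values "KEY1"
echo_i "check zone ${ZONE} after reconfig"
check_nsec3

# Zone: nsec3-inline-to-dynamic.kasp. (same)
set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
set_nsec3param "0" "0"
set_key_default_values "KEY1"
echo_i "check zone ${ZONE} after reconfig"
check_nsec3

# Zone: nsec3-to-nsec.kasp. (reconfigured)
set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600
set_nsec3param "1" "8"
set_key_default_values "KEY1"
echo_i "check zone ${ZONE} after reconfig"
check_nsec

# Zone: nsec3-to-optout.kasp. (reconfigured)
# DISABLED:
# There is a bug in the nsec3param building code that thinks when the
# optout bit is changed, the chain already exists. [GL #2216]
#set_zone_policy "nsec3-to-optout.kasp" "optout" 1 3600
#set_nsec3param "1" "0"
#set_key_default_values "KEY1"
#echo_i "check zone ${ZONE} after reconfig"
#check_nsec3

# Zone: nsec3-from-optout.kasp. (reconfigured)
# DISABLED:
# There is a bug in the nsec3param building code that thinks when the
# optout bit is changed, the chain already exists. [GL #2216]
#set_zone_policy "nsec3-from-optout.kasp" "nsec3" 1 3600
#set_nsec3param "0" "0"
#set_key_default_values "KEY1"
#echo_i "check zone ${ZONE} after reconfig"
#check_nsec3

# Zone: nsec3-other.kasp. (same)
set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600
set_nsec3param "1" "8"
set_key_default_values "KEY1"
echo_i "check zone ${ZONE} after reconfig"
check_nsec3

# Test NSEC3 and NSEC3PARAM is the same after restart
set_zone_policy "nsec3.kasp" "nsec3" 1 3600
set_nsec3param "0" "0"
set_key_default_values "KEY1"
echo_i "check zone ${ZONE} before restart"
check_nsec3

# Restart named, NSEC3 should stay the same.
ret=0
echo_i "stop ns3"
stop_server --use-rndc --port "${CONTROLPORT}" "${DIR}" || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))

ret=0
echo_i "start ns3"
# Mirror the stop step: record a failed start in $ret instead of leaving
# the following check dead.
start_server --noclean --restart --port "${PORT}" "${DIR}" || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))

# set_nsec3param clears $SALT; restore the salt recorded before the
# restart so check_nsec3 asserts it is unchanged.
prevsalt="${SALT}"
set_zone_policy "nsec3.kasp" "nsec3" 1 3600
set_nsec3param "0" "0"
set_key_default_values "KEY1"
SALT="${prevsalt}"
echo_i "check zone ${ZONE} after restart has salt ${SALT}"
check_nsec3

# Zone: nsec3-fails-to-load.kasp. (should be fixed after reload)
cp ns3/template.db.in ns3/nsec3-fails-to-load.kasp.db
rndc_reload ns3 10.53.0.3

set_zone_policy "nsec3-fails-to-load.kasp" "nsec3" 1 3600
set_nsec3param "0" "0"
set_key_default_values "KEY1"
echo_i "check zone ${ZONE} after reload"
check_nsec3

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1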