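/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0.  If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

// NS9

/*
 * NS9 is the primary for every zone below.  Each zone exercises one
 * DS publication or withdrawal scenario against its parental agents.
 *
 * @PORT@, @CONTROLPORT@ and @DEFAULT_HMAC@ are template placeholders,
 * presumably substituted by the test harness before named reads this
 * file -- confirm against the harness.
 *
 * NOTE(review): several settings here (open zone transfers, a control
 * channel open to any address, a hard-coded rndc secret) are fixture
 * choices.  They are tolerable only because the server binds to the
 * private address 10.53.0.9; none of them should be copied into a
 * deployed configuration.
 */

include "trusted.conf";

options {
	query-source address 10.53.0.9;
	notify-source 10.53.0.9;
	transfer-source 10.53.0.9;
	port @PORT@;
	pid-file "named.pid";
	listen-on { 10.53.0.9; };
	listen-on-v6 { none; };
	/*
	 * Fixture only: any client may transfer any zone.  A deployed
	 * primary restricts this to its secondaries (ACL or TSIG key).
	 */
	allow-transfer { any; };
	recursion no;
	dnssec-validation yes;
};

/*
 * Fixture only: a short, fixed secret stored in the tree.  A deployed
 * server uses a generated key (for example from rndc-confgen) kept in
 * a file that only named can read.
 */
key rndc_key {
	secret "1234abcd8765";
	algorithm @DEFAULT_HMAC@;
};

/*
 * "allow { any; }" accepts control connections from any source
 * address, so rndc_key is the only thing protecting this channel.
 */
controls {
	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};

/* Named server list; referenced below as parental-agents { "ns8"; }. */
remote-servers "ns8" port @PORT@ {
	10.53.0.8;
};

zone "." {
	type hint;
	file "../../_common/root.hint";
};

/*
 * 1.     Enabling DNSSEC
 * 1.1    - With one parental agent
 * 1.1.1. - DS is correctly published in the parent.
 */
zone "good.explicit.dspublish.ns2" {
	type primary;
	file "good.explicit.dspublish.ns2.db";
	dnssec-policy "default";
	parental-agents { 10.53.0.8 port @PORT@; };
};

/* Same as above, but now with a reference to parental-agents. */
zone "reference.explicit.dspublish.ns2" {
	type primary;
	file "reference.explicit.dspublish.ns2.db";
	dnssec-policy "default";
	parental-agents { "ns8"; };
};

/* Same as above, but now with resolver parental agent configured. */
zone "resolver.explicit.dspublish.ns2" {
	type primary;
	file "resolver.explicit.dspublish.ns2.db";
	dnssec-policy "default";
	parental-agents {
		10.53.0.3 port @PORT@;
	};
};

/* Same as above, but now with auto parental agents. */
zone "good.yes.dspublish.ns2" {
	type primary;
	file "good.yes.dspublish.ns2.db";
	dnssec-policy "default";
};

/* Same as above, but with checkds disabled. */
zone "good.no.dspublish.ns2" {
	type primary;
	file "good.no.dspublish.ns2.db";
	dnssec-policy "default";
	checkds no;
};

/* Same as auto parental agents, but now without empty non-terminals. */
zone "no-ent.ns2" {
	type primary;
	file "no-ent.ns2.db";
	dnssec-policy "default";
};

/*
 * 1.     Enabling DNSSEC
 * 1.1    - With one parental agent
 * 1.1.2. - DS is not (yet) published in the parent.
 */
zone "not-yet.explicit.dspublish.ns5" {
	type primary;
	file "not-yet.explicit.dspublish.ns5.db";
	dnssec-policy "default";
	parental-agents {
		10.53.0.5 port @PORT@; // DS missing at this agent
	};
};

zone "not-yet.yes.dspublish.ns5" {
	type primary;
	file "not-yet.yes.dspublish.ns5.db";
	dnssec-policy "default";
};

/*
 * 1.     Enabling DNSSEC
 * 1.1    - With one parental agent
 * 1.1.3. - The parental agent is badly configured.
 */
zone "bad.explicit.dspublish.ns6" {
	type primary;
	file "bad.explicit.dspublish.ns6.db";
	dnssec-policy "default";
	parental-agents {
		10.53.0.6 port @PORT@; // badly configured agent
	};
};

zone "bad.yes.dspublish.ns6" {
	type primary;
	file "bad.yes.dspublish.ns6.db";
	dnssec-policy "default";
};

/*
 * 1.     Enabling DNSSEC
 * 1.1    - With one parental agent
 * 1.1.4. - DS is published, but has bogus signature
 */
// TODO

/*
 * 1.     Enabling DNSSEC
 * 1.2    - With multiple parental agents
 * 1.2.1. - DS is correctly published in all parents.
 */
zone "good.explicit.dspublish.ns2-4" {
	type primary;
	file "good.explicit.dspublish.ns2-4.db";
	dnssec-policy "default";
	parental-agents {
		10.53.0.8 port @PORT@;
		10.53.0.4 port @PORT@;
	};
};

zone "good.yes.dspublish.ns2-4" {
	type primary;
	file "good.yes.dspublish.ns2-4.db";
	dnssec-policy "default";
};

zone "good.no.dspublish.ns2-4" {
	type primary;
	file "good.no.dspublish.ns2-4.db";
	dnssec-policy "default";
	checkds no;
};

/*
 * 1.     Enabling DNSSEC
 * 1.2    - With multiple parental agents
 * 1.2.2. - DS is not (yet) published in some parents.
 */
zone "incomplete.explicit.dspublish.ns2-4-5" {
	type primary;
	file "incomplete.explicit.dspublish.ns2-4-5.db";
	dnssec-policy "default";
	parental-agents {
		10.53.0.8 port @PORT@;
		10.53.0.4 port @PORT@;
		10.53.0.5 port @PORT@; // DS missing at this agent
	};
};

zone "incomplete.yes.dspublish.ns2-4-5" {
	type primary;
	file "incomplete.yes.dspublish.ns2-4-5.db";
	dnssec-policy "default";
};

/*
 * 1.     Enabling DNSSEC
 * 1.2    - With multiple parental agents
 * 1.2.3. - One parental agent is badly configured.
 */
zone "bad.explicit.dspublish.ns2-4-6" {
	type primary;
	file "bad.explicit.dspublish.ns2-4-6.db";
	dnssec-policy "default";
	parental-agents {
		10.53.0.8 port @PORT@;
		10.53.0.4 port @PORT@;
		10.53.0.6 port @PORT@; // badly configured agent
	};
};

zone "bad.yes.dspublish.ns2-4-6" {
	type primary;
	file "bad.yes.dspublish.ns2-4-6.db";
	dnssec-policy "default";
};

/*
 * 1.     Enabling DNSSEC
 * 1.2    - With multiple parental agents
 * 1.2.4. - DS is completely published, bogus signature.
 */
// TODO

// TODO: Other test cases:
// - check with TSIG
// - check with TLS
//
// Until those exist, every parental-agents entry in this file is an
// address and port only, with no key or tls clause, so the DS checks
// run over unauthenticated plain DNS.

/*
 * 2.     Going insecure
 * 2.1    - With one parental agent
 * 2.1.1. - DS is correctly withdrawn from the parent.
 *
 * "insecure" is BIND's built-in policy for unsigning a zone.
 */
zone "good.explicit.dsremoved.ns5" {
	type primary;
	file "good.explicit.dsremoved.ns5.db";
	dnssec-policy "insecure";
	parental-agents { 10.53.0.10 port @PORT@; };
};

/*
 * NOTE(review): this zone uses dnssec-policy "default" although most
 * zones in section 2 use "insecure" -- confirm this is intentional.
 */
zone "resolver.explicit.dsremoved.ns5" {
	type primary;
	file "resolver.explicit.dsremoved.ns5.db";
	dnssec-policy "default";
	parental-agents {
		10.53.0.3 port @PORT@;
	};
};

zone "good.yes.dsremoved.ns5" {
	type primary;
	file "good.yes.dsremoved.ns5.db";
	dnssec-policy "insecure";
};

zone "good.no.dsremoved.ns5" {
	type primary;
	file "good.no.dsremoved.ns5.db";
	dnssec-policy "insecure";
	checkds no;
};

/*
 * NOTE(review): dnssec-policy "default" in the "going insecure"
 * section, as with the resolver zone above -- confirm intentional.
 */
zone "no-ent.ns5" {
	type primary;
	file "no-ent.ns5.db";
	dnssec-policy "default";
};

/*
 * 2.     Going insecure
 * 2.1    - With one parental agent
 * 2.1.2. - DS is (still) published in the parent.
 */
zone "still-there.explicit.dsremoved.ns2" {
	type primary;
	file "still-there.explicit.dsremoved.ns2.db";
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.2 port @PORT@; // DS still published at this agent
	};
};

zone "still-there.yes.dsremoved.ns2" {
	type primary;
	file "still-there.yes.dsremoved.ns2.db";
	dnssec-policy "insecure";
};

/*
 * 2.     Going insecure
 * 2.1    - With one parental agent
 * 2.1.3. - The parental agent is badly configured.
 */
zone "bad.explicit.dsremoved.ns6" {
	type primary;
	file "bad.explicit.dsremoved.ns6.db";
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.6 port @PORT@; // badly configured agent
	};
};

zone "bad.yes.dsremoved.ns6" {
	type primary;
	file "bad.yes.dsremoved.ns6.db";
	dnssec-policy "insecure";
};

/*
 * 2.     Going insecure
 * 2.1    - With one parental agent
 * 2.1.4. - DS is withdrawn, but has bogus signature.
 */
// TODO

/*
 * 2.     Going insecure
 * 2.2.   - With multiple parental agents
 * 2.2.1. - DS is correctly withdrawn from all parents.
 */
zone "good.explicit.dsremoved.ns5-7" {
	type primary;
	file "good.explicit.dsremoved.ns5-7.db";
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.10 port @PORT@;
		10.53.0.7 port @PORT@;
	};
};

zone "good.yes.dsremoved.ns5-7" {
	type primary;
	file "good.yes.dsremoved.ns5-7.db";
	dnssec-policy "insecure";
};

zone "good.no.dsremoved.ns5-7" {
	type primary;
	file "good.no.dsremoved.ns5-7.db";
	dnssec-policy "insecure";
	checkds no;
};

/*
 * 2.     Going insecure
 * 2.2.   - With multiple parental agents
 * 2.2.2. - DS is not (yet) withdrawn from some parents.
 */
zone "incomplete.explicit.dsremoved.ns2-5-7" {
	type primary;
	file "incomplete.explicit.dsremoved.ns2-5-7.db";
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.2 port @PORT@; // DS still published at this agent
		10.53.0.10 port @PORT@;
		10.53.0.7 port @PORT@;
	};
};

zone "incomplete.yes.dsremoved.ns2-5-7" {
	type primary;
	file "incomplete.yes.dsremoved.ns2-5-7.db";
	dnssec-policy "insecure";
};

/*
 * 2.     Going insecure
 * 2.2.   - With multiple parental agents
 * 2.2.3. - One parental agent is badly configured.
 */
zone "bad.explicit.dsremoved.ns5-6-7" {
	type primary;
	file "bad.explicit.dsremoved.ns5-6-7.db";
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.10 port @PORT@;
		10.53.0.7 port @PORT@;
		10.53.0.6 port @PORT@; // badly configured agent
	};
};

zone "bad.yes.dsremoved.ns5-6-7" {
	type primary;
	file "bad.yes.dsremoved.ns5-6-7.db";
	dnssec-policy "insecure";
};

/*
 * 2.     Going insecure
 * 2.2.   - With multiple parental agents
 * 2.2.4. - DS is removed completely, bogus signature
 */
// TODO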