From 4efe5dd3631b2b79f678ead33e5ba7c588a51e26 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 2 May 2018 13:35:46 +0200 Subject: [DNS-1600] Test is disabled until domain is configured --- include/tests_dns | 80 +++++++++++++++++++++++++++---------------------------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/include/tests_dns b/include/tests_dns index 4fbc7caa..378e71ec 100644 --- a/include/tests_dns +++ b/include/tests_dns @@ -22,52 +22,52 @@ # ################################################################################# # - SIGOKDNS="sigok.verteiltesysteme.net" # adress with good DESSEC signiture - SIGFAILDNS="sigfail.verteiltesysteme.net" # adress with bad DESSEC signiture - # TODO update it once cisofy.com records are created - # TODO after update even IP match can be checked to detect highjacking - TIMEOUT=";; connection timed out; no servers could be reached" +# # TODO create records on test domain +# # TODO after update even IP match can be checked to detect hijacking +# SIGOKDNS="sigok.example.org" # adress with good DNSSEC signature +# SIGFAILDNS="sigfail.example.org" # adress with bad DNSSEC signature +# TIMEOUT=";; connection timed out; no servers could be reached" # ################################################################################# # - InsertSection "DNS" +# InsertSection "DNS" # ################################################################################# # - # Test : DNS-1600 - # Description : Validate DNSSEC signiture is checked - Register --test-no DNS-1600 --weight L --network YES --category security --description "Validate DNSSEC igniture is checked" - if [ "${SKIPTEST}" -eq 0 ]; then - if [ ! -z "${DIGBINARY}" ]; then - - GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS) - BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS) - - if [ "$GOOD" = "$TIMEOUT" ] && [ "$BAD" = "$TIMEOUT" ]; then - LogText "Result: Exception found, can't determine DNSSEC validation" - Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW - ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout" - elif [ -z "$GOOD" ] && ! [ -z "$BAD" ]; then - LogText "Result: Exception found, can't determine DNSSEC validation" - Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW - ReportException "${TEST_NO}" "Exception found, OK failed, Bad signiture was accepted" - elif ! [ -z "$GOOD" ] && ! [ -z "$BAD" ]; then - Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW - LogText "Note: Useing DNSsec validation can protect from DNS highjacking" - ReportSuggestion "${TEST_NO}" "Malformated DNS querys are accepted, Configure DNSSEC valdating name servers" - AddHP 2 2 - elif ! [ -z "$GOOD" ] && [ -z "$BAD" ]; then - Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_OK}" --color GREEN - LogText "Result: Malformated DNS responses were ignored" - AddHP 0 2 - fi - else - Display --indent 4 --text "- DESSEC validation" --result "${STATUS_SKIPPED}" --color YELLOW - LogText "Result: dig not installed, test can't be fully performed" - fi - else - LogText "Result: Test was skipped" - fi +# # Test : DNS-1600 +# # Description : Validate DNSSEC signiture is checked +# Register --test-no DNS-1600 --weight L --network YES --category security --description "Validate DNSSEC igniture is checked" +# if [ "${SKIPTEST}" -eq 0 ]; then +# if [ ! -z "${DIGBINARY}" ]; then +# +# GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS) +# BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS) +# +# if [ "${GOOD}" = "${TIMEOUT}" -a "${BAD}" = "${TIMEOUT}" ]; then +# LogText "Result: received timeout, can't determine DNSSEC validation" +# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW +# #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout" +# elif [ -z "${GOOD}" -a ! -z "${BAD}" ]; then +# LogText "Result: good signature failed, yet bad signature was accepted" +# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW +# #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted" +# elif [ ! -z "${GOOD}" -a ! -z "${BAD}" ]; then +# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW +# LogText "Note: Using DNSSEC validation can protect from DNS hijacking" +# #ReportSuggestion "${TEST_NO}" "Altered DNS queries are accepted, configure DNSSEC valdating name servers" +# AddHP 2 2 +# elif [ ! -z "${GOOD}" -a -z "${BAD}" ]; then +# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_OK}" --color GREEN +# LogText "Result: altered DNS responses were ignored" +# AddHP 0 2 +# fi +# else +# Display --indent 4 --text "- DNSSEC validation" --result "${STATUS_SKIPPED}" --color YELLOW +# LogText "Result: dig not installed, test can't be fully performed" +# fi +# else +# LogText "Result: Test was skipped" +# fi # ################################################################################# # -- cgit v1.2.3