bind/bin/tests/system/dnssec/tests_badkey_broken.py

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

from dns import flags

import pytest

import isctest


@pytest.fixture(scope="module", autouse=True)
def reconfigure(ns5, ns9, templates):
    templates.render("ns5/named.conf", {"broken_key": True})
    ns5.reconfigure(log=False)

    templates.render("ns9/named.conf", {"forward_badkey": True})
    ns9.reconfigure(log=False)


def test_broken_forwarding(ns9):
    # check forwarder CD behavior (forward server with bad trust anchor)

    # confirm invalid trust anchor produces SERVFAIL in resolver
    msg = isctest.query.create("a.secure.example.", "A")
    res = isctest.query.tcp(msg, "10.53.0.5")
    isctest.check.servfail(res)

    # check that lookup involving forwarder succeeds and SERVFAIL was received
    with ns9.watch_log_from_here() as watcher:
        msg = isctest.query.create("a.secure.example.", "SOA")
        res = isctest.query.tcp(msg, "10.53.0.9")
        isctest.check.noerror(res)
        assert (res.flags & flags.AD) != 0
        watcher.wait_for_line("status: SERVFAIL")
Split up badkey tests into separate modules If nsX.reconfigure() is used in a way that might affect other tests within the same module, it's best to split up the tests which need the reconfig to a separate module. This ensures the reconfigure() won't interfere with test results in case the tests are executed separately, or in a different order. 2025-07-10 15:21:05 +02:00			`# Copyright (C) Internet Systems Consortium, Inc. ("ISC")`
			`#`
			`# SPDX-License-Identifier: MPL-2.0`
			`#`
			`# This Source Code Form is subject to the terms of the Mozilla Public`
			`# License, v. 2.0. If a copy of the MPL was not distributed with this`
			`# file, you can obtain one at https://mozilla.org/MPL/2.0/.`
			`#`
			`# See the COPYRIGHT file distributed with this work for additional`
			`# information regarding copyright ownership.`

			`from dns import flags`

			`import pytest`

			`import isctest`


			`@pytest.fixture(scope="module", autouse=True)`
Use nsX fixtures rather than servers Rather than using servers["nsX"] syntax, utilize the nsX fixtures to make the test code a bit more concise. See fe5534291699572e67ad4a854b412e40c524307a 2025-07-25 18:29:55 +02:00			`def reconfigure(ns5, ns9, templates):`
Split up badkey tests into separate modules If nsX.reconfigure() is used in a way that might affect other tests within the same module, it's best to split up the tests which need the reconfig to a separate module. This ensures the reconfigure() won't interfere with test results in case the tests are executed separately, or in a different order. 2025-07-10 15:21:05 +02:00			`templates.render("ns5/named.conf", {"broken_key": True})`
			`ns5.reconfigure(log=False)`

			`templates.render("ns9/named.conf", {"forward_badkey": True})`
			`ns9.reconfigure(log=False)`


Use nsX fixtures rather than servers Rather than using servers["nsX"] syntax, utilize the nsX fixtures to make the test code a bit more concise. See fe5534291699572e67ad4a854b412e40c524307a 2025-07-25 18:29:55 +02:00			`def test_broken_forwarding(ns9):`
Split up badkey tests into separate modules If nsX.reconfigure() is used in a way that might affect other tests within the same module, it's best to split up the tests which need the reconfig to a separate module. This ensures the reconfigure() won't interfere with test results in case the tests are executed separately, or in a different order. 2025-07-10 15:21:05 +02:00			`# check forwarder CD behavior (forward server with bad trust anchor)`

			`# confirm invalid trust anchor produces SERVFAIL in resolver`
			`msg = isctest.query.create("a.secure.example.", "A")`
			`res = isctest.query.tcp(msg, "10.53.0.5")`
			`isctest.check.servfail(res)`

			`# check that lookup involving forwarder succeeds and SERVFAIL was received`
			`with ns9.watch_log_from_here() as watcher:`
			`msg = isctest.query.create("a.secure.example.", "SOA")`
			`res = isctest.query.tcp(msg, "10.53.0.9")`
			`isctest.check.noerror(res)`
			`assert (res.flags & flags.AD) != 0`
			`watcher.wait_for_line("status: SERVFAIL")`