# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
import pytest
# Glob patterns for the files the "dnssec" system test produces while it
# runs.  They are handed to the test-suite's custom ``extra_artifacts``
# marker (defined in the project's pytest conftest, not visible here);
# presumably the harness uses them to collect and/or clean up the test
# directory — confirm against the marker's implementation.
#
# The patterns are grouped by the directory they live in purely for
# readability; the resulting list (and its order) is the same as a single
# flat literal would give.

# Files written directly into the test's top-level directory.
_TOP_LEVEL_ARTIFACTS = [
    ".hypothesis/examples/*",
    # BIND's dnssec-keygen naming: K<zone>+<alg>+<id>.key / .private
    "K*",
    "canonical*",
    "delv.out*",
    "dig.out.*",
    "dnssectools.out.*",
    "dsfromkey.out.*",
    "keygen*.err*",
    "named.secroots.*",
    "nsupdate.out.*",
    "python.out.*",
    "rndc.out.*",
    "signing.out.*",
]

# Files that may appear in any server sub-directory (ns*/, signer/, ans*/).
_ANY_SUBDIR_ARTIFACTS = [
    "*/K*",
    "*/dsset-*",
    "*/managed.conf",
    "*/trusted.conf",
    "*/*.bk",
    "*/*.jnl",
    "*/*.jbk",
    "*/*.signed",
    "*/*.mkeys*",
    "ans*/ans.run",
    "ans*/query.log",
]

_NS1_ARTIFACTS = [
    "ns1/managed.key.id",
    "ns1/root.db",
    "ns1/trusted.keys",
]

_NS2_ARTIFACTS = [
    "ns2/algroll.db",
    "ns2/badparam.db",
    "ns2/badparam.db.bad",
    "ns2/cdnskey-update.secure.db",
    "ns2/cdnskey-update.secure.id",
    "ns2/cdnskey-x.secure.db",
    "ns2/cdnskey.secure.db",
    "ns2/cds-update.secure.db",
    "ns2/cds-update.secure.id",
    "ns2/cds-x.secure.db",
    "ns2/cds.secure.db",
    "ns2/dnskey-rrsigs-stripped.db",
    "ns2/dnskey-rrsigs-stripped.db.next",
    "ns2/dnskey-rrsigs-stripped.db.stripped",
    "ns2/child.ds-rrsigs-stripped.db",
    "ns2/ds-rrsigs-stripped.db",
    "ns2/ds-rrsigs-stripped.db.next",
    "ns2/ds-rrsigs-stripped.db.stripped",
    "ns2/example.db",
    "ns2/in-addr.arpa.db",
    "ns2/lazy-ksk.db",
    "ns2/managed.db",
    "ns2/nsec3chain-test.db",
    "ns2/peer-ns-spoof.db",
    "ns2/peer.peer-ns-spoof.db",
    "ns2/peer.peer-ns-spoof.db.next",
    "ns2/peer.peer-ns-spoof.db.stripped",
    "ns2/settime.out.updatecheck-kskonly.secure.ksk",
    "ns2/settime.out.updatecheck-kskonly.secure.zsk",
    "ns2/single-nsec3.db",
    "ns2/too-many-iterations.db",
    "ns2/inconsistent.db",
    "ns2/trusted.db",
    "ns2/updatecheck-kskonly.secure.ksk.id",
    "ns2/updatecheck-kskonly.secure.ksk.key",
    "ns2/updatecheck-kskonly.secure.zsk.id",
    "ns2/updatecheck-kskonly.secure.zsk.id2",
    "ns2/updatecheck-kskonly.secure.zsk.id3",
    "ns2/updatecheck-kskonly.secure.zsk.key",
]

_NS3_ARTIFACTS = [
    "ns3/NSEC",
    "ns3/NSEC3",
    "ns3/auto-nsec.example.db",
    "ns3/auto-nsec3.example.db",
    "ns3/badds.example.db",
    "ns3/bogus.example.db",
    "ns3/digest-alg-unsupported.example.db",
    "ns3/disabled.managed.db",
    "ns3/disabled.trusted.db",
    "ns3/dname-at-apex-nsec3.example.db",
    "ns3/dnskey-nsec3-unknown.example.db",
    "ns3/dnskey-nsec3-unknown.example.db.tmp",
    "ns3/dnskey-unknown.example.db",
    "ns3/dnskey-unknown.example.db.tmp",
    "ns3/dnskey-unsupported-2.example.db",
    "ns3/dnskey-unsupported.example.db",
    "ns3/dnskey-unsupported.example.db.tmp",
    "ns3/ds-unsupported.example.db",
    "ns3/dynamic.example.db",
    "ns3/enabled.managed.db",
    "ns3/enabled.trusted.db",
    "ns3/example.bk",
    "ns3/expired.example.db",
    "ns3/expiring.example.db",
    "ns3/extended-ds-unknown-oid.example.db",
    "ns3/extended-ds-unknown-oid.example.db.stage1",
    "ns3/extended-ds-unknown-oid.example.db.stage2",
    "ns3/extradsoid.example.db",
    "ns3/extradsunknownoid.example.db",
    "ns3/extradsunknownoid.example.db.stage1",
    "ns3/extradsunknownoid.example.db.stage2",
    "ns3/future.example.db",
    "ns3/keyless.example.db",
    "ns3/kskonly.example.db",
    "ns3/localkey.example.db",
    "ns3/lower.example.db",
    "ns3/managed-future.example.db",
    "ns3/multiple.example.db",
    "ns3/nsec3-unknown.example.db",
    "ns3/nsec3.example.db",
    "ns3/nsec3.nsec3.example.db",
    "ns3/nsec3.optout.example.db",
    "ns3/nsec3chain-test.bk",
    "ns3/occluded.example.db",
    "ns3/optout-unknown.example.db",
    "ns3/optout.example.db",
    "ns3/optout.nsec3.example.db",
    "ns3/optout.optout.example.db",
    "ns3/revkey.example.db",
    "ns3/revoked.managed.db",
    "ns3/revoked.trusted.db",
    "ns3/rfc2335.example.bk",
    "ns3/rsasha256.example.db",
    "ns3/rsasha256oid.example.db",
    "ns3/rsasha512.example.db",
    "ns3/rsasha512oid.example.db",
    "ns3/secure.below-cname.example.db",
    "ns3/secure.example.db",
    "ns3/secure.managed.db",
    "ns3/secure.nsec3.example.db",
    "ns3/secure.optout.example.db",
    "ns3/secure.trusted.db",
    "ns3/siginterval.conf",
    "ns3/siginterval.example.db",
    "ns3/split-dnssec.example.db",
    "ns3/split-smart.example.db",
    "ns3/target.peer-ns-spoof.db",
    "ns3/trusted-future.key",
    "ns3/ttlpatch.example.db",
    "ns3/ttlpatch.example.db.patched",
    "ns3/unknownoid.example.db",
    "ns3/unknownoid.example.db.stage1",
    "ns3/unknownoid.example.db.stage2",
    "ns3/unsupported.managed.db",
    "ns3/unsupported.managed.db.tmp",
    "ns3/unsupported.trusted.db",
    "ns3/unsupported.trusted.db.tmp",
    "ns3/update-nsec3.example.db",
    "ns3/update-nsec3.example.db.signed",
    "ns3/upper.example.db",
    "ns3/upper.example.db.lower",
]

# The remaining name servers produce only a handful of files each.
_NS4_TO_NS9_ARTIFACTS = [
    "ns4/broken.conf",
    "ns4/managed.conf",
    "ns4/managed-keys.bind",
    "ns4/named.secroots",
    "ns4/named_dump.db",
    "ns4/named_dump.db.*",
    "ns5/revoked.conf",
    "ns6/optout-tld.db",
    "ns7/split-rrsig.db",
    "ns7/split-rrsig.db.unsplit",
    "ns9/trusted-localkey.conf",
]

# Output of the offline signing steps (dnssec-signzone & friends).
_SIGNER_ARTIFACTS = [
    "signer/example.db",
    "signer/example.db.after",
    "signer/example.db.before",
    "signer/example.db.changed",
    "signer/example2.db",
    "signer/example3.db",
    "signer/general/dnskey.expect",
    "signer/general/dsset-*",
    "signer/general/signed.expect",
    "signer/general/signed.zone",
    "signer/general/signer.out.*",
    "signer/nsec3param.out",
    "signer/prepub.db",
    "signer/revoke.example.db",
    "signer/signer.err.*",
    "signer/signer.out.*",
]

# Module-level marker applied to every test in this file by pytest.
pytestmark = pytest.mark.extra_artifacts(
    [
        *_TOP_LEVEL_ARTIFACTS,
        *_ANY_SUBDIR_ARTIFACTS,
        *_NS1_ARTIFACTS,
        *_NS2_ARTIFACTS,
        *_NS3_ARTIFACTS,
        *_NS4_TO_NS9_ARTIFACTS,
        *_SIGNER_ARTIFACTS,
    ]
)
def test_dnssec(run_tests_sh):
|
|
|
|
run_tests_sh()