bind/bin/tests/system/dnssec/tests_badkey.py

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

from dns import flags

import pytest

import isctest
from isctest.util import param


pytestmark = pytest.mark.extra_artifacts(
    [
        "*/K*",
        "*/dsset-*",
        "*/*.bk",
        "*/*.conf",
        "*/*.db",
        "*/*.id",
        "*/*.jnl",
        "*/*.jbk",
        "*/*.key",
        "*/*.signed",
        "*/settime.out.*",
        "ans*/ans.run",
        "*/trusted.keys",
        "*/*.bad",
        "*/*.next",
        "*/*.stripped",
        "*/*.tmp",
        "*/*.stage?",
        "*/*.patched",
        "*/*.lower",
        "*/*.upper",
        "*/*.unsplit",
    ]
)


@pytest.mark.parametrize(
    "check, qname, qtype",
    [
        param("validation", "example.", "SOA"),
        param("negative-validation", "example.", "PTR"),
        param("insecurity-proof", "a.insecure.example.", "A"),
    ],
)
def test_misconfigured_ta_servfail(check, qname, qtype):
    isctest.log.info(f"check that {check} fails")
    msg = isctest.query.create(qname, qtype)
    res = isctest.query.tcp(msg, "10.53.0.5")
    isctest.check.servfail(res)


@pytest.mark.parametrize(
    "check, qname, qtype, rcode_func",
    [
        param("positive-answer", "example.", "SOA", isctest.check.noerror),
        param("negative-answer", "q.example.", "SOA", isctest.check.nxdomain),
        param("bogus-answer", "a.bogus.example.", "SOA", isctest.check.noerror),
        param("insecurity-proof", "a.insecure.example.", "SOA", isctest.check.noerror),
        param(
            "negative-insecurity-proof",
            "q.insecure.example.",
            "SOA",
            isctest.check.nxdomain,
        ),
    ],
)
def test_misconfigured_ta_with_cd(check, qname, qtype, rcode_func):
    isctest.log.info(f"check {check} with CD=1")
    msg = isctest.query.create(qname, qtype)
    msg.flags |= flags.CD
    res = isctest.query.tcp(msg, "10.53.0.5")
    rcode_func(res)
    isctest.check.noadflag(res)

    isctest.log.debug("compare the response from a correctly configured server")
    res2 = isctest.query.tcp(msg, "10.53.0.4")
    isctest.check.noadflag(res2)
    isctest.check.same_answer(res, res2)


def test_revoked_init(servers, templates):
    # use a revoked key and try to reiniitialize; check for failure
    ns5 = servers["ns5"]
    templates.render("ns5/named.conf", {"revoked_key": True})
    ns5.reconfigure(log=False)

    msg = isctest.query.create(".", "SOA")
    res = isctest.query.tcp(msg, "10.53.0.5")
    isctest.check.servfail(res)


def test_broken_forwarding(servers, templates):
    # check forwarder CD behavior (forward server with bad trust anchor)
    ns5 = servers["ns5"]
    templates.render("ns5/named.conf", {"broken_key": True})
    ns5.reconfigure(log=False)

    ns9 = servers["ns9"]
    templates.render("ns9/named.conf", {"forward_badkey": True})
    ns9.reconfigure(log=False)

    # confirm invalid trust anchor produces SERVFAIL in resolver
    msg = isctest.query.create("a.secure.example.", "A")
    res = isctest.query.tcp(msg, "10.53.0.5")
    isctest.check.servfail(res)

    # check that lookup involving forwarder succeeds and SERVFAIL was received
    with ns9.watch_log_from_here() as watcher:
        msg = isctest.query.create("a.secure.example.", "SOA")
        res = isctest.query.tcp(msg, "10.53.0.9")
        isctest.check.noerror(res)
        assert (res.flags & flags.AD) != 0
        watcher.wait_for_line("status: SERVFAIL")
start converting dnssec system test to python/jinja2 - changed named.conf.in to named.conf.j2 in all server directories that don't currently need to use copy_setports() during the test. - converted the tests that use ns5 to python, and replaced named1.conf.in and named2.conf.in with a jinja2 template instead. the only remaining server that still needs copy_setports() is ns4. - removed ns4/named5.conf.in, and moved its functions to ns5 (which is supposed to be for servers with broken trust-anchor configurations, so it should have been there in the first place). converted the tests that used that ns4 configuration to use ns5 with jinja instead. - revised the remaining ns4 configurations (named[1-4].conf.in) to minimize the differences between them. this will make it easier to convert it into a jinja2 template later. 2025-06-25 19:00:22 -07:00			`# Copyright (C) Internet Systems Consortium, Inc. ("ISC")`
			`#`
			`# SPDX-License-Identifier: MPL-2.0`
			`#`
			`# This Source Code Form is subject to the terms of the Mozilla Public`
			`# License, v. 2.0. If a copy of the MPL was not distributed with this`
			`# file, you can obtain one at https://mozilla.org/MPL/2.0/.`
			`#`
			`# See the COPYRIGHT file distributed with this work for additional`
			`# information regarding copyright ownership.`

			`from dns import flags`

tidy up the dnssec test tree many of the zones in the dnssec system test were identical or had only trivial differences, and it would be easier to keep track of them if they were sourced from template files. also, the extra_artifacts have been simplified and restored to the test files. 2025-07-05 11:12:02 -07:00			`import pytest`

start converting dnssec system test to python/jinja2 - changed named.conf.in to named.conf.j2 in all server directories that don't currently need to use copy_setports() during the test. - converted the tests that use ns5 to python, and replaced named1.conf.in and named2.conf.in with a jinja2 template instead. the only remaining server that still needs copy_setports() is ns4. - removed ns4/named5.conf.in, and moved its functions to ns5 (which is supposed to be for servers with broken trust-anchor configurations, so it should have been there in the first place). converted the tests that used that ns4 configuration to use ns5 with jinja instead. - revised the remaining ns4 configurations (named[1-4].conf.in) to minimize the differences between them. this will make it easier to convert it into a jinja2 template later. 2025-06-25 19:00:22 -07:00			`import isctest`
Parametrize dnssec/tests_badkey.py tests Utilize test parametrization to reduce code duplication. 2025-07-10 15:16:06 +02:00			`from isctest.util import param`
start converting dnssec system test to python/jinja2 - changed named.conf.in to named.conf.j2 in all server directories that don't currently need to use copy_setports() during the test. - converted the tests that use ns5 to python, and replaced named1.conf.in and named2.conf.in with a jinja2 template instead. the only remaining server that still needs copy_setports() is ns4. - removed ns4/named5.conf.in, and moved its functions to ns5 (which is supposed to be for servers with broken trust-anchor configurations, so it should have been there in the first place). converted the tests that used that ns4 configuration to use ns5 with jinja instead. - revised the remaining ns4 configurations (named[1-4].conf.in) to minimize the differences between them. this will make it easier to convert it into a jinja2 template later. 2025-06-25 19:00:22 -07:00

tidy up the dnssec test tree many of the zones in the dnssec system test were identical or had only trivial differences, and it would be easier to keep track of them if they were sourced from template files. also, the extra_artifacts have been simplified and restored to the test files. 2025-07-05 11:12:02 -07:00			`pytestmark = pytest.mark.extra_artifacts(`
			`[`
			`"/K",`
			`"/dsset-",`
			`"/.bk",`
			`"/.conf",`
			`"/.db",`
			`"/.id",`
			`"/.jnl",`
			`"/.jbk",`
			`"/.key",`
			`"/.signed",`
			`"/settime.out.",`
			`"ans*/ans.run",`
			`"*/trusted.keys",`
			`"/.bad",`
			`"/.next",`
			`"/.stripped",`
			`"/.tmp",`
			`"/.stage?",`
			`"/.patched",`
			`"/.lower",`
			`"/.upper",`
			`"/.unsplit",`
			`]`
			`)`


Parametrize dnssec/tests_badkey.py tests Utilize test parametrization to reduce code duplication. 2025-07-10 15:16:06 +02:00			`@pytest.mark.parametrize(`
			`"check, qname, qtype",`
			`[`
			`param("validation", "example.", "SOA"),`
			`param("negative-validation", "example.", "PTR"),`
			`param("insecurity-proof", "a.insecure.example.", "A"),`
			`],`
			`)`
			`def test_misconfigured_ta_servfail(check, qname, qtype):`
			`isctest.log.info(f"check that {check} fails")`
			`msg = isctest.query.create(qname, qtype)`
start converting dnssec system test to python/jinja2 - changed named.conf.in to named.conf.j2 in all server directories that don't currently need to use copy_setports() during the test. - converted the tests that use ns5 to python, and replaced named1.conf.in and named2.conf.in with a jinja2 template instead. the only remaining server that still needs copy_setports() is ns4. - removed ns4/named5.conf.in, and moved its functions to ns5 (which is supposed to be for servers with broken trust-anchor configurations, so it should have been there in the first place). converted the tests that used that ns4 configuration to use ns5 with jinja instead. - revised the remaining ns4 configurations (named[1-4].conf.in) to minimize the differences between them. this will make it easier to convert it into a jinja2 template later. 2025-06-25 19:00:22 -07:00			`res = isctest.query.tcp(msg, "10.53.0.5")`
			`isctest.check.servfail(res)`


Parametrize dnssec/tests_badkey.py tests Utilize test parametrization to reduce code duplication. 2025-07-10 15:16:06 +02:00			`@pytest.mark.parametrize(`
			`"check, qname, qtype, rcode_func",`
			`[`
			`param("positive-answer", "example.", "SOA", isctest.check.noerror),`
			`param("negative-answer", "q.example.", "SOA", isctest.check.nxdomain),`
			`param("bogus-answer", "a.bogus.example.", "SOA", isctest.check.noerror),`
			`param("insecurity-proof", "a.insecure.example.", "SOA", isctest.check.noerror),`
			`param(`
			`"negative-insecurity-proof",`
			`"q.insecure.example.",`
			`"SOA",`
			`isctest.check.nxdomain,`
			`),`
			`],`
			`)`
			`def test_misconfigured_ta_with_cd(check, qname, qtype, rcode_func):`
			`isctest.log.info(f"check {check} with CD=1")`
			`msg = isctest.query.create(qname, qtype)`
start converting dnssec system test to python/jinja2 - changed named.conf.in to named.conf.j2 in all server directories that don't currently need to use copy_setports() during the test. - converted the tests that use ns5 to python, and replaced named1.conf.in and named2.conf.in with a jinja2 template instead. the only remaining server that still needs copy_setports() is ns4. - removed ns4/named5.conf.in, and moved its functions to ns5 (which is supposed to be for servers with broken trust-anchor configurations, so it should have been there in the first place). converted the tests that used that ns4 configuration to use ns5 with jinja instead. - revised the remaining ns4 configurations (named[1-4].conf.in) to minimize the differences between them. this will make it easier to convert it into a jinja2 template later. 2025-06-25 19:00:22 -07:00			`msg.flags \|= flags.CD`
			`res = isctest.query.tcp(msg, "10.53.0.5")`
Parametrize dnssec/tests_badkey.py tests Utilize test parametrization to reduce code duplication. 2025-07-10 15:16:06 +02:00			`rcode_func(res)`
			`isctest.check.noadflag(res)`
start converting dnssec system test to python/jinja2 - changed named.conf.in to named.conf.j2 in all server directories that don't currently need to use copy_setports() during the test. - converted the tests that use ns5 to python, and replaced named1.conf.in and named2.conf.in with a jinja2 template instead. the only remaining server that still needs copy_setports() is ns4. - removed ns4/named5.conf.in, and moved its functions to ns5 (which is supposed to be for servers with broken trust-anchor configurations, so it should have been there in the first place). converted the tests that used that ns4 configuration to use ns5 with jinja instead. - revised the remaining ns4 configurations (named[1-4].conf.in) to minimize the differences between them. this will make it easier to convert it into a jinja2 template later. 2025-06-25 19:00:22 -07:00
Parametrize dnssec/tests_badkey.py tests Utilize test parametrization to reduce code duplication. 2025-07-10 15:16:06 +02:00			`isctest.log.debug("compare the response from a correctly configured server")`
start converting dnssec system test to python/jinja2 - changed named.conf.in to named.conf.j2 in all server directories that don't currently need to use copy_setports() during the test. - converted the tests that use ns5 to python, and replaced named1.conf.in and named2.conf.in with a jinja2 template instead. the only remaining server that still needs copy_setports() is ns4. - removed ns4/named5.conf.in, and moved its functions to ns5 (which is supposed to be for servers with broken trust-anchor configurations, so it should have been there in the first place). converted the tests that used that ns4 configuration to use ns5 with jinja instead. - revised the remaining ns4 configurations (named[1-4].conf.in) to minimize the differences between them. this will make it easier to convert it into a jinja2 template later. 2025-06-25 19:00:22 -07:00			`res2 = isctest.query.tcp(msg, "10.53.0.4")`
Parametrize dnssec/tests_badkey.py tests Utilize test parametrization to reduce code duplication. 2025-07-10 15:16:06 +02:00			`isctest.check.noadflag(res2)`
			`isctest.check.same_answer(res, res2)`
start converting dnssec system test to python/jinja2 - changed named.conf.in to named.conf.j2 in all server directories that don't currently need to use copy_setports() during the test. - converted the tests that use ns5 to python, and replaced named1.conf.in and named2.conf.in with a jinja2 template instead. the only remaining server that still needs copy_setports() is ns4. - removed ns4/named5.conf.in, and moved its functions to ns5 (which is supposed to be for servers with broken trust-anchor configurations, so it should have been there in the first place). converted the tests that used that ns4 configuration to use ns5 with jinja instead. - revised the remaining ns4 configurations (named[1-4].conf.in) to minimize the differences between them. this will make it easier to convert it into a jinja2 template later. 2025-06-25 19:00:22 -07:00

			`def test_revoked_init(servers, templates):`
			`# use a revoked key and try to reiniitialize; check for failure`
			`ns5 = servers["ns5"]`
			`templates.render("ns5/named.conf", {"revoked_key": True})`
			`ns5.reconfigure(log=False)`

			`msg = isctest.query.create(".", "SOA")`
			`res = isctest.query.tcp(msg, "10.53.0.5")`
			`isctest.check.servfail(res)`


			`def test_broken_forwarding(servers, templates):`
			`# check forwarder CD behavior (forward server with bad trust anchor)`
			`ns5 = servers["ns5"]`
			`templates.render("ns5/named.conf", {"broken_key": True})`
			`ns5.reconfigure(log=False)`

			`ns9 = servers["ns9"]`
			`templates.render("ns9/named.conf", {"forward_badkey": True})`
			`ns9.reconfigure(log=False)`

			`# confirm invalid trust anchor produces SERVFAIL in resolver`
			`msg = isctest.query.create("a.secure.example.", "A")`
			`res = isctest.query.tcp(msg, "10.53.0.5")`
			`isctest.check.servfail(res)`

			`# check that lookup involving forwarder succeeds and SERVFAIL was received`
			`with ns9.watch_log_from_here() as watcher:`
			`msg = isctest.query.create("a.secure.example.", "SOA")`
			`res = isctest.query.tcp(msg, "10.53.0.9")`
			`isctest.check.noerror(res)`
			`assert (res.flags & flags.AD) != 0`
			`watcher.wait_for_line("status: SERVFAIL")`