mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-31 14:35:26 +00:00
Convert kasp inheritance tests
These tests ensure that if dnssec-policy is set on a higher level, the zone is still signed (or unsigned) as expected. Or if a higher level has an override, the new policy is honored as expected.
This commit is contained in:
Matthijs Mekking
@@ -206,355 +206,6 @@ set_keytimes_autosign_policy() {
|
||||
set_addkeytime "KEY2" "REMOVED" "${retired}" 695100
|
||||
}
|
||||
|
||||
#
|
||||
# Test dnssec-policy inheritance.
|
||||
#
|
||||
|
||||
# These zones should be unsigned:
|
||||
# ns2/unsigned.tld
|
||||
# ns4/none.inherit.signed
|
||||
# ns4/none.override.signed
|
||||
# ns4/inherit.none.signed
|
||||
# ns4/none.none.signed
|
||||
# ns5/inherit.inherit.unsigned
|
||||
# ns5/none.inherit.unsigned
|
||||
# ns5/none.override.unsigned
|
||||
# ns5/inherit.none.unsigned
|
||||
# ns5/none.none.unsigned
|
||||
key_clear "KEY1"
|
||||
key_clear "KEY2"
|
||||
key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
|
||||
set_zone "unsigned.tld"
|
||||
set_policy "none" "0" "0"
|
||||
set_server "ns2" "10.53.0.2"
|
||||
TSIG=""
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
check_apex
|
||||
check_subdomain
|
||||
|
||||
set_zone "none.inherit.signed"
|
||||
set_policy "none" "0" "0"
|
||||
set_server "ns4" "10.53.0.4"
|
||||
TSIG="hmac-sha1:sha1:$SHA1"
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
check_apex
|
||||
check_subdomain
|
||||
|
||||
set_zone "none.override.signed"
|
||||
set_policy "none" "0" "0"
|
||||
set_server "ns4" "10.53.0.4"
|
||||
TSIG="hmac-sha224:sha224:$SHA224"
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
check_apex
|
||||
check_subdomain
|
||||
|
||||
set_zone "inherit.none.signed"
|
||||
set_policy "none" "0" "0"
|
||||
set_server "ns4" "10.53.0.4"
|
||||
TSIG="hmac-sha256:sha256:$SHA256"
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
check_apex
|
||||
check_subdomain
|
||||
|
||||
set_zone "none.none.signed"
|
||||
set_policy "none" "0" "0"
|
||||
set_server "ns4" "10.53.0.4"
|
||||
TSIG="hmac-sha256:sha256:$SHA256"
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
check_apex
|
||||
check_subdomain
|
||||
|
||||
set_zone "inherit.inherit.unsigned"
|
||||
set_policy "none" "0" "0"
|
||||
set_server "ns5" "10.53.0.5"
|
||||
TSIG="hmac-sha1:sha1:$SHA1"
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
check_apex
|
||||
check_subdomain
|
||||
|
||||
set_zone "none.inherit.unsigned"
|
||||
set_policy "none" "0" "0"
|
||||
set_server "ns5" "10.53.0.5"
|
||||
TSIG="hmac-sha1:sha1:$SHA1"
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
check_apex
|
||||
check_subdomain
|
||||
|
||||
set_zone "none.override.unsigned"
|
||||
set_policy "none" "0" "0"
|
||||
set_server "ns5" "10.53.0.5"
|
||||
TSIG="hmac-sha224:sha224:$SHA224"
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
check_apex
|
||||
check_subdomain
|
||||
|
||||
set_zone "inherit.none.unsigned"
|
||||
set_policy "none" "0" "0"
|
||||
set_server "ns5" "10.53.0.5"
|
||||
TSIG="hmac-sha256:sha256:$SHA256"
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
check_apex
|
||||
check_subdomain
|
||||
|
||||
set_zone "none.none.unsigned"
|
||||
set_policy "none" "0" "0"
|
||||
set_server "ns5" "10.53.0.5"
|
||||
TSIG="hmac-sha256:sha256:$SHA256"
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
check_apex
|
||||
check_subdomain
|
||||
|
||||
# These zones should be signed with the default policy:
|
||||
# ns2/signed.tld
|
||||
# ns4/override.inherit.signed
|
||||
# ns4/inherit.override.signed
|
||||
# ns5/override.inherit.signed
|
||||
# ns5/inherit.override.signed
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "yes"
|
||||
|
||||
set_keystate "KEY1" "GOAL" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
|
||||
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
|
||||
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
|
||||
set_keystate "KEY1" "STATE_DS" "hidden"
|
||||
|
||||
set_zone "signed.tld"
|
||||
set_policy "default" "1" "3600"
|
||||
set_server "ns2" "10.53.0.2"
|
||||
TSIG=""
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
set_keytimes_csk_policy
|
||||
check_keytimes
|
||||
check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
set_zone "override.inherit.signed"
|
||||
set_policy "default" "1" "3600"
|
||||
set_server "ns4" "10.53.0.4"
|
||||
TSIG="hmac-sha1:sha1:$SHA1"
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
set_keytimes_csk_policy
|
||||
check_keytimes
|
||||
check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
set_zone "inherit.override.signed"
|
||||
set_policy "default" "1" "3600"
|
||||
set_server "ns4" "10.53.0.4"
|
||||
TSIG="hmac-sha224:sha224:$SHA224"
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
set_keytimes_csk_policy
|
||||
check_keytimes
|
||||
check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
set_zone "override.inherit.unsigned"
|
||||
set_policy "default" "1" "3600"
|
||||
set_server "ns5" "10.53.0.5"
|
||||
TSIG="hmac-sha1:sha1:$SHA1"
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
set_keytimes_csk_policy
|
||||
check_keytimes
|
||||
check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
set_zone "inherit.override.unsigned"
|
||||
set_policy "default" "1" "3600"
|
||||
set_server "ns5" "10.53.0.5"
|
||||
TSIG="hmac-sha224:sha224:$SHA224"
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
set_keytimes_csk_policy
|
||||
check_keytimes
|
||||
check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
# These zones should be signed with the test policy:
|
||||
# ns4/inherit.inherit.signed
|
||||
# ns4/override.override.signed
|
||||
# ns4/override.none.signed
|
||||
# ns5/override.override.unsigned
|
||||
# ns5/override.none.unsigned
|
||||
# ns4/example.net (both views)
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "yes"
|
||||
|
||||
set_zone "inherit.inherit.signed"
|
||||
set_policy "test" "1" "3600"
|
||||
set_server "ns4" "10.53.0.4"
|
||||
TSIG="hmac-sha1:sha1:$SHA1"
|
||||
wait_for_nsec
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
set_keytimes_csk_policy
|
||||
check_keytimes
|
||||
check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
set_zone "override.override.signed"
|
||||
set_policy "test" "1" "3600"
|
||||
set_server "ns4" "10.53.0.4"
|
||||
TSIG="hmac-sha224:sha224:$SHA224"
|
||||
wait_for_nsec
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
set_keytimes_csk_policy
|
||||
check_keytimes
|
||||
check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
set_zone "override.none.signed"
|
||||
set_policy "test" "1" "3600"
|
||||
set_server "ns4" "10.53.0.4"
|
||||
TSIG="hmac-sha256:sha256:$SHA256"
|
||||
wait_for_nsec
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
set_keytimes_csk_policy
|
||||
check_keytimes
|
||||
check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
set_zone "override.override.unsigned"
|
||||
set_policy "test" "1" "3600"
|
||||
set_server "ns5" "10.53.0.5"
|
||||
TSIG="hmac-sha224:sha224:$SHA224"
|
||||
wait_for_nsec
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
set_keytimes_csk_policy
|
||||
check_keytimes
|
||||
check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
set_zone "override.none.unsigned"
|
||||
set_policy "test" "1" "3600"
|
||||
set_server "ns5" "10.53.0.5"
|
||||
TSIG="hmac-sha256:sha256:$SHA256"
|
||||
wait_for_nsec
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
set_keytimes_csk_policy
|
||||
check_keytimes
|
||||
check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
# Test with views.
|
||||
set_zone "example.net"
|
||||
set_server "ns4" "10.53.0.4"
|
||||
TSIG="$DEFAULT_HMAC:keyforview1:$VIEW1"
|
||||
wait_for_nsec
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example1"
|
||||
set_keytimes_csk_policy
|
||||
check_keytimes
|
||||
check_apex
|
||||
dnssec_verify
|
||||
# check zonestatus
|
||||
n=$((n + 1))
|
||||
echo_i "check $ZONE (view example1) zonestatus ($n)"
|
||||
ret=0
|
||||
check_isdynamic "$SERVER" "$ZONE" "example1" || log_error "zone not dynamic"
|
||||
check_inlinesigning "$SERVER" "$ZONE" "example1" && log_error "inline-signing enabled, expected disabled"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
# check subdomain
|
||||
n=$((n + 1))
|
||||
echo_i "check TXT example.net (view example1) rrset is signed correctly ($n)"
|
||||
ret=0
|
||||
dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
|
||||
grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
|
||||
grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view1" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
|
||||
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
TSIG="$DEFAULT_HMAC:keyforview2:$VIEW2"
|
||||
wait_for_nsec
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
|
||||
check_apex
|
||||
dnssec_verify
|
||||
# check zonestatus
|
||||
n=$((n + 1))
|
||||
echo_i "check $ZONE (view example2) zonestatus ($n)"
|
||||
ret=0
|
||||
check_isdynamic "$SERVER" "$ZONE" "example2" && log_error "zone dynamic, but not expected"
|
||||
check_inlinesigning "$SERVER" "$ZONE" "example2" || log_error "inline-signing disabled, expected enabled"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
# check subdomain
|
||||
n=$((n + 1))
|
||||
echo_i "check TXT example.net (view example2) rrset is signed correctly ($n)"
|
||||
ret=0
|
||||
dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
|
||||
grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
|
||||
grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
|
||||
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
TSIG="$DEFAULT_HMAC:keyforview3:$VIEW3"
|
||||
wait_for_nsec
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example3"
|
||||
check_apex
|
||||
dnssec_verify
|
||||
# check zonestatus
|
||||
n=$((n + 1))
|
||||
echo_i "check $ZONE (view example3) zonestatus ($n)"
|
||||
ret=0
|
||||
check_isdynamic "$SERVER" "$ZONE" "example3" && log_error "zone dynamic, but not expected"
|
||||
check_inlinesigning "$SERVER" "$ZONE" "example3" || log_error "inline-signing disabled, expected enabled"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
# check subdomain
|
||||
n=$((n + 1))
|
||||
echo_i "check TXT example.net (view example3) rrset is signed correctly ($n)"
|
||||
ret=0
|
||||
dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
|
||||
grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
|
||||
grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
|
||||
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
# Clear TSIG.
|
||||
TSIG=""
|
||||
|
||||
#
|
||||
# Testing RFC 8901 Multi-Signer Model 2.
|
||||
#
|
||||
|
||||
@@ -26,6 +26,7 @@ from isctest.kasp import (
|
||||
KeyProperties,
|
||||
KeyTimingMetadata,
|
||||
)
|
||||
from isctest.vars.algorithms import ECDSAP256SHA256, ECDSAP384SHA384
|
||||
|
||||
pytestmark = pytest.mark.extra_artifacts(
|
||||
[
|
||||
@@ -116,6 +117,21 @@ lifetime = {
|
||||
"P6M": int(timedelta(days=31 * 6).total_seconds()),
|
||||
}
|
||||
|
||||
KASP_INHERIT_TSIG_SECRET = {
|
||||
"sha1": "FrSt77yPTFx6hTs4i2tKLB9LmE0=",
|
||||
"sha224": "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==",
|
||||
"sha256": "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=",
|
||||
"view1": "YPfMoAk6h+3iN8MDRQC004iSNHY=",
|
||||
"view2": "4xILSZQnuO1UKubXHkYUsvBRPu8=",
|
||||
"view3": "C1Azf+gGPMmxrUg/WQINP6eV9Y0=",
|
||||
}
|
||||
|
||||
|
||||
def param(*args, **kwargs):
|
||||
if "id" not in kwargs:
|
||||
kwargs["id"] = args[0] # use first argument as test ID
|
||||
return pytest.param(*args, **kwargs)
|
||||
|
||||
|
||||
def autosign_properties(alg, size):
|
||||
return [
|
||||
@@ -685,6 +701,129 @@ def test_kasp_case(servers, params):
|
||||
callback(*arguments, params=params, ksks=ksks, zsks=zsks)
|
||||
|
||||
|
||||
@pytest.mark.parametrize(
|
||||
"zone, server_id, tsig_kind",
|
||||
[
|
||||
param("unsigned.tld", "ns2", None),
|
||||
param("none.inherit.signed", "ns4", "sha1"),
|
||||
param("none.override.signed", "ns4", "sha224"),
|
||||
param("inherit.none.signed", "ns4", "sha256"),
|
||||
param("none.none.signed", "ns4", "sha256"),
|
||||
param("inherit.inherit.unsigned", "ns5", "sha1"),
|
||||
param("none.inherit.unsigned", "ns5", "sha1"),
|
||||
param("none.override.unsigned", "ns5", "sha224"),
|
||||
param("inherit.none.unsigned", "ns5", "sha256"),
|
||||
param("none.none.unsigned", "ns5", "sha256"),
|
||||
],
|
||||
)
|
||||
def test_kasp_inherit_unsigned(zone, server_id, tsig_kind, servers):
|
||||
server = servers[server_id]
|
||||
tsig = (
|
||||
f"hmac-{tsig_kind}:{tsig_kind}:{KASP_INHERIT_TSIG_SECRET[tsig_kind]}"
|
||||
if tsig_kind
|
||||
else None
|
||||
)
|
||||
|
||||
keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
|
||||
isctest.kasp.check_keys(zone, keys, [])
|
||||
isctest.kasp.check_dnssecstatus(server, zone, [])
|
||||
isctest.kasp.check_apex(server, zone, [], [], tsig=tsig)
|
||||
isctest.kasp.check_subdomain(server, zone, [], [], tsig=tsig)
|
||||
|
||||
|
||||
@pytest.mark.parametrize(
|
||||
"zone, policy, server_id, alg, tsig_kind",
|
||||
[
|
||||
param("signed.tld", "default", "ns2", ECDSAP256SHA256, None),
|
||||
param("override.inherit.signed", "default", "ns4", ECDSAP256SHA256, "sha1"),
|
||||
param("inherit.override.signed", "default", "ns4", ECDSAP256SHA256, "sha224"),
|
||||
param("override.inherit.unsigned", "default", "ns5", ECDSAP256SHA256, "sha1"),
|
||||
param("inherit.override.unsigned", "default", "ns5", ECDSAP256SHA256, "sha224"),
|
||||
param("inherit.inherit.signed", "test", "ns4", ECDSAP384SHA384, "sha1"),
|
||||
param("override.override.signed", "test", "ns4", ECDSAP384SHA384, "sha224"),
|
||||
param("override.none.signed", "test", "ns4", ECDSAP384SHA384, "sha256"),
|
||||
param("override.override.unsigned", "test", "ns5", ECDSAP384SHA384, "sha224"),
|
||||
param("override.none.unsigned", "test", "ns5", ECDSAP384SHA384, "sha256"),
|
||||
],
|
||||
)
|
||||
def test_kasp_inherit_signed(zone, policy, server_id, alg, tsig_kind, servers):
|
||||
server = servers[server_id]
|
||||
tsig = (
|
||||
f"hmac-{tsig_kind}:{tsig_kind}:{KASP_INHERIT_TSIG_SECRET[tsig_kind]}"
|
||||
if tsig_kind
|
||||
else None
|
||||
)
|
||||
|
||||
key1 = KeyProperties.default()
|
||||
key1.metadata["Algorithm"] = alg.number
|
||||
key1.metadata["Length"] = alg.bits
|
||||
keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
|
||||
|
||||
isctest.kasp.check_zone_is_signed(server, zone, tsig=tsig)
|
||||
isctest.kasp.check_keys(zone, keys, [key1])
|
||||
set_keytimes_default_policy(key1)
|
||||
isctest.kasp.check_keytimes(keys, [key1])
|
||||
check_all(server, zone, policy, keys, [], tsig=tsig)
|
||||
|
||||
|
||||
@pytest.mark.parametrize(
|
||||
"number, dynamic, inline_signing, txt_rdata",
|
||||
[
|
||||
param("1", "yes", "no", "view1"),
|
||||
param("2", "no", "yes", "view2"),
|
||||
param("3", "no", "yes", "view2"),
|
||||
],
|
||||
)
|
||||
def test_kasp_inherit_view(number, dynamic, inline_signing, txt_rdata, servers):
|
||||
zone = "example.net"
|
||||
policy = "test"
|
||||
server = servers["ns4"]
|
||||
view = f"example{number}"
|
||||
tsig = f"{os.environ['DEFAULT_HMAC']}:keyforview{number}:{KASP_INHERIT_TSIG_SECRET[f'view{number}']}"
|
||||
|
||||
key1 = KeyProperties.default()
|
||||
key1.metadata["Algorithm"] = ECDSAP384SHA384.number
|
||||
key1.metadata["Length"] = ECDSAP384SHA384.bits
|
||||
keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
|
||||
|
||||
isctest.kasp.check_zone_is_signed(server, zone, tsig=tsig)
|
||||
isctest.kasp.check_keys(zone, keys, [key1])
|
||||
set_keytimes_default_policy(key1)
|
||||
isctest.kasp.check_keytimes(keys, [key1])
|
||||
isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy, view=view)
|
||||
isctest.kasp.check_apex(server, zone, keys, [], tsig=tsig)
|
||||
# check zonestatus
|
||||
response = server.rndc(f"zonestatus {zone} in {view}", log=False)
|
||||
assert f"dynamic: {dynamic}" in response
|
||||
assert f"inline signing: {inline_signing}" in response
|
||||
# check subdomain
|
||||
fqdn = f"{zone}."
|
||||
qname = f"view.{zone}."
|
||||
qtype = dns.rdatatype.TXT
|
||||
rdata = txt_rdata
|
||||
query = dns.message.make_query(qname, qtype, use_edns=True, want_dnssec=True)
|
||||
tsigkey = tsig.split(":")
|
||||
keyring = dns.tsig.Key(tsigkey[1], tsigkey[2], tsigkey[0])
|
||||
query.use_tsig(keyring)
|
||||
try:
|
||||
response = isctest.query.tcp(query, server.ip, server.ports.dns, timeout=3)
|
||||
except dns.exception.Timeout:
|
||||
isctest.log.debug(f"query timeout for query {qname} {qtype} to {server.ip}")
|
||||
response = None
|
||||
assert response.rcode() == dns.rcode.NOERROR
|
||||
match = f'{qname} 300 IN TXT "{rdata}"'
|
||||
rrsigs = []
|
||||
for rrset in response.answer:
|
||||
if rrset.match(
|
||||
dns.name.from_text(qname), dns.rdataclass.IN, dns.rdatatype.RRSIG, qtype
|
||||
):
|
||||
rrsigs.append(rrset)
|
||||
else:
|
||||
assert match in rrset.to_text()
|
||||
assert len(rrsigs) > 0
|
||||
isctest.kasp.check_signatures(rrsigs, qtype, fqdn, keys, [])
|
||||
|
||||
|
||||
def test_kasp_default(servers):
|
||||
server = servers["ns3"]
|
||||
|
||||
|
||||
Reference in New Issue
Block a user