Add new test cases with DNSSEC signing

kasp-max-types-per-name (named2.conf.in): An unsigned zone with RR type count on a name right below the configured limit. Then sign the zone using KASP. Adding a RRSIG would push it over the RR type limit per name. Signing should fail, but the server should not crash, nor end up in infinite resign-attempt loop. kasp-max-records-per-type-dnskey (named1.conf.in): Test with low max-record-per-rrset limit and a DNSSEC policy requiring more than the limit. Signing should fail. kasp-max-types-per-name (named1.conf.in): Each RRSIG(covered type) is counted as an individual RR type. Test the corner case where a signed zone, which is just below the limit-1, adds a new type - doing so would trigger signing for the new type and thus increase the number of "types" by 2, pushing it over the limit again.
2025-08-30 05:57:52 +00:00 · 2024-05-31 13:08:38 +02:00 · 2024-05-31 13:08:38 +02:00 · 4e46453035
commit 4e46453035
parent 15ecd2cce6
7 changed files with 318 additions and 2 deletions
--- a/bin/tests/system/masterformat/ns4/compile.sh
+++ b/bin/tests/system/masterformat/ns4/compile.sh
@ -0,0 +1,21 @@
 #!/bin/sh
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # SPDX-License-Identifier: MPL-2.0
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0.  If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 # shellcheck source=conf.sh
 . ../../conf.sh
 for zone in kasp-max-records-per-type \
  kasp-max-records-per-type-dnskey \
  kasp-max-types-per-name; do
  $CHECKZONE -D -F raw -o $zone.db.raw $zone template.db >/dev/null 2>&1
 done
--- a/bin/tests/system/masterformat/ns4/kasp.db
+++ b/bin/tests/system/masterformat/ns4/kasp.db
@ -0,0 +1,28 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
 ; SPDX-License-Identifier: MPL-2.0
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0.  If a copy of the MPL was not distributed with this
 ; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 $TTL 1D
@			IN SOA	ns hostmaster (
 				1
 				3600
 				1800
 				1814400
 				3
 				)
 			NS	ns
 ns			A	10.53.0.1
 mx			MX	10 mail
 a			A	10.53.0.1
 aaaa			AAAA	2001:db8::53
 cname			CNAME	cname-target
 dname			DNAME	dname-target
 txt			TXT	"this is text"
--- a/bin/tests/system/masterformat/ns4/named1.conf.in
+++ b/bin/tests/system/masterformat/ns4/named1.conf.in
@ -0,0 +1,89 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0.  If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 // NS4
 options {
 	pid-file "named.pid";
 	listen-on port @PORT@ { 10.53.0.4; };
 	port @PORT@;
 	listen-on-v6 { none; };
 	recursion no;
 	notify no;
 	session-keyfile "session.key";
 	servfail-ttl 0;
 	dnssec-validation no;
 	/* Ridicously low on purpose */
 	max-records-per-type 1;
 	max-types-per-name 11;
 };
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
 };
 controls {
 	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 dnssec-policy "masterformat" {
 	keys {
 		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 	};
 };
 /*
 * This one should be okay, since the default policy only introduces one DNSKEY
 * and each signature covering a different type is considered a separate RRset.
 */
 zone "kasp-max-records-per-type" {
 	type primary;
 	file "kasp-max-records-per-type.db.raw";
 	masterfile-format raw;
 	dnssec-policy "default";
 	inline-signing no;
 	allow-update { any; };
 	allow-transfer { any; };
 };
 /*
 * This one uses a ZSK / KSK, so that is two records in one RRset,
 * thus it should fail to sign.
 */
 zone "kasp-max-records-per-type-dnskey" {
 	type primary;
 	file "kasp-max-records-per-type-dnskey.db.raw";
 	masterfile-format raw;
 	dnssec-policy "masterformat";
 	inline-signing no;
 	allow-update { any; };
 	allow-transfer { any; };
 };
 /*
 * The template zone is fine and should be possible to sign, but when
 * adding an extra type to the apex the max-types-per-name will be exceeded,
 * meaning the update should fail.
 */
 zone "kasp-max-types-per-name" {
 	type primary;
 	file "kasp-max-types-per-name.db.raw";
 	masterfile-format raw;
 	dnssec-policy "default";
 	inline-signing no;
 	allow-update { any; };
 	allow-transfer { any; };
 };
--- a/bin/tests/system/masterformat/ns4/named2.conf.in
+++ b/bin/tests/system/masterformat/ns4/named2.conf.in
@ -0,0 +1,53 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0.  If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 // NS4
 options {
 	pid-file "named.pid";
 	listen-on port @PORT@ { 10.53.0.4; };
 	port @PORT@;
 	listen-on-v6 { none; };
 	recursion no;
 	notify no;
 	session-keyfile "session.key";
 	servfail-ttl 0;
 	dnssec-validation no;
 	/* Ridicously low on purpose */
 	max-records-per-type 1;
 	max-types-per-name 9;
 };
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
 };
 controls {
 	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 /*
 * The template zone is fine, but when adding the DNSSEC records to the apex,
 * the max-types-per-name will be exceeded, meaning signing should fail.
 */
 zone "kasp-max-types-per-name" {
 	type primary;
 	file "kasp-max-types-per-name.db.raw";
 	masterfile-format raw;
 	dnssec-policy "default";
 	inline-signing no;
 	allow-update { any; };
 	allow-transfer { any; };
 };
--- a/bin/tests/system/masterformat/ns4/template.db
+++ b/bin/tests/system/masterformat/ns4/template.db
@ -0,0 +1,28 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
 ; SPDX-License-Identifier: MPL-2.0
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0.  If a copy of the MPL was not distributed with this
 ; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 $TTL 1D
@			IN SOA	ns hostmaster (
 				1
 				3600
 				1800
 				1814400
 				3
 				)
 			NS	ns
 ns			A	10.53.0.1
 mx			MX	10 mail
 a			A	10.53.0.1
 aaaa			AAAA	2001:db8::53
 cname			CNAME	cname-target
 dname			DNAME	dname-target
 txt			TXT	"this is text"
--- a/bin/tests/system/masterformat/setup.sh
+++ b/bin/tests/system/masterformat/setup.sh
@ -19,6 +19,7 @@ $SHELL clean.sh
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named1.conf.in ns4/named.conf
 cp ns1/example.db ns2/
 cp ns2/formerly-text.db.in ns2/formerly-text.db
@ -57,4 +58,5 @@ for ntype in $(seq 65280 65534); do
  echo "m TYPE${ntype} \# 0"
 done >>ns1/255types.db
 echo "m TXT bunny" >>ns1/255types.db
-cd ns1 && $SHELL compile.sh
+(cd ns1 && $SHELL compile.sh)
 (cd ns4 && $SHELL compile.sh)
--- a/bin/tests/system/masterformat/tests.sh
+++ b/bin/tests/system/masterformat/tests.sh
@ -301,7 +301,6 @@ n=$((n + 1))
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 echo_i "checking that over-limit rdatasets not loaded ($n)"
 for _attempt in 0 1 2 3 4 5 6 7 8 9; do
  ret=0
@ -316,6 +315,102 @@ n=$((n + 1))
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 echo_i "checking that kasp-max-records-per-type rdatasets loaded ($n)"
 for _attempt in 0 1 2 3 4 5 6 7 8 9; do
  ret=0
  for rrtype in soa dnskey ns; do
    $DIG +tcp +dnssec $rrtype "kasp-max-records-per-type" @10.53.0.4 -p "${PORT}" >"dig.out.ns4.$rrtype.test$n"
    grep "status: NOERROR" "dig.out.ns4.$rrtype.test$n" >/dev/null || ret=1
    grep "RRSIG" "dig.out.ns4.$rrtype.test$n" >/dev/null || ret=1
  done
  [ $ret -eq 0 ] && break
  sleep 1
 done
 n=$((n + 1))
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 echo_i "checking that kasp-max-records-per-type-dnskey rdatasets not signed ($n)"
 for _attempt in 0 1 2 3 4 5 6 7 8 9; do
  ret=0
  for rrtype in soa dnskey ns; do
    $DIG +tcp +dnssec $rrtype "kasp-max-records-per-type-dnskey" @10.53.0.4 -p "${PORT}" >"dig.out.ns4.$rrtype.test$n"
    grep "status: NOERROR" "dig.out.ns4.$rrtype.test$n" >/dev/null || ret=1
    grep "RRSIG" "dig.out.ns4.$rrtype.test$n" >/dev/null && ret=1
  done
  [ $ret -eq 0 ] && break
  sleep 1
 done
 n=$((n + 1))
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 echo_i "checking that kasp-max-types-per-name rdatasets loaded ($n)"
 for _attempt in 0 1 2 3 4 5 6 7 8 9; do
  ret=0
  for rrtype in soa dnskey ns; do
    $DIG +tcp +dnssec $rrtype "kasp-max-types-per-name" @10.53.0.4 -p "${PORT}" >"dig.out.ns4.$rrtype.test$n"
    grep "status: NOERROR" "dig.out.ns4.$rrtype.test$n" >/dev/null || ret=1
    grep "RRSIG" "dig.out.ns4.$rrtype.test$n" >/dev/null || ret=1
  done
  [ $ret -eq 0 ] && break
  sleep 1
 done
 n=$((n + 1))
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 # Update zone with nsupdate.
 n=$((n + 1))
 echo_i "add new type to zone and check that it fails ($n)"
 ret=0
 (
  echo zone kasp-max-types-per-name.
  echo server 10.53.0.4 "$PORT"
  echo update add kasp-max-types-per-name. 300 TXT KAPUTT
  echo send
 ) | $NSUPDATE && ret=1
 n=$((n + 1))
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 echo_i "checking that kasp-max-types-per-name rdatasets loaded ($n)"
 for _attempt in 0 1 2 3 4 5 6 7 8 9; do
  ret=0
  for rrtype in soa dnskey ns txt; do
    $DIG +tcp +dnssec $rrtype "kasp-max-types-per-name" @10.53.0.4 -p "${PORT}" >"dig.out.ns4.$rrtype.test$n"
    grep "status: NOERROR" "dig.out.ns4.$rrtype.test$n" >/dev/null || ret=1
    grep "KAPUTT" "dig.out.ns4.$rrtype.test$n" >/dev/null && ret=1
  done
  [ $ret -eq 0 ] && break
  sleep 1
 done
 n=$((n + 1))
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 # Reconfigure ns4
 echo_i "reconfigure ns4"
 stop_server ns4
 copy_setports ns4/named2.conf.in ns4/named.conf
 # Recompile zone
 $CHECKZONE -D -F raw -o ns4/kasp.db.raw kasp-max-types-per-name ns4/template.db >/dev/null 2>&1
 start_server --noclean --restart --port "${PORT}" ns4
 echo_i "checking that kasp-max-types-per-name rdatasets not loaded ($n)"
 for _attempt in 0 1 2 3 4 5 6 7 8 9; do
  ret=0
  for rrtype in soa dnskey ns; do
    $DIG +tcp +dnssec $rrtype "kasp-max-types-per-name" @10.53.0.4 -p "${PORT}" >"dig.out.ns4.$rrtype.test$n"
    grep "status: SERVFAIL" "dig.out.ns4.$rrtype.test$n" >/dev/null || ret=1
  done
  [ $ret -eq 0 ] && break
  sleep 1
 done
 n=$((n + 1))
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 echo_i "checking that 255 types are loaded ($n)"
 for _attempt in 0 1 2 3 4 5 6 7 8 9; do
  ret=0