mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-03 08:05:21 +00:00
Code Issues Releases Wiki Activity

tests for support for EDE 1 & 2

Browse Source
This commit is contained in:
Colin Vidal
2025-01-13 14:50:58 +01:00
parent 46a58acdf5
commit 8b50d63fe1
12 changed files with 84 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
bin/tests/system/dnssec/ns2/example.db.in
View File

@@ -102,6 +102,9 @@ ns.dnskey-unknown A 10.53.0.3
dnskey-unsupported NS ns.dnskey-unsupported dnskey-unsupported NS ns.dnskey-unsupported
ns.dnskey-unsupported A 10.53.0.3 ns.dnskey-unsupported A 10.53.0.3
ds-unsupported NS ns.ds-unsupported
ns.ds-unsupported A 10.53.0.3
dnskey-nsec3-unknown NS ns.dnskey-nsec3-unknown dnskey-nsec3-unknown NS ns.dnskey-nsec3-unknown
ns.dnskey-nsec3-unknown A 10.53.0.3 ns.dnskey-nsec3-unknown A 10.53.0.3

2
bin/tests/system/dnssec/ns2/sign.sh
View File

@@ -56,7 +56,7 @@ infile=example.db.in
zonefile=example.db zonefile=example.db
# Get the DS records for the "example." zone. # Get the DS records for the "example." zone.
for subdomain in secure badds bogus dynamic keyless nsec3 optout \ for subdomain in ds-unsupported secure badds bogus dynamic keyless nsec3 optout \
nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \ nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \ kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
ttlpatch split-dnssec split-smart expired expiring upper lower \ ttlpatch split-dnssec split-smart expired expiring upper lower \

22
bin/tests/system/dnssec/ns3/ds-unsupported.example.db.in Normal file
View File

@@ -0,0 +1,22 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1

6
bin/tests/system/dnssec/ns3/named.conf.in
View File

@@ -195,6 +195,12 @@ zone "dnskey-unknown.example" {
file "dnskey-unknown.example.db.signed"; file "dnskey-unknown.example.db.signed";
}; };
zone "ds-unsupported.example" {
type primary;
file "ds-unsupported.example.db.signed";
allow-update { any; };
};
zone "dnskey-unsupported.example" { zone "dnskey-unsupported.example" {
type primary; type primary;
file "dnskey-unsupported.example.db.signed"; file "dnskey-unsupported.example.db.signed";

1
bin/tests/system/dnssec/ns3/secure.example.db.in
View File

@@ -30,6 +30,7 @@ g A 10.0.0.7
z A 10.0.0.26 z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a x CNAME a
badalg A 10.53.0.4
private NS ns.private private NS ns.private
ns.private A 10.53.0.2 ns.private A 10.53.0.2

18
bin/tests/system/dnssec/ns3/sign.sh
View File

@@ -298,6 +298,24 @@ awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefil
DSFILE="dsset-${zone}." DSFILE="dsset-${zone}."
$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE" $DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
#
# A zone which is fime by itself (supported alg and digest) but that is used
# to mimic unsupported DS digest (see ns8).
#
zone=ds-unsupported.example.
infile=ds-unsupported.example.db.in
zonefile=ds-unsupported.example.db
cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "cnameandkey.$zone")
dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
"$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
mv "$zonefile".tmp "$zonefile".signed
# #
# A zone with a published unsupported DNSKEY algorithm (Reserved). # A zone with a published unsupported DNSKEY algorithm (Reserved).
# Different from above because this key is not intended for signing. # Different from above because this key is not intended for signing.

4
bin/tests/system/dnssec/ns4/named1.conf.in
View File

@@ -27,9 +27,11 @@ options {
nta-lifetime 12s; nta-lifetime 12s;
nta-recheck 9s; nta-recheck 9s;
validate-except { corp; }; validate-except { corp; };
disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
# Note: We only reference the bind.keys file here to confirm that it # Note: We only reference the bind.keys file here to confirm that it
# is *not* being used. It contains the real root key, and we're # is *not* being used. It contains the real root key, and we're
# using a local toy root zone for the tests, so it wouldn't work. # using a local toy root zone for the tests, so it wouldn't work.

2
bin/tests/system/dnssec/ns4/named2.conf.in
View File

@@ -25,6 +25,8 @@ options {
dnssec-validation auto; dnssec-validation auto;
bindkeys-file "managed.conf"; bindkeys-file "managed.conf";
minimal-responses no; minimal-responses no;
disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
}; };
key rndc_key { key rndc_key {

2
bin/tests/system/dnssec/ns4/named3.conf.in
View File

@@ -26,6 +26,8 @@ options {
bindkeys-file "managed.conf"; bindkeys-file "managed.conf";
dnssec-accept-expired yes; dnssec-accept-expired yes;
minimal-responses no; minimal-responses no;
disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
}; };
key rndc_key { key rndc_key {

2
bin/tests/system/dnssec/ns4/named4.conf.in
View File

@@ -21,6 +21,8 @@ options {
pid-file "named.pid"; pid-file "named.pid";
listen-on { 10.53.0.4; }; listen-on { 10.53.0.4; };
listen-on-v6 { none; }; listen-on-v6 { none; };
disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
}; };
key rndc_key { key rndc_key {

23
bin/tests/system/dnssec/tests.sh
View File

@@ -3677,6 +3677,25 @@ dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.exa
dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A >dig.out.ns4.test$n dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A >dig.out.ns4.test$n
grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1
grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (255 dnskey-unsupported.example/SOA)" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
echo_i "checking EDE code 2 for unsupported DS digest ($n)"
ret=0
dig_with_opts @10.53.0.4 a.ds-unsupported.example >dig.out.ns4.test$n || ret=1
grep "; EDE: 2 (Unsupported DS Digest Type): (SHA-256 ds-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
echo_i "checking EDE code 1 for bad alg mnemonic ($n)"
ret=0
dig_with_opts @10.53.0.4 badalg.secure.example >dig.out.ns4.test$n || ret=1
grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (ECDSAP256SHA256 badalg.secure.example/A)" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
n=$((n + 1)) n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
@@ -3974,6 +3993,7 @@ dig_with_opts @10.53.0.8 a.secure.trusted A >dig.out.ns8.test$n
grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1
grep "; EDE: " dig.out.ns8.test$n >/dev/null && ret=1
n=$((n + 1)) n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret)) status=$((status + ret))
@@ -3985,6 +4005,7 @@ dig_with_opts @10.53.0.8 a.secure.managed A >dig.out.ns8.test$n
grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1
grep "; EDE: " dig.out.ns8.test$n >/dev/null && ret=1
n=$((n + 1)) n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret)) status=$((status + ret))
@@ -3999,6 +4020,7 @@ dig_with_opts @10.53.0.3 a.unsupported.trusted A >dig.out.ns3.test$n
dig_with_opts @10.53.0.8 a.unsupported.trusted A >dig.out.ns8.test$n dig_with_opts @10.53.0.8 a.unsupported.trusted A >dig.out.ns8.test$n
grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (255 ns3.unsupported.trusted (cached))" dig.out.ns8.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1
n=$((n + 1)) n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
@@ -4010,6 +4032,7 @@ dig_with_opts @10.53.0.3 a.unsupported.managed A >dig.out.ns3.test$n
dig_with_opts @10.53.0.8 a.unsupported.managed A >dig.out.ns8.test$n dig_with_opts @10.53.0.8 a.unsupported.managed A >dig.out.ns8.test$n
grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (255 ns3.unsupported.managed (cached))" dig.out.ns8.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1
n=$((n + 1)) n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"

1
bin/tests/system/dnssec/tests_sh_dnssec.py
View File

@@ -131,6 +131,7 @@ pytestmark = pytest.mark.extra_artifacts(
"ns3/update-nsec3.example.db.signed", "ns3/update-nsec3.example.db.signed",
"ns3/upper.example.db", "ns3/upper.example.db",
"ns3/upper.example.db.lower", "ns3/upper.example.db.lower",
"ns3/ds-unsupported.example.db",
"ns4/managed.conf", "ns4/managed.conf",
"ns4/managed-keys.bind", "ns4/managed-keys.bind",
"ns4/named.secroots", "ns4/named.secroots",